ebook img

DTIC ADA459066: Authentication in Reprogramming of Sensor Networks for Mote Class Adversaries PDF

0.12 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview DTIC ADA459066: Authentication in Reprogramming of Sensor Networks for Mote Class Adversaries

Authentication in Reprogramming of Sensor Networks for Mote Class Adversaries 1 Limin Wang SandeepS. Kulkarni SoftwareEngineeringandNetworkSystemsLaboratory DepartmentofComputerScienceandEngineering MichiganStateUniversity EastLansingMI 48824USA Abstract Reprogramming is performed via wireless radio, which is a broadcast medium, and is vulnerable to packet injection or Reprogramming is an essential service for wireless sensor corruption attacks. Moreover, the current reprogramming networks. Authenticating reprogramming process is impor- protocols [7,10,13,17,21] are epidemic in nature. Once a tantassensorsneedtoverifythatthecodeimageistrulyfrom false or viralcode imageis installed onone sensor, it could atrustedsource. Therearetwowaystoachieveauthentica- rapidly infect the entire network, and thus, lead to catas- tion: public key based and symmetric key based. Although trophicdamage. Forthesereasons,itisimportantthatsensor previous work has shown that public key authentication is nodesbeabletoverifythatthecodeimageisfromatrusted feasibleonsensornodesifusedsparingly,itisstillquiteex- source. pensivecomparedto symmetrickeybasedapproach. Inthis In this paper, we are interested in providing security for re- paper, we propose a symmetric key based protocol for au- programming. Specifically,wefocusonauthentication. Our thenticating reprogramming process. Our protocol is based goalistoprovideawaythatsensornodescanverifyprogram onthe secret instantiationalgorithm from [5,11], whichre- authenticityandintegrity. Authenticationcanbeachievedin quires only O(logn) keys to be maintained at each sensor. twoways:publickeybased,orsymmetrickeybased.Inpub- Weintegratethisalgorithmwiththeexistingreprogramming lickeybasedauthentication,abasestationsignsthepackets protocol. Throughsimulation, weshowthatitisabletoau- using its private key. All the sensors have the public keyof thenticate reprogramming process at very low communica- thebase station, andcanuse ittoverifythat thepacketsare tioncost,andhasveryshortdelay. from the base station. However, public key based authenti- Keywords: Sensornetworks,Reprogramming,Authenti- cation is computationally expensive. Although recent work cation,Symmetrickeys hasshownthatellipticcurvecryptography(ECC)isfeasible on Mica-2 motes [6,16], it should still be avoided or used 1 Introduction sparingly. Bycontrast,symmetrickeybasedauthenticationneedsmuch lessenergy/memory/computationresources,andhence,isex- Wireless reprogramming is an essential service for sensor pectedtobemoreappropriateforresourceconstrainedsensor networksduetothefactthatsensornetworksconsistofhun- nodes. (Asanillustration,ontheMicamotes,encryptionus- dreds or thousands of sensor nodes and they are often de- ingpublickeyisapproximately100-1000timesslowerthan ployed in remote or hostile environments. It is demanding thesymmetrickeyencryption.) Asimpleapproachistouse andsometimesimpossibletocollectallthesensornodesfrom asinglenetwork-widekeysharedbythebasestationandall thefieldforreprogramming. Therefore,itisnecessarytore- thesensors[8]. Theproblemwiththisapproachisthatifone programsensornetworksinplace. sensor is compromised and the key is captured (which has 1Email:{wanglim1,sandeep}@cse.msu.edu. beenshowntoberelativelyeasy[2]),theentirenetworkisno Web:http://www.cse.msu.edu/˜{wanglim1,sandeep}. longer secure. Another symmetric key based approach is to Thiswork waspartially sponsoredbyNSF CAREERCCR-0092724, sharea pairwisekeybetweenthe basestation andeachsen- DARPA Grant OSURS01-C-1901, ONR Grant N00014-01-1-0744, NSF equipmentgrantEIA-0130724,andagrantfromMichiganStateUniversity. 1 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 2006 2. REPORT TYPE 00-00-2006 to 00-00-2006 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Authentication in Reprogramming of Sensor Networks for Mote Class 5b. GRANT NUMBER Adversaries 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION Michigan State University,Department of Computer Science and REPORT NUMBER Engineering,Software Engineering and Network Systems Laboratory,East Lansing,MI,48824 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES The original document contains color images. 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE 8 unclassified unclassified unclassified Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 sor. Althoughthisapproachisresistanttonodecompromise, 2. SystemModel itdoesnotscalewelltolargenetworks. Inthispaper,weshowhowasymmetrickeybasedalgorithm Thegoalofthispaperistoaddsecuritytotheexistingrepro- can be used for authentication in reprogramming for mote- gramming protocols, such as MNP [13] and Deluge [7], in classadversaries. Examplesofsuchadversariesarelikelyto whichthecodeimageispropagatedfromabasestationtoall occurinsensornetworktestbeds. Suchtestbedsareexpected the sensors in the network. These reprogrammingprotocols to be typically physically secure so that attacks from a lap- are all based on the advertise-request-data three-way hand- topclass adversaryareprevented/mitigated. However,since shake model [9]. The program to be distributed is divided the testbed relinquishes control of sensors to users for their intoN segments. EachsegmentcontainsK packets;thelast experiments,oneexperimentcanbeaffectedbyanothercon- segmentmaycontainfewerpackets. Thedefaultpacketpay- current experiment. In this case, a potential adversary is in loadis23bytes. Sensorsmustreceivethesegmentsinorder. mote-class,i.e.,itscomputationandcommunicationcapabil- However,withinasegment,thepacketscanbereceivedoutof ity as well as battery power is similar to the sensors in the order. Thesensorsbroadcastadvertisementsoftheavailable network. Inourwork,thenetworkconsistsofabasestation segments. When the neighbors receive the advertisements, and a collection of sensors. The sensors need to verify that if they haven’t received that segment completely, they will the code image is truly from the base station. We note that sendrequeststotheadvertiser.Thisrequestalsospecifiesthe theonlycommunicationthatneedstobeauthenticatedisthe packets that the requester wants. The sender then transmits communication from the base station, rather than the com- therequestedpacketsinthesegment. Thisprocesscontinues municationbetweentwoarbitrarysensors. Utilizingthisfact, untileverypacketis receivedbyeveryreceiver. This model weapplyasecretinstantiationalgorithmfrom[5,11]topro- providesefficientandreliabletransmissioninahighlylossy videauthentication. Thus,intheprotocol,onlyaverysmall andunstablewirelessenvironment. numberofkeysaremaintainedateverysensor. We consider an adversaryas one who tries to inject its own Finally, observe that authentication is sufficient for repro- codeintosensornodes. Itcaneavesdroponanycommunica- gramming in sensor networks. In other words, it suffices to tioninthenetwork. Itisabletocompromisea sensornode, ensure that the sensors can be assured that the code is from andacquireallinformationinsideit. However,anadversary thetrustedsource. However,inthisapplication,confidential- cannotcompromisethebasestation. Initially,wedonotcon- ity is not required, i.e., the code being transmitted is public sidercollusionamongsensornodes. Wediscusstheeffectof andcanbeacquiredbytheadversary.Hence,thecodeissent collusion in Section 3.1. As mentioned in the Introduction, inplaintextalongwithappropriateauthentication. we only consider a mote-class adversary, i.e., an adversary Contributionsofthepaper. Weintegratethesecretinstan- has limited computationalresources, andcannot launchDe- tiation algorithm from [5,11] with the existing reprogram- nialofServiceattack. Weexpectthattheproposedalgorithm ming protocols. The algorithm requires only O(logn) keys would be useful in a testbed setting. To illustrate this, con- tobe maintainedateach sensor,and a smallsignatureis in- sider the case where a sensor network testbed [1] provides cludedinthemessagesfromthebasestationthatcanbeveri- a user with a certain set of sensors for performing an ex- fiedatthesensors.ThroughsimulationonTOSSIM[15],we periment. In this case, typically, the testbed itself is phys- show that it is able to authenticate reprogramming process ically secure from laptop-class adversaries. However, since at low communication cost, and has short delay. We illus- the testbed mayrelinquishcontrol of somesensors to users, tratethisbyevaluatingtheeffectofaddingauthenticationto such sensors may be able interfere with other experiments MNP[13]. runningonthetestbed.Moreover,sinceanadversaryislikely to be detected by auditing techniques that may exist in the Organization of the paper. In Section 2, we describe the testbed,thelikelihoodofsecurityattacksisfurtherreduced. system model and requirements of secure reprogramming problem. In Section 3, we present our authentication pro- Thegoalsoftheproposedprotocolareasfollows: tocol,andillustratethe processofintegratingitto theexist- ingreprogrammingprotocols, MNPandDeluge. InSection 1. Authenticity. Eachsensor must be able to verify that a 4,weevaluateourapproachintermsofcommunicationcost code image is from a trusted source and has not been anddelay.WesurveyrelatedworkinSection5andconclude changedduringtransit. We considerthebasestationas inSection6. atrustedsource,andisprotectedagainstcompromise. 2. Compromiseresilience. Becausecurrentmost-classde- vices are not tamper-resistant, it is relatively easy to 2 compromiseasensor. Itmustnotbepossiblethatcom- 0(cid:13) promisingasinglesensornodewillcausetheotherparts 1(cid:13) ofthenetworkinsecure. 0(cid:13) ...(cid:13)...(cid:13)...(cid:13) ...(cid:13) 3. Low cost. The security scheme should be efficient in 1(cid:13) ...(cid:13)...(cid:13) ...(cid:13) ...(cid:13) 0(cid:13) 0(cid:13) 1(cid:13) 1(cid:13) 0(cid:13) 0(cid:13) 0(cid:13) 1(cid:13) 0(cid:13) 0(cid:13) 1(cid:13) 0(cid:13) termsofcomputation,communication,andmemoryus- age. Moreover, it should not add long delay to the re- 0(cid:13) 1(cid:13) 1(cid:13)0(cid:13) 1(cid:13) 0(cid:13) 0(cid:13) 1(cid:13) 1(cid:13) 1(cid:13) 0(cid:13) 1(cid:13) 0(cid:13) 0(cid:13) 0(cid:13) 0(cid:13) programmingprocess. 1(cid:13)0(cid:13) 0(cid:13) 0(cid:13) 0(cid:13) 1(cid:13) 0(cid:13) 1(cid:13) 1(cid:13) 1(cid:13) 0(cid:13) 0(cid:13) 1(cid:13) 0(cid:13) 1(cid:13) 0(cid:13) 3.Protocol 1(cid:13) 0(cid:13) 1(cid:13) 1(cid:13) 0(cid:13) 1(cid:13) 0(cid:13) 0(cid:13) 0(cid:13) 1(cid:13) 1(cid:13) 1(cid:13) 1(cid:13) 1(cid:13) 1(cid:13) 0(cid:13) Ourauthenticationprotocolforreprogrammingissymmetric key based. In Section 3.1, we describe the secret instantia- tion algorithm [5,11], which specifies how the secrets (i.e., Figure1.Secretinstantiation:anexample. keys)aredistributedandusedforauthenticatingthecommu- nicationfromthebasestationtosensors. InSection3.2,we discusstheissuesofintegratingthesecretinstantiationalgo- rithmwiththeexistingreprogrammingprotocols. secret in the first column. If the second digit of the ID is y thenthesensorgetsyth secretinthesecondcolumn,andso on. 3.1 SecretInstantiationAlgorithm Theorem1. Ifsensorjreceivesamessageanditverifiesall thesignaturesbasedonthesecretsitknowsthenthatmessage The base station has a collection of secrets. Initially, each mustbesentbythebasestation. sensorreceivessomesubsetofthiscollection. Thebasesta- tionknowsthesecretdistribution,i.e.,itknowsthesubsetof Proof: EachsensorhasauniqueIDthatisoflengthlogrn, secrets received by each sensor. Whenever the base station thus it is associatedwith a uniquecombination oflogrn se- crets. Only the base station contains all the secrets. There- sendsamessage,itseparatelysignsitusingallthesecretsin fore, no other sensor, exceptthe base station, has all the se- itscollection. Thus,messagetransmissionisassociatedwith a collection of signatures, one for each secret that the base cretsthatsensorj has. Hence,ifj verifieslogrnsignatures, itisassuredthatthemessageoriginatedatthebasestation. station has. To sign message m, with secret s, the base sta- tion can use algorithms such as MD5. (Additionally, if the To illustrate the algorithm, we show an example in Figure length of the signature needs to be small, then only a small 1. Let the number of nodes be 16 and let r be 2. Then the part of this signature (e.g., last byte) may be used.) When- base station contains 8 (i.e., 2 log 16) secrets with 2 rows 2 everasensorreceivesthiscommunication,itverifiesthesig- and4columns. Eachsensorhas4(i.e.,log216)secrets. The naturesbasedonthecollectionofsecretsithas. Ofcourse,a set ofsecretsa sensorhas are decidedby its uniqueID. For sensorwill only be able to verify a subset of the signatures, example, if a sensor’s ID is 0011, then it has the secrets on as it does not have all the secrets. It is required that if all the first row in the first two columns and the secrets on the thesesignatureverificationaresuccessful,thesensorcanas- secondrowinthenexttwocolumns. sume that the communication is truly from the base station Collusion. In the secret instantiation algorithm, compro- (and not from an outsider or anther sensor pretending to be mising a single sensor node will not compromise the entire thebasestation). network. Thisisduetothefactsthateachsensorhasonlya To implement this, a 2-dimensional array of secrets with r subsetofthesecrets,andifanadversaryattemptstopretend rows (numbered 0::r 1) and logrn (numbered 1::logrn) to be the base station, it needs to get all the secrets. How- (cid:0) columns(where2 r nandnisthenumberofsensors) ever,colludingusersmaybeabletoobtainallthekeysand, (cid:20) (cid:20) is maintained. As mentioned above, the base station knows thereby, pretend to be the base station. By choosing an ap- all these secrets. Each sensor is assigned a unique ID that propriate value for r, this key distribution provides a trade- is a number with radix r. Observe that the ID is of length offbetweenlevelofcollusionresistanceandnumberofkeys logrn.(Leading0sareaddedifnecessary.)ThisIDidentifies at the base station. The smallest value for r is 2; for this the secrets that a sensor should get. Specifically, if the first case,thebasestationmaintains2log2nsecretsandeachsen- digit(mostsignificant)oftheIDisxthenthesensorgetsxth sor maintains log2n secrets. However, collusion of 2 users 3 with complementary IDs (e.g., a sensor with ID 1010 and a Sign (H(1,1))(cid:13) H(1,1)(cid:13) sensorwithID0101)canallowthemtopretendtobethebase H(1,1)(cid:13) station. H(1,2)(cid:13) H(1,3)(cid:13) H(1,4)(cid:13) H(1,5)(cid:13) H(1,K)(cid:13) H(2,1)(cid:13) Data(cid:13) H(cid:13) Data(cid:13) H(cid:13) Data(cid:13) H(cid:13) Data(cid:13) H(cid:13) ......(cid:13) Data(cid:13) H(cid:13) Asthevalueofrincreases,thenumberofsecretsmaintained P(1,1)(cid:13) P(1,2)(cid:13) P(1,3)(cid:13) P(1,4)(cid:13) P(1,K)(cid:13) bythebasestation(rlogrn)increases. However,inthiscase, H(2,2)(cid:13) H(2,3)(cid:13) H(2,4)(cid:13) H(2,5)(cid:13) H(2,K)(cid:13) H(3,1)(cid:13) thenumberofsecretsmaintainedbyeachsensor(logrn)de- Data(cid:13) H(cid:13) Data(cid:13) H(cid:13) Data(cid:13) H(cid:13) Data(cid:13) H(cid:13) ......(cid:13) Data(cid:13) H(cid:13) creases.Moreover,whenrincreases,thecollusionresistance P(2,1)(cid:13) P(2,2)(cid:13) P(2,3)(cid:13) P(2,4)(cid:13) P(2,K)(cid:13) H(3,2)(cid:13) H(3,3)(cid:13) H(3,4)(cid:13) H(3,5)(cid:13) H(3,K)(cid:13) H(4,1)(cid:13) alsoincreases. Forr = pn, thealgorithmcorresponds[11] Data(cid:13) H(cid:13) Data(cid:13) H(cid:13) Data(cid:13) H(cid:13) Data(cid:13) H(cid:13) ......(cid:13) Data(cid:13) H(cid:13) tothe grid algorithmin [12]. Forr = n, the algorithmcor- P(3,1)(cid:13) P(3,2)(cid:13) P(3,3)(cid:13) P(3,4)(cid:13) P(3,K)(cid:13) responds to the case where each sensor maintains a unique ......(cid:13) ......(cid:13) ......(cid:13) secretthatisknownonlytothatsensorandthebasestation. H(N,1)(cid:13) H(N,2)(cid:13) H(N,3)(cid:13) H(N,4)(cid:13) H(N,5)(cid:13) H(N,K)(cid:13) In this case, collusion between sensors does not allowthem Data(cid:13) H(cid:13) Data(cid:13) H(cid:13) Data(cid:13) H(cid:13) Data(cid:13) H(cid:13) ......(cid:13) Data(cid:13) 0(cid:13) P(N,1)(cid:13) P(N,2)(cid:13) P(N,3)(cid:13) P(N,4)(cid:13) P(N,K)(cid:13) topretendtobethebasestation. Figure2.chainedhashmechanism. 3.2 IntegrationwithReprogrammingProtocols Inthissection,weintegrateoursecretinstantiationalgorithm hashH(1;1)usingallthesecrets.Wedenotethesignatureas withreprogrammingprotocols. Asaprogramnormallycon- sign(H(1;1))inFigure2. sists of hundreds or thousands of packets, it would incur a In multihop reprogramming, every sensor needs to receive lotofoverheadifthebasestationsignseverypacketitsends. theprogram. Andoncetheyreceivepartoftheprogram(one Hence,weusethechainedhashapproachproposedin[4]. ormoresegments),theycanstartadvertisingandforwardthe We illustrate the chained hash mechanism in Figure 2. A programtoitsneighbors. Whensensorsreceiveandforward program is divided into N segments, shown as N rows of theprogram,thesignatureandhashH(1;1)arealsobuffered packets. Each segment (row) has K packets. We represent and forwarded. This signature and the hash H(1;1) should thejth data packetoftheith segment asP(i;j), i = 1::N, be sent right before the transmission of the segment starts. j = 1::K. The hash value of packet P(i;j) is denoted as In the remainderof this paper, we use MNP as an example. H(i;j). A data packet P(i;j) has two parts, the data part MNP uses a sender selection algorithm to try to guarantee and a hash of the next packet. If P(i;j) is the last packet thatthereisonlyonesenderinaneighborhoodata time. If in segment i (1 i < N), then the next packet is the first asensorwinsinthesenderselectionalgorithmandbecomes (cid:20) packet of segment i+1. If P(i;j) is the last packet in the thesender,itbroadcastsa“StartDownload”messageseveral program, then the hash value is 0. Hence, each data packet times, then starts transmitting the requested data packets in canberepresentedas the segment. We add the signature and the hash H(1;1) in IfP(i;j)isthelastpacketoftheprogram the “StartDownload” message. If the signature plus hash is toolong,anddoesnotfitinonemessage,wecanusemulti- P(i;j)=data(i;j) plemessagesfor“StartDownload”. Inthiscase,thereceiver needs to receiveall of them in order to get the entire signa- elseifj isthelastpacketinthesegment ture. When a node receives the packet(s) that contains P(i;j)=data(i;j)H(i+1;1);i=1::N 1;j =K j (cid:0) sign(H(1;1)) and H(1;1), it decrypts the signature using the collection of secrets it has, and verifies H(1;1). else If all the signature verification are successful, it assumes P(i;j)=data(i;j)H(i;j+1);i=1::N;j =1::K 1 that the packet is truly from the base station. When a node j (cid:0) receives a data packet P(i;j), it can verify its authenticity andintegrityifandonlyifithasalreadyreceivedandverified H(i;j) from a previously received packet. Therefore, it Notethatthehashvalueiscomputedoverthe entirepacket, impliesthatthedatapacketshavetobeverifiedinorder. not just the data part. As shown in Figure 2, the hash val- ues of the packets construct a chain. The head of the hash However,packetsdonotarriveinthesameorderastheyare chain,i.e.,thehashvalueofthefirstpacket,issignedbythe sent due to packet losses and/or delay. If we require that basestation. Inouralgorithm,thebasestationsignsthefirst the data packetshave to be received/storedin sequentialor- 4 der,wehavetothrowawayalargeportionofthedatapack- whenadatapacketP(i,j)arrives ets that have been received. Our simulation results (as well ifP(i,j)isreceivedthefirsttime,i.e.,received(j)==0 as the results from [3,4]) show that if we require that the storeP(i,j):storedatapartinEEPROMandthehashvalue forthenextpacketinmemory,setreceived(j)to1 datapacketscanonlybereceivedandstoredinorder,repro- while((received(j)==1)and(j==verifiedPackets+1)) grammingprocesswillbedelayedsignificantly(thecomple- ComputeH(i,j) tiontimeforreprogrammingincreasesby6or7timesifwe ifcomputedH(i,j)==savedH(i,j)fromthepreviouspacket use the default segment size 128 packets/segment in MNP). verifiedPackets++,j++ else//thepacketcannotbeverified,henceisthrownaway Correspondingly, the energy consumption also increases by setreceived(j)to0,breakwhileloop a large amount. On the other hand, if out of order delivery endif is allowed then an adversary can mount a denial of service endwhile endif attackbysendingalargenumberofgarbagepackets,asstor- ingthepackets(toEEPROM,i.e.,theexternalflashofmotes) requiressignificantenergy. However,sincea moteclassad- versaryhaslimitedpowerandmessagetransmissionrequires Figure 3. Operation a node performs when it receives a significant energy, the adversary cannot launch such attack datapacketP(i,j) for a large duration. Therefore, in our design, we allow the packets that arrive out of order (within one segment) to be receivedandstoredimmediately. Inourprotocol,eachsensormaintainsareceivedvector(cor- MNP [13] as described in Section 3.2. We refer to the in- responds to MissingVector in MNP), which is a bitmap of tegrated protocol as SecureMNP. We simulate SecureMNP thecurrentsegment, indicatingwhichpacketshavebeenre- using TOSSIM. TOSSIM is a discrete event simulator for ceived. Allthebitsinthereceivedvectorareinitializedto0. TinyOSwirelesssensornetworks. InTOSSIM,thenetwork Onceasensorreceivesapacketforthefirsttime,itstoresthe is modeled as a directed graph. Each vertex in the graph is packet(thedatapart)inEEPROM,andsetsthecorrespond- a sensor node. Each edge has a bit-error rate, representing ing bit in received to 1. The hash value part of the packet theprobabilitywithwhichabitcanbecorruptedifitissent needs be bufferedin memory so that it can be retrievedfast alongthislink. for verification. Moreover, each sensor contains a variable, In our simulation, each segment has 128 data packets. The verifiedPackets, which is the number of packets the sensor simulationsareperformedinagridtopology.Theinter-node hasreceivedandverified. distanceis10feet. Duetothefactthattheexecutiontimeof When a sensor node receives a packet P(i;j), if the pre- eachsimulationisoforderoftensofhours,wedonotprovide vious packet has been verified, i.e., j = verifiedPackets+1, confidenceintervals. thenthenodecanverifypacketP(i;j)usingthesaved(and ThedefaultpayloadsizeofeachpacketinMNPis23bytes. verified) H(i;j) from the previous packet. If the verifica- In SecureMNP, each packet carries a 4-byte hash, which is tion is successful, the node will increase verifiedPackets by thehashvalueofthenextpacket. Hence,excludingthehash 1,andcontinueverifyingthenextreceived(butnotverified) value,theeffectivedatapayloadis19bytes.Therefore,inev- packet.(Whenwetalkaboutpreviousornextpacket,werefer erydatapacket,4outof23bytesofthepayloadisconsumed tothepreviousornextnodeonthe hashchain.) Thisverifi- in authentication. Therefore, in order to transmit a program cationprocesscontinuesuntilwereachamissingpacket. On ofcertainsize,moredatapacketsneedtobereceivedatevery the other hand, if the packet verification fails, the packet is sensor. thrownaway(i.e., received(j)is set to0), andthe verifica- We consider a 20x20 network, i.e., the number of sensors tionprocessstops. in the network is 400. We set r to be 2. In this case, the The operation a sensor performs when it receives a data packet P(i;j) (the jth packet in the ith segment) is shown base station contains 18 (i. e., 2log2400) secrets, and each sensorhas9secrets.AswedescribedinSection3.2,thebase inFigure3. station signs H(1;1) using all the secrets, and attaches all thesignaturesandH(1;1)in“StartDownload”messages. If sensors only verify the last bytes of the signatures, we only 4.Evaluation need 18 bytes for the signatures, and the signatures fit in a single packet. If two bytes of each signature are used, then In this section, we evaluate the performance of our secure thelength ofthe 18signaturesis36bytes. Inthiscase, two reprogramming protocol. We integrate our protocol with packetsfor“StartDownload”messagesneedtobesent. 5 Computationcost. Foreachprogramtobedistributed,the 1800 signatures are only signed at the base station once. Sen- 1600 sors verify the signatures once, i.e., when they start receiv- s)1400 ing the first segment. When a sensor forwards the program e ( m to its neighbors, it simply uses the signatures receivedfrom g Ti1200 n the base station. Therefore, the computation cost is mini- mi1000 m mized, as encryption or decryption is only performed once gra 800 o oneachsensoratthestartofreprogramming. Finally,while pr Re 600 hashcomputationisperformedforeverypacket,itisveryef- ficient(lessthan10msperpacket).Hence,hashcomputation 400 SecureMNP MNP alsodoesnotsignificantlyincreasethecomputationcost. 200 0 5 10 15 20 Program Size (KB) Memorycost. Ourauthenticationprotocolhasmemorycost in the following ways. First, the algorithm uses a variable Figure 4. Delayofauthenticationunderdifferentprogram verifiedPacketstokeeptrackofhowmanypacketshavebeen sizes. verified/authenticated. Second,logrnsecretsaremaintained ateachsensor.Whenrincreases,thenumberofsecretsmain- tainedatthesensordecreases. Ina20x20network,thenum- 350 3000 berofsecretsateachsensorisnomorethan9. Third,since 300 esrwnetaeoencerthdaeslshletooegagwsmsmhtepoevnarnaetc.tlkuacAeelotlsssntiwtthsaoeei5nb1hase2sa1ssrbu2heym8ctveeepaisvala.uecTed4ks-heabtefnsyo,hdtretahssthhtehoaesrvsephpadalavuccoaeekulseutthtcesoaaiftnisniobsurtesduheessedtreo,cdarwunetrddoe- Messages sent by a node11225050500000 SecureMNP Messages received by a node1122505050000000000 SecureMNP inmemoryifreprogrammingspeedisimportant. Fourth,the MNP MNP 00 5 10 15 20 00 5 10 15 20 signaturesfromthebasestationalsoneedtobesavedeitherin Program Size (KB) Program Size (KB) memoryorinflash. Fifth,theencryption/decryptionprocess (a) (b) consumessomeamountofmemory. Delay. We assume that the last two bytes of each signa- ture are used, then the collection of the signatures from the Figure5.Communicationcostofauthenticationunderdif- basestationarecontainedintwo“StartDownload”messages: ferentprogramsizes. “StartDownload1”and“StartDownload2”.Inordertogetthe entiresetofsignatures,eachnodeneedstoreceivebothmes- sages. Aswe allowpacketsto besaved beforeverified,and everypacket. InFigure5,weshowthatforagivenprogram hash values can be computed very fast, authentication pro- sizetobedistributed,themessagetransmissionandreception cessdoesnotaffectreprogrammingtimesignificantly.Given ofSecureMNPisabout20%higherthanthatofMNP. a certain number of data packets to be sent, the reprogram- ming time remains almost the same no matter whether the security protocol is used. The major overhead is the hash 5. RelatedWork values that are carried in data payload. As we have pointed outearlier,4outof23bytesdatapayloadinadatapacketare Inthissection,wereviewrelatedworkintheareasofnetwork usedforauthentication.Thesizeofcodeimagethatissentby reprogramming,authenticatedbroadcast,andsecurenetwork aMNPsegmentis2.94KB(128 23bytes).Bycontrast,the reprogramming. (cid:2) sizeofthecodeimagethatissentbyaSecureMNPsegment Network reprogramming. The work on network repro- is2.43KB(128 19bytes).InFigure4,weshowthatgivena (cid:2) gramming include MOAP [21], Deluge [7], MNP [13], In- certainamountofcodeimagetobesent,thereprogramming fuse [10], Sprinkler [17]. Although these protocols differ timerequiredbySecureMNPisonlyalittlehigherthanthat in manyaspects, such assuppressionschemes, transmission requiredbyMNP. scheduling,lossdetectionandrecoverymechanisms,theyare Communication cost. Similarly, the communication cost all designed to send the entire code image from one (or a requiredbySecureMNPisalittlehigherthanthatisrequired few)basestationtoallthesensorsinthenetwork. Although byMNPduetofactthatthehashvaluesthatareattachedwith weonlyshowedhowtointegrateourauthenticationprotocol 6 with MNP, it can be used with other reprogramming proto- 6. Conclusion cols as well. For example, if we want to authenticate Del- ugereprogrammingprocess,theonlydifferencecomparedto In this paper, we showed how authentication could be SecureMNP is that the signatures and the hash value of the achieved for reprogramming protocols in sensor networks. firstpacketareattachedwithadvertisementmessages,rather We used symmetric keydistribution algorithms from [5,11] than “StartDownload” messages in SecureMNP. Our proto- toensurethatthebasestationcancommunicatesecurelywith colcanalsobeusedtoauthenticateTDMAbasedreprogram- eachsensorinthenetwork. Basedonthesecurityofthekey ming protocols, such as Infuse [10] and Sprinkler [17]. In distribution, the reprogramming protocol allows sensors to this case, we can think of the whole program as a big seg- concludethatthecodeistrulytransmittedbythebasestation. ment.Theintegrationprocessisstraightforward. Thus,theywillnotacceptunauthorizedcode. Weillustrated Authenticated broadcast. A. Perrig et. al. proposed thisalgorithminthecontextoftheMNP[13]. Ourapproach TESLA[19]and(cid:22)TESLA[20]toprovidebroadcastauthen- canalsobeeasilyappliedtootherreprogrammingprotocols ticationthrougha hashchain. (cid:22)TESLAisdesignedtowork suchas[7,10]. Ourresultsshowthattheoverheadaddedin ontheresource-constrainedsensornodes. Itappliessymmet- terms of communication cost, increased delay and memory ric keys, and achieves asymmetry for authentication by de- footprintissmall. layingthedisclosureofthesymmetrickeys.BiBa[18]isan- Our focus in this paper was on mote-class adversary. Since otherprotocolthatperformsauthenticatedbroadcastviapre- suchadversaryhaslimitedenergy,itcannotuseextensivede- computedhashcollisionsandchains.However,allthesepro- nialofserviceattack. However,alaptop-classadversarycan tocols, TESLA, (cid:22)TESLA, and BiBa require loose time syn- mount a denial of service attack by sending garbage data to chronization,andhence,introduceadditionalconstraintsand the mote. In [4] authors providean approach for mitigating overhead. laptop-classadversarybyrequiringthatthesensorreceivethe Securenetworkreprogramming. Researchershaveshown datain order. Bythisrequirement, thesensorswillnotsave interestin secure networkreprogrammingrecently. P. Lani- any packets to EEPROM (an energy consuming operation) ganet. al.proposedSluice[14],whichalsousesahashchain unlessthepacketisauthenticated.However,thisrequirement for authentication. However, the hashes are verified on the increases the reprogrammingtime and energyusage signifi- segment level rather than at the packet level. Although the cantly,byasmuchas6to7times. (In[4], theuseofpublic computation,communicationandmemorycostarerelatively keyalso contributestoincreasedtime/energyusage.) More- less,Sluiceisvulnerabletosomeformofattacks,e. g.,asin- over,evenwiththisrequirement,alaptop-classadversarycan glebadpacketwillcausetheentiresegmenttobediscarded. causesignificantdamageasmessagetransmissionandrecep- P.Duttaet. al.[4]proposedaprotocol,calledSecureDeluge, tionisalsoveryenergyconsuming. which provides authentication through a packet level hash As discussed in Section 2, our algorithm is expected to be chain. InSecureDeluge,packetscanonlybereceived/stored especially valuable for security in sensor network testbed. in order. All the packets that arrive out of order are thrown Suchtestbed istypically physicallysecure, therebyprevent- away.Thisrequirementincreasesthedelayandmessagecost ing/mitigating laptop-class attackers. However, the testbed significantly, especially when the network is lossy. J. Deng typicallyrelinquishescontrolofindividualsensornodesthat et. al.[3]triestoaddresstheproblembysendingahashtree are used in an experiment. Thus, an experiment could be overthedatapacketsbeforesendingtheactualdatapackets. interferedbyothersensorsinthetestbed. Ouralgorithmpro- Aftersensorshavereceivedtheentirehashtree,theycanre- vides protection from such interference/attacks with a low ceive/verifydata packets that arriveout of order. Receiving overhead. thehash treeitself requiresa partial order. Andsending the Since the key distributionprotocol usedin thisapproach al- hash tree over the radio increases communication cost. In lowstradeoffbetweenthenumberofsecretsandlevelofcol- ourprotocol,weallowthepacketsthatareoutofordertobe lusionresistance,thedesignercanchooseappropriateparam- saved and wait for verification later. All these three proto- eters to determine the desired level of collusion resistance. colsmentionedabovearebasedonthepublickeyalgorithm. In our experiments, for simplicity, we used the base r = 2 By contrast, our protocol is symmetric key based. We have therebychoosingtheleastnumberofsecretsatthebasesta- shown that our algorithm authenticates reprogramming pro- tion. However, if higher collusion resistance is desired, the cesswithoutaddingmuchdelayandcost. designer can choose higher base; for example, for a 20x20 network(400sensors),ifr = 10isusedthenthenumberof secretsmaintainedatthebasestationincreasesto30(ascom- pared to18 whenr = 2). Moreover,sincethese secretsare 7 usedonly a fewtimesduringreprogramming, itwill notaf- [12] S.S.Kulkarni, M.G.Gouda, andA. Arora. Secret instanti- fectthereprogrammingcost(time/energy)significantly. Ad- ation in ad hoc networks. Special Issue of Elsevier Journal ditionally, with increased value for r, the number of secrets ofComputerCommunicationsonDependableWirelessSensor atthesensorisreduced. Thus,providinghigherlevelofcol- Networks,2005. lusionresistancedoesnotadverselyaffectthesensors. [13] S.S.KulkarniandL.Wang. MNP:Multihopnetworkrepro- grammingserviceforsensornetworks. InProceedingsofthe 25thInternationalConferenceonDistributedComputingSys- References tems(ICDCS),pages7–16,June2005. [14] P. E. Lanigan, R. Gandhi, and P. Narasimhan. Sluice: Se- [1] A.Arora,E.Ertin,R.Ramnath,W.Leal,andM.Nesterenko. cure dissemination of code updates in sensor networks. the Kansei: Ahigh-fidelity sensingtestbed. IEEEInternetCom- 26th International conference on distributed computing sys- puting,specialissueonLarge-ScaleSensorNetworks,March tems(ICDCS06),July2006. 2006. [15] P. Levis, N. Lee, M. Welsh, and D. Culler. Tossim: Ac- [2] J. Deng, R. Han, and S. Mishra. Practical study of transi- curate and scalable simulation of entire tinyos applications. tory master key establishment for wireless sensor networks. In Proceedings of the First ACM Conference on Embedded the 1st IEEE/CreateNet Conference on Security and Privacy NetworkedSensorSystems(SenSys2003), LosAngeles,CA, inCommunicationNetworks(SecureComm), pages289–299, November2003. September2005. [16] D.Malan,M.Welsh,andM.Smith. Apublic-keyinfrastruc- [3] J.Deng, R.Han, and S.Mishra. Securecodedistributionin tureforkeydistributionintinyosbasedonellipticcurvecryp- dynamicallyprogrammablewirelesssensornetworks.theFifth tography. the 1st IEEE International Conference on Sensor InternationalConferenceonInformationProcessinginSensor andAdHocCommunicationsandNetworks,2004. Networks(IPSN),April2006. [17] V.Naik,A.Arora,P.Sinha,andH.Zhang. Sprinkler: Areli- [4] P.K.Dutta,J.W.Hui,D.C.Chu,andD.E.Culler. Securing ableandenergyefficient datadisseminationserviceforwire- the deluge network programming system. the Fifth Interna- lessembeddeddevices. ToappearinProceedingsofthe26th tional Conference on Information Processing in Sensor Net- IEEEReal-TimeSystemsSymposium,December2005. works(IPSN),April2006. [5] M.Gouda,S.Kulkarni,andE.Elmallah. Logarithmickeying [18] A.Perrig. Thebibaone-timesignatureandbroadcastauthen- ofcommunicationnetworks.TheEighthInternationalSympo- ticationprotocol. ProceedingsoftheEighthACMConference siumonStabilization,Safety,andSecurityofDistributedSys- onComputerandCommunicationSecurity(CCS-8),Novem- tems,November2006. ber2001. [6] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz. [19] A.Perrig,R.Canetti,J.Tygar,andD.X.Song. Efficient au- Comparing elliptic curve cryptography and RSA on 8-bit thenticationandsigningofmulticaststreamsoverlossychan- CPUs. the 6th International Workshop on Cryptographic nels. IEEESymposiumonSecurityandPrivacy,pages56–73, HardwareandEmbeddedSystems(CHES04),August2004. May2000. [7] J.W.HuiandD.Culler. Thedynamicbehaviorofadatadis- [20] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar. seminationprotocolfornetworkprogrammingatscale.InPro- SPINS:Securityprotocolsforsensornetworks. Seventh An- ceedingsofthesecondInternationalConferenceonEmbedded nualInternationalConferenceonMobileComputingandNet- Networked Sensor Systems (SenSys 2004), Baltimore, Mary- works(MobiCOM2001),July2001. land,2004. [21] T.Stathopoulos,J.Heidemann,andD.Estrin. Aremotecode [8] C.Karlof,N.Sastry,andD.Wagner. Tinysec:Alinklayerse- update mechanism for wireless sensor networks. Technical curityarchitectureforwirelesssensornetworks. the2ndACM report,UCLA,2003. ConferenceonEmbeddedNetworkedSensorSystems(Sensys), November2004. [9] J.Kulik,W.Heinzelman,andH.Balakrishnan. Negotiation- basedprotocolsfordisseminatinginformationinwirelesssen- sornetworks. WirelessNetworks,8:169–185,2002. [10] S. S. Kulkarni and M. Arumugam. Infuse: A tdma based datadisseminationprotocolforsensornetworks.International JournalonDistributedSensorNetworks(IJDSN),2(1):55–78, 2006. [11] S.S.KulkarniandM.G.Gouda. Anoteoninstantiatingse- curityinsensornetworks. Availableathttp://www.cse. msu.edu/˜sandeep/securitydistribution/. 8

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.