WIRELESS NETWORKS SECURITY ISSUES
Rituparna Chaki
Visiting Professor
at
AGH University of Sc. & Tech
rchaki@ieee.org
Passive attacks
• An attacker does not actively participate in decreasing the network performance.
• It collects information about
  • the source node,
  • the destination node,
  • and the route established between them.
Active attacks
Disrupt the packets that are destined for other nodes in the network.
Attackers offer an attractive route to the destination node, so the source node can easily choose that path for packet forwarding.
Then the malicious node collects all the packets and destroys them, drops them, or forwards them on a false route.
The destination node does not receive the packets sent by the source node.
Host-based attacks
 User compromise: This involves compromising the
users
 Hardware compromise: This involves tampering with
the hardware to extract the program code, data and
keys stored within a sensor node. The attacker might
also attempt to load its program in the compromised
node.
 Software compromise: This involves breaking the
software running on the nodes.
Network-based attacks
Layer-specific attacks
Protocol-specific attacks.
It includes the attacks such as attack on information in
transit and deviating from protocol
Layer-Specific Attacks
[Figure: attacks grouped by protocol layer. Group labels: Application Layer, Transport Layer, Network Layer, Multilayer. Attacks shown: rushing attack, sleep deprivation, wormhole, blackhole, routing cache poisoning, eavesdropping, SYN flooding, session hijacking, malicious code, denial of service, impersonation, man-in-the-middle]
Layer Specific Attacks
• An attacker can employ signal jamming at the physical layer, which disrupts normal communications.
• At the link layer, malicious nodes can occupy channels through the capture effect, which takes advantage of the binary exponential scheme in MAC protocols and prevents other nodes from channel access.
• At the network layer, the routing process can be interrupted through routing control packet modification, selective dropping, table overflow, or poisoning.
• At the transport and application layers, SYN flooding, session hijacking, and malicious programs can cause DoS attacks.
Attacks depending on the Technique
Consequence of Attack | Attack Techniques
Blackhole | False Source Route, Maximum Sequence, Rushing
Selfishness & Denial-of-Service | Packet Dropping
Sleep Deprivation | Malicious Flooding
Routing Loop | Spoofing
Location Disclosure | Cache poisoning
Information Theft | Worm Hole
Blackhole Attack
The malicious node (M) induces a possible routing link between the attack-targeted devices (call them S and D); then M emits protocol-compliant messages that lead both S and D to choose that link for their communications.
[Figure: blackhole attack topology showing nodes S, D, A, B, C, E, F and the malicious node M]
Wormhole attack
• Two attackers, connected by a high-speed off-channel link, are strategically placed at different ends of a network.
• These attackers then record the wireless data they overhear, forward the data to each other, and replay the packets at the other end of the network.
[Figure: wormhole attack topology showing nodes S, D, A, B, C, E, F and the two attackers M1 and M2]
SYN flooding attack
• The attacker creates a large number of half-opened Transmission Control Protocol (TCP) connections with a victim node, but never completes the handshake to fully open the connection.
• The nodes are allowed to communicate only when the connection is fully opened. A half-opened connection prevents any further communication.
[Figure: SYN flooding between a Source and a Sink]
Malicious code attacks
• Caused by viruses, worms, spyware, and Trojan horses. They can attack both operating systems and user applications. These malicious programs can usually spread themselves through the network and cause the computer system and network to slow down or even be damaged.
• In WAN, an attacker can produce attacks similar to those of the mobile system of the ad-hoc network.
Viruses, worms, trojans, …
• Code that breaks your security policy.
• Characteristics:
  • Attack vector:
    • Social engineering (make them want to run it)
    • Vulnerability exploitation (force your way into the system)
    • Piggybacking (make it run when other programs run)
  • Payload: makes use of flaws in software input handling, e.g. buffer overflow attacks.
Identity theft (or MAC spoofing)
• Occurs when a malicious user listens in on network traffic and identifies the MAC address of a computer with network privileges.
• Most wireless systems allow some kind of MAC filtering so that only authorized computers with specific MAC IDs can gain access to and use the network.
• However, a number of programs exist that have network “sniffing” capabilities.
Man-in-the-middle in wireless LAN
• The attacker entices computers to log into a device which is set up as a soft AP (Access Point).
• Once this is done, the hacker connects to a real access point through another wireless card, offering a steady flow of traffic through the transparent hacking computer to the real network.
• The hacker can then sniff the traffic. One type of man-in-the-middle attack relies on security faults in challenge and handshake protocols to execute a “de-authentication attack”.
Denial of Service Attack
• Prevents legitimate users of a service from using that service.
• A selfish node is not actually keen to attack the other nodes.
• It expects other nodes to forward packets on its behalf. The reason behind this is “saving one’s own resource”: saving battery power and CPU cycles, or protecting wireless bandwidth in a certain direction.
[Figure: DoS attack taxonomy. Branch labels: Physical Layer, MAC Layer. Leaf labels: Unintentional (Interference), shown twice; Intentional (Jamming); Intentional (Masquerading)]
Jamming attack
• Perpetrated using a broadband jammer device that essentially consumes the bandwidth with signals having relatively high amplitude.
• A jamming device or a compromised node relentlessly transmits radio signals with the intention of blocking legitimate access to the medium and/or interfering with reception at receiving nodes.
• The intention of the attacker is to cause disruption in the data communication, resulting in excessive power consumption and long waiting times.
Jamming techniques
 Constant jamming wherein radio signals are emitted
continuously. This type of jamming causes two things:
 The signals from the jammers keep the medium busy
and therefore transmissions are deferred at the
transmitting node, and/or
 At the receiving node reception is interfered with due to
the signals transmitted by the jammers.
 Deceptive jamming wherein the radio signals are
continuously transmitted with regular intervals.
Counter-jamming
 Avoidance, detection and mitigation.
 Avoid it completely by switching over to a wired
medium or moving the AP and/or devices away from
the range of jamming devices.
Solution: Continuous monitoring
 The mechanism consists of a subset of nodes as network monitors and a
detection algorithm at each monitoring node.
 Probability of collision is observed at each monitoring node to detect
the presence of jamming.
 A period of normal network functioning under the absence of jammer is
considered for training.
 During this training period, the probability of collision is carefully
studied as a long-term average of the ratio of number of slots in which
there was collision over the total number of slots in training period.
 During the real-time operation, the probability of collision observed is
compared with the learned long-term average from the training period.
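A sketch of the monitoring-node logic described above, as an added example that is not part of the original slides. The window size, the z-score alarm margin and the constructed slot traces are assumptions; the slides only state that the observed collision probability is compared with the trained long-term average.

```python
import math
from collections import deque


class CollisionMonitor:
    """Collision-probability jamming detector for one monitoring node."""

    def __init__(self, window=200, z=3.0, min_margin=0.02):
        self.window = window          # slots per real-time estimate (assumed)
        self.z = z                    # alarm margin in standard deviations (assumed)
        self.min_margin = min_margin  # floor on the margin when the baseline is ~0
        self.baseline = None          # long-term average learned in training
        self._recent = deque(maxlen=window)

    def train(self, slots):
        """Learn the baseline: collided slots / total slots, jammer absent."""
        slots = [bool(s) for s in slots]
        if not slots:
            raise ValueError("training period contains no slots")
        self.baseline = sum(slots) / len(slots)
        return self.baseline

    def threshold(self):
        """Collision probability above which the window counts as jammed."""
        if self.baseline is None:
            raise RuntimeError("train() must run before monitoring")
        p = self.baseline
        # Standard deviation of a proportion estimated over `window` slots.
        sigma = math.sqrt(p * (1.0 - p) / self.window)
        return p + max(self.z * sigma, self.min_margin)

    def observe(self, collided):
        """Feed one real-time slot; return True when the alarm should fire."""
        self._recent.append(bool(collided))
        if len(self._recent) < self.window:
            return False              # not enough slots for an estimate yet
        observed = sum(self._recent) / self.window
        return observed > self.threshold()


def first_alarm(training, live, window=200):
    """Index of the first live slot that raises the alarm, or None."""
    monitor = CollisionMonitor(window=window)
    monitor.train(training)
    for index, collided in enumerate(live):
        if monitor.observe(collided):
            return index
    return None


# Constructed traces (True = collision in that slot), not measurements.
TRAINING = [i % 10 == 0 for i in range(1000)]       # 10% collisions, no jammer
NORMAL = [i % 10 == 0 for i in range(400)]          # same behaviour in operation
JAMMED = NORMAL + [i % 2 == 0 for i in range(200)]  # jammer starts at slot 400

if __name__ == "__main__":
    print("normal trace alarm:", first_alarm(TRAINING, NORMAL))
    print("jammed trace alarm at slot:", first_alarm(TRAINING, JAMMED))
```

The sliding window trades detection delay against false alarms: a shorter window reacts sooner after the jammer starts but widens the margin needed above the baseline.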
[Figure: MAC-layer attack taxonomy with the labels Masquerading, Resource Exhaustion, Authentication Flooding, De-authentication Flooding, De-association Flooding, Probe request flooding, Association Flooding]
Resource exhaustion attacks
 A wireless client regularly scans the wireless environment
around to find out the presence of APs in the vicinity by
broadcasting probe requests.
 On receiving a probe request from a client, APs respond to
probe requests by sending out information about their
wireless network to facilitate the client to authenticate and
then associate with them.
 An attacker targets APs by sending out large volumes of
probe requests by faking MAC address in each request
Probe-request flooding
 This tricks APs to believe that they have been receiving
probe requests from several wireless clients.
 APs forced to respond to these requests which in turn
increases processor and memory utilization.
 When legitimate clients send probe requests, response to
such request is delayed.
 Eventually when all the memory and processing resources
are consumed, requests from legitimate clients are no
longer served.
Authentication flooding
 Attacker can inundate APs with requests by sending
bursts of request frames, each holding a spoofed
MAC address.
 Each such frame tries to authenticate a client to an
AP.
 AP commits its processor to serve the requests,
allocates memory to maintain state table.
 APs fail to respond to authentication requests coming
from legitimate clients.
De-authentication Flooding attack
• A client has to authenticate itself with the AP.
• The de-authentication message is part of the whole authentication process, through which clients and APs can request to de-authenticate from each other.
• There is no secure authentication method employed for this. Therefore an attacker can easily spoof a de-authentication message.
• An attacker sends spoofed de-authentication messages to an AP with the MAC address of its clients.
• On receiving this message, the AP de-authenticates and then de-associates the client whose MAC address is specified in the de-authentication message.
• The de-authentication message from AP to client(s), which essentially means that the AP is terminating the connection, is also spoofed.
• In order to carry this out, an attacker must first spoof the MAC address or the BSSID of the AP.
• The former is used to target a particular client while the latter is used to target multiple clients.
• A sustained attack can prevent client(s) from connecting to an AP.
• The de-authentication flooding attack is used as the first stage of a multi-level attack.
• This attack is carried out for many reasons:
  • To capture a hidden SSID, because SSIDs are sometimes cloaked and not broadcast.
  • To capture the authentication handshake between client(s) and AP.
  • To generate ARP frames for carrying out a WEP replay attack.
  • To trick clients into connecting to a rogue AP or honeypot AP. These attacks are carried out at the higher layers of the network protocol.
Dis-association Flooding attack
• An association message is exchanged between a client and an AP to associate the client with the AP.
• A dis-association message, when sent or exchanged, dis-associates a client from the AP.
• There is no authentication in place for exchanging these messages.
• This vulnerability is exploited in a similar fashion to that in the authentication protocol.
• An attacker sends a spoofed message to an AP; on receiving the message, the AP dis-associates the client whose MAC address is mentioned in the message.
Sybil attack
• At the physical layer:
  • Nodes are vulnerable to tampering or physical harm.
  • A single node duplicates itself and is present in multiple locations. The Sybil attack targets fault-tolerant schemes such as distributed storage, multipath routing and topology maintenance.
• In a Sybil attack, a single node presents multiple identities to other nodes in the network.
• Authentication and encryption techniques can prevent an outsider from launching a Sybil attack on the sensor network.
Flooding & de-synchronization attack
• In the case of flooding, many connection requests are sent until the resources required by each connection are exhausted or reach a maximum limit.
• Eventually the node’s resources are exhausted, rendering it useless.
• In the de-synchronization attack, the attacker repeatedly forges messages to one or both end points, requesting transmission of missed frames.
• These messages are then retransmitted, and if the attacker maintains proper timing, it can prevent the end points from exchanging any useful information.
Application Layer specific Attacks
 Path based DoS, Overwhelm attack, Deluge or reprogram attack.
 Path based DoS attack involves sending extra or replayed
packets into the network on the leaf nodes. This occupies the
resources of the entire network and starves the legitimate
traffic.
 In Overwhelm attack, an attacker might attempt to overwhelm
network nodes with sensor stimuli, causing the network to
forward large volumes of traffic to a base station.
 This attack also consumes network bandwidth and drains node
energy.
 In Deluge (reprogram) attack, Network programming system
lets you remotely reprogram nodes in deployed
Security Management Schemes
Low-Level
• Key Establishment
• Robustness in Communication
• Secrecy & authentication
• Privacy
• Secure Routing
• Resilience
High Level
• Secure Data aggregation
• Intrusion Detection
• Secure Group Management
Key-establishment
 Setting up of the symmetric keys.
 Communication patterns can be unicast, local
broadcast and global broadcast. T
 Node keys, cluster keys and network keys.
The disadvantage of this approach is that there is no
tamper resistance and the attackers can generate all
the keys and break the privacy of the network.
Secrecy & Authentication
• Cryptography is the standard technique for defense.
• For point-to-point communication, end-to-end cryptography achieves a high level of security but requires that keys be set up among all end points, and it is incompatible with passive participation and local broadcast.
Privacy
• Like other traditional networks, sensor networks also have to address privacy concerns. There are many risks to sensor networks, such as illegitimate users accessing the network in unanticipated ways. Providing awareness of the presence of sensor nodes and data acquisition is particularly important. A lot of research needs to be done in this area so as to provide valid security schemes for protecting sensor networks.
Robustness to communication denial
of service & Secure Routing
 Sensor networks should already be designed to continue
functioning even in the presence of faults. This robustness
against physical challenges may prevent some classes of
DoS attacks.
 Current sensor routing protocols suffer from many security
vulnerabilities such as jamming of the network.
 Sensor networks are particularly susceptible to node-
capture attacks. The simplest attacks involve injecting
malicious routing information into the network, resulting in
routing inconsistencies.
Resilience to node capture
 Most applications deploy sensors in the locations that are
easily accessible to attackers.
 An attacker can have illegal access to the network and
might capture sensor nodes, extract cryptographic secrets,
modify their programming, or replace them with malicious
nodes under the control of the attacker.
 Some of the defense techniques are Tamper-resistant
packaging, Algorithmic solutions, Hashing technique, and
gathering of multiple redundant views of the environment
to cross check them for consistency.
Secure group management
• Due to the nature of communication, limited computing power and the kind of data the sensors are going to handle, it is important to have the capability in the network to establish trusted communication.
• It is important to form secure groups in a sensor network with low communication complexity and to provide an efficient solution for maintaining such multicast groups.
• In-network data aggregation and analysis can be performed by groups of nodes.
Intrusion detection
 An intrusion can be defined as a set of activities that
can lead to an illegitimate access or alteration of
information in a certain system.
 Intrusion Detection Systems monitor the networks,
detect any possible intrusions and send the alert
message to the user.
Philip R. "Phil" Zimmermann, Jr. is the creator of Pretty Good Privacy, the most widely used email encryption software in the world.
VoIP encryption protocols, notably ZRTP and Zfone
PGP
• Authentication, confidentiality, compression, e-mail compatibility, and segmentation.
• Authentication = digital signatures
• Confidentiality = encrypting messages to be transmitted or to be stored locally as files.
Services
• Digital signatures are used for introduction.
• When any user signs another user's key, he or she becomes an introducer of that key.
• As this process goes on, a web of trust is established.
• Self-issued certificates: users distribute certificates themselves, without the involvement of any certificate authority.
Web-of-trust authentication model
1. One-time session conventional keys
2. Public keys
3. Private keys
4. Passphrase-based conventional keys
Session Key Generation
1. Each session key is associated with a single message
and is used only for the purpose of encrypting and
decrypting that message.
Keys
 PGP provides a pair of data structures at each node, one
to store the public/private key pairs owned by that node
and one to store the public keys of other users known
at this node.
These data structures are referred to, respectively, as
private-key ring and the public-key ring.
Timestamp: the date/time when this key pair was
generated.
Key ID: The least significant 64 bits of the public key for
this entry.
• Message encryption/decryption is done with a symmetric encryption algorithm: CAST-128, IDEA (128 bits), TDEA (168 bits).
• The PGP session keys are obtained from a random number generator called ANSI X9.17 (see appendix 5C, p. 167).
• An encrypted message is accompanied by an encrypted form of the session key that was used. The session key itself is encrypted with the recipient’s public key. Hence, only the recipient will be able to recover the session key and therefore recover the message.
A user may have several public/private key pairs.
For this reason PGP associates an identifier with
each public key that is unique at least within one
user.
Timestamp : the time at which the signature was
made.
Leading two octets of message digest: To enable
the recipient to determine if the correct public
key was used to decrypt the message digest.
 Partially-distributed certificate authority makes use of
a (k,n) threshold scheme to distribute the services of
the certificate authority to a set of specialized server
nodes.
 Fully-distributed certificate authority extends the idea
of the partially-distributed approach by distributing
the certificate services to every node
Principles
1. To achieve availability, take advantage of redundancies in the network topology.
2. Distribute trust to an aggregation of nodes:
• No single node is trustworthy.
• Assume that any t+1 nodes are unlikely to all be compromised, so the consensus of at least t+1 nodes is trustworthy.
Zhou L, Haas ZJ (1999) Securing Ad Hoc Networks. In: IEEE Network special issue on network security. USA: 13(6): 24-30
• A public key infrastructure may be adopted.
• Each node has a public/private key pair.
• Public keys are distributed to other nodes.
• Private keys are confidential to individual nodes.
• Usually with such an infrastructure, there is a trusted entity known as a
Certificate Authority (CA).
• This authority has a public/private key pair.
• It signs certificates binding public keys to nodes.
• E registers its public key with the CA.
• E provides “proof of identity” to the CA.
• The CA creates a certificate binding E to its public key.
• The certificate contains E’s public key digitally signed by the CA: the CA says “This is E’s public key.”
• The CA has to stay online to reflect the current bindings, because the bindings can change.
• The CA is a vulnerable point of the network.
• It may not be possible to maintain a single CA online.
• Compromise of the CA could lead to disaster.
• Furthermore, if the CA is down, nodes cannot get the current public keys of other nodes.
• One solution is to replicate the CA.
• But a blind replication could lead to more problems: more vulnerability.
• Distribute trust to a set of nodes by letting these nodes share the key management responsibility.
• Distributed public key trust management service, based on threshold cryptography.
• An (n, t+1) threshold cryptography scheme allows n parties (n servers, of which t may be compromised) to share the ability to perform a cryptographic operation (such as a digital signature).
• Assumptions:
• No bounds on message delivery and message processing times.
• Reliable links: no fading or such.
• The system as a whole has a public/private key pair.
• All nodes in the network have this public key.
• They are able to decrypt messages that are encrypted (signed) using the private key and trust that these messages are authentic.
• Nodes can submit “query” requests to obtain other clients’ public keys.
• There are n special nodes that are called shareholders.
• Each server has its own key pair and stores the public keys of all nodes in the network.
• (t+1) out of n shareholders have the ability to compute the private key by combining their partial keys, but not fewer than (t+1).
• In order to obtain the private key, (t+1) nodes must be compromised.
The Configuration
• The private key of the service is now divided into n shares (s1, s2, ... sn).
• Each server gets one share. Each server also has a key pair Ki/ki (public and private key).
• For the service to sign a certificate, each server generates a partial signature for the certificate using its private key share.
• This is then submitted to a combiner.
• Any server could be a combiner. To ensure that a compromised node cannot prevent a signature from being generated, one can think of doing the combining at at least t+1 nodes.
• For the service to tolerate t compromised servers, we employ an (n, t+1) threshold cryptography scheme.
• With (t+1) partial signatures the combiner is able to compute the signature for the certificate.
The Method: Threshold Cryptography
• We have 3 servers i.e., n = 3.
• Each has a share of the key
k.
• We can tolerate up to 1
failure.
• Correct servers 1 2 and 4
generate partial signatures
but 3 does not.
• C is still able to generate
the signature of m signed by
the service private key k.
[Figure: threshold signing of message m. Labels: server 1, server 2, server 3, server 4, shares S1, S2, S3, combiner C]
• Incorrect partial signatures can be identified by the combiner using the public key of the service.
• If any of the first (t+1) shares that the combiner chooses fails, it chooses a different set and tries to construct the correct signature.
• It continues until it can do so.
• The key management service also employs share refreshing to tolerate “mobile” adversaries and to adapt its configuration to changes in the network.
• A mobile adversary temporarily compromises a server and then moves to the next victim.
• A mobile adversary might be able to compromise all the servers over a long period of time (e.g. viruses).
Share Refreshing
• Compromised servers may be detected and excluded, but the adversary could still gather more than t shares of the private key from compromised servers over time. That would allow the adversary to generate any valid certificates signed by the private key.
• Countermeasure: a proactive threshold cryptography scheme.
• Mobile adversaries may temporarily compromise a server and move to the next victim and so on.
• Over time, it is possible that the adversary may achieve the compromise of more than t servers.
• In order to counter mobile adversaries, share refreshing may be used.
• Share refreshing enables servers to compute new shares from old ones in collaboration without disclosing the service private key to any server.
• After this process, servers remove the old shares and use the new ones to generate partial signatures.
• A proactive threshold cryptography scheme uses share refreshing.
• That enables servers to compute new shares from old ones in collaboration without exposing the service private key to any server.
• The new shares compose a new (n, t+1) sharing of the service private key.
• Refreshing is done periodically.
• Servers remove the old shares after refreshing and start to use the new shares.
The adversary has to compromise t+1 servers every time after refreshing, again and again …
• Each server i that is correct randomly generates shares of a key $(s_{i1}, s_{i2}, \ldots, s_{ij}, \ldots, s_{in})$, which is an (n, t+1) sharing of its key.
• The newly generated share $s_{ij}$ is then sent to server j via a secure link.
• When server j gets the sub-shares $s_{1j}, s_{2j}, \ldots, s_{nj}$, it can generate a new share from these sub-shares and its old share: $s'_j = s_j + \sum_{i=1}^{n} s_{ij}$.
• This is based on the property that the new sharing has the same sharing properties.
Working of share refreshing
• Share refreshing can be done even if the number of sharing servers is different, i.e., n' instead of n. An (n', t'+1) sharing is then achieved.
• This allows dynamic changing of the key sharing service, as required in an ad hoc network.
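The refresh arithmetic above, worked through as an added example (not code from the slides or from Zhou and Haas). It assumes Shamir's polynomial sharing as the (n, t+1) scheme and that each server's sub-shares form a sharing of zero, which is what leaves the service key unchanged; `deal`, `combine`, `refresh`, `demo` and the field prime are names and choices made here.

```python
import secrets

# Prime field for the shares; 2**127 - 1 is a Mersenne prime (example choice).
P = 2**127 - 1


def _eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def deal(secret, n, t):
    """(n, t+1) sharing: server j in 1..n gets f(j), where f is a random
    polynomial of degree t with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return {j: _eval(coeffs, j) for j in range(1, n + 1)}


def combine(shares):
    """Lagrange interpolation at x = 0 over a {server_id: share} subset.
    Used here only to check the invariant; the real service combines
    partial signatures and never rebuilds the key in one place."""
    total = 0
    for j, s_j in shares.items():
        num = den = 1
        for m in shares:
            if m != j:
                num = num * (-m) % P
                den = den * (j - m) % P
        total = (total + s_j * num * pow(den, -1, P)) % P
    return total


def refresh(shares, t):
    """One refresh round for servers numbered 1..n: every server i deals
    sub-shares s_i1..s_in of zero, and server j computes
    s'_j = s_j + sum_i s_ij (mod P)."""
    n = len(shares)
    new = dict(shares)
    for _dealer in shares:
        sub = deal(0, n, t)            # s_i1 .. s_in, sent over secure links
        for j in new:
            new[j] = (new[j] + sub[j]) % P
    return new


def demo(n=3, t=1):
    """Default matches the slides' example: n = 3 servers, tolerate 1."""
    key = secrets.randbelow(P)         # stands in for the service private key
    old = deal(key, n, t)
    new = refresh(old, t)
    quorum = list(range(1, t + 2))     # any t+1 servers
    # Mobile adversary: t shares stolen before the refresh, one after it.
    mixed = {j: old[j] for j in quorum[:-1]}
    mixed[quorum[-1]] = new[quorum[-1]]
    return {
        "old_quorum": combine({j: old[j] for j in quorum}) == key,
        "new_quorum": combine({j: new[j] for j in quorum}) == key,
        "mixed_epochs": combine(mixed) == key,
    }


if __name__ == "__main__":
    print(demo())
```

Shares taken from different refresh periods do not combine to the key, which is why the adversary has to compromise t+1 servers within a single period.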
 Pre-establishment of a distributed central authority
requires huge computational complexity, and
asymmetric key cryptographic operations consume
huge battery power.
The Problem?
Ant Algorithms
Natural behaviour of ants
• Artificial 'ants' - locate optimal solutions by moving
through a parameter space representing all possible
solutions,
• lay down pheromones to direct each other to
resources.
Trust Document Distribution
Ant-Based Evidence Distribution
(ABED) –Certification Table
Types of Ants
• A special reinforcement rule, comparable with a learning rule, is the heart of ABED.
• Backward ants have the ability to induce certificate table modifications to perform changes.
ABED reinforcement rules
Distributed Trust Computation Model
Simple distributed trust computation
Policy
Trust Graph
Trust Revocation
• We have talked about intrusion prevention schemes.
• This means that these schemes are proactive in nature; they
know that there are adversaries and try to prevent them from
creating chaos in the system.
• But this is not enough
• We have not even come close to overcoming some of the
attacks that might occur in ad hoc networks.
• If the attacks do occur, there have to be methods of detecting them and recovering from them.
• This is usually referred to as Intrusion Detection.
• So far nothing done to prevent denial of service attacks at
MAC layer.
• Ad hoc routing protocols are co-operative. They are
therefore vulnerable – network operations can go topsy
turvy upon attack.
• How is the secure link established in the first place for
sharing of keys ?
• Are there even attacks that we have not yet thought of ?
• Questions that are yet to be answered
Still more problems
Thank you

 
Different Types of Attacks and Detection Techniques in Mobile Ad Hoc Network
Different Types of Attacks and Detection Techniques in Mobile Ad Hoc NetworkDifferent Types of Attacks and Detection Techniques in Mobile Ad Hoc Network
Different Types of Attacks and Detection Techniques in Mobile Ad Hoc Network
 
Network Security & Attacks
Network Security & AttacksNetwork Security & Attacks
Network Security & Attacks
 
K1803036872
K1803036872K1803036872
K1803036872
 
Jamming Anticipation and Convolution through Immaculate Hiding Process of Pac...
Jamming Anticipation and Convolution through Immaculate Hiding Process of Pac...Jamming Anticipation and Convolution through Immaculate Hiding Process of Pac...
Jamming Anticipation and Convolution through Immaculate Hiding Process of Pac...
 
INTRUSION IDENTIFICATION IN MANET USING ENHANCED ADAPTIVE ACKNOWLEDGEMENT
INTRUSION IDENTIFICATION IN MANET USING ENHANCED ADAPTIVE ACKNOWLEDGEMENTINTRUSION IDENTIFICATION IN MANET USING ENHANCED ADAPTIVE ACKNOWLEDGEMENT
INTRUSION IDENTIFICATION IN MANET USING ENHANCED ADAPTIVE ACKNOWLEDGEMENT
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)
 

Recently uploaded

College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxthe ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxhumanexperienceaaa
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 

Recently uploaded (20)

Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxthe ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 

aGHLecture2_2017.pptx

  • 1. WIRELESS NETWORKS SECURITY ISSUES Rituparna Chaki Visiting Professor at AGH University of Sc. & Tech rchaki@ieee.org
  • 2. Passive attacks  An attacker does not actively participate in decreasing the network performance.  It collects information about  the source node,  the destination node,  and the route established between them.
  • 3. Active attacks: Disrupt the packets that are destined for other nodes in the network. Attackers offer an attractive route to the destination node, so the source node can easily choose that path for packet forwarding. Then the malicious node collects all the packets and destroys them, drops them, or forwards them on a false route. The destination node does not receive the packets sent by the source node.
  • 4. Host-based attacks  User compromise: This involves compromising the users.  Hardware compromise: This involves tampering with the hardware to extract the program code, data and keys stored within a sensor node. The attacker might also attempt to load its program in the compromised node.  Software compromise: This involves breaking the software running on the nodes.
  • 5. Network-based attacks: Layer-specific attacks; Protocol-specific attacks. These include attacks such as attacks on information in transit and deviation from the protocol.
  • 6. Layer-Specific Attacks Application Layer Transport Layer Network Layer Rushing attack Sleep deprivation Wormhole Blackhole Routing cache poisoning Eavesdropping SYN flooding Session hijacking Malicious code Denial of service Multilayer Impersonation Man-in-the-middle
  • 7. Layer Specific Attacks  An attacker can employ signal jamming at the physical layer, which disrupts normal communications.  At the link layer, malicious nodes can occupy channels through the capture effect, which takes advantage of the binary exponential scheme in MAC protocols and prevents other nodes from channel access.  At the network layer, the routing process can be interrupted through routing control packet modification, selective dropping, table overflow, or poisoning.  At the transport and application layers, SYN flooding, session hijacking, and malicious programs can cause DoS attacks.
  • 8. Attacks depending on the Technique Consequence of Attack Attack Techniques Blackhole False Source Route, Maximum Sequence, Rushing Selfishness & Denial-of-Service Packet Dropping Sleep Deprivation Malicious Flooding Routing Loop Spoofing Location Disclosure Cache poisoning Information Theft Worm Hole 8
  • 9. Blackhole Attack: The malicious node (M) induces a possible routing link between the attack-targeted devices (call them S and D); M then emits protocol-compliant messages to lead both S and D to choose that link for their communications.
  • 11. Wormhole attack  Two attackers, connected by a high-speed off-channel link, are strategically placed at different ends of a network.  These attackers then record the wireless data they overhear, forward the data to each other, and replay the packets at the other end of the network.
  • 13. SYN flooding attack  The attacker creates a large number of half-opened Transmission Control Protocol (TCP) connections with a victim node, but never completes the handshake to fully open the connection.  The nodes are allowed to communicate only when the connection is fully opened. If the connection is half opened, that prevents any further communication. [Figure: Source, Sink]
  • 14. Malicious code attacks  Caused by viruses, worms, spyware, and Trojan horses. They can attack both operating systems and user applications. These malicious programs usually can spread themselves through the network and cause the computer system and network to slow down or even be damaged.  In WAN, an attacker can produce attacks similar to those of the mobile system of the ad-hoc network.
  • 15. Viruses, worms, trojans, …  Code that breaks your security policy.  Characteristics:  Attack vector: • Social engineering (make them want to run it) • Vulnerability exploitation (force your way into the system) • Piggybacking (make it run when other programs run)  Payload: Make use of flaws in software input handling, e.g. buffer overflow attacks.
  • 16. Identity theft (or MAC spoofing)  Occurs when a malicious user listens in on network traffic and identifies the MAC address of a computer with network privileges.  Most wireless systems allow some kind of MAC filtering to only allow authorized computers with specific MAC IDs to gain access and utilize the network.  However, a number of programs exist that have network “sniffing” capabilities.
  • 17. Man-in-the-middle in wireless LAN  Attacker entices computers to log into a device which is set up as a soft AP (Access Point).  Once this is done, the hacker connects to a real access point through another wireless card offering a steady flow of traffic through the transparent hacking computer to the real network.  The hacker can then sniff the traffic. One type of man-in-the-middle attack relies on security faults in challenge and handshake protocols to execute a “de-authentication attack”.
  • 18. Denial of Service Attack  Prevent legitimate users of a service from using that service.  A selfish node is not actually keen to attack the other nodes.  It expects other nodes to forward packets on its behalf. The reason behind this is “saving one’s own resource” by saving of battery power, CPU cycles, or protecting wireless bandwidth in a certain direction.
  • 20. Jamming attack  Perpetrated using a broadband jammer device that essentially consumes the supposed bandwidth with signals having relatively high amplitude.  A jamming device or a compromised node relentlessly transmits radio signals with the intention of blocking legitimate access to the medium and/or interfering with reception at receiving nodes.  The intention of the attacker is to cause disruption in the data communication, resulting in excessive power consumption and long waiting times.
  • 21. Jamming techniques  Constant jamming wherein radio signals are emitted continuously. This type of jamming causes two things:  The signals from the jammers keep the medium busy and therefore transmissions are deferred at the transmitting node, and/or  At the receiving node reception is interfered with due to the signals transmitted by the jammers.  Deceptive jamming wherein the radio signals are continuously transmitted with regular intervals.
  • 22. Counter-jamming  Avoidance, detection and mitigation.  Avoid it completely by switching over to a wired medium or moving the AP and/or devices away from the range of jamming devices.
  • 23. Solution: Continuous monitoring  The mechanism consists of a subset of nodes acting as network monitors and a detection algorithm at each monitoring node.  The probability of collision is observed at each monitoring node to detect the presence of jamming.  A period of normal network functioning in the absence of a jammer is used for training.  During this training period, the probability of collision is carefully studied as a long-term average of the ratio of the number of slots in which there was a collision over the total number of slots in the training period.  During real-time operation, the probability of collision observed is compared with the learned long-term average from the training period.
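The train-then-compare procedure of slide 23, sketched for a single monitoring node as an added example (not code from the lecture). The window size, the 3-sigma margin, the class and function names, and the slot data are assumptions constructed for illustration; the slides only state that the live collision probability is compared with the learned average.

```python
"""Collision-ratio jamming detection at one monitoring node (added example)."""
from dataclasses import dataclass
from math import sqrt
from typing import List, Optional, Sequence


@dataclass
class WindowVerdict:
    start_slot: int          # index of the first slot in the window
    collision_ratio: float   # collided slots / slots in the window
    threshold: float         # ratio above which jamming is suspected
    jamming_suspected: bool


class CollisionMonitor:
    """Learns a baseline collision probability, then checks live windows."""

    def __init__(self, window: int = 100, k_sigma: float = 3.0,
                 min_margin: float = 0.02):
        # window, k_sigma and min_margin are assumptions of this example;
        # the slides only say the live value is compared with the average.
        if window <= 0:
            raise ValueError("window must be positive")
        self.window = window
        self.k_sigma = k_sigma
        self.min_margin = min_margin
        self.baseline: Optional[float] = None

    def train(self, slots: Sequence[bool]) -> float:
        """Long-term average: collided slots over total slots, jammer absent."""
        if len(slots) == 0:
            raise ValueError("training period contains no slots")
        self.baseline = sum(slots) / len(slots)
        return self.baseline

    def threshold(self) -> float:
        if self.baseline is None:
            raise RuntimeError("train() must run before detection")
        p = self.baseline
        # Standard deviation of a windowed ratio if slots were independent.
        sigma = sqrt(p * (1.0 - p) / self.window)
        # min_margin keeps a near-zero baseline from flagging one collision.
        return p + max(self.k_sigma * sigma, self.min_margin)

    def evaluate(self, slots: Sequence[bool]) -> List[WindowVerdict]:
        """Score each complete window; a trailing partial window is skipped."""
        limit = self.threshold()
        verdicts = []
        for start in range(0, len(slots) - self.window + 1, self.window):
            chunk = slots[start:start + self.window]
            ratio = sum(chunk) / self.window
            verdicts.append(WindowVerdict(start, ratio, limit, ratio > limit))
        return verdicts


# Constructed sample data: True marks a slot in which a collision was seen.
TRAINING_SLOTS = [i % 10 == 0 for i in range(1000)]        # 10% collisions
LIVE_SLOTS = ([i % 10 == 0 for i in range(200)]            # normal traffic
              + [i % 2 == 0 for i in range(100)]           # jammer active
              + [False] * 30)                              # partial window


def run_demo() -> List[WindowVerdict]:
    monitor = CollisionMonitor()
    monitor.train(TRAINING_SLOTS)
    return monitor.evaluate(LIVE_SLOTS)


if __name__ == "__main__":
    for v in run_demo():
        state = "JAMMING SUSPECTED" if v.jamming_suspected else "normal"
        print(f"slots {v.start_slot:4d}+: ratio={v.collision_ratio:.2f} "
              f"threshold={v.threshold:.2f} {state}")
```

The baseline is only as good as the training period: if a jammer was already active while training, the learned average absorbs it and later windows look normal.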
  • 25. Resource exhaustion attacks  A wireless client regularly scans the surrounding wireless environment to find APs in the vicinity by broadcasting probe requests.  On receiving a probe request from a client, APs respond by sending out information about their wireless network so that the client can authenticate and then associate with them.  An attacker targets APs by sending out large volumes of probe requests with a faked MAC address in each request.
  • 26. Probe-request flooding  This tricks APs into believing that they have been receiving probe requests from several wireless clients.  APs are forced to respond to these requests, which in turn increases processor and memory utilization.  When legitimate clients send probe requests, the response to such requests is delayed.  Eventually, when all the memory and processing resources are consumed, requests from legitimate clients are no longer served.
  • 27. Authentication flooding  Attacker can inundate APs with requests by sending bursts of request frames, each holding a spoofed MAC address.  Each such frame tries to authenticate a client to an AP.  AP commits its processor to serve the requests, allocates memory to maintain state table.  APs fail to respond to authentication requests coming from legitimate clients.
  • 28. De-authentication Flooding attack  Client has to authenticate itself with the AP.  De-authentication message is part of the whole authentication process through which client and APs can request to de-authenticate from each other.  There is no secure authentication method employed for this. Therefore an attacker can easily spoof a de-authentication message.  An attacker sends spoofed de-authentication messages to an AP with the MAC address of its clients.  On receiving this message, an AP de-authenticates and then de-associates the client whose MAC address is specified in the de-authentication message.
  • 29.  De-authentication message from AP to client(s), which essentially means that AP is terminating the connection, is also spoofed.  In order to carry this out, an attacker must first spoof the MAC address or the BSSID of the AP.  The former is used to target a particular client while the latter is used to target multiple clients.  A sustained attack can prevent client(s) from connecting to an AP  De-authentication flooding attack is used as the first stage of a multi-level attack.
  • 30.  This attack is carried out for many reasons.  To capture a hidden SSID, because SSIDs are sometimes cloaked and not broadcast.  To capture authentication handshaking between client(s) and AP.  To generate ARP frames for carrying out WEP replay attack.  To trick clients into connecting to a rogue AP or honey point AP. These attacks are carried out at the higher layers of network protocol.
  • 31. Dis-association Flooding attack  An association message is exchanged between a client and AP to associate the client to the AP.  A dis-association message, when sent or exchanged, dis-associates a client from the AP.  There is no authentication in place for exchanging these messages.  This vulnerability is exploited in a similar fashion to that in the authentication protocol.  An attacker sends a spoofed message to an AP; on receiving the message, the AP dis-associates the client whose MAC address is mentioned in the message.
  • 32. Sybil attack  At the physical layer  Nodes are vulnerable to tampering or physical harm.  A single node duplicates itself and is presented in multiple locations. The Sybil attack targets fault-tolerant schemes such as distributed storage, multipath routing and topology maintenance.  In a Sybil attack, a single node presents multiple identities to other nodes in the network.  Authentication and encryption techniques can prevent an outsider from launching a Sybil attack on the sensor network.
  • 33. Flooding & de-synchronization attack  In case of flooding, many connection requests are sent until the resources required by each connection are exhausted or reach a maximum limit.  Eventually the node’s resources are exhausted, rendering it useless.  In the de-synchronization attack, the attacker repeatedly forges messages to one or both end points which request transmission of missed frames.  These messages are again transmitted, and if the attacker maintains proper timing, it can prevent the end points from exchanging any useful information.
  • 34. Application Layer specific Attacks  Path based DoS, Overwhelm attack, Deluge or reprogram attack.  Path based DoS attack involves sending extra or replayed packets into the network on the leaf nodes. This occupies the resources of the entire network and starves the legitimate traffic.  In Overwhelm attack, an attacker might attempt to overwhelm network nodes with sensor stimuli, causing the network to forward large volumes of traffic to a base station.  This attack also consumes network bandwidth and drains node energy.  In Deluge (reprogram) attack, Network programming system lets you remotely reprogram nodes in deployed
  • 35. Security Management Schemes Low-Level  Key Establishment  Robustness in Communication  Secrecy & authentication  Privacy  Secure Routing  Resilience
  • 36. High Level  Secure Data aggregation  Intrusion Detection  Secure Group Management
  • 37. Key-establishment  Setting up of the symmetric keys.  Communication patterns can be unicast, local broadcast and global broadcast. T  Node keys, cluster keys and network keys. The disadvantage of this approach is that there is no tamper resistance and the attackers can generate all the keys and break the privacy of the network.
  • 38. Secrecy & Authentication  Cryptography is the standard technique for defense.  For point-to-point communication, end-to-end cryptography achieves a high level of security but requires that keys be set up among all end points and is incompatible with passive participation and local broadcast.
  • 39. Privacy  Like other traditional networks, sensor networks also have to address privacy concerns. There are many risks to sensor networks, such as illegitimate users accessing the network in unanticipated ways. Providing awareness of the presence of sensor nodes and data acquisition is particularly important. A lot of research needs to be done in this area so as to provide valid security schemes for protecting the sensor networks.
  • 40. Robustness to communication denial of service & Secure Routing  Sensor networks should already be designed to continue functioning even in the presence of faults. This robustness against physical challenges may prevent some classes of DoS attacks.  Current sensor routing protocols suffer from many security vulnerabilities such as jamming of the network.  Sensor networks are particularly susceptible to node-capture attacks. The simplest attacks involve injecting malicious routing information into the network, resulting in routing inconsistencies.
  • 41. Resilience to node capture  Most applications deploy sensors in the locations that are easily accessible to attackers.  An attacker can have illegal access to the network and might capture sensor nodes, extract cryptographic secrets, modify their programming, or replace them with malicious nodes under the control of the attacker.  Some of the defense techniques are Tamper-resistant packaging, Algorithmic solutions, Hashing technique, and gathering of multiple redundant views of the environment to cross check them for consistency.
  • 42. Secure group management  Due to the nature of communication, limited computing power and the kind of data the sensors are going to handle, it is important to have the capability in the network to establish trusted communication.  It is important to form secure groups in a sensor network with low communication complexity and to provide an efficient solution for maintaining such multicast groups.  In-network data aggregation and analysis can be performed by groups of nodes.
  • 43. Intrusion detection  An intrusion can be defined as a set of activities that can lead to an illegitimate access or alteration of information in a certain system.  Intrusion Detection Systems monitor the networks, detect any possible intrusions and send the alert message to the user.
  • 45. PGP: Philip R. "Phil" Zimmermann, Jr. is the creator of Pretty Good Privacy, the most widely used email encryption software in the world. VoIP encryption protocols, notably ZRTP and Zfone
  • 46. PGP Services  Authentication, confidentiality, compression, e-mail compatibility, and segmentation.  Authentication = digital signatures  Confidentiality = encrypting messages to be transmitted or to be stored locally as files.
  • 47. Web-of-trust authentication model • Digital signatures are used for introduction. • When any user signs another user's key, he or she becomes an introducer of that key. • As this process goes on, a web of trust is established. Self-issued certificates: users distribute certificates themselves without the involvement of any certificate authority.
  • 48. Keys 1. One-time session conventional keys 2. Public keys 3. Private keys 4. Pass-phrase conventional keys. Session Key Generation 1. Each session key is associated with a single message and is used only for the purpose of encrypting and decrypting that message.
  • 49.  PGP provides a pair of data structures at each node, one to store the public/private key pairs owned by that node and one to store the public keys of other users known at this node. These data structures are referred to, respectively, as private-key ring and the public-key ring. Timestamp: the date/time when this key pair was generated. Key ID: The least significant 64 bits of the public key for this entry.
  • 50. • The message encryption/decryption is done with a symmetric encryption algorithm: CAST-128, IDEA (128 bits), TDEA (168 bits). • The PGP session keys are obtained from a random number generator called ANSI X5.17 (see appendix 5C, p. 167). • An encrypted message is accompanied by an encrypted form of the session key that was used. The session key itself is encrypted with recipient’s public key. Hence, only the recipient will be able to recover the session key and therefore recover the message.
  • 51. A user may have several public/private key pairs. For this reason PGP associates an identifier with each public key that is unique at least within one user. Timestamp : the time at which the signature was made. Leading two octets of message digest: To enable the recipient to determine if the correct public key was used to decrypt the message digest.
  • 52.  Partially-distributed certificate authority makes use of a (k,n) threshold scheme to distribute the services of the certificate authority to a set of specialized server nodes.  Fully-distributed certificate authority extends the idea of the partially-distributed approach by distributing the certificate services to every node
  • 53. Principles 1. To achieve availability, take advantage of redundancies in the network topology. 2. Distribute trust to an aggregation of nodes.  No single node is trustworthy.  Assume: any t+1 nodes are improbable to all be compromised; the consensus of at least t+1 nodes is trustworthy. Zhou L, Haas ZJ (1999) Securing Ad Hoc Networks. In: IEEE Network special issue on network security. USA: 13(6): 24-30
  • 54. • A public key infrastructure may be adopted. • Each node has a public/private key pair. • Public keys are distributed to other nodes. • Private keys are confidential to individual nodes. • Usually with such an infrastructure, there is a trusted entity known as a Certificate Authority (CA). Zhou L, Haas ZJ (1999) Securing Ad Hoc Networks. In: IEEE Network special issue on network security. USA: 13(6): 24-30
  • 55. • This authority has a public/private key pair. • It signs certificates binding public keys to nodes. • E registers its public key with the CA. • E provides “proof of identity” to the CA. • The CA creates a certificate binding E to its public key. • The certificate contains E’s public key, digitally signed by the CA: the CA says “This is E’s public key.”
  • 56. • The CA has to stay online to reflect the current bindings, because the bindings can change. • The CA is a vulnerable point of the network. • It may not be possible to maintain a single CA online. • Compromise of the CA could lead to disaster. • Furthermore, if the CA is down, nodes cannot get the current public keys of other nodes. • One solution is to replicate the CA. • But blind replication could lead to more problems: more vulnerability. • Instead, distribute trust to a set of nodes by letting these nodes share the key management responsibility. Zhou L, Haas ZJ (1999) Securing Ad Hoc Networks. In: IEEE Network special issue on network security. USA: 13(6): 24-30
  • 57. • Distributed public key trust management service. – Threshold cryptography • An (n,t+1) threshold cryptography scheme allows n parties (n servers, t compromised servers) to share the ability to perform a cryptographic operation (such as a digital signature). • Assumptions: • No bounds on message delivery and message processing times. • Reliable links, no fading or such. • The system as a whole has a public/private key pair. • All nodes in the network have this public key. • They are able to decrypt messages that are encrypted (signed) using the private key and trust that these messages are authentic. • Nodes can submit “query” requests to obtain other clients’ public keys. Zhou L, Haas ZJ (1999) Securing Ad Hoc Networks. In: IEEE Network special issue on network security. USA: 13(6): 24-30
  • 58. The Configuration: • There are “n” special nodes that are called shareholders. • Each server has its own key pair and stores the public keys of all nodes in the network. • (t+1) out of n shareholders have the ability to compute the private key by combining their partial keys, but fewer than (t+1) cannot. • In order to obtain the private key, (t+1) nodes must be compromised.
  • 59. • The private key of the service is now divided into n shares (s1, s2, ... sn). • Each server gets one share. Each server also has a key pair Ki/ki (public and private key). • For the service to sign a certificate, each server generates a partial signature for the certificate using its private key share. • This is then submitted to a combiner.
  • 60. The Method: Threshold Cryptography • Any server could be a combiner. • To ensure that a compromised node cannot prevent a signature from being generated, one can think of doing the combining at no fewer than t+1 nodes. • For the service to tolerate t compromised servers we employ a (n, t+1) threshold cryptography scheme. • With (t+1) partial signatures the combiner is able to compute the signature for the certificate.
  • 61. • We have 3 servers i.e., n = 3. • Each has a share of the key k. • We can tolerate up to 1 failure. • Correct servers 1, 2 and 4 generate partial signatures but 3 does not. • C is still able to generate the signature of m signed by the service private key k. [Figure: server 1, server 2, server 3, server 4, combiner C, message m]
  • 62. • Incorrect partial signatures can be identified by the combiner using the public key of the service. • If any of the first (t+1) shares that the combiner chooses fails, it chooses a different set and tries to construct the correct signature. • It continues until it can do so.
  • 63. Share Refreshing: • The key management service also employs share refreshing to tolerate “mobile” adversaries and adapt its configuration to changes in the network. • A mobile adversary temporarily compromises a server and then moves on to the next victim. • A mobile adversary might be able to compromise all the servers over a long period of time (e.g. viruses).
  • 64. • Compromised servers may be detected and excluded, but the adversary could still gather more than t shares of the private key from compromised servers over time. • That would allow the adversary to generate any valid certificates signed by the private key. • Countermeasure: proactive threshold cryptography scheme.
  • 65. Continued: • Mobile adversaries may temporarily compromise a server and move to the next victim and so on. • Over time, it is possible that the adversary may achieve the compromise of more than t servers. • To counter mobile adversaries, share refreshing may be used. • Share refreshing enables servers to compute new shares from old ones in collaboration without disclosing the service private key to any server. • After this process, servers remove the old shares and use the new ones to generate partial signatures.
  • 66. • A proactive threshold cryptography scheme uses share refreshing. • That enables servers to compute new shares from old ones in collaboration without exposing the service private key to any server. • The new shares compose a new (n, t+1) sharing of the service private key.
  • 67. • Refreshing is done periodically. • Servers remove the old shares after refreshing and start to use the new shares. • The adversary has to compromise t+1 servers every time after refreshing, again and again …
  • 68. Working of share refreshing: • Each server that is correct randomly generates shares of a key $(s_{i1}, s_{i2}, \ldots, s_{ij}, \ldots, s_{in})$, which is a (n, t+1) sharing of its key. • The newly generated share $s_{ij}$ is now sent to server j via a secure link. • When server j gets the sub-shares $s_{1j}, s_{2j}, \ldots, s_{nj}$, it can generate a new share from these sub-shares and its old share: $s'_j = s_j + \sum_{i=1}^{n} s_{ij}$. • This is based on the property that the new shares have the same sharing properties.
  • 69. • This share refreshing can be done even if the number of sharing servers is different, i.e., n’ instead of n. Now a (n’, t’+1) sharing is achieved. • This allows dynamic changing of the key sharing service, which is required in an ad hoc network.
  • 70. The Problem? • Pre-establishment of a distributed central authority requires huge computational complexity, and asymmetric key cryptographic operations consume huge battery power.
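
The share-refreshing procedure on slides 63 to 69, as an added example that is not part of the original slides: Shamir (n, t+1) sharing over a prime field, refreshed by having every server deal sub-shares that sum into each old share. It assumes each server deals a sharing of zero (as in the cited Zhou and Haas scheme) so the service key stays the same, and it simulates all servers in one process; the prime P, the function names and the parameters n = 5, t = 2 are constructed for the demonstration.

```python
import secrets
from itertools import combinations

P = 2**127 - 1  # prime field modulus (constructed for this demo)

def deal(secret, n, t):
    """(n, t+1) Shamir sharing: random degree-t polynomial f, f(0)=secret, share j = f(j)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t)]
    return {j: sum(c * pow(j, k, P) for k, c in enumerate(coeffs)) % P
            for j in range(1, n + 1)}

def reconstruct(shares):
    """Lagrange interpolation at x = 0 from t+1 shares given as {server id: share}."""
    total = 0
    for j, s in shares.items():
        num = den = 1
        for m in shares:
            if m != j:
                num = num * (-m) % P
                den = den * (j - m) % P
        total = (total + s * num * pow(den, -1, P)) % P
    return total

def refresh(shares, t):
    """Server i deals sub-shares s_i1..s_in of zero; server j sets s'_j = s_j + sum_i s_ij."""
    n = len(shares)                                  # assumes server ids 1..n
    sub = {i: deal(0, n, t) for i in shares}         # sub[i][j] = s_ij, sent from i to j
    return {j: (shares[j] + sum(sub[i][j] for i in shares)) % P for j in shares}

def pick(shares, ids):
    return {j: shares[j] for j in ids}

def demo():
    n, t = 5, 2
    key = secrets.randbelow(P)                       # stands in for the service private key
    old = deal(key, n, t)
    new = refresh(old, t)
    # Mobile adversary: holds servers 1 and 2 before the refresh, server 3 after it.
    mixed = {1: old[1], 2: old[2], 3: new[3]}
    return {
        "old_ok": reconstruct(pick(old, (1, 2, 3))) == key,
        "new_ok": all(reconstruct(pick(new, ids)) == key
                      for ids in combinations(new, t + 1)),
        "mixed_ok": reconstruct(mixed) == key,       # False: shares from different periods
        "shares_changed": all(old[j] != new[j] for j in old),
    }

if __name__ == "__main__":
    print(demo())
```

Any t+1 shares from the same period recover the key, while t+1 shares collected across a refresh do not, which is why servers must erase old shares after each round.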
  • 73. • Artificial 'ants' - locate optimal solutions by moving through a parameter space representing all possible solutions, • lay down pheromones to direct each other to resources.
  • 75. Ant-Based Evidence Distribution (ABED) –Certification Table
  • 77. ABED reinforcement rules: • A special reinforcement rule, comparable with a learning rule, is the heart of ABED. • Backward ants have the ability to induce certificate table modifications to perform changes.
  • 79. Simple distributed trust computation Policy
  • 82. • We have talked about intrusion prevention schemes. • This means that these schemes are proactive in nature; they know that there are adversaries and try to prevent them from creating chaos in the system. • But this is not enough. • We have not even come close to overcoming some of the attacks that might occur in ad hoc networks. • If the attacks do occur, there have to be methods of detecting them and recovering from them. • This is usually referred to as Intrusion Detection.
  • 83. Still more problems: • So far nothing has been done to prevent denial of service attacks at the MAC layer. • Ad hoc routing protocols are co-operative. They are therefore vulnerable: network operations can go topsy-turvy upon attack. • How is the secure link established in the first place for sharing of keys? • Are there even attacks that we have not yet thought of? • Questions that are yet to be answered.

Editor's Notes

  2. The information is then forwarded to other malicious nodes that in turn effect attacks like denial of service (DoS).
  3. e.g. by cheating the users into revealing information such as passwords or keys about the sensor nodes. Chances are the operating system and/or the applications running in a sensor node are vulnerable to popular exploits such as buffer overflows.
  4. Combine these programs with other software that allow a computer to pretend it has any MAC address that the cracker desires, and the cracker can easily get around that hurdle.
  5. It does not want to spend its energy, CPU cycles, or available network bandwidth to forward packets not of direct interest to it.
  6. Interference is one of the prime reasons for sluggishness and instability.
  7. This is called jamming and the malicious nodes/devices are called jammers. Jamming techniques vary from simple ones like continuously transmitting interference signals, to more sophisticated attacks that are aimed at exploiting vulnerabilities in the underlying protocols.
  8. Deceptive jamming: this is relatively tougher to detect because it deceives a sender node by giving an impression of legitimate traffic over the channel. As a result, a sender node that wants to transmit data remains in the listening mode after sensing the channel as busy.
  9. However, in practice it is not possible to completely avoid jamming, because replacing a wireless network with a wired medium at the onset of a DoS attack is not a feasible option. Moving APs away from the reach of jamming devices is also not possible by any means. Besides the operational infeasibility, switching to wired networks essentially means not using a wireless network at all, and doing so defeats the very purpose of deploying wireless networks, which is mobility.
  10. Probability of collision is one such metric that is the percentage of erroneous packets received at a node. Any increase in the probability of collision when compared to the learned average or any temporary increase in the probability of collision compared to the average during normal network operation may be the result of an ongoing attack. Detection algorithm takes sample values from the monitoring nodes to decide whether it is an attack or not. Once detected, measures can be taken to shun the attack. When a wireless data network is under attack, changes will occur in the signal behavior.
  11. State tables contain information about clients which have been authenticated. APs also maintain an association table, which contains an entry for each client that has associated with the AP. If an attacker has cracked the network password and/or SSID, several non-existent clients can be associated with an AP by spoofing an authentication request followed by an association request. This results in flooding of the association table, because there is a limit on the count of client associations an AP can have.
  12. Before communication between a client and an AP starts,
  13. receiving this message an AP de-authenticates and then de-associates the client whose MAC address is specified in the de-authentication message. The above scenario is a typical example of how a de-authentication message is spoofed when identity of clients is known through sniffing.
  14. Soon after authentication, Although dis-association attack works similar to de-authentication attack, the latter is more severe. Deauthentication attack forces a victim client to do more work than dis-association attack. When a client is de-authenticated it takes more time to get connected back to AP because it first has to authenticate and then associate with the AP.
  15. The Transport layer is also vulnerable to some attacks. This causes a considerable drainage of energy for recovering the compromised nodes.
  16. Due to the resource constraints, especially limited battery power, asymmetric key cryptography should be avoided in sensor networks.
  17. Cryptography not only increases efficiency but also increases the cost of implementing a network. The earliest sensor networks are likely to use link layer cryptography, because this approach provides the greatest ease of deployment among currently available network cryptographic approaches
  18. A DoS attack reduces the network’s capacity to perform its intended function. There are many reasons behind this kind of attack such as hardware failures, software bugs, resource exhaustion, environmental conditions, or any complicated interaction between these factors. An attacker attempts to disrupt the network’s operation by broadcasting a high-energy signal so that the entire system’s communication could be jammed and also by transmitting while a neighbor is also transmitting or by continuously requesting channel access with a request-to-send signal. The spread spectrum technique is effective to mitigate this kind of attack.
  19. Node capture is a severe threat to data security in Wireless Sensor Networks.
  20. For example, a group of nodes might be responsible for jointly tracking a vehicle through the network. The actual nodes comprising the group may change continuously and quickly.