Securing Neighbor Discovery the wormhole attack centralized and - - PowerPoint PPT Presentation

Security and Cooperation in Wireless Networks

Georg-August University Göttingen

Securing Neighbor Discovery

 the wormhole attack  centralized and decentralized wormhole detection mechanisms

Georg-August University Göttingen

Securing Neighbor Discovery

Introduction

• many wireless networking mechanisms require that the nodes be aware of their

neighborhood (i.e. to know which other nodes they can communicate with directly)

• The procedure used to acquire this knowledge is called neighbor discovery
• If two nodes are in each other’s radio range (are able to hear each other) they

would be considered as neighbors

• a simple neighbor discovery protocol:

– every node broadcasts a neighbor discovery request – each node that hears the request responds with a neighbor discovery reply – messages carry node identifiers  neighboring nodes discover each other’s ID

• an adversary may try to thwart the execution of the protocol

– prevent two neighbors to discover each other by jamming – create a neighbor relationship between far-away nodes

• by spoofing identity of legitimate nodes and to establish neighbor

relationships with other nodes (can be prevented using entity authentication mechanisms)

• by installing a wormhole (cannot be prevented by cryptographic

techniques alone)

2

Georg-August University Göttingen

Securing Neighbor Discovery

What is a wormhole?

• a wormhole is an out-of-band connection, controlled by the adversary, between

two physical locations in the network

– the adversary installs radio transceivers at both ends of the wormhole – it transfers packets (possibly selectively) received from the network at one end of the wormhole to the other end via the out-of-band connection, and re-injects the packets there into the network

wormhole attack: the two wormhole ends (adversarial transceivers) WE1 and WE2 transmit (tunnel) the neighbor discovery messages heard in their radio rage to each other (possibly selectively)  result: A and B which are far away from each other will believe to be neighbors (because they actually hear each other through the wormhole)

• notes:

– adversary’s transceivers are not regular nodes (no node is compromised by the adversary) – adversary doesn’t need to understand what it tunnels (e.g., encrypted packets can also be tunneled through the wormhole) – it is easy to mount a wormhole and it may have devastating effects on routing

3

Georg-August University Göttingen

Securing Neighbor Discovery

Effects of a wormhole

• at the data link layer: distorted network topology
• at the network layer:

– routing protocols may choose routes that contain wormhole links

• typically those routes appear to be shorter
• flooding based routing protocols (e.g., DSR, Ariadne) may not be able to discover other routes

but only through the wormhole

– adversary can then monitor traffic or drop packets (DoS)

4

x y (a) x y (b) x y (c) x y (d) x y (e) x y (f) A set of nodes are randomly placed in the area; the gray disk: radio range of x Neighbor relationships between the nodes Shortest possible path from all other nodes to x The wormhole: black rectangles are the attacker’s transceivers As the result of the wormhole attack x and y become neighbors because the attacker relays their neighbor discovery messages Shortest possible path from all other nodes to x after the attack happens: many nodes reach node x through the wormhole

Georg-August University Göttingen

Securing Neighbor Discovery

Wormholes are not specific to ad hoc networks

5 access control system: gate equipped with contactless smart card reader contactless smart card contactless smart card emulator smart card reader emulator fast connection wormhole user may be far away from the building

Georg-August University Göttingen

Securing Neighbor Discovery

Classification of wormhole detection methods

• centralized mechanisms

– data collected from the local neighborhood of every node are sent to a central entity – based on the received data, a model of the entire network is constructed – the central entity tries to detect inconsistencies (potential indicators

• f wormholes) in this model

– can be used in sensor networks, where the base station can play the role of the central entity

• decentralized mechanisms

– each node constructs a model of its own neighborhood using locally collected data – each node tries to detect inconsistencies on its own – advantage: no need for a central entity (fits well some applications) – disadvantage: nodes need to be more complex

6

Georg-August University Göttingen

Securing Neighbor Discovery

Statistical wormhole detection in sensor networks

• each node reports its list of believed neighbors to the base

station

• the base station reconstructs the connectivity graph (model)
• a wormhole always increases the number of edges in the

connectivity graph

• this increase may change the properties of the connectivity

graph in a detectable way

• detection can be based on statistical hypothesis testing

methods

7

Georg-August University Göttingen

Securing Neighbor Discovery

Examples

8

5 10 15 20 25 30 35 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

node degree number of nodes

• The gray bars show the expected number
• f nodes with different node degrees
• The black bars show the observed node

degrees in the experiment when there is a wormhole

• The black histogram shows there are

some nodes with an unexpectedly high node degree.

• (node degree: no. of neighbors of a node)

Georg-August University Göttingen

Securing Neighbor Discovery

Examples

• a wormhole is usually a shortcut that decreases the length of the shortest paths

in the network  distribution of the length of the shortest paths will be distorted  This experiment shows that when a wormhole is there the shorter paths are more likely than longer ones

9

500 1000 1500 2000 2500 3000 3500 4000 4500 5000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

path length number of shortest paths

Georg-August University Göttingen

Securing Neighbor Discovery

Multi-dimensional scaling

• the nodes not only report their lists of neighbors, but they also estimate

(inaccurately) their distances to their neighbors

• connectivity information and estimated distances are input to a multi-

dimensional scaling (MDS) algorithm

• the MDS algorithm tries to determine the possible position of each node

in such a way that the constraints induced by the connectivity and the distance estimation data are respected

– the algorithm has a certain level of freedom in “stretching” the nodes within the error bounds of the distance estimation

• let us suppose that an adversary installed a wormhole in the network

– if the estimated distances between the affected nodes are much larger than the nodes’ communication range, then the wormhole is detected – hence, the adversary must also falsify the distance estimation  distances between far-away nodes become smaller – this will result in a distortion in the virtual layout constructed by the MDS algorithm

10

Georg-August University Göttingen

Securing Neighbor Discovery

Example 1

• in 1D:

11

a b c d e f g c d b e f a g

Real replacement of the nodes reconstructed virtual layout

wormhole

• A virtual layout of the network is constructed based on the neighborhood information obtained by

the nodes.

• In the real connectivity graph:
• the gray disk: the radio range of node b;
• dashed lines: the neighborhood relationships of the nodes;
• red line: a fake neighbor relationship created by the wormhole
• In the virtual layout of the network constructed using MDS from the inaccurate distance

measurements of the neighboring nodes.

• B and f must be neighbors, so the distance between them should be smaller than the

communication range

• This makes it impossible to fit the nodes on a straight line which helps to detect the attack

(assuming that we know in advance that the nodes are located on a straight line).

Georg-August University Göttingen

Securing Neighbor Discovery

Example 2

• in 2D:

12 wormhole

• A virtual layout of the network is constructed based on the neighborhood information obtained by

the nodes.

• In the real connectivity graph:
• Grid lines: the neighborhood relationships of the nodes;
• red line: a fake neighbor relationship created by the wormhole
• In the virtual layout of the network constructed using MDS from the inaccurate distance

measurements of the neighboring nodes.

• A and C must be neighbors, so the distance between them should be smaller than the

communication range --- > MDS brings them together

• This makes it impossible to fit the nodes on a flat surface which helps to detect the attack.

Georg-August University Göttingen

Securing Neighbor Discovery

Packet leashes

• packet leashes ensure that packets are not accepted “too far” from their

source

• geographical leashes

– each node is equipped with a GPS receiver – when sending a packet, the node puts its GPS position into the header – the receiving node verifies if the sender is really within communication range

• temporal leashes

– nodes’ clocks are very tightly synchronized – when sending a packet, the node puts a timestamp in the header – the receiving node estimates the distance of the sender based on the elapsed time and the speed of light dest < vlight(trcv – tsnd + Dt) Dt : clock synchronization error – note: vlight Dt must be much smaller than the communication range

13

Georg-August University Göttingen

Securing Neighbor Discovery

Packet leashes

• Both geographical and temporal leashes require packet

authentication and integrity: otherwise the adversary can modify or forge the leash

• There are two solutions:

– Digital signatures: uses asymmetric key cryptography – MAC (Message authentication Code): uses symmetric key cryptography

• Only digital signatures can be used for broadcast messages:

neighbor discovery beacons are broadcast messages;

– but asymmetric key cryptography is computationally expensive

• Solution: using TESLA with Instant Key-Disclosure (TIK) to

authenticate temporal leashes in packets

14

Georg-August University Göttingen

Securing Neighbor Discovery

TESLA with Instant Key-Disclosure (TIK)

• A summary of TESLA (A protocol for broadcast authentication)

– The sender has a one-way key chain (the elements of a hash chain) – The elements of the key chain are disclosed in a reverse order as with normal hash chain – For each broadcast message the sender calculates a MAC value using the next element of the key chain (which is not released by the sender yet) – The receiver can not verify the MAC right after a message is received because it does not know the key yet; it must cash the message and wait until that key is released – When the key is released the receiver verifies the MAC and also verifies if the key disclosed by the sender belongs to the chain (in a similar way with hash chains) – The authentication of the last element of the key chain (which is used and released first) is done using digital signature or a MAC value – Also when receiving a message the receiver needs to ensure that the key has not been disclosed by the sender yet (otherwise it may have been reused by the attacker): it should know the disclosure schedule of the sender and they need to have synchronized clocks

15

Georg-August University Göttingen

Securing Neighbor Discovery

TESLA with Instant Key-disclosure (TIK)

idea: authentication delay of TESLA can be removed in an environment

where the nodes’ clocks are tightly synchronized

 The MAC of the packet is sent just before the packet and the key is sent just after the packet

• by the time the sender reveals the key, the receiver has already received the

MAC

• The TESLA condition is satisfied if the receiver receives the MAC earlier than

the time that sender starts revealing the TESLA key

• security condition: tr + tmax < ts – Dt + tmax + tpkt tr < ts – Dt+ tpkt
• ts is known to the receiver from the temporal leash
• The clock synchronization error Dt must be very small, otherwise the key can

not be accepted

16

MAC packet K MAC packet K time at sender time at receiver

ts ts + mac + pkt tr tr + mac mac pkt mac ts - Dt + mac + pkt

Georg-August University Göttingen

Securing Neighbor Discovery

Mutual Authentication with Distance-bounding (MAD)

• Let u and v are two nodes and kuv is the symmetric key

shared between them; let mackuv be the message authentication function controlled by kuv

• Initialization phase:

– u generates two random numbers r and r’ and v generates two random numbers s and s’ such that r and s are l bits long and r’ and s’ are l’ bits long – Using a one-way hash function u computes cu=H(r,r’) and v computes cv=H(s,s’) and send them to each other

17

Georg-August University Göttingen

Securing Neighbor Discovery

Mutual Authentication with Distance-bounding (MAD)

• Distance bounding phase:

– Let the bits of r and s are denoted by ri and si (i=1,2,…,l) – The steps shown in the next figure will be repeated l times (for i=1,2,…,l):

• In each step a node sends the next bit of its first random number in

combination with the previous bit received from the other party

• Each node calculates its distance to the other node based on the delay

measured between each bit it sends and the next bit received from the

• ther party
• The purpose of combining the next bit to be sent with the last bit

received is to prevent a malicious party from sending her bits too early and thus falsifying the distance estimation. For instance, v could send the bits of s before receiving the corresponding bits of r. As a result, u would measure a shorter distance to v than their real distance.

18

Georg-August University Göttingen

Securing Neighbor Discovery

Mutual Authentication with Distance-bounding (MAD)

• Authentication phase:

– U computes the bits si = αi + βi (i=1,2,…,l) and the MAC μu =mackuv(x||y||r1 ||s1 ||…||rl ||sl) – v computes the bits ri = αi + βi-1 (i=1,2,…,l) and the MAC μv = mackuv(x||y||s1||r1 ||…||sl||rl) – U sends r’|| μu and v sends s’|| μv to u – U verifies if the μv and the commitment cv are correct and v verifies if the μu and the commitment cu are correct – If the verifications are successful the nodes would know that the distance measurements they performed are valid

19

Georg-August University Göttingen

Securing Neighbor Discovery

Mutual Authentication with Distance-bounding (MAD)

• MAD allows distance bounding without synchronized clocks
• Disadvantage: requires rapid bit exchange (requires special hardware)

20

Georg-August University Göttingen

Securing Neighbor Discovery

Using position information of anchors

• anchors are special nodes that know their own positions (GPS)
• there are only a few anchors randomly distributed among regular nodes
• two nodes consider each other as neighbors only if

– they hear each other and – they hear more than T common anchors

• anchors put their location data in their messages
• transmission range of anchors (R) is larger than that of regular nodes (r)
• wormholes are detected based on the following two principles:
• 1. a node should not hear two anchors that are 2R apart from each other
• 2. a node should not receive the same message twice from the same anchor;

the messages sent by the anchors are encrypted and each anchor includes a

• ne-time password in every message that it sends

21

Georg-August University Göttingen

Securing Neighbor Discovery

Principle 1

22

x Ax AO R 2R O D Ax' AO'

Georg-August University Göttingen

Securing Neighbor Discovery

Principle 1

• Therefore the probability that there is at least one anchor in an area of

size S is (1-e-l*S), where l* is the density of anchors

• Let P1 be the probability that x hears two anchors that have a distance

larger than 2R from each other

• If there is at least one anchor in each shaded area x will hear at least

such two anchors

• P1  (1-e-l*S’x)(1-e-l*S’O), where S’x is the size of A’x and S’O is the size of

A’O

– (1-e-l*S’x): the probability that there is at least one anchor in S’x – (1-e-l*S’O): the probability that there is at least one anchor in S’O

23

Georg-August University Göttingen

Securing Neighbor Discovery

Principle 1

24

Lower bound on the probability of attack detection, P1, as a function of the distance between x and O

Georg-August University Göttingen

Securing Neighbor Discovery

Principle 2

• when x and O are closer than 2R, the discs Ax and AO overlap
• if there is an anchor in the intersection AxO, then the messages of that

anchor is heard twice by x

– first directly and then from transceiver D who receives it from O through the wormhole

• the probability P2 of detection is equal to the probability that there is at

least one anchor in AxO

• P2 = 1-e-l*SxO

25

AxO O R x D Ax AO

Georg-August University Göttingen

Securing Neighbor Discovery

Principle 2

26

Probability of detection P2 as a function of the distance between x and O

Georg-August University Göttingen

Securing Neighbor Discovery

Wormhole detection with directional antennas

• Assume that each node is equipped with a directional antenna and each antenna

has n non-overlapping zones

• When a message is received the node determines on which zone the signal is

stronger; it will communicate to the sender of that message on the detected zone

• when two nodes are within each other’s communication range, they must hear

each other from opposite directions (all antennas have the same orientation)

• if x and y communicate through a wormhole this condition may not be always

satisfied (i.e. Zyx  Zxy ):

• Notations:
• Zyx means the zone by which node y hears node x
• Zxy means the zone by which node x hears node y
• With 6 zones for instance zone 1 is opposite to zone 4 and zone 3 is opposite to zone 6
• Zxy means the zone opposite to the zone in which node x hears node y

27

1 2 3 4 5 6

y

1 2 3 4 5 6

x

Georg-August University Göttingen

Securing Neighbor Discovery

Wormhole detection with directional antennas

• but sometimes it might be satisfied (by chance) (i.e. Zyx = Zxy ):

– And this would prevent the nodes from detecting the presence of the wormhole

• To solve this problem the nodes can cooperate and help each other to

detect wormholes

28

1 2 3 4 5 6

y

1 2 3 4 5 6

x v

Georg-August University Göttingen

Securing Neighbor Discovery

Using verifiers

 Using verifiers:

• Idea: if x and y are real neighbors, then every third node that both x and

y can communicate with should be able to run the protocol successfully with both x and y

• Assume that y wants to verify the neighborhood of x
• if y and x are not real neighbors (hear each other through wormhole),

then there may be a node v with which both x and y can communicate (possibly via the wormhole) but v can not run the neighbor discovery protocol with either x or y (i.e. Zvx  Zxv or Zvy  Zyv )

• such a v can be used by y to detect the wormhole

29

Georg-August University Göttingen

Securing Neighbor Discovery

Conditions for being a verifier

• Assume that y wants to verify the neighborhood of x
• if node y hears v in the same zone in which it hears x, then y may hear

both x and v through the wormhole  Condition 1: for a valid verifier v, y must hear v and x from different zones (i.e., Zyv  Zyx must hold)

• if v hears x in the same zone in which y hears x (i.e., Zvx = Zyx), then

they may both hear x through the wormhole’s transceiver

• if, in addition, x happens to hear the other transceiver of the wormhole

in zone Zyx, then x can establish neighbor relationships with both y and v  Condition 2: for a valid verifier v, v must hear x from a zone different from the one in which y hears x (i.e., Zvx  Zyx must hold too).

30 y x

4 1

v

1

v y x

4 4 1

Georg-August University Göttingen

Securing Neighbor Discovery

Using verifiers – the mechanism

• y accepts x as a neighbor if

– they hear each other from opposite zones – there’s at least one valid verifier v such that x and v hear each other from opposite zones

• how does this detect wormholes ?

– let us assume that y hears x through the wormhole  one end of the wormhole is near to x, the other end is in zone Zyx – let us further assume that v is a valid verifier  first condition (Zyv  Zyx) is satisfied (because v is a valid verifier)  y hears v directly (since y hears v from a zone different from Zyx)  x hears both y and v through the wormhole  second condition (Zvx  Zyx) is satisfied (because v is a valid verifier)  x and v cannot hear each other from opposite zones

• let’s assume they can, i.e. Zxv = Zvx
• we know that x hears both y and v through the wormhole  Zxy = Zxv
• in addition, we know that Zxy = Zyx (otherwise y would not consider x as a potential neighbor)
• Zvx = Zxv = Zxy = Zyx  Zvx = Zyx (contradicts the second condition)

 If ty and x hear each other through wormhole no valid verifier v exists such that x and v hear each other from opposite zones  y will not accept x as a neighbor

31

Georg-August University Göttingen

Securing Neighbor Discovery

Summary

• a wormhole is an out-of-band connection, controlled by the adversary,

between two physical locations in the network

• a wormhole distorts the network topology and may have a profound

effect on routing

• wormhole detection is a complicated problem

– centralized and decentralized approaches

• statistical wormhole detection
• wormhole detection by multi-dimensional scaling and visualization
• packet leashes
• distance bounding techniques
• anchor assisted wormhole detection
• using directional antennas

– many approaches are based on strong assumptions

• tight clock synchronization
• rapid bit exchange
• GPS equipped nodes
• directional antennas
• …
• wormhole detection is still an active research area

32