Security Issues for Distributed Sensor Networks

Stefaan Seys and Bart Preneel

Stefaan Seys is with the Department of Electrical Engineering (ESAT)–SCD/COSIC at the Katholieke Universiteit Leuven, Belgium. E-mail: [email protected]. He is funded by a research grant of the Flemish Institute for the Promotion of Industrial Scientific and Technological Research (IWT). This work was supported by the Concerted Research Action (GOA) Mefisto-2000/06 of the Flemish Government.

Abstract— A distributed sensor network or DSN is an autonomous system of thousands of mobile devices connected by wireless links. The devices are free to move randomly and organize themselves arbitrarily; thus, the network's wireless topology may change rapidly and unpredictably. This paper gives an overview of the security aspects of these sensor networks, consisting of ultra-low power devices with limited communication and computational means. The security demands for these networks are similar to those of more common networks such as the Internet: authentication, privacy, robustness, etc. However, the properties and design constraints of a security architecture for low power ad-hoc DSNs are very different.

Keywords— Sensor Networks, Security, Cryptography

I. Introduction

The recent advance in micro electro-mechanical systems (MEMS) and wireless communication technology makes it a pragmatic vision to deploy large-scale, low power, inexpensive distributed sensor networks (DSNs) [1][2]. During the past few years, much effort has been directed to turning this vision into reality. Research prototype sensor nodes [3][4] are being designed and manufactured; energy efficient MAC protocols [5], topology control protocols and routing schemes are implemented and evaluated [6]; various enabling techniques such as time synchronization, localization and tracking are being studied.

An inspired reader can easily imagine a multiplicity of scenarios in which these sensor networks might excel. Just to mention a few: environmental control in office buildings, monitoring of seismic activity, integrity of civil structures, robot control and guidance, drug administration in hospitals, interactive toys, etc.

These DSNs, consisting of thousands of ultra-low power nodes with limited communication means, pose unique challenges when trying to include basic security functions such as authentication, access control, data integrity, privacy, key distribution, etc.

II. Security threats, requirements and challenges

A. Security threats

Do there exist sensor specific attacks that do not exist in other distributed networks, such as the Internet? In general, the answer is negative. The main difference is that in sensor networks, energy will be drained and the sensor nodes can die irrevocably, while in general networks the performance will drop but is usually restored after the source of the attack is removed. Secondly, the very nature of distributed sensor networks means that the devices are physically accessible at every node. Thus traditional access control mechanisms such as firewalls cannot be applied, as these systems assume a few well controlled access points through which all traffic to and from the "outside" world is channeled. In a sensor network, there is no inside and outside.

What can happen if no security is provided in the system?

- A denial-of-service attack specific to sensor networks is battery power exhaustion. Battery life is the critical parameter for the nodes in a sensor network and many techniques are used to maximize it; in one technique, for example, nodes try to spend most of the time in a sleep mode in which they only turn on the radio receiver, or even the processor, once in a while. In this environment, energy exhaustion attacks are a real threat: without sufficient security, a malicious node could prevent another node from going back to sleep, causing its battery to be drained [7].
- Eavesdropping on wireless communication is fairly easy. This means that without security an adversary could easily extract useful information from conversations between nodes.
- Without proper authentication mechanisms, unauthorized people or devices could request services or data from the unprotected sensor nodes. In many cases these services or data may not be public. Malicious users could also try to join the network undetected by impersonating some other, trusted node. As a "trusted" node, it will then have access to private data or it can disrupt normal network operations.
- Without proper security measures it is possible to trace the actions of any node in the network. If one or more of the sensor nodes are carried by a user (for example a monitoring node carried by a doctor), an adversary is able to pinpoint the location of the doctor at any given time.

B. Security requirements

From the security threats we can deduce the fundamental security requirements. As in most security sensitive applications there are four basic properties that need to be addressed:

1. Availability means ensuring that the service offered by the node will be available to its users when expected. As mentioned above, sleep deprivation torture is a real threat and has to be prevented.
2. Authenticity of origin is ensuring that the principals with whom one interacts are the expected ones. In most security sensitive applications, authenticity is essential. Granting resources to, obeying an order from, or sending confidential information to a principal whose identity is unsure is not the best strategy for protecting the other security properties. Assuring correct authentication is the most challenging task in a wireless ad-hoc environment, due to the absence of online servers. When a new node comes within range, it cannot connect to an authentication server (as in the Kerberos system) to check the validity of a ticket or certificate: the traditional solutions no longer apply.
3. Authentication of data (integrity). Besides authentication of the origin, it is also necessary to guarantee the authenticity (or integrity) of the data. We need a means to assure that the data we receive is valid and that it has not been altered by an adversary.
4. Confidentiality (privacy) is a matter of encrypting the messages with a key that is usually made available by the authentication process.

Because sensor networks are physically accessible, tamper-resistance is also needed next to these four basic security requirements. This will be a difficult task, especially within the cost constraints of these small sensor nodes [8]. The redundancy of the system should help in detecting false nodes, because they are inconsistent with the surrounding nodes.

C. Challenges

- Security protocols and encryption algorithms have to operate at ultra-low energy budgets. Current state-of-the-art protocols and algorithms are not being developed for this purpose. Next to this, communications in the form of radio transmissions have to be weighed against computations. Traditional security protocols only consider computational requirements.
- There might be large numbers of nodes, thousands in, e.g., building environments. This means that ad-hoc peer to peer communications are established, without the availability of a trusted higher authority that oversees distribution of keys or verifies identities.
III. A security architecture for DSNs

A security architecture consists of all security measures and techniques that are put into place in order to protect some system. Such an architecture can be seen as a layered structure in which the measures in the higher levels use the services provided by the lower levels:

1. Cryptographic primitives are building blocks that are used by all higher level security protocols. Symmetric key block ciphers and digital signatures are well known examples. Power consumption of these building blocks is critical in energy constrained environments such as DSNs [9].
2. Key management and authentication are probably the most important security protocols, as they are necessary for more advanced protocols such as secure routing systems [10]. A key management scheme should provide functionality to securely distribute secret keys between the different nodes in the network. For example, in [11][12] a distributed CA (Certification Authority) is proposed. Using the different properties of advanced secret sharing schemes, the distributed CA and the resulting PKI (Public Key Infrastructure) can be made very flexible and robust. Broadcast authentication is extensively described in [13].
3. The security policy defines the "rules" that the nodes have to obey. For example "only send the blood pressure information of this patient to that doctor's device", etc. Obviously, setting a policy is difficult and it will have to be continuously reviewed. Stajano and Anderson propose a policy for ad-hoc networks based on the behavior of ducklings: the first node a new node (duckling) connects to becomes its master (mother). From then on it will only listen to this mother node [7].

IV. Conclusions

In this paper we have discussed the most important issues concerning security for distributed sensor networks. We have shown that addressing these issues proves to be a challenging task. Existing security mechanisms have not been designed for the highly restricted resources of the sensor nodes and thus new designs are required. Next to this, the ad-hoc and dynamic character of DSNs makes life hard for the designers, as they can no longer rely on fixed control points such as firewalls or trusted key distribution centers. Finally, we have provided some pointers to the state-of-the-art in DSN network security.
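The duckling policy of Stajano and Anderson described in item 3 of Section III, as an added example that is not code from this paper or from their work: a node imprints on the first master that contacts it and afterwards executes only commands authenticated by that mother's key, until the mother "kills" it and it becomes imprintable again. The HMAC-SHA256 tag, the command names and the key lengths are assumptions; replay protection is deliberately left out.

```python
import hmac
import hashlib


def tag(key: bytes, cmd: bytes) -> bytes:
    """Message authentication tag a master attaches to a command (assumed HMAC-SHA256)."""
    return hmac.new(key, cmd, hashlib.sha256).digest()


class DucklingNode:
    """Sensor node following the resurrecting-duckling imprinting policy."""

    def __init__(self) -> None:
        self.mother_key = None  # None means the node is imprintable (no mother yet)

    def imprint(self, key: bytes) -> bool:
        """First contact wins: a key is accepted only while the node has no mother."""
        if self.mother_key is not None:
            return False
        self.mother_key = key
        return True

    def receive(self, cmd: bytes, cmd_tag: bytes) -> str:
        """Obey a command only if its tag verifies under the mother's key."""
        if self.mother_key is None:
            return "ignored:not-imprinted"
        if not hmac.compare_digest(tag(self.mother_key, cmd), cmd_tag):
            return "rejected"  # origin not authenticated: not the mother
        if cmd == b"KILL":
            self.mother_key = None  # death: the node becomes imprintable again
            return "killed"
        return "executed:" + cmd.decode()


def demo() -> list:
    """Walk through imprinting, a rogue master, a kill and a re-imprint (constructed keys)."""
    mother_key = b"M" * 16    # constructed sample key of the legitimate master
    rogue_key = b"R" * 16     # constructed sample key of another node
    node = DucklingNode()
    return [
        node.imprint(mother_key),                             # True: first contact
        node.imprint(rogue_key),                              # False: already imprinted
        node.receive(b"REPORT", tag(rogue_key, b"REPORT")),   # rejected: wrong key
        node.receive(b"REPORT", tag(mother_key, b"REPORT")),  # executed
        node.receive(b"KILL", tag(rogue_key, b"KILL")),       # rejected: only mother may kill
        node.receive(b"KILL", tag(mother_key, b"KILL")),      # killed: back to imprintable
        node.imprint(rogue_key),                              # True: new life, new mother
    ]


if __name__ == "__main__":
    print(demo())
```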
References
[1] "Center for embedded networked sensing (CENS)," http://cens.ucla.edu/.
[2] "PicoRadio, the Berkeley Wireless Research Center PicoRadio project," http://bwrc.eecs.berkeley.edu/Research/Pico_Radio/.
[3] "Wireless integrated network sensors (WINS)," http://www.janet.ucla.edu/WINS/.
[4] "MIT µAMPS (µ-adaptive multi-domain power aware sensors) project," http://www-mtl.mit.edu/research/icsystems/uamps/.
[5] Wei Ye, John Heidemann, and Deborah Estrin, "An energy-efficient MAC protocol for wireless sensor networks," in Proceedings of the 21st International Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 02), New York, NY, USA, June 2002.
[6] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "A survey on sensor networks," IEEE Communications Magazine, 2002.
[7] Frank Stajano and Ross Anderson, "The resurrecting duckling: Security issues in ad-hoc wireless networks," in Proceedings of the 7th International Workshop on Security Protocols, B. Christianson, B. Crispo, and M. Roe, Eds., Lecture Notes in Computer Science, Springer-Verlag, 1999.
[8] R. Anderson and M. Kuhn, "Tamper resistance – a cautionary note," in Proceedings of the 2nd USENIX Workshop on Electronic Commerce, Oakland, California, Nov. 1996, pp. 1–11.
[9] Stefaan Seys and Bart Preneel, "Cost evaluation of efficient digital signature schemes for low power devices," Internal Report STS–0301, K.U.Leuven, ESAT, SCD/COSIC, 2003.
[10] Vesa Kärpijoki, "Security in ad hoc networks," in Seminar on Network Security, Helsinki University of Technology, Telecommunications Software and Multimedia Laboratory, 2000. Online: http://www.tml.hut.fi/Opinnot/Tik-110.501/2000/.
[11] Stefaan Seys and Bart Preneel, "Authenticated and efficient key management for wireless ad hoc networks," in Proceedings of the 24th Symposium on Information Theory in the Benelux, Veldhoven, The Netherlands, May 2003, pp. 195–202.
[12] L. Zhou and Z. Haas, "Securing ad hoc networks," IEEE Network Magazine, Special Issue on Network Security, vol. 13, no. 6, Nov./Dec. 1999.
[13] Adrian Perrig and J. D. Tygar, Secure Broadcast Communication in Wired and Wireless Networks, Kluwer Academic Publishers, 2003.