Researcher: Adrian Perrig
Research Area: Next Generation Secure and Available Networks
Secure Communication in Sensor Networks
Today, wireless sensor networks are in use for a wide variety of applications: ocean and wildlife monitoring, earthquake monitoring, manufacturing, building safety monitoring, and many military applications. An even wider spectrum of future applications can be envisioned, such as real-time traffic monitoring, pollution tracking, home surveillance, fire and people sensors in buildings and other smart environments, wildfire tracking, water quality sensors, and continuous heart-rate monitoring. A major benefit of these systems is that they can perform in-network processing to reduce large streams of raw data into useful aggregated information. It is critical to protect this information.
It is also exciting to realize that, since wireless sensor networks are in their infancy, we have the opportunity to design security into the systems from the beginning. This is not an easy problem and many challenges exist. Sensor networks pose unique new challenges, resisting direct application of traditional security techniques. First, to make sensor networks economically viable, sensor devices are very limited in their energy, computation, and communication capabilities. Second, in contrast to traditional networks, sensor nodes are often deployed in physically accessible areas, presenting a risk of physical attacks. Third, sensor networks interact closely with their physical environment, posing new security problems.
Sensor networks’ main tasks are to collect information from a large number of sensors and send it to the base station or other sensors for further processing or answering queries. Broadcast and point-to-point communication are the two fundamental communication primitives. Much research has been done in this area, but most previous research assumes a trusted environment where sensor nodes cooperate in the absence of malicious attackers. However, many sensor networks require secure communication primitives, especially applications in national security, critical infrastructures, and the military.
Ensure message delivery, even when under attack. In current sensor network broadcast and routing protocols, an attacker can easily inject false routing information that could prevent other nodes from communicating. With a few exceptions, all sensor network routing protocols designed to date assume a trusted environment and cannot function under attacks. We plan to systematically investigate how to secure different types of routing protocols in sensor networks, including spanning-tree-like node-to-base-station protocols, protocols based on directed diffusion, cluster-based routing protocols, and geographic routing protocols. In our preliminary work, we have designed new security mechanisms that provide the first efficient solution for spanning-tree-like node-to-base-station routing that is secure against blackhole attacks. We plan to extend our preliminary results and build security solutions for other types of routing protocols in sensor networks as well. We also plan to investigate quantitative metrics for evaluating secure routing protocols.
Ensuring message delivery is one of the most essential requirements in sensor network communication. Researchers have proposed different approaches to provide efficient routing for point-to-point communication [1, 6, 10, 12, 13, 15, 18, 20, 21] and broadcast communication [2, 5, 16, 17, 19]. However, these previous works on sensor network routing assume a trusted environment, where all sensor nodes cooperate and no attacker is present. So far, very little work has been done in secure sensor network routing protocols, and we are not aware of any published work to provide efficient broadcast that is resilient to attacks.
Our focus in this research is to explore new approaches that enable efficient routing and broadcast in the presence of attackers.
Considering the network topology graph of a sensor network, we say a routing protocol ensures message delivery if, whenever there exists a path from a sender to a receiver that consists of only legitimate nodes, the routing protocol will always ensure that the message reaches the receiver (within a reasonable time delay).
Ensuring node-to-node and broadcast message delivery is an extremely challenging task, as an attacker can easily inject malicious routing information to perturb the routing or broadcast protocol. Almost all previous routing protocols for sensor networks rely on correct routing information to enable message delivery. However, in the presence of an attacker, it is an extremely challenging task to ensure correct routing information: the attacker could inject malicious routing information or alter routing setup/update messages from legitimate nodes; even when route setup/update messages are authenticated, compromised sensor nodes can supply wrong routing information of their own and cripple the routing infrastructure. Bogus routing information from compromised sensor nodes is one of the most severe routing attacks against almost all existing routing protocols in sensor networks, as also shown in other researchers’ studies. In our previous work and other researchers’ previous work, we have identified several severe routing protocol attacks [7, 11], and so far no routing protocols are secure against all the following attacks: forming a routing loop, general DoS attacks, the Sybil attack, the blackhole attack, the wormhole attack, and the rushing attack.
Denial of service could also occur by physically tampering with captured nodes, possibly even extracting sensitive material such as cryptographic keys. The captured node might be rendered unavailable or, worse, be used for further denial-of-service or other security attacks. After inserting new nodes or capturing existing nodes, an adversary can instigate many other denial-of-service attacks. The adversary can cause a collision among packets by ignoring the MAC protocol and transmitting while a neighbor is also transmitting. The adversary can exhaust the energy of a node in many ways, e.g., by continuously requesting channel access with an RTS (request-to-send), thereby eliciting a CTS (clear-to-send) response. A node can subvert the routing protocol by misdirecting packets, discarding packets, sending redundant packets, giving high priority to its own packets, or advertising that it has a zero path cost to destinations, causing a routing black hole in the network.
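The delivery property defined above can be checked mechanically on a small graph. The following Python sketch is an added example, not code from the research described here; the topology, node names and the lowest-advertised-cost forwarding rule are constructed assumptions. It shows the property holding with honest cost advertisements and failing once a compromised node advertises a zero path cost, even though a path of legitimate nodes still exists.

```python
from collections import deque

# Constructed topology (not from the page). "S" is the sender, "BS" the base
# station, "X" a compromised node whose only link is to S.
LINKS = {("S", "A"), ("A", "B"), ("B", "BS"), ("S", "X")}
COMPROMISED = {"X"}

def neighbors(node):
    return sorted({b if a == node else a for a, b in LINKS if node in (a, b)})

def hop_costs(dst, allowed=None):
    """BFS hop count to dst; if `allowed` is given, only those nodes are used."""
    cost, queue = {dst: 0}, deque([dst])
    while queue:
        cur = queue.popleft()
        for n in neighbors(cur):
            if n not in cost and (allowed is None or n in allowed):
                cost[n] = cost[cur] + 1
                queue.append(n)
    return cost

def legit_path_exists(src, dst):
    """Precondition of the delivery property: a path of legitimate nodes only."""
    legit = {n for link in LINKS for n in link} - COMPROMISED
    return src in hop_costs(dst, allowed=legit)

def deliver(src, dst, advertised):
    """Each node forwards to the neighbor advertising the lowest path cost."""
    cur = src
    for _ in range(len(advertised)):  # bound the walk so loops terminate
        if cur == dst:
            return True
        if cur in COMPROMISED:
            return False  # blackhole: the packet is discarded
        cur = min(neighbors(cur), key=lambda n: advertised[n])
    return cur == dst

def ensures_delivery(src, dst, advertised):
    """The property fails only when a legitimate path exists but delivery fails."""
    return (not legit_path_exists(src, dst)) or deliver(src, dst, advertised)

honest = hop_costs("BS")      # every node reports its true hop count
forged = dict(honest, X=0)    # X advertises a zero path cost
```

With `honest` the packet follows S, A, B, BS; with `forged` it is handed to X and dropped, so `ensures_delivery` is false although the legitimate path is unchanged.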
Secure Routing. Current routing protocols suffer from many security vulnerabilities. For example, an attacker can easily perform denial-of-service attacks on the routing protocol, often preventing communication. The simplest attacks consist of injecting malicious routing information into the network that results in routing inconsistencies.
Simple authentication can guard against such injection attacks, but some routing protocols are even susceptible to replay of legitimate routing messages by the attacker.
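The difference between authentication alone and authentication with freshness can be seen in a receiver-side check. This Python sketch is an added example, not the mechanism proposed in this research; the message layout, the shared demo key and the per-sender counter are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: key shared by sender and receiver
BODY_LEN, TAG_LEN = 8, 32      # 2-byte id, 4-byte counter, 2-byte cost; SHA-256 tag

def make_update(sender_id, counter, cost, key=KEY):
    """Routing update = sender id | counter | advertised cost | HMAC-SHA256 tag."""
    body = struct.pack(">HIH", sender_id, counter, cost)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key=KEY, check_freshness=True):
        self.key = key
        self.check_freshness = check_freshness
        self.last_counter = {}  # sender id -> highest counter accepted so far

    def accept(self, msg):
        """Return (sender_id, cost) if the update is accepted, else None."""
        if len(msg) != BODY_LEN + TAG_LEN:
            return None
        body, tag = msg[:BODY_LEN], msg[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # injected or altered update
        sender_id, counter, cost = struct.unpack(">HIH", body)
        if self.check_freshness:
            if counter <= self.last_counter.get(sender_id, -1):
                return None  # replay of an old, validly authenticated update
            self.last_counter[sender_id] = counter
        return sender_id, cost
```

A receiver built with `check_freshness=False` accepts the same captured update every time it is resent; the default receiver accepts it once. Neither check helps when the sender itself is compromised and holds the key, which is the case discussed earlier for bogus routing information from compromised nodes.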
We plan to investigate systematically how to secure different types of routing protocols in sensor networks. Different applications require different types of routing protocols, and different types of routing protocols have different attacks and weaknesses that require different security mechanisms. We will study how to efficiently secure spanning-tree-like node-to-base-station routing protocols, directed diffusion protocols, geographic routing protocols, and cluster-based routing protocols.
Ensuring packet delivery for broadcast communication. Guaranteeing message delivery for broadcast protocols is essential. Efficient sensor network broadcast protocols rely on setting up frameworks for forwarding information, for example clusters [5, 6, 13, 17] or minimum-weight spanning trees [2, 16, 19]. However, the problem of ensuring delivery of broadcast messages and preventing attacks has not yet been considered.