Harald Vogt
Department of Computer Science
ETH Zurich, Switzerland
vogt@inf.ethz.ch
We also assume a synchronous system, by which we frequency, could bear important information.
Proceedings of the 25th IEEE International Conference on Distributed Computing Systems Workshops (ICDCSW’05)
1545-0678/05 $20.00 © 2005 IEEE
We will not consider attacks that emanate from outside message travels only on one physical path. They also im-
of the network, for example from a powerful device that has pose easier requirements on node deployment, since inter-
a wide radio range (compared to devices in the network) leaved authentication is possible even if only one physical
and superior computational power. We assume that all di- communication path exists.
rect communication links are secured (authenticated and en-
crypted) through locally shared keys. 3.1 Local Key Agreement
We will also rule out simple denial of service attacks,
since their value is limited to an adversary and they can be We assume that any two nodes are in principle able to
easily recognized. We assume that a major goal of the at- agree on a shared secret key. Generally, this is achieved
tacker is to prevent the user (i.e. consumer of reports issued through the help of a central, trusted party or a key pre-
by the sensor network) from learning that an attack is going distribution scheme [2, 4]. If the context of network de-
on. Only then it is possible to fool the user into accepting ployment allows for it, we can assume a time frame within
reports from the network that are manipulated by the adver- which no attack is possible and therefore all communication
sary. can be considered safe from eavesdropping and manipula-
tion. Within this time frame, nodes could exchange keys in
3 Interleaved Authentication plaintext, but after it has been closed, no further key agree-
ment would be possible.
In this section, we describe the Canvas communication Pre-distribution of keys enables each pair of nodes to es-
protocol for protecting the integrity of messages travelling tablish a common key (at least, with high probability). Gen-
through a network. The core idea of the protocol is to re- erally, this is affordable for two arbitrary nodes only if they
strain malicious nodes from manipulating messages by im- are either close to each other (which induces only a small
plicitly monitoring their actions. Interleaved authentication communication overhead) or, for distant nodes, if the over-
can handle sets of collaborating nodes up to a certain size, head pays off due to special requirements. Shared keys be-
depending on a parameter . This parameter determines the tween very distant nodes are thus likely to be scarce.
neighbourhood of a node, i.e. a node must share keys with Before the Canvas protocol is used for communication,
all nodes within a radius of hops. For example, for , nodes agree with their neighbours on pairwise shared secret
keys. The number of keys a node has to store depends on
every node shares a distinct secret key with all other nodes
that are one or two hops away, i.e. direct neighbours and the topology of the network. In a grid network, for , a
their neighbours. node would have to store 24 such keys.
When communicating, a node relaying a message gener- In a static network, this key negotiation phase would take
ates authentication codes, for the next nodes on the path place only once. In networks where nodes can be replaced
towards the target. Such a path is shown in Figure 1. A re- or are mobile, key agreement would take place whenever a
ceiving node expects authentication codes from different node appears in another node’s range. This event is then
nodes in order to accept a message. If at least one of them propagated to all nodes within a -hop distance, which
doesn’t match the message content, the message is rejected, would then also initate a key agreement with the new node.
so nodes have to agree on the message content to convince
the receiver that a message is genuine. This means that sets 3.2 Communication
of up to collaborating malicious nodes are prevented
from manipulating messages without being detected. When a message transmission is initiated, the message
source selects the first two hops on the path towards the tar-
get. How exactly these hops are chosen depends on the rout-
ing algorithm. In a static network using geographic rout-
ing, the source can choose the next hops independently,
since the positions of all neighbours within a -radius can
Figure 1. A communication path with inter- be assumed to be known (e.g., exchanged during key setup).
leaved message authentication ( ) Under other routing regimes or under different network dy-
namics, it might be necessary to negotiate the next hops
step-by-step. However, we will not elaborate on this pro-
We note that interleaved authentication paths are essen- cedure in this paper. For the presentation of the Canvas
tially equivalent to multiple communication paths on which protocol we will fix a parameter , but the extension to
node-to-node authentication is employed. Their properties other values is straightforward.
can be expected to be similar. However, interleaved paths For , the source, let’s call it ½ , computes two
are cheaper with regard to communication cost, since each authentication codes, one targeted at each of the follow-
Proceedings of the 25th IEEE International Conference on Distributed Computing Systems Workshops (ICDCSW’05)
1545-0678/05 $20.00 © 2005 IEEE
ing hops. Thus, the source authenticates the message to- simply when there are no more nodes left to which the mes-
wards two distinct nodes. The message will then be passed sage could be sent. Otherwise, a destination address, such
on along the communication path only if both these nodes as a geographic location, could be included in . If a node
agree on the content of the message. close enough to this location receives the message, it would
In order to send a message on its way, the message terminate the protocol and start processing .
source ½ performs the following steps:
Compute two authentication codes: 3.3 Limits of Interleaved Authentication
½
MAC
and
MAC Given a parameter , interleaved authentication can tol-
. Send to :
I NIT
erate up to consecutive nodes on a communication
path. That means that for , single, isolated malicious
First, two authentication codes are computed using the
keys shared between and the next nodes on the path, nodes without malicious, cooperating neighbours, have no
and . Here, the authentication code comprises the mes-
effect on the network’s operation. However, larger groups
sage content
and the identity of . Next, sends a
of compromised nodes could manipulate messages.
message to , containing all information allowing and Since there is no direct authentication of a message be-
constructed by , performs the following steps:
mised nodes acting in the network. For example, the re-
ceiver of a message could occasionally send an acknowl-
Check if MAC matches the
edgement back to the source, including a hash code of a
recent message, deliberately choosing a path physically dif-
value contained in the message. If it
does, compute MAC
ferent from the path over which the original message ar-
and MAC . Send to :
rived. If such a path exists and can be used, and unless this
PASS
path has been compromised, the sender will learn whether
PASS
the Canvas protocol is a partitioning attack. An attacker
would have to break into a very limited number of nodes
only, comprising a narrow band of width that separates the
Here, we make no assumptions about when the protocol two parts, in order control all messages being sent between
terminates. In fact, the protocol could be seen as broadcast- the two parts. All paths between the partitions would lead
ing the message along the path, since all nodes have access through this band and would be subject to manipulation.
to the content of . The protocol would then terminate A node located in one part of the network could receive
Proceedings of the 25th IEEE International Conference on Distributed Computing Systems Workshops (ICDCSW’05)
1545-0678/05 $20.00 © 2005 IEEE
no authentic messages from the other part any more. We simulations with the following parameters: 250 nodes, ran-
therefore propose the shortcuts as an extension to the basic domly placed on a units area, communcation
Canvas protocol, described in the following subsection. range 100 units, 10 shortcuts per node (if applicable). The
neighbourhood was given by . The simulations were
3.4 Shortcuts run 10 times and the results averaged.
Fig. 3 compares the effectiveness of different authenti-
Shortcuts are links that are established between distant cation schemes under the partitioning attack. Each com-
nodes, i.e. nodes that are not in their mutual neighbourhood. promised node breaches a set of paths: all paths that end
Each node stores a certain, small, number of these keys that at that node, plus those paths that pass through the node
“re-enforce” the Canvas path from a message source to its and are controlled by the attacker. The left axis shows the
destination. When a message is sent, it is first routed to fraction of end-point-breached paths to all breached paths.
the shortcut node that is closest to the message target. On This means that under an end-to-end authentication scheme,
its way from the shortcut node to the destination, the mes- the value would always be 1 (only end-point-breached paths
sage is authenticated with the basic Canvas protocol. This are breached). To partition the network, the attacker com-
“last mile” is therefore much more weakly protected, but promises one node after the other in a band that goes verti-
the impact of such a short compromised path is much more cally through the area in the middle of it. As one can see,
localized than with basic Canvas only. the Interleaved (i.e., interleaved shortcuts) and the Short-
We can also build interleaved paths from shortcuts, as cut/Canvas schemes come close to the optimum. The others
for example shown in Fig. 2, to span very large distances. are much worse, i.e. an additional single compromised node
They can be built by local information only: Each node on has much greater impact. Of these others, basic Canvas per-
a segment from A to B (A and B sharing a key) looks if it forms best for few compromised nodes. (Hop-to-hop au-
finds an own shortcut node closer to the target than B. The thentication means that only traffic between neighbours is
MAC for the “best” such pair is then passed on by B. If no authenticated. This scheme performs worst of all and can
further shortcut node can be found, the last segment, which be slightly improved through shortcuts.)
is very short in most cases, can be bridged by basic Canvas.
Partitioning attack
End-point breached vs all breached paths
1
0.9
0.8
Figure 2. An long-distance interleaved au-
thentication path 0.7
0.6
0.5
The assignment of shortcut nodes can be made randomly 0.4
before the network is deployed, or nodes select their short- 0.3
cuts during operation, performing normal key agreement 0.2
with distant nodes they choose randomly, possibly based 0 5 10 15 20 25 30 35 40 45 50
on the traffic in the network. Pre-assignment, however, has Compromised nodes
Proceedings of the 25th IEEE International Conference on Distributed Computing Systems Workshops (ICDCSW’05)
1545-0678/05 $20.00 © 2005 IEEE
ready compromised nodes. 5 Related Work
Under the partitioning attack, the Canvas/Shortcut per-
forms nearly optimal (the optimum is all uncompromised Interleaved authentication was studied in [11] in a
nodes). The Interleaved scheme is not shown here, since slightly different context than ours. There, groups of sensor
its graph overlaps with the Canvas/Shortcut scheme almost node agree on a common value that is sent along a com-
completely. Thus, we have found an effective countermea- munication path towards a base station. Interleaved authen-
sure against the partitioning attack. tication is applied on the communication path, allowing it
to drop messages that have been manipulated. Interleaved
The concentrated attack (Fig. 4(b)) was carried out un- communication was, to our knowledge, first introduced in a
til more than ½ ¿ of all nodes were compromised. At paper by Craig and Reed [3] in order to increase network ef-
that point, consensus is not possible anymore. Both Inter- ficiency and reduce routing costs, but without any reference
leaved and Shortcut/Canvas can withstand such an attack to security or reliability.
very long.
6 Conclusion and Future Work
Shortcut/Canvas
150 Canvas Future work includes more and improved simulation sce-
Shortcut/Hop-to-hop
Hop-to-hop narios, protocol verification, investigation of applications
100 for interleaved authentication, and the general connection
between small-world [5] properties and security.
50
References
0
0 5 10 15 20 25 30 35 40 45 50
Compromised nodes [1] Paul Baran. On Distributed Communications Net-
works. IEEE Transactions on Communications Sys-
(a) Consensus (partitioning attack) tems, 12(1):1–9, 1964.
Proceedings of the 25th IEEE International Conference on Distributed Computing Systems Workshops (ICDCSW’05)
1545-0678/05 $20.00 © 2005 IEEE
Computing and Networking (MobiCom), pages 56–67.
ACM, 2000.
[7] B. Karp and H. T. Kung. GPSR: Greedy Perimeter
Stateless Routing for Wireless Networks. In Proc. of
MobiCom. ACM Press, 2000.
[8] Leslie Lamport, Robert Shostak, and Marshall Pease.
The Byzantine Generals Problem. ACM Trans. Pro-
gram. Lang. Syst., 4(3):382–401, 1982.
[9] Harald Vogt. Exploring Message Authentication in
Sensor Networks. In Proc. of European Workshop
on Security of Ad Hoc and Sensor Networks (ESAS),
LNCS. Springer-Verlag, 2004.
[10] Harald Vogt. Integrity Preservation for Communica-
tion in Sensor Networks. Technical Report 434, ETH
Zürich, Institute for Pervasive Computing, February
2004.
[11] Sencun Zhu, Sanjeev Setia, Sushil Jajodia, and Peng
Ning. An Interleaved Hop-by-Hop Authentication
Scheme for Filtering False Data Injection in Sensor
Networks. In IEEE Symposium on Security and Pri-
vacy. IEEE, 2004.
Proceedings of the 25th IEEE International Conference on Distributed Computing Systems Workshops (ICDCSW’05)
1545-0678/05 $20.00 © 2005 IEEE