
over asymmetric ones because of the computational advantage and the comparatively small key sizes. The problems arise in the setup phase of the network where shared secrets need to be distributed either by the manufacturer at production time or by clever protocols at deployment time [4, 79].

For stronger adversaries, active attacks like impersonation and node capture must be taken into account. Ideally, sensor nodes should be made tamper proof to prevent node capture, e.g., by applying technology known from smart cards or secure processing environments. There, memory is shielded by special manufacturing techniques, which makes it more difficult to physically access the stored information [3]. Similarly, sensor nodes could be built in a way that they lose all their data when they are physically tampered with by unauthorized entities.

For large sensor networks, cost considerations will demand that sensor nodes are not tamper proof. Therefore, node capture must be taken into account. A first step to protect a sensor network from node capture against a local or partially present adversary is to use locally distributed protocols that can withstand the capture of a certain fraction of nodes in the relevant parts of the network. We give examples of such protocols in Chapters 5 and 6 of this thesis.

2.7 Conclusions

We have described security goals, adversary models and protection mechanisms which are relevant and specific for sensor networks. There are a lot of interesting problems and open questions in this area:

• Realistic adversary models should be derived with respect to existing and future applications. Here, experiences with GSM and WLAN security (and security failures) can be used as a guideline, but every application needs to define its own adversary model to be able to talk about security.

• What other attack possibilities exist for sensor networks, and how much effort do they require? For example, are software-based node capture attacks a real threat? Are side-channel attacks on sensor nodes possible? We believe both to be true, but we are unaware of any work which has tried it.

• As cross-layer integration is especially important for resource-constrained sensor nodes, careful design decisions must be taken concerning which security means to put into which layer. For example, TinySec [84], a link layer encryption and message integrity protection mechanism, is integrated into the radio stack of MICA Motes.

• Building secure sensor networks, especially with respect to an active adversary, remains a challenge. Can it be done by combining existing solutions, such as random key predistribution, secure routing, secure data aggregation, or would it be too expensive in terms of energy?

Overall, we speculate that probabilistic algorithms which exploit the redundancy of the sensor network to cause high effort for the adversary will be good candidates to establish security in such networks. These algorithms are not suitable to establish perfect security, but offer better scalability and save resources. The security goals of sensor networks will be probabilistic and depend on the strength of the adversary.

Chapter 3

Access Control Issues in Wireless Sensor Networks

3.1 Introduction

In contrast to traditional types of computer networks, sensor networks are supposed to be application-specific. This means that the design of a sensor network will depend on its application area. Moreover, resource-efficiency will ask for cross-layer optimization rather than for clearly layered protocol design of the ISO/OSI or TCP/IP style. Therefore, the intended application of the sensor network will affect many aspects of the network, from hardware and radio communication to topology control, routing mechanisms and communication patterns. Sensor networks for habitat monitoring, home automation, wildfire detection, supply chain management etc. will differ considerably from each other. Thus, it is difficult to design security solutions for an “abstract” sensor network. On the other hand, it would be useful to have security solutions for specific design patterns which are likely to be present in many sensor networks.

In this thesis, we assume that the considered sensor networks operate according to the following paradigm. The sensor network is spread over some geographic area (it can also be a building) and consists of a large number of nodes. The maintainer of the sensor network offers services to a large number of users. The users can post queries to the sensor network. These queries are propagated into the network, the requested data is collected and sent back to the user. We believe this paradigm to be generic and useful for many applications.

In a formal notation, we describe the procedure for the user U to get the service from the sensor network WSN as follows:

U → WSN : q
WSN → U : a(q)

The user sends a query q to the WSN, and receives the answer a(q) to this query.

With the security goals from Section 2.3 in mind, a robust, confidential and mutually authenticated communication channel should be implemented between the user and the WSN. This channel would guarantee authenticity of the communication partners and integrity, confidentiality and availability of the messages.

One of the most obvious methods to set up such a channel is to set up individual channels between the user and every single sensor node. However, this solution contradicts the concept of sensor networks which includes cooperation between the sensor nodes such as multi-hop communication, in-network data processing and aggregation of the requested data while it is transported to the user. A secure authenticated channel between two entities implies that nobody can interfere in the channel, which excludes any cooperation.
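The conflict described above can be made concrete with a small model. This is an added example, not code from the thesis: it models only the authenticity and integrity part of the per-node channel with HMAC-SHA256, and the keys, readings, query string and chain topology are constructed assumptions.

```python
import hashlib
import hmac

QUERY = b"avg-temp?"  # constructed query q

def tag(key: bytes, node_id: int, query: bytes, reading: int) -> bytes:
    """MAC binding a reading to its node and to the query it answers."""
    msg = node_id.to_bytes(2, "big") + query + reading.to_bytes(4, "big", signed=True)
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_individual(keys: dict, query: bytes, reports: list) -> bool:
    """User side: every (node_id, reading, tag) must verify under that node's key."""
    return all(
        nid in keys and hmac.compare_digest(t, tag(keys[nid], nid, query, r))
        for nid, r, t in reports
    )

def aggregate_in_network(reports: list):
    """Intermediate node sums the readings. It holds none of the user-node keys,
    so the per-node tags are dropped and the sum carries no authentication."""
    return sum(r for _, r, _ in reports), None

def transmissions_on_chain(n: int, aggregated: bool) -> int:
    """Radio transmissions on a chain of n nodes with the user at one end."""
    # End-to-end: node i's report is relayed over i hops, so 1 + 2 + ... + n.
    # Aggregated: each node forwards one running sum, so n.
    return n if aggregated else n * (n + 1) // 2

def demo():
    # Constructed per-node keys shared only between the user and node i.
    keys = {i: hashlib.sha256(b"constructed-key-%d" % i).digest() for i in range(1, 6)}
    readings = {1: 21, 2: 22, 3: 20, 4: 23, 5: 24}  # constructed sensor values
    reports = [(i, r, tag(keys[i], i, QUERY, r)) for i, r in readings.items()]
    ok = verify_individual(keys, QUERY, reports)
    # A relay that changes one reading in transit is detected by the user.
    tampered = [(i, r + 10 if i == 3 else r, t) for i, r, t in reports]
    tampered_ok = verify_individual(keys, QUERY, tampered)
    # Aggregation yields the answer in one message, but with nothing to verify.
    total, agg_tag = aggregate_in_network(reports)
    return ok, tampered_ok, total, agg_tag

if __name__ == "__main__":
    print(demo())
    print(transmissions_on_chain(5, False), transmissions_on_chain(5, True))
```

The per-node channels detect any change made by a relay, which is exactly why a relay cannot legitimately combine readings, and the user pays for that guarantee in relayed traffic.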

Therefore, other solutions are required in sensor networks. In the following, we consider an interesting subproblem that arises in securing sensor networks with the described communication pattern: access control to the sensor network data.

The problem of access control can be considered as restricting access to resources to privileged entities [106]. That is, only legitimate users should be able to access the data.

Which possibilities does an adversary have for gaining unauthorized access to the data? On the one hand, the adversary can try to impersonate a legitimate user. Thus, the sensor network should implement an access control procedure for the users. On the other hand, the adversary can also attack other mechanisms and protocols of the sensor network. This means that the access control mechanism for the users (outside security, see Section 2.3) as well as internal mechanisms, e.g., routing, in-network processing and data aggregation (inside security), should be secure against the considered adversary type.

The most severe security breach with respect to access control to the data is the possibility for the adversary to send arbitrary queries to the sensor network. In this case, the adversary would receive the same service as legitimate users. In this thesis we consider the mechanisms that prevent