CSC 774 Advanced Network Security. Outline. Related Work

(1)

1

Computer Science

CSC 774 Advanced Network Security

Topic 6.3 Secure and Resilient Time

Synchronization in Wireless Sensor Networks

2

Computer Science

Outline

• Background of Wireless Sensor Networks

• Related Work

• TinySeRSync: Secure and Resilient Time

Synchronization

• Conclusion and Future Work

Related Work

• NTP and GPS are not practical for sensor networks.

• Recent time synchronization techniques.

– Single-hop Pair-wise Time Synchronization. • Receiver-Receiver based schemes.

– Elson et al., ACM SIGOPS’02; • Sender-Receiver based schemes.

– Ganeriwal et al., SenSys’03; – Global Time Synchronization.

• Clock distribution schemes, – Maroti et al., SenSys’04; • Clock agreement schemes. – Li and Rus, INFOCOM’04;

S R t1 t2 t4 t3 Sender-Receiver based S 1 2 S 1 2 t1 t2 t2 t1 Sender-Receiver based

(2)

4

Computer Science

Threats

• Single-hop Pair-wise Time

Synchronization.

– No message authentication.

• Manzo et al., SASN’05; Ganeriwal et al., Wise’05

– Time sensitive.

• Jam and Replay attacks: Ganeriwal et al., Wise’05

• Global Time Synchronization.

– Insider attacks

S Malicious Node Victim Nodes 5 Computer Science

Our Contributions

• TinySeRSync:

– Phase I

• Secure

single-hop pair-wise

time synchronization

– Phase II

• Secure and resilient

global

time synchronization

Phase I:

Secure Single-hop Pair-wise Time

Synchronization

(3)

7

Computer Science

Overview

• Goal:

– Achieve time difference between two neighbor

nodes in hostile environment.

• Existing work

– Secure TPSN

(Ganeriwal et al., Wise’05)

– Problems with secure TPSN

• Our work:

– Prediction-based MAC layer timestamp.

– Hardware-assisted, authenticated MAC layer

timestamp.

8

Computer Science

Secure TPSN

• Ganeriwal et al., Wise’05

• Estimate time difference and

transmission delay.

– Security condition:

• d < maximum expected delay.

– KAB : secret key shared between A

and B.

– MIC: message integrity code

M1={A,B,t1,Req, MIC[K AB](A,B,t1,Req)} A B t1 t2 t4 t3 time

M2={B,A,t2,t3,Rep, MIC

[KAB](B,A,t2,t3,Rep)}

2 1 4 3

( ) ( )_{is the time difference.} 2

t!t !t!t " =

2 1 4 3

( ) ( )_{is half of the transmission delay.} 2

t t t t d= ! + !

Problems in Secure TPSN

• Authenticated MAC layer timestamp.

– MIC must be available when radio sends the MIC field.

• Software solution in Secure TPSN

– Calculate MIC using TinySec (Karlof et al. SenSys’04)

– Works for low data rate radio (e.g., 38.4 kbps in CC1000 used by MICA2).

– Does not work for high data rate radio (e.g.,

250kbps in CC2420 used by MICAz). MICCRC …... a1 1 a2 2 3 a3 4 a4 b1 b2 b3 b4 5 6 7 8 Vcc1 0 GND 0 CPU

(4)

10

Computer Science

Prediction-based MAC Layer Timestamp

• Sender side:

– When channel is clear, it add sending time = current time + constant delay △. △ = 399.29 us.

• Receiver side:

– When the SFD field is received, it records the time as receiving time.

11 Computer Science

Delay Uncertainty

cpu Radio Antenna

Accessing and adding timestamp , then send STXON command

Encoding symbol periods and preamble

cpu Radio Antenna Decoding of SFD Interrupt handling Propagation of SFD Accessing timestamp Sender Receiver t2 t3 Encoding of SFD Propagation of SFD Decoding of SFD Interrupt handling Accessing timestamp Encoding SFD

Accessing and adding timestamp , then send STXON command

Encoding symbol periods and preamble

Hardware-assisted, Authenticated MAC

Layer Timestamp

• Hardware security support in CC2420

– Two modes

• stand-alone mode: 128 bit AES encryption on message

in stand-alone buffer.

• in-line mode:

– begin encryption when message are being sent out; – begin decryption after the whole message is received.

• Using in-line mode, CC2420 can generate a

(5)

13

Computer Science

Distribution of Secure Single-hop Pair-wise

Synchronization Error

• Experimental result (1 tick = 8.68us)

0.00% 0.01% 0.71% 8.43% 67.76% 19.84% 3.15% 0.09% 0.01% 0% 10% 20% 30% 40% 50% 60% 70% 80% -4 -3 -2 -1 0 1 2 3 4

Synchronization Error (tick)

Percentage

14

Computer Science

Phase II:

Secure and Resilient Global Time

Synchronization

Overview

• Goal: a network-wide time synchronization.

• The algorithm.

• Local broadcast authentication

– uTESLA (

Perrig et al., IEEE S&P’01

)

– Our work: short delayed uTESLA

(6)

16

Computer Science

Secure and Resilient Global Time

Synchronization Algorithm

 Each node i maintains a local clock time Ci.

1 2 3 5 6 4 7 8 9 S 17 Computer Science

Secure and Resilient Global Time

Synchronization Algorithm

 For each neighbor node j, node i maintains a

single-hop pair-wise time difference δi,j.

1 2 3

5 6

4

7 8 9

S

Secure and Resilient Global Time

Synchronization Algorithm

 A source node S broadcasts its local time CS

periodically. 1 2 3

5 6

4

7 8 9

(7)

19

Computer Science

Secure and Resilient Global Time

Synchronization Algorithm

periodically.

 Each direct neighbor node i of node S can

obtain a source clock difference δi,S from node

S directly. Then, it broadcasts δi,S.

1 2 3 5 6 4 7 8 9 S 20 Computer Science

Secure and Resilient Global Time

Synchronization Algorithm

periodically.

obtain a source time difference δi,S from node S

directly. Then, it broadcasts δi,S.

 For other nodes, to tolerate up to t malicious

neighbor nodes, each node i needs to obtain at

least 2t+1 source time differences through

different neighbor nodes. Node i chooses the

median one as δi,S . Then it broadcasts δi,S.

1 2 3

5 6

4

7 8 9

S

Secure and Resilient Global Time

Synchronization Algorithm

periodically.

obtain a source time difference δi,S from node S

directly. Then, it broadcasts δi,S.

 For other nodes, to tolerate up to t malicious

neighbor nodes, each node i needs to obtain at

least 2t+1 source time differences through

different neighbor nodes. Node i chooses the

median one as δi,S . Then it broadcasts δi,S.

 Each node i can estimate the global clock CS by

CS = Ci+δi,S. 1 2 3 5 6 4 7 8 9 S

(8)

22

Computer Science

How to Distribute Global Synchronization

Messages?

• Unicast

– Messages authenticated by secure pair-wise key.

–

Conclusion: too heavy communication overhead

and substantial message collisions. Scalability

problem

• Broadcast

– Can reduce the communication overhead.

– Require local broadcast authentication.

• Digital signature is too expensive for sensor nodes.

• uTESLA

23

Computer Science

Overview of uTESLA

• Perrig et al., IEEE S&P’01

• Sender:

– Generate one-way key chain, Ki=F(Ki+1), 0 ≤ i ≤n-1

– Release the commitment K0

– Use key Ki for all messages sent in time interval Ii, and disclose Ki in

Ii+d

• Receiver:

– Security condition: the key has not been disclosed by the sender when the messages are received.

– Verify Ki=F(Ki+1) Time ... I1 In-1 In T1 T0 T2 Tn-2 Tn-1 Tn I2 Kn Kn-1 K1 K0 F F K2 F ... F F

Using uTESLA in Time Synchronization?

• Problems:

1. uTESLA itself requires loose pair-wise time

synchronization.

2. Delayed authentication causes clocks drift away

again.

(9)

25

Computer Science

Short Delayed uTESLA

• Tight single-hop pair-wise time synchronization.

• Too short time intervals waste a lot of keys in a key

chain.

• Interleaved short and long intervals.

– Short interval (r) : A sender broadcasts authenticated synchronization message.

– Long interval (R) : A sender discloses the key used in last short interval.

Mi Ki Time Sender A Receiver B ti r R r R r R r R Time 26 Computer Science

Short Delayed uTESLA (Cont.)

• Receiver:

– Security condition: the message is sent in the sender’s last

short interval.

(t

i

-T

0

+△+δ

max

) < i*(r+R)+r.

△: single-hop pair-wise time difference

δmax: maximum synchronization error

– Verify K

i

=F(K

i+1

)

Security Property

• External attacks

– Message authentication.

– Security condition.

• Internal attacks

– Use the median of

2t+1

source clock differences

through different neighbors to tolerate up to

t

insiders.

(10)

28

Computer Science

Experimental Evaluation

• Software package

– TinySeRSync

• MICAz motes running TinyOS

• 35 files

• Providing 8 interfaces

• Code size in MICAz

• Parameters

1 second

uTESLA long interval

100 key chain length

4 seconds pair-wise

synchronization interval

10 ms

uTESLA short interval

0, 1, 2, 3, 4 Tolerance (t) 10 seconds global synchronization interval 60 # of MICAz nodes 1961 RAM 24814 Program memory Bytes Memory 29 Computer Science

Network Deployment

Data Collection

• Sink node

– Broadcast reference messages to all the nodes.

– Query each node one by one at different time.

• All the nodes

– When receiving a reference message

• Records the current global time when the message is

received at MAC layer.

– When receiving a query message

• Send the buffered global time information to the sink

node.

(11)

31

Computer Science

Synchronization Error

• Precision achieved: tens of microseconds

0 2 4 6 8 10 12 14 16 0 1 2 3 4 Tolerance (t) Synchronization Error (tick)

Avg. Error Max. Error

1 tick = 8.68 us

32 Computer Science

Synchronization Rate

• When t=4, 95% in 3 rounds

60 65 70 75 80 85 90 95 100 0 1 2 3 4 Tolerance (t) P er ce n ta g e One Round Two Rounds Three Round

Communication Overhead

10440 9720 9200 9400 9600 9800 10000 10200 10400 10600 5 10

Global synchronization interval (seconds)

Number of messages

(12)

34

Computer Science

Incremental Deployment

• Average synchronization error (left Y-axis)

• Synchronization rate when t=2 (right Y-axis)

1.E+00 1.E+01 1.E+02 1.E+03 1.E+04 1.E+05 1.E+06 1.E+07 1.E+08 1.E+09 1.E+10 0:0 9:000:09:100:09:200:09:300:09:400:09:500:10:000:10:100:10:200:10:300:10:400:10:500:11:000:11:100:11:200:11:300:11:400:11:500:12:00 time (hh:mm:ss) microseconds 0 10 20 30 40 50 60 70 80 90 100 percentage

Avg Sync Error Sync Rate

35

Computer Science

Conclusion

• TinySeRSync:

– Secure single-hop pair-wise time synchronization

• Between two nodes

• The building block of global time synchronization.

– Secure and resilient global time synchronization

• In the whole network