Elsevier

Computers & Security

Volume 32, February 2013, Pages 36-55

A confidential and DoS-resistant multi-hop code dissemination protocol for wireless sensor networks

https://doi.org/10.1016/j.cose.2012.09.012

Abstract

Due to the open environment in which Wireless Sensor Networks (WSNs) are typically deployed, it is important to be able to authenticate transmitted data. In some applications it is also required that the data be kept confidential in spite of message interception. Authentication and confidentiality are typically implemented through cryptographic operations which may be expensive in power consumption, making a protocol with these features vulnerable to attack by an adversary who transmits forged data, so forcing nodes to waste energy in identifying it as invalid. Additionally, in multi-hop code dissemination protocols, a sensor node is required to broadcast its program image when requested by its neighbors. An adversary could repeatedly send spurious program image requests to its neighbors, making them exhaust their energy reserves. In this paper, we present a new approach to achieve confidentiality in multi-hop code dissemination. We propose countermeasures against both these types of attack. Our approach is based on Deluge, an open source, state-of-the-art code dissemination protocol for WSNs. We provide theoretical analysis and simulation/experimental results which show that our approach outperforms earlier attempts when a malicious code injector is present, as well as a performance evaluation of latency, energy consumption, dissemination rate, and other factors (Liu and Ning, November 2006).

Introduction

Code dissemination is the process of propagating a new program image or related commands to sensor nodes via wireless communication. This feature is necessary in Wireless Sensor Networks (WSNs) to provide bug fixes or new functionalities after the WSN has been deployed (Akyildiz et al., 2002).

Early code dissemination protocols (Jonathan et al., 2004; Stathopoulos et al., November 2003; Jeong and Culler, 2004; Reijers and Langendoen, 2003; Kulkarni and Arumugam, November 2004) concentrated on reliable program image transmission and minimal end-to-end update latency, but provided no security mechanisms. The lack of authentication of a program image broadcast imposes a vulnerability to the installation of arbitrary program images in WSNs. An adversary can simply capture one sensor node in a WSN and use it to inject a malicious program image into the network. Without a proper authentication mechanism, an adversary can take control of the entire WSN with minimal effort (i.e., with a single sensor node compromise).

Though authenticity is arguably the most important requirement in a secure code dissemination protocol, confidentiality is also imperative in some applications. For example, in environmental monitoring applications for military use, the updated program images should be kept secret as adversaries might gain information by examining new program images transmitted to the sensor nodes. In addition, even though digital signature has recently been shown to be feasible on sensor hardware platforms (Liu and Ning, 2008), it is still an expensive operation in wireless sensor nodes with respect to power consumption. Hence, when digital signature is used for authentication in code dissemination protocols (Dutta et al., 2006; Lanigan et al., 2006; Deng et al., 2006), an adversary can repeatedly broadcast forged data packets with an invalid signature to exhaust the power resources of the sensor node by causing spurious signature verifications (i.e., a signature-based DoS attack). Another DoS attack is similar to the Distributed DoS attack in the Internet (Handley and Rescorla, November 2006): in multi-hop code dissemination protocols, sensor nodes must broadcast their own program image to their neighbors in response to a request. Hence, an adversary can repeatedly send program image requests to its neighbors, making them rebroadcast the same program image, until the power resources of the request recipients are depleted (i.e., a request-based DoS attack). The goal of this paper is to present the design and implementation of a new approach to guarantee confidentiality as well as robustness against both of these types of DoS attack in multi-hop code dissemination protocols.

Section snippets

Review of code dissemination protocols

Deluge (Jonathan et al., 2004), currently distributed as part of TinyOS, is the de facto standard code dissemination protocol. In Deluge, a program update is divided into fixed-size blocks called pages. Each page is further divided into fixed-size packets, which are the basic transmission units. Deluge employs a three-stage (advertise-request-update) process to propagate program updates among sensor nodes. Pages are disseminated in a pipelined fashion, whereby the nodes are allowed to forward

Assumptions

Our scheme makes the following assumptions.

  • The base station cannot be compromised and it has effectively unlimited computational power compared with sensor nodes. The base station has a private and public key pair. Each sensor node is pre-configured with the public key of the base station.

  • The sensor nodes can perform a limited number of asymmetric cryptographic operations such as signature verification in TinyECC (Liu and Ning, 2008), but they cannot afford to perform many such operations due

Design and implementation

This section provides the design of our new secure code dissemination scheme. As described in section 2.1, Deluge has a hierarchical organization of the program images (program images → pages → packets). Our scheme works at the granularity of packets. It consists of three phases: (1) bootstrapping and initialization; (2) packet pre-processing; (3) packet verification.

Firstly, the notations used in describing our scheme are listed in Table 1.

Discussion

In this section, we will further discuss potential attacks that an adversary could launch against our scheme. We divide the attacks into two categories, depending on whether node compromise is required: external attacks, which do not require node compromise, and insider attacks. An external attacker might attempt to retrieve the content of program image through brute force cryptographic or traffic analysis, approaches which are analyzed in Section 5.1 Brute-force attack, 5.2 Traffic analysis,

Simulation results

We implemented our scheme in TinyOS and evaluated it with TOSSIM (Levis et al., 2003), the built-in simulator distributed with TinyOS.

In Section 6.1.1, we compare our scheme with the original Deluge (Jonathan et al., 2004) and secure-Deluge (Dutta et al., 2006) in terms of end-to-end latency. In Section 6.1.3, we further investigate our scheme with respect to power consumption compared with the original Deluge and secure-Deluge through PowerTossim (Shnayder et al., 2004), a plug-in software

Conclusion and future work

In this work, we proposed a new security scheme to provide confidentiality and DoS-resistance in a multi-hop WSN code dissemination protocol. We proposed the use of session keys derived from hashing data packets to encrypt these same data packets. The re-keying process between one sender and multiple receivers can be done in this way on the reception of the data packets without requiring any additional energy-expensive mechanisms. We also described a Cipher Puzzle as a weak authenticator to


References (48)

  • Syed T. Ali et al. Secure key loss recovery for network broadcast in single-hop wireless sensor networks. Ad Hoc Networks (August 2010)
  • Wen Hu et al. Deploying long-lived and cost-effective hybrid sensor networks. Ad Hoc Networks (November 2006)
  • 802.15.4 Zigbee Standard. IEEE standard for information technology- telecommunications and information exchange between...
  • I.F. Akyildiz et al. A survey on sensor networks. Communications Magazine, IEEE (2002)
  • Mihir Bellare et al. Authenticated encryption: relations among notions and analysis of the generic composition paradigm. Journal of Cryptology (October 2008)
  • Mihir Bellare et al. Optimal asymmetric encryption – how to encrypt with RSA
  • Claude Castelluccia et al. Shake them up!: a movement-based pairing protocol for CPU-constrained devices
  • P. Cheng et al. Test cases for HMAC-MD5 and HMAC-SHA-1 (October 2001)
  • Richard Clayton. Brute force attacks on cryptographic keys (October 2001)
  • Jing Deng et al. Secure code distribution in dynamically programmable wireless sensor networks
  • Dennis K. Nilsson et al. Key management and secure software updates in wireless process control environments
  • Qi Dong et al. Pre-authentication filters: providing DoS resistance for signature-based broadcast authentication in sensor networks
  • John R. Douceur. The Sybil attack
  • X. Du et al. Defending DoS attacks on broadcast authentication in wireless sensor networks
  • Prabal K. Dutta et al. Securing the Deluge network programming system
  • D. Eastlake et al. US secure hash algorithm 1 (SHA1) (September 2001)
  • A. Hamieh et al. Detection of jamming attacks in wireless ad hoc networks using error distribution (June 2009)
  • Handley et al. Internet denial-of-service considerations (November 2006)
  • Y.C. Hu et al. Packet leashes: a defense against wormhole attacks in wireless networks
  • Wen Hu et al. (August 2010)
  • Sangwon Hyun et al. Seluge: secure and DoS-resistant code dissemination in wireless sensor networks
  • Sangwon Hyun et al. Mitigating wireless jamming attacks via channel migration
  • Jaein Jeong et al. Incremental network programming for wireless sensors
  • Jonathan W. Hui et al. The dynamic behavior of a data dissemination protocol for network programming at scale

    Hailun Tan received the MS degrees in telecommunication engineering and information technology from the Australian National University in 2004 and 2005, respectively, and the PhD degree from the University of New South Wales (UNSW) with financial support from the Information Communication Technology (ICT) Center, Commonwealth Scientific Industrial Research Organization (CSIRO), Australia, in 2010. From 2004 to 2005, he worked as a part-time software engineer for the joint hardware demonstrator project of the ICT Centre, CSIRO, and Energy Technology, CSIRO. From 2005 to 2006, he worked as a research assistant for Smart Road and Traffic (STaR project) in National Information Communication Technology for Excellence (NICTA), Australia. His main research interests are in security protocol design in wireless mesh networks and wireless sensor networks. He is a student member of the IEEE.

    Diethelm Ostry is a Research Scientist in the Network Technologies Laboratory, Information and Communication Technology Centre, CSIRO Australia. His recent research interests have been in the areas of network traffic characterization, optical packet networks and security in wireless sensor networks.

    John Zic is the Trustworthy Systems Research Team Leader at the ICT Centre, CSIRO. He is the Australian Chair of Standards Australia Committee on Distributed Application Platforms and Services, has advised the NSW Government Information Security Working Group, and was an invited expert evaluator for the EU Framework 7 Objective 10.4 “Trustworthy ICT” in Brussels, May 2012.

    Previously, John was Research Director for the Networking Technologies Laboratory and has held research positions at the Smart Internet CRC, Motorola's Australian Research Centre, and been a faculty member at UNSW and Sydney University.

    Sanjay Jha received the PhD degree from the University of Technology, Sydney, Australia. He is a professor and the head of the Network Group in the School of Computer Science and Engineering at the University of New South Wales. His research activities cover a wide range of topics in networking, including wireless sensor networks, ad hoc/community wireless networks, resilience/Quality of Service (QoS) in IP networks, and active/programmable networks. He has published more than 100 articles in high-quality journals and conferences. He is the principal author of the book Engineering Internet QoS and a coeditor of the book Wireless Sensor Networks: A Systems Perspective. He was a member-at-large of Technical Committee on Computer Communications (TCCC) and IEEE Computer Society for a number of years. He has served on program committees of several conferences. He was the technical program committee member of the IEEE Local Computer Networks (LCN) 2004 and ATNAC 2004 conferences, and the cochair and general chair of the Emnets-1 and Emnets-II workshop, respectively. He was also the general chair of ACM Sensys 2007 Symposium. He is a senior member of the IEEE.
