Agents with Pull - SRI International


Intrusion Tolerance for NEST
NEST 2 Kickoff Meeting
November 4, 2002
Bruno Dutertre, Steven Cheung
SRI International
Administrative
• Project Title: Intrusion Tolerance for Networked Embedded Sys.
• PM: Vijay Raghavan
• PI: Bruno Dutertre and Steven Cheung
• PI phone #: (650) 859-2717, (650) 859-5706
• PI email: [email protected], [email protected]
• Institution: SRI International
• Contract #: F30602-02-C-0212
• Award start date: 9/20/2002
• Award end date: 12/20/2004
• Agent name & organization: Raymond Liuzzi, AFRL/Rome
Subcontractors and Collaborators
• Collaborators:
– Hassen Saïdi
– Ulf Lindqvist
– Joshua D. Levy
Problem Description, Project Overview
• Objective:
– Low-cost, intrusion-tolerant authentication and key management for NEST (resource-limited wireless devices)
• Impact:
– Fundamental building blocks on which higher-level security services can be implemented
– Enable the secure deployment of sensor networks, or other NEST applications.
• Success criteria:
– Demonstrate deployment on a representative network of small wireless sensors (Motes)
– Relevant metrics: network size, fraction of compromised sensors, overhead
Intrusion Tolerance for NEST
Problem and Challenge
• Intrusion-tolerant key-distribution services for large networks of microsensors
– Self-organizing protocols
– Low-cost cryptography
– Detect/respond to DoS attacks
New Ideas
• Build low-cost key-management services for sensor networks:
– Localized authentication protocols for bootstrapping
– Chains of trusted intermediaries for
– Secret sharing + disjoint paths for tolerating compromised nodes
• Intrusion detection for motes:
– Detect denial-of-service attacks
– Detect misbehaving nodes
Impact
• Enable deployment of sensor networks in hostile environments
• Support other security services for wireless sensor networks:
– Confidentiality and integrity of communication
– Robust NEST services
Schedule (FY03 to FY05)
– 2QFY03: Design Bootstrapping Protocols
– 3QFY03: Baseline Intrusion Detection
– 4QFY03: Design Intrusion-tolerant Key-Distribution Protocols
– 1QFY04: Experimental Validation and Demo
– 1QFY05: Integration and Final Demo
Outline
• Existing approaches to authentication and key management
– PKI, Diffie-Hellman, trusted servers
• Proposed approach:
– Local authentication and initial key establishment
– Leveraging local trust
– Intrusion detection and response
• Plan
Objective
• Low-cost key management for large-scale networks of small wireless devices
• Constraints:
– Limited memory, processing power, and bandwidth
– Networks too large and not accessible for manual administration/configuration
Traditional Key Management
• Decentralized approaches:
– Public-key infrastructure, certificates
– Diffie-Hellman style key establishment
• Approaches based on symmetric-key cryptography:
– Trusted authentication and key distribution server (e.g., Kerberos)
• Drawbacks:
– Too expensive
– Limited scalability
– High administrative overhead to set up long-term keys
– Vulnerable to server failure
– Server may be a bottleneck
Proposed Approach
• Goals:
– Intrusion-tolerant architecture for key management in NEST
– Use only inexpensive cryptographic algorithms
– Decentralized (no server) and self-organizing
• Approach:
– Build initial secure local links
– For nonlocal communication, rely on chains of intermediaries
– Use secret sharing when intermediaries are not fully trusted
– Develop complementary intrusion detection methods to locate nontrustworthy nodes
Bootstrapping
• Establish secure local links between neighbor devices quickly after deployment
– Weak authentication is enough (need only to recognize that your neighbor was deployed at the same time as you)
– Exploit initial trust (it takes time for an adversary to capture/compromise devices)
– Focusing on local links improves efficiency
Basic Bootstrapping Scheme
• For a set S of devices to be deployed
– Construct a symmetric key K
– Distribute it to all devices in the set
• K enables two neighbor devices A and B
– To recognize that they both belong to S (weak authentication)
– To generate and exchange a key K_ab for future communication
• Possible drawback:
– Every device from S in communication range of A and B can discover K_ab. More robust variants are possible.
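The basic scheme above, modeled as an added example (this is not code from the slides or from the SRI project). The slides only say that K is a symmetric key; the message format, the use of HMAC-SHA256 for the membership check, and the derivation of K_ab from K and two nonces are assumptions of this example. The `eavesdrop` function shows the drawback the slide names: a third member of S that hears the exchange derives the same K_ab, while a device with a different key is rejected.

```python
import hashlib
import hmac
import os


def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts. The slides only say 'symmetric key K';
    HMAC is the primitive this example assumes."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def link_key(K, id_a, n_a, id_b, n_b):
    """K_ab derived from the set key K and both nonces (this derivation is an assumption)."""
    return mac(K, b"link", id_a, n_a, id_b, n_b)


class Device:
    def __init__(self, name, set_key):
        self.name = name
        self.id = name.encode()
        self.K = set_key      # key shared by every device in the deployed set S
        self.links = {}       # peer name -> K_ab


def bootstrap(a, b):
    """Three-message exchange between neighbors; returns (accepted, on-air transcript)."""
    n_a, n_b = os.urandom(8), os.urandom(8)
    # 1. A -> B: id_A, N_A
    # 2. B -> A: id_B, N_B, tag_B = MAC_K(id_A, N_A, id_B, N_B)   (B proves it knows K)
    tag_b = mac(b.K, a.id, n_a, b.id, n_b)
    transcript = {"id_a": a.id, "n_a": n_a, "id_b": b.id, "n_b": n_b, "tag_b": tag_b}
    if not hmac.compare_digest(tag_b, mac(a.K, a.id, n_a, b.id, n_b)):
        return False, transcript          # B does not hold K: not a member of S
    # 3. A -> B: tag_A = MAC_K(id_B, N_B, id_A, N_A)   (A proves it knows K)
    tag_a = mac(a.K, b.id, n_b, a.id, n_a)
    transcript["tag_a"] = tag_a
    if not hmac.compare_digest(tag_a, mac(b.K, b.id, n_b, a.id, n_a)):
        return False, transcript
    # Both sides now derive the pairwise key for future communication.
    a.links[b.name] = link_key(a.K, a.id, n_a, b.id, n_b)
    b.links[a.name] = link_key(b.K, a.id, n_a, b.id, n_b)
    return True, transcript


def eavesdrop(observer, transcript):
    """What a third device in radio range derives from the transcript using its own key."""
    return link_key(observer.K, transcript["id_a"], transcript["n_a"],
                    transcript["id_b"], transcript["n_b"])


if __name__ == "__main__":
    K = bytes(range(16))                        # constructed set key for the demo
    a, b, c = Device("A", K), Device("B", K), Device("C", K)
    ok, tr = bootstrap(a, b)
    print("A and B accepted each other:", ok)
    print("C (same set, in range) derives K_ab too:", eavesdrop(c, tr) == a.links["B"])
    print("Outsider rejected:", not bootstrap(a, Device("Z", bytes(16)))[0])
```

Because everything that determines K_ab is sent in the clear except K itself, any holder of K that overhears the nonces recomputes the link key; that is exactly why the slide calls the authentication "weak" and why the more robust variants it mentions would have to contribute per-device secret material to the derivation.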
Leveraging Local Trust
[Figure: nodes A, B, C, D, E linked by pairwise keys K_ab, K_bc, K_cd, K_ce, K_ae, K_de]
• To establish keys between distant nodes:
– use chains of trusted intermediaries
• To tolerate compromised nodes:
– disjoint chains and secret sharing
Tradeoffs
• Security increases with
– the number of disjoint paths
– the number of shares
but these also increase cost
• Challenges:
– Implement cheap secret sharing techniques
– Quantify the security achieved
– Find the right tradeoff for an assumed fraction of compromised nodes
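The "Leveraging Local Trust" and "Tradeoffs" slides describe sending a key through disjoint chains of intermediaries with secret sharing so that a compromised intermediary learns only one share. The following added example (not code from the slides or the SRI project) uses Shamir's (t, n) sharing over a prime field, which the slides do not specify, and abstracts each chain to the list of intermediaries it passes through. The hop-by-hop link keys only protect the air interface, so every relay sees the share it forwards; a compromised relay therefore learns that path's share. The last function computes the probability that an adversary holding a given fraction of nodes controls at least t of the n paths, which is one way to quantify the tradeoff the slide asks for.

```python
import secrets
from math import comb

# Prime field for the shares. 2**521 - 1 is a Mersenne prime, so any key of up to
# 64 bytes is a valid field element.
P = 2**521 - 1


def _poly_eval(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n, t):
    """Shamir (t, n) sharing: any t shares recover the secret, fewer reveal nothing."""
    assert 0 <= secret < P and 1 <= t <= n
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0; needs at least t distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def send_over_disjoint_paths(secret, paths, compromised, t):
    """Send one share along each node-disjoint path (a path is its list of intermediaries).
    Every relay sees the share it forwards, so a compromised relay learns that path's share.
    Returns (value the destination recovers, value the adversary recovers or None)."""
    shares = split_secret(secret, len(paths), t)
    adversary_shares = [s for s, path in zip(shares, paths)
                        if any(node in compromised for node in path)]
    recovered = recover_secret(shares[:t])
    leaked = recover_secret(adversary_shares[:t]) if len(adversary_shares) >= t else None
    return recovered, leaked


def breach_probability(n_paths, t, hops_per_path, fraction_compromised):
    """P(adversary controls >= t of n paths) when each intermediary is compromised
    independently with probability fraction_compromised; a path is lost if any hop on it is."""
    p_path = 1 - (1 - fraction_compromised) ** hops_per_path
    return sum(comb(n_paths, k) * p_path ** k * (1 - p_path) ** (n_paths - k)
               for k in range(t, n_paths + 1))


if __name__ == "__main__":
    key = int.from_bytes(secrets.token_bytes(16), "big")    # constructed key A wants D to have
    paths = [["B", "C"], ["E"], ["F", "G"]]                 # constructed disjoint chains A -> D
    rec, leaked = send_over_disjoint_paths(key, paths, {"E"}, t=2)
    print("destination recovers key:", rec == key, "| adversary with one path learns key:", leaked == key)
    for n, t in [(3, 2), (3, 3), (5, 3)]:
        print(f"n={n} t={t} 2-hop paths, 20% compromised: breach p = {breach_probability(n, t, 2, 0.2):.4f}")
```

Raising t toward n makes eavesdropping harder but means a single dropped or corrupted share blocks delivery, which is the cost side of the tradeoff: availability against confidentiality, in addition to the extra messages each share costs.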
Intrusion Detection
• Goals:
– Detect compromised nodes (to remove them from chains)
– Detect other intrusions: denial-of-service attacks, attempts to drain power
– Cryptography is ineffective against these
Intrusion Detection Approach
• Develop models of attacks and relevant signatures:
– What must be monitored?
– How to collect and distribute the data?
• Develop diagnosis methods:
– Identify the source of the attack if possible
• Possible responses:
– Avoid nodes that are considered compromised
– Hibernation to counter DoS or power-draining attacks
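The two intrusion-detection slides name the signature (traffic that cryptography cannot stop, such as a flood that drains the radio's power), the diagnosis (identify the source) and the responses (avoid the node, hibernate). The following added example (not code from the slides or the SRI project) runs a per-mote monitor over a constructed radio trace: a sliding window counts received messages per neighbor and in total, a neighbor exceeding its share is flagged as the source and marked to be avoided, and when the total receive rate exceeds the mote's budget the radio is put to sleep, since receiving costs energy whether or not the frames are dropped. The window, limits and sleep time are illustrative constants, not values from the project.

```python
from collections import defaultdict, deque

WINDOW_S = 10.0          # sliding window for rate measurement (assumed)
PER_SOURCE_LIMIT = 5     # messages per window before a neighbor is flagged (assumed)
NODE_BUDGET = 12         # total messages per window the mote will receive (assumed)
HIBERNATE_S = 30.0       # radio sleep once the budget is exceeded (assumed)

# Constructed radio trace: (time in seconds, source id, message type). B and C report
# every 5 s; X sends 10 probes in 5 s starting at t=20, a power-draining flood.
TRACE = sorted(
    [(float(t), "B", "report") for t in range(0, 35, 5)]
    + [(float(t), "C", "report") for t in range(2, 35, 5)]
    + [(20.0 + 0.5 * i, "X", "probe") for i in range(10)]
)


def analyze_trace(trace):
    """Replay the trace through the monitor; returns what it flagged and when it slept."""
    window = deque()                 # (time, source) events within the last WINDOW_S
    per_source = defaultdict(int)    # per-neighbor counts over the current window
    flagged = {}                     # source -> time first flagged (routing then avoids it)
    hibernations = []                # (sleep_start, wake_time)
    hibernating_until = -1.0
    skipped = 0

    for t, src, _ in trace:
        if t < hibernating_until:
            skipped += 1             # radio off: the frame is never received or processed
            continue
        # Evict events that fell out of the window.
        while window and window[0][0] <= t - WINDOW_S:
            _, old_src = window.popleft()
            per_source[old_src] -= 1
        window.append((t, src))
        per_source[src] += 1
        # Per-neighbor signature: one source sending far more than its peers is the
        # diagnosis step (identify the source) and yields the node to avoid.
        if per_source[src] > PER_SOURCE_LIMIT and src not in flagged:
            flagged[src] = t
        # Node-wide signature: receiving alone drains power, so sleep regardless
        # of who is sending once the budget is blown.
        if len(window) > NODE_BUDGET:
            hibernations.append((t, t + HIBERNATE_S))
            hibernating_until = t + HIBERNATE_S
            window.clear()
            per_source.clear()
    return {"flagged": flagged, "hibernations": hibernations, "skipped": skipped}


if __name__ == "__main__":
    result = analyze_trace(TRACE)
    print("flagged neighbors (avoid in chains):", result["flagged"])
    print("hibernation intervals:", result["hibernations"])
    print("frames not received while asleep:", result["skipped"])
```

The per-source limit identifies the misbehaving neighbor a few messages into the flood, while the node-wide budget triggers hibernation a little later; the gap between the two is the cost of diagnosis, and on a real mote the constants would be set from the measured power cost of a received frame and the expected legitimate traffic.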
Experimental Evaluation
• Platform:
– “motes” with TinyOS
– 20-30 nodes with up to 20% compromised nodes
– Objective: show feasibility, measure overhead
• Experiment scenario remains to be defined
Project Status
• Participating in the security minitask
• Identifying security threats for a NEST environment
• Getting familiar with the TinyOS platform and the NEST Challenge
• In the process of setting up a sensor network testbed; motes ordered
Schedule