Explore the essential security goals like confidentiality, data integrity, and accountability in smart sensor networks. Learn about security threats, cryptographic algorithms, WSN limitations, and solutions for ensuring system-level security. Discover mechanisms to combat security threats such as firewalls, honeypots, intrusion detection, and mobile code. Understand the significance of mobile code security, handling licensing issues with metering, and the implications of denial-of-service attacks in smart sensor networks.
Smart Sensors and Sensor Networks
Lecture 13: Security and privacy

Security
• Network designers have to implement security goals:
  • Confidentiality: information should only be revealed to authorized entities;
  • Data integrity: the information must not be modified during transit;
  • Accountability: the entity requesting a service, triggering an action, or sending a packet must be uniquely identifiable;
  • Availability: legitimate entities should be able to access a certain service/information and to enjoy proper operation;
  • Controlled access: a service or information access should only be granted to authorized entities.
• Some common security threats: eavesdropping, masquerading, authorization violation, forgery, repudiation and sabotage;
• Countermeasures are usually based on cryptography;
• Cryptographic algorithms combine data with key values;
• Key management;
• Security in WSNs differs from security in other networks because:
  • The network infrastructure of a WSN:
    • Is made of small, cheap nodes spread over a possibly hostile area;
    • It must be assumed that nodes can be captured by attackers, who are then able to read the nodes’ memories and influence their software;
    • Special secure memory solutions would be needed to prevent data capture, but they will rarely be present in cheap sensor nodes;
  • The limitations in memory and computational capabilities are obstacles in implementing cryptographic algorithms;
    • Cryptography can be considered too heavyweight for small processors;
    • A solution can be the use of cryptographic block ciphers;
  • When in-network processing is to be performed:
    • Intermediate nodes need to access and modify the information contained in packets;
    • A large number of parties is involved in information transfers;
  • The energy limitations of sensors are a main vulnerability;
    • An attacker can continuously access a sensor until exhausting its energy;
• Security mechanisms
  • System-level security
    • Solutions for conventional networks: firewalls, honeypots and intrusion detection mechanisms;
    • Firewalls: a firewall is a policy enforcement point for a part of a network, designed to restrict access from and to that subnetwork;
    • Honeypots: systems placed on networks specifically for the purpose of being attacked or compromised; they exist only to detect and collect information about security attacks;
    • Intrusion detection mechanisms: aim at recognizing statistical or pattern irregularities in the incoming or outgoing traffic;
  • Mobile code
    • Once deployed, access to the nodes in a WSN for management and code updates poses security threats and drains resources;
    • Despite the difficulties, mechanisms that allow changes in application and system code on the nodes are necessary;
    • A solution for remote configuration and code update is mobile code: legitimate code is injected into the network through several nodes and then spread throughout the network;
    • This also opens the way to security attacks through viruses, Trojan horses, buffer overflows and covert communication channels;
    • Three major approaches for mobile code security have emerged: code signing, sandboxes and proof-carrying code;
    • Code signing follows a typical client- and server-authenticated handshake protocol, such as SSL or WTLS;
    • A sandbox separates running programs; its goal is to protect the application against malicious users and the host from malicious applications; it can be implemented in a security layer;
    • Proof-carrying code is a mechanism that allows a host computer to determine with certainty whether a program can be executed safely, despite its being provided by an untrusted source;
  • Metering
    • As WSNs become more advanced and versatile, the notions of user access, application-specific sensor designs and licensing of network usage become an issue; licensing is the most common approach to protecting software;
    • Metering is one approach to handling these types of issues;
    • Although many of these approaches are too computationally or memory intensive for WSNs, they provide a starting point for the development of WSN techniques.
• Denial-of-service attacks
  • Denial of service (DoS) is the result of any action that prevents any part of a WSN from functioning correctly or in a timely manner;
  • DoS attacks can try to disable services or to deplete service providers, for example by overusing the service;
  • To disable an SN’s service, an attacker might simply destroy nodes; although SNs have some resilience to node failures, the attacker can distort the network by destroying a large number of nodes or by focusing on especially important nodes, for example sensor nodes in the vicinity of sinks that are needed for forwarding;
  • DoS attacks usually have the following properties:
    • Malicious: the act is performed intentionally, not accidentally; accidental failures are in the domain of fault tolerance and reliability;
    • Disruptive: a successful DoS attack degrades or disrupts some capability or service in the WSN; if the effect is not measurable, for example because it is prevented, one may still say that an attack has occurred but DoS has not;
    • Asymmetric: often the effect of an attack is much greater than the effort required to mount it; for example, sending a forged packet that overflows a remote buffer takes little effort but may crash the server until the operator intervenes;
    • Remote: an attacker usually can, and wishes to, carry out an attack over the network;
• WSN vulnerabilities to DoS attacks:
  • Limited resources: there is a risk of resource consumption under normal circumstances; the situation is worse in case of an attack;
  • Remote location: networks that are distant or unmonitored have a greater response time in case of physical intervention;
  • Cost-sensitive applications: for a large-scale deployment to be cost-effective, the per-unit cost of sensor devices must be low; this is a supplementary pressure on hardware and software development costs, which translates into hasty designs and numerous implementation errors;
  • Application specificity: resource constraints may dictate that well-defined and uncoupled network layers are compressed or merged, reducing code modularity; unforeseen interactions between network layers and services give rise to new vulnerabilities;
  • Attractive target: the systems monitored or controlled by the WSN may be safety critical or highly visible, with significant consequences for failure; this may be the profile of an attractive target;
  • Uncontrolled access: ubiquitous, wide-scale and replenishable deployments may require relatively unfettered physical access to nodes; the odds of casual tampering or vandalism increase;
  • Middleware services: as services are distributed among all or most nodes of the network, every device is a potential target for attack;
• DoS attacks can take place at each network layer;
• Physical-layer and link-layer attacks:
  • Physical-layer jamming:
    • An attacker distorts radio communication;
    • One way to achieve this is to place attacker nodes somewhere in the network and let them continuously send radio signals in the network’s frequency band;
    • A single attacker node can distort many neighbors at once and, by strategic placement of a number of attacker nodes, the whole SN can be disabled;
    • Countermeasure 1: the use of modulation schemes with some robustness against interference, for example frequency hopping or direct-sequence spread-spectrum techniques;
    • Countermeasure 2: the uncompromised sensor nodes reduce their duty cycle upon detecting such an attack; the attacker will exhaust its energy in a finite time;
    • Countermeasure 3: by the routing protocols; if the attacker jams only a limited area, packets may be routed around it;
  • Link-layer jamming:
    • The attacker takes knowledge about the protocols into account to save energy;
    • The MAC protocol is a good candidate;
    • Examples: protocols based on RTS/CTS exchanges or on immediate acknowledgement;
• Network-layer attacks:
  • Black hole attack:
    • Attacker nodes behave similarly to normal nodes; they participate in routing protocols or dissemination of interests with the goal of directing routes to themselves and dropping packets later on;
    • The forged route advertisement attracts lots of traffic around the attacker, causing increased congestion levels and contention;
  • Misdirections:
    • The adversary creates wrong routes, for example by sending wrong route advertisement packets or by falsely answering route request packets;
    • A wrong route can, for example, contain a loop and cause waste of energy;
    • An adversary can also create unnecessary routes, for example by issuing route lookup requests; all nodes participating in route selection waste their energy;
  • Neglect and greed:
    • An attacker node can drop other nodes’ packets and forward only its own packets;
    • The attacker node can drop packets in a random fashion or all of them;
    • Routing or data dissemination protocols that cache routes are vulnerable to this attack;
    • When this behavior has been detected, the network may set up alternate routes, or a source node can send multiple copies of a packet over node-disjoint routes from the beginning;
  • Homing:
    • The attacker seeks to determine the geographic location of certain important nodes in the network, for example clusterhead nodes; this information can be obtained by eavesdropping on location-centric protocols;
    • Then, the attacker directs all the attacks at these nodes;
    • Solutions:
      • Authentication and/or authorization mechanisms to restrict routing protocols only to trustworthy nodes;
      • Encryption of location information;
• Transport-layer and application attacks
  • If the transport layer uses explicit connections between identifiable nodes, either end of the connection needs to maintain some form of connection control block (CCB); an attacker can issue a large number of connection setup requests and cause exhaustion of memory at the end nodes because of the large number of unneeded CCBs;
  • Desynchronization:
    • It can be applied to transport protocols resting on sequence numbers;
    • By issuing forged packets with wrong sequence numbers, the attacker can cause wasteful retransmissions or even cause the participants to end the connection;
  • In sensor networks deployed to detect certain environmental events, an attacker node can generate sensor data indicating this event, causing nodes in the vicinity or even the whole network to wake up and start various activities;
• Taxonomy of DoS attacks
  • A taxonomy provides a classification system that ideally suggests ways to mitigate attacks by prevention, detection and recovery; it can aid risk management by identifying vulnerabilities and making attacker characteristics explicit;
  • Ideally, a taxonomy can predict future attacks by exposing unguarded areas;
  • Every DoS attack is perpetrated by someone; the attacker has an identity and a motive and is able to do certain things in or to the WSN;
  • An attack targets some service or layer, exploiting a vulnerability;
  • An attack may be thwarted or it may succeed with varying results;
  • A taxonomy should answer the following questions:
    • Who is the attacker?
    • What is the attacker capable of?
    • What is the target?
    • How is it attacked?
    • What are the results?
• Attacker
  • Classification:
    • Passerby: motivated by spontaneity, not determined, very little knowledge, few resources;
    • Vandal: desires to inflict damage, moderately determined, little knowledge, few resources;
    • Hacker: desires access, motivated by curiosity and interest, highly determined, highly knowledgeable, moderate resources;
    • Raider: driven by personal or organizational monetary and/or political gain, highly determined, moderately to highly knowledgeable, moderate resources;
    • Terrorist or foreign power: causes real-world damage by compromise of critical systems, motivated by enmity, highly knowledgeable, very well resourced with time, money and manpower;
  • Other classification:
    • Insider:
      • It could refer to the owner, operators, controllers or monitors of the WSN;
      • It could also refer to all processes executed on behalf of these users by sensors; if commands are not guaranteed to be authentic by the security architecture of the WSN, these processes may include execution of malicious code by legitimate or subverted nodes on behalf of an adversary;
      • Insiders: permanent, part-time and temporary staff, contractors, developers and others;
    • Outsider;
• Capability:
  • Not all possible vulnerabilities can be eliminated within resource and cost constraints;
  • System designs are targeted to address the threats most likely to be seen;
  • Determining this real-world risk and selecting mitigation strategies depends partially on an enumeration of attacker capabilities;
  • Number of attackers:
    • Some solutions that work against one attacker may fail if, for example, enough attackers are available to partition the network;
  • Coordination of attackers:
    • When multiple attackers are present, their coordination may vary;
    • The attackers may be independent, each attempting to cause DoS according to his individual motivations;
    • If the attacks are similar, they may be aggregated and considered as N separate instances of the same attack;
    • Attackers may be working at cross-purposes, in which case there are N different attacks, possibly interfering with each other; multiple attackers may be centrally controlled;
  • Area of influence:
    • The area of an attacker’s influence varies depending on the WSN and on the attacker’s capabilities;
    • An individual adversary with power and radio resources similar to a WSN node may only be able to affect a localized region;
    • Access to packet routing in the network gives the adversary the ability to affect remote nodes;
  • Technical capability: capabilities in increasing order of power or complexity:
    • An attacker may only be able to receive wireless radio transmissions; limited to passive eavesdropping, the attacker cannot perform a DoS except through other channels;
    • Along with receiving, if an attacker can transmit in the wireless channel used by the WSN, it can interact with sensor devices; it may impersonate a legitimate node by replaying an old message;
    • An attacker that can falsely authenticate itself to the WSN poses an even greater hazard; this may be possible through forgery or theft of legitimate credentials, or insider collusion; depending on the authorization of the impersonated node, the attacker may have full access to all WSN services;
    • A side channel may be available to the attacker for communication and coordination with other adversaries; wired networks, other wireless channels and optical communication allow the attacker to coordinate attacks despite disruption in the WSN’s routing;
    • An attacker may have a more powerful class of devices than exist in the WSN; these include higher-bandwidth links, side channels, superior computational facilities, wireline electric power and mobility; it will be more difficult to overcome this kind of capability asymmetry;
• Target:
  • The target of a DoS attack is defined to be the service that is being denied;
  • Attacks may be mounted predominantly against one layer or service in the network; they may also exploit service interactions;
  • In a layered architecture, disrupting the lower layers is most advantageous for an attacker because most or all of the upper layers depend on them to function;
  • Services include the typical layers found in a network stack: physical, link layer, network, routing, transport and application;
  • Other WSN-specific services are also possible targets: localization, time synchronization, group management, directory services, entity tracking, power management, event detection, topography discovery, code download and aggregation; any application-specific service may be targeted;
  • Critical services should be well protected against all forms of security violations, including DoS:
    • Critical services are those without which the WSN cannot function adequately, for example routing or event detection;
    • Other services may be desirable but not critical: the network can achieve most or all of its purposes, although at a degraded level, and optimal function of the network is inhibited; for example, complete sensing coverage or equalized power consumption may be unattainable;
• Vulnerability:
  • Vulnerabilities are weaknesses in the network, through which an attacker may gain or unduly exercise privilege; they arise due to conflicting requirements, cost constraints, designer shortcuts and other reasons;
  • Physical:
    • Part or all of the WSN node may be damaged;
    • Overt damage is easily detectable, but more subtle physical tampering may go unnoticed: for example, the node is physically modified;
  • Logical:
    • Design flaws;
    • Implementation flaws;
    • Configuration errors;
    • Resource exhaustion;
• Result:
  • An attack may only be a nuisance if the targeted service is not harmed due to prevention mechanisms;
  • Network performance may be degraded during the attack but not stopped; services may continue to function in the network as a whole;
  • A severe attack may result in a disabled service.
• Vulnerabilities and defenses
  • Without vulnerabilities the attack chain is broken and the WSN is perfectly secure;
  • Vulnerabilities are the only part of an attack under the control of the WSN designer;
  • Complexity is a cause of insecurity and the solution is simplicity;
  • Jamming:
    • Deliberate interference with radio reception to deny the target’s use of a communication channel;
    • Constant transmission of a jamming signal is an expensive use of energy; an attacker limited in energy, as the WSN devices are, may use sporadic or burst jamming instead;
    • Defense:
      • The use of spread-spectrum communication: frequency hopping and direct-sequence spread spectrum;
      • If alternate modes of communication are available (optical, acoustic, infrared), a node may switch to one of these schemes when the radio is jammed;
      • Surrounding the jammed area, so that traffic can be routed around it;
  • Tampering:
    • Tampering includes damaging, destroying and perverting nodes;
    • Destruction of a node could cause gaps in sensor or communication coverage;
    • Better-equipped attackers can interrogate a device’s memory, steal its data or cryptographic keys, or replace its code with a malicious program, potentially undetectably to neighboring nodes;
    • Defense:
      • The physical distribution: most such attacks require at least brief physical presence near the targeted node;
      • Constructing sensor devices with tamper-resistant packaging;
      • Preventing detection of nodes: camouflaging the packaging, hiding the device and using low-probability-of-intercept radio techniques;
  • Collisions:
    • An attacker can cause collisions or corruption at the link layer; by detecting and parsing radio transmissions near the victim, the attacker can disrupt key elements of packets (checksums or other fields);
    • Defense:
      • Standard collision-avoidance mechanisms do not help because they are cooperative;
      • Error-correcting codes;
  • Exhaustion and interrogation:
    • An attacker may be able to inflict DoS on a network by inducing repeated retransmission attempts;
    • The attacker need only corrupt a small part of a much longer message, or perhaps jam an acknowledgement from a neighbor; this results in energy exhaustion;
    • At various levels in the network, small messages may elicit much larger responses; for example, an attacker may be able to replay a broadcast initialization command, causing nodes throughout the network to perform localization or time synchronization procedures;
    • This repeated solicitation of energy-draining responses is called interrogation;
    • Defense:
      • Services can require that requests be authenticated, otherwise refusing to answer with even a negative acknowledgement; this may cause confusion for legitimate clients, who receive no indication of whether the service provider has failed or is ignoring them;
      • Limiting the rate of the response even for properly authenticated nodes; excessive requests will be queued or ignored; the rate must be high enough to provide sufficient bandwidth and timeliness for authorized users;
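The two interrogation defenses above, combined in one request handler, as an added example that is not part of the lecture: requests carrying no valid MAC are dropped without any reply, and authenticated nodes are additionally held to a per-node token bucket. The node identifiers, keys and the 1 request/s budget are constructed for the illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed per-node keys: each node shares one secret with the service
# (the cell-based architecture later in the lecture provisions keys this way).
NODE_KEYS = {
    "node-07": b"\x01" * 16,
    "node-12": b"\x02" * 16,
}


def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 truncated to 8 bytes; short tags keep packets small."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class InterrogationGuard:
    """Answers only authenticated requests, and rate-limits even those.

    Unauthenticated or over-budget requests get no reply at all (not even a
    negative acknowledgement), so an interrogator cannot turn a cheap request
    into an expensive response. `now` is injectable for testing.
    """

    def __init__(self, rate_per_s: float, burst: int, now=time.monotonic):
        self.rate = rate_per_s      # tokens refilled per second, per node
        self.burst = burst          # maximum tokens a node can bank
        self.now = now
        self.tokens: dict[str, float] = {}
        self.last: dict[str, float] = {}
        self.stats = defaultdict(int)

    def handle(self, node_id: str, payload: bytes, tag: bytes):
        key = NODE_KEYS.get(node_id)
        expected = mac(key, node_id.encode() + payload) if key else b""
        if key is None or not hmac.compare_digest(expected, tag):
            self.stats["dropped_unauthenticated"] += 1
            return None                      # silence, by design
        # Token bucket: refill proportionally to elapsed time, capped at burst.
        t = self.now()
        elapsed = t - self.last.get(node_id, t)
        tokens = min(self.burst, self.tokens.get(node_id, self.burst) + elapsed * self.rate)
        self.last[node_id] = t
        if tokens < 1:
            self.tokens[node_id] = tokens
            self.stats["dropped_rate_limited"] += 1
            return None                      # queued/ignored on the slide; ignored here
        self.tokens[node_id] = tokens - 1
        self.stats["served"] += 1
        return "ack:" + payload.decode()


def simulate() -> dict:
    """Replay a burst of resync requests against the guard with a fake clock."""
    clock = [0.0]
    guard = InterrogationGuard(rate_per_s=1.0, burst=3, now=lambda: clock[0])
    key = NODE_KEYS["node-07"]
    # 10 back-to-back legitimate requests: only the burst of 3 is served.
    for _ in range(10):
        guard.handle("node-07", b"resync", mac(key, b"node-07resync"))
    # A forged tag and an unknown identity: both silently dropped.
    guard.handle("node-07", b"resync", b"\x00" * 8)
    guard.handle("node-99", b"resync", b"\x00" * 8)
    # Two seconds later two tokens have refilled, so 2 of the next 5 succeed.
    clock[0] = 2.0
    for _ in range(5):
        guard.handle("node-07", b"resync", mac(key, b"node-07resync"))
    return dict(guard.stats)
```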
  • Selective forwarding:
    • Selective forwarding attacks refer to routing;
    • A subverted sensor can neglect to forward certain messages; a random dropping policy raises the local loss rates and may induce costly end-to-end recovery mechanisms;
    • An attacker may also drop messages to or from certain victims, such as base stations or other servers;
    • At an extreme, a node can create a routing black hole;
    • Defense:
      • Multiple disjoint routing paths and diversity coding; this sends encoded messages along multiple paths so that the originals can be reconstructed to conceal message loss, without the cost of full duplication;
      • Periodic end-to-end probing;
  • Misdirections:
    • Forwarding messages along wrong paths;
    • An attacker can also forge a source address when sending a request so that the response will return to the victim, confusing or flooding it;
    • Defense:
      • Routing updates should be authenticated to prevent malicious modifications;
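Diversity coding over disjoint paths, as an added example that is not from the lecture: a message is cut into k fragments plus one XOR parity fragment, each share travels over its own node-disjoint path, and the sink reconstructs the message if any single path drops its share. The message, the path count and the choice of XOR parity (the simplest erasure code) are constructed for the illustration.

```python
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_with_parity(message: bytes, k: int) -> list[bytes]:
    """Return k data fragments plus one parity fragment (k+1 shares in total).

    A 2-byte length prefix lets the receiver strip the zero padding that
    makes all fragments equal-sized.
    """
    data = len(message).to_bytes(2, "big") + message
    frag_len = -(-len(data) // k)                     # ceiling division
    data = data.ljust(frag_len * k, b"\x00")
    frags = [data[i * frag_len:(i + 1) * frag_len] for i in range(k)]
    parity = bytes(frag_len)
    for f in frags:
        parity = _xor(parity, f)
    return frags + [parity]


def reconstruct(received: list, k: int):
    """Rebuild the message from k+1 shares of which at most one is None."""
    missing = [i for i, s in enumerate(received) if s is None]
    if len(missing) > 1:
        return None                                   # beyond what one parity share covers
    frags = list(received[:k])
    if missing and missing[0] < k:                    # a data fragment was lost
        acc = received[k]                             # parity XOR all surviving data
        for i, f in enumerate(frags):
            if i != missing[0]:
                acc = _xor(acc, f)
        frags[missing[0]] = acc
    data = b"".join(frags)
    n = int.from_bytes(data[:2], "big")
    return data[2:2 + n]


def send_over_disjoint_paths(message: bytes, k: int, subverted_paths: set):
    """Model k+1 node-disjoint paths; a subverted path silently drops its share."""
    shares = split_with_parity(message, k)
    received = [None if i in subverted_paths else s for i, s in enumerate(shares)]
    return reconstruct(received, k)


def bytes_on_air(message: bytes, k: int) -> int:
    """Total bytes transmitted by the coded scheme (compare with 2*len for duplication)."""
    return sum(len(s) for s in split_with_parity(message, k))
```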
  • Sinkholes:
    • An attempt is made to lure traffic from the sensors to the adversary;
    • Low-cost routes may be erroneously flooded to lure the traffic, or a wormhole attack could be mounted to provide a low-cost route;
    • The objective of the attacker is to be positioned so that other selective forwarding attacks or eavesdropping are easier to do;
    • Defense:
      • Routing algorithms resistant to arbitrary configurations, such as geographic forwarding;
      • Communication parties may also use end-to-end verification of advertised latency or quality to detect when a party may contain an unwarranted diversion;
  • Wormholes:
    • Adversaries cooperate to provide a low-latency side channel for communication; for example, two attackers may possess a second radio for communicating over a higher-power long-range link;
    • Messages between attackers are transmitted as if only one hop existed; neighboring nodes may favor the attackers for routing;
    • Defense:
      • Routing schemes that do not favor wormholes, for example geographic routing, in which each message is forwarded individually, choosing as next hop the neighbor closest to the ultimate destination;
  • Sybil attacks:
    • An attacker presents multiple identities; this means an attacker can appear to be in multiple places at the same time;
    • By creating fake identities of nodes located at the edge of communication range all around a victim, chances are high that the attacker will be chosen as the next hop in geographic routing;
    • Defense:
      • Proper authentication and location verification;
  • Flooding:
    • A flooding attack overwhelms a victim’s limited resources, whether memory, processing cycles or bandwidth; for example, an attacker forges the victim’s address as the source of a widely and easily distributed request; all nodes receiving the request will reply to the victim, flooding its link;
    • Defense:
      • Protocols should avoid allocating resources for unauthenticated traffic;
      • Requiring the clients of services to commit significant resources before connections are established; client puzzles are one such method;
      • Providing a way to detect the source of the flooding using a traceback mechanism; mechanisms for WSNs: in-network auditing, periodic return-path messages etc.
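A client-puzzle handshake for the flooding defense above, as an added example that is not from the lecture: the server issues a stateless, HMAC-bound puzzle, the client must find a hash preimage with a number of leading zero bits before the server allocates any connection state, and verification costs the server one HMAC and one hash. The difficulty, the secret and the client identifiers are constructed; a deployment would also rotate the epoch on a timer to expire old puzzles.

```python
import hashlib
import hmac


def has_leading_zero_bits(digest: bytes, bits: int) -> bool:
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits) == 0


class PuzzleServer:
    """Commit no per-client state until the client has paid for it in CPU time."""

    def __init__(self, difficulty_bits: int, secret: bytes):
        self.bits = difficulty_bits
        self.secret = secret            # server-only key binding puzzles to clients
        self.epoch = 0                  # bump periodically; stale puzzles stop verifying
        self.connections: set[bytes] = set()

    def _tag(self, client_id: bytes, epoch: int) -> bytes:
        data = client_id + epoch.to_bytes(4, "big")
        return hmac.new(self.secret, data, hashlib.sha256).digest()[:8]

    def issue(self, client_id: bytes) -> bytes:
        # Stateless nonce: epoch || HMAC(secret, client_id || epoch). The server
        # remembers nothing, so issuing puzzles cannot itself exhaust its memory.
        return self.epoch.to_bytes(4, "big") + self._tag(client_id, self.epoch)

    def connect(self, client_id: bytes, nonce: bytes, solution: bytes) -> bool:
        epoch = int.from_bytes(nonce[:4], "big")
        if epoch != self.epoch or not hmac.compare_digest(nonce[4:], self._tag(client_id, epoch)):
            return False                # forged, stale or someone else's puzzle
        if not has_leading_zero_bits(hashlib.sha256(nonce + solution).digest(), self.bits):
            return False                # the work was not done
        self.connections.add(client_id)  # only now is a CCB-like record created
        return True


def solve(nonce: bytes, bits: int) -> tuple[bytes, int]:
    """Client side: brute force; expected cost 2**bits hashes per connection."""
    x = 0
    while True:
        candidate = x.to_bytes(8, "big")
        if has_leading_zero_bits(hashlib.sha256(nonce + candidate).digest(), bits):
            return candidate, x + 1
        x += 1
```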
  • HELLO floods:
    • A HELLO flood is a single broadcast by a powerful adversary to many members of the WSN, announcing false neighbor status; many protocols use the exchange of HELLO messages to establish local neighbor tables;
    • The result of a HELLO flood is that every node thinks the attacker is within one-hop communication range;
    • Defense:
      • Authentication: neighbors should be verified before forwarding messages to them;
  • Algorithmic complexity attack:
    • Several conditions must be present for a successful attack;
    • First, a service must use some algorithm and data structure with worst-case behavior; the attacker must control the inputs; the attacker must be able to compute values that will evoke worst-case performance and be able to deliver these values to the service; once the data structure is primed, the attacker rapidly sends data that take a long time to process; during this time, processor cycles at the victim are consumed;
    • Defense:
      • Removing any of the preceding requirements will disrupt the attack; when possible, services should use algorithms with efficient worst-case performance.
• Security architectures
  • From the security point of view, WSN system architectures can be broadly divided into two categories:
    • Cell-based WSNs: consist of low-power, low-cost sensor nodes and base stations, operating in relatively friendly environments such as houses and office buildings, or in easily accessible outdoor areas;
    • Ad hoc WSNs: consist only of low-cost sensor nodes distributed in an ad hoc manner into remote and inhospitable environments without any wireless infrastructure;
  • Cell-based WSNs:
    • The nodes are organized around one or more base stations that have more computing and energy resources than the regular sensor nodes;
    • These networks are most often used for user and object tracking systems in home and commercial building environments as well as in outdoor perimeter-monitoring systems; generally, it is easy to add new nodes, remove nodes and even recharge nodes;
    • The base stations collect information from the network and provide a link between the WSN and the outside world;
    • However, the nodes can still be captured or damaged, and unauthorized nodes can be added;
  • The presence of base stations in a WSN offers at least two significant benefits:
    • Base stations represent a trusted base that cannot be compromised; they can be used as a safe source of mobile code and configuration parameters, which enables safe bootstrapping and configuration of the network as well as the addition of new nodes;
    • Base stations offer computational resources that can be used in asymmetric security protocols in which they perform the majority of the intensive computations; such protocols allow stronger security while not exhausting the limited resources of regular sensor nodes;
  • An example:
    • The network consists of a trusted backbone of base stations with unlimited power supply and a large number of motes distributed in the area covered by the base stations; the operation of the network is fully controlled from the base stations;
    • A routing structure is formed as a set of routing trees; each base station is the root of one such tree;
    • The traffic mainly consists of requests initiated at the base stations and sent down to the nodes, and the responses sent from the nodes back to the base stations; when the same request is sent to all nodes, the communication is most efficiently performed through broadcast messages; if a base station needs to send a unicast message to a particular node, source routing is used;
    • The protocol suite assumes that the base stations share a unique key with each node in the network;
    • The system architecture and security protocols require that the base station keep track of the route to each node and of the secret key; all other keys that the base station and a node use for communication are derived from the master key;
    • Even though the base station is a single point of failure, it is trusted, implying that no one can capture the station and recover the keys;
    • The security architecture efficiently uses the resources of the base stations; keeping a separate key for each node would not be possible in an architecture in which all nodes have limited resources; also, this solution is not applicable to networks in which any two nodes are likely to communicate directly;
    • However, because the bulk of traffic in the network is between the base station and the nodes, the inability of the nodes to communicate securely without involvement of the base station is of limited importance;
  • Ad hoc sensor networks:
    • Suitable when deployed in remote and inhospitable environments without any wireless infrastructure; nodes must self-organize and bootstrap a network without any support from base stations;
    • Any node in such an architecture can be a source of or a destination for messages;
    • Even more than in other networks, the nodes in such systems are exposed to the danger of capture or destruction; the most dangerous physical threat regarding security is physical possession of a node by an adversary;
    • Sensor nodes may contain keys that allow the adversary to decrypt the messages and even to inject false messages into the network;
    • In circumstances in which long-term security of all nodes in a network cannot be guaranteed, the best solution is to extend the lifetime of the network as much as possible;
    • There are two aspects of extending the lifetime of a network:
      • The time period from when the network is deployed to the moment a node is compromised should be as long as possible;
        • An adversary can determine the positions of nodes using various technologies;
        • The easiest way is to listen to the messages exchanged between the nodes, because they usually contain the locations of nodes that detected an event;
        • A countermeasure is to protect the location with a separate encryption algorithm;
        • The alternative is trilateration, but more effort and equipment are necessary;
      • Once some of the nodes are detected, the keys that these nodes contain can be extracted and used to decrypt previously exchanged messages as well as future ones; key distribution mechanisms in WSNs and secure protocols must be designed so that the security exposure is minimized when any of the cryptographic keys is compromised;
    • In a system architecture in which all nodes are potential senders or receivers, symmetric cryptography suits the low-power nodes better than public-key cryptography;
    • Because symmetric cryptography assumes that keys are shared, the design space lies between two extreme solutions:
      • All nodes share only one key, embedded in them before deployment;
      • Each pair of nodes shares a unique key;
    • The first solution:
      • Is simple, requires little memory and supports broadcast;
      • When one node is compromised, the adversary can decrypt all messages in the network;
    • The second solution:
      • Has a perfect security property: if a node is compromised, the recovered keys are useless because no other nodes use those keys;
      • The memory space for all keys for thousands of nodes is not available on most sensor platforms;
      • Even if only a handful out of thousands of keys is actually used when a network is deployed, the nodes must store them all, because their exact physical locations are not known before deployment and they cannot know which nodes will be located close to each other;
      • Additionally, sending broadcast messages is not possible, so each broadcast message must be replaced with multiple unicast messages and the energy consumption is multiplied accordingly;
Smart Sensors and Sensor Networks • The key distribution algorithms proposed for WSNs try to find a trade-off among the various requirements; • The important factors for the key distribution algorithms are: • Impact of the compromise of one or more nodes on the security of the traffic in the network; • Ability of the algorithm to include additionally deployed nodes in the security infrastructure; • No single point of failure; • Spatial and temporal variation in keys, to reduce the amount of encrypted material available for cryptanalysis; • Support for broadcast; • Most key distribution mechanisms shy away from key distribution after the nodes are deployed; • Such post-deployment schemes exist for wired and wireless networks and are based on key distribution servers; WSN proposals, however, consider a self-organized wireless network with no security infrastructure; therefore, no central authority, no centralized trusted party and no other centralized security service provider exist; • The solution used in wireless networks with more capable nodes employs public-key cryptography to ensure the authenticity of messages; however, public-key algorithms are considered too expensive in terms of memory and processing requirements to be used in WSNs, except as a one-time protocol for the exchange of private keys;
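To make the trade-off between the two extreme key schemes concrete, here is an added Python example (not from the lecture) that measures, for a constructed random deployment, how many keys each node must store and what fraction of links an adversary can decrypt after capturing a few nodes under each scheme; the node count, area, radio range and captured set are constructed values.

```python
import random
import secrets
from itertools import combinations

# Added example (not from the lecture): quantifies the "impact of compromise"
# trade-off between the two extreme symmetric-key schemes described above.
# Node positions, radio range and the set of captured nodes are constructed.

def single_key_scheme(node_ids):
    """One network-wide key pre-loaded into every node."""
    k = secrets.token_bytes(16)
    return {n: {"net": k} for n in node_ids}

def pairwise_key_scheme(node_ids):
    """A unique key per pair of nodes; both store it, neighbours or not."""
    store = {n: {} for n in node_ids}
    for a, b in combinations(node_ids, 2):
        k = secrets.token_bytes(16)
        store[a][(a, b)] = k
        store[b][(a, b)] = k
    return store

def keys_per_node(store):
    """Largest key ring any node must hold (memory cost of the scheme)."""
    return max(len(ring) for ring in store.values())

def deploy(n, side, radio_range, seed=1):
    """Scatter n nodes at random; a link exists between nodes within range."""
    rng = random.Random(seed)
    pos = {i: (rng.uniform(0, side), rng.uniform(0, side)) for i in range(n)}
    return [(a, b) for a, b in combinations(pos, 2)
            if (pos[a][0] - pos[b][0]) ** 2 + (pos[a][1] - pos[b][1]) ** 2
            <= radio_range ** 2]

def exposed_link_fraction(store, links, captured):
    """Fraction of links the adversary can decrypt after reading the memory of
    the captured nodes: a link is exposed if a key id shared by its endpoints
    is in any captured node's key ring."""
    leaked = set()
    for n in captured:
        leaked.update(store[n])
    exposed = sum(1 for a, b in links
                  if (store[a].keys() & store[b].keys()) & leaked)
    return exposed / len(links)

if __name__ == "__main__":
    nodes, links, captured = range(40), deploy(40, 100.0, 25.0), [0, 1, 2]
    for name, store in (("single key", single_key_scheme(nodes)),
                        ("pairwise keys", pairwise_key_scheme(nodes))):
        print(f"{name:14s} keys/node={keys_per_node(store):3d} "
              f"exposed links={exposed_link_fraction(store, links, captured):.0%}")
```

With the single key every link is exposed after one capture, while with pairwise keys only the links incident to captured nodes are, at the price of n-1 keys per node.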
Smart Sensors and Sensor Networks Privacy protection • In many WSNs, especially in military and law-enforcement systems, the sensor nodes and the communication between them are the most exposed part of the network; in such networks, secure communication is the most important concern; • In other WSNs, those intended for use in commercial settings, the privacy protection of the individuals observed by the WSN, in their living and working places, is as important as the protection of the application; • It is still necessary to ensure secure communication channels in order to prevent unauthorized access to personalized information; • However, even if the communication security architecture ensures that personal information is protected during transfer, once such information is gathered at a collection point, the data is only as protected as the data-hosting system is; • Commercial systems tend to have lower security protection; examples: ... • Additional mechanisms are needed to provide a certain level of privacy protection without interfering with the functionality of WSNs;
Smart Sensors and Sensor Networks • Privacy of location information: • Protection of location information is highlighted for three main reasons: • The most frequent tasks for WSNs are concerned with detecting the location of an event; even if the goal of an application is to perform a more complex task, location information is present as a part of the individual observations generated by sensor nodes; • The privacy protection of location information for users observed by a WSN is a prime example of the importance of data protection because, with access to the location data of a user, an adversary can infer additional private information, such as medical conditions, shopping habits, etc.; • Location discovery systems are generally capable of locating users within meters indoors and within tens of meters outdoors; in many cases, that level of precision is more than necessary, so it is acceptable to reduce the precision of the information in order to achieve a required level of privacy protection; privacy and accuracy are conflicting goals; • The general system architecture for which privacy protection solutions are described is:
Smart Sensors and Sensor Networks • The crucial part of the privacy protection framework for WSNs is the location server; • The server is part of a trusted zone, which in this context means that the server adheres to the same security policies and is controlled by the same entity as the accompanying network of sensor nodes; • The responsibility of the location server is to transform the locations of the observed users into a representation that keeps the level of location privacy protection above a certain threshold; • The transformed location information is then forwarded to any of the servers offering location-based services (LBS);
Smart Sensors and Sensor Networks • In many applications, users send information about their locations to an LBS to update their locations or to request services offered in their vicinity; • Without the transformation performed in a location server, each user request or update would be accompanied by location information as precise as the location discovery technology in use allows; • In automotive applications, precision is defined by the precision of the GPS receiver, while in indoor environments location precision depends on the density of the sensor network; • If the information from these location discovery services is compromised, the location precision allows easy recovery of users' movements by the LBS; • The first step in protecting users' privacy is to disconnect the location information from the explicit user identification; • The location server does this by assigning an alternative identification, or pseudonym, to each user; some kind of identification is necessary because the response to each request, among a possibly large number of requests handled by a location server, must be forwarded to the original user; • For many LBSs, it is not necessary for the service to be aware of a user's real identity; the service can be triggered based on the user's current location alone;
Smart Sensors and Sensor Networks • However, two problems occur with privacy protection through anonymous identification: • If a user uses the same pseudonym when connecting to various LBSs, the combined data from all LBSs can give a full overview of that user's activities; • That problem can be solved simply by using different pseudonyms for different LBSs; • A user can still be identified, despite different pseudonyms, if requests to LBSs come from specific locations that can be directly connected to the user; in the case of a request for a road map issued to an LBS from a location that can be identified as a private garage, the anonymous identification can be attached to the owner of the garage, and then all the movements of that ID can be personalized; in the same way, in an office environment, an ID that spends most of its time in a particular office can be connected to the regular occupant of that office; • In some applications, it is necessary to maintain the relationship between an individual and his profile at a data collection point on an LBS; an example is the Networkcar service; • A user of the service can log on to the service through the Web and examine the current location of the car, the condition of its engine, etc.; • The owner of the car can receive a message if it has been stolen or has left a certain area; • In such applications, a certain balance between accuracy and privacy must be maintained;
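The location-server behaviour described across the last three slides (per-LBS pseudonyms, reduced location precision, and keeping enough state to route a reply back to the real user), as an added Python example that is not part of the lecture; the HMAC-based pseudonym construction, the grid cell size and the sample updates are assumptions made here.

```python
import hashlib
import hmac
import secrets

# Added example (not from the lecture): a minimal location server inside the
# trusted zone. It (1) replaces the user identity with a pseudonym that differs
# for every LBS, so two services cannot join their records on it, (2) coarsens
# the position to a grid cell so an LBS only learns an area, and (3) keeps the
# pseudonym->user mapping so replies can be routed back. The secret, the cell
# size and the sample updates are constructed values.

class LocationServer:
    def __init__(self, cell_size_m, secret=None):
        self.cell = cell_size_m
        self.secret = secret or secrets.token_bytes(32)
        self.sessions = {}  # (lbs, pseudonym) -> real user, for reply routing

    def pseudonym(self, user, lbs):
        """Per-LBS pseudonym: HMAC of (lbs, user) under the server's secret.
        Stable for one user at one LBS, unlinkable across different LBSs, and
        not reversible without the secret, which never leaves the trusted zone."""
        tag = hmac.new(self.secret, f"{lbs}\x00{user}".encode(), hashlib.sha256)
        return tag.hexdigest()[:16]

    def coarsen(self, x_m, y_m):
        """Snap a position to the centre of its grid cell (deliberate loss of
        precision: the LBS sees only which cell the user is in)."""
        cx = (x_m // self.cell) * self.cell + self.cell / 2
        cy = (y_m // self.cell) * self.cell + self.cell / 2
        return cx, cy

    def outbound(self, user, lbs, x_m, y_m):
        """Transform a user's update before it leaves the trusted zone."""
        pid = self.pseudonym(user, lbs)
        self.sessions[(lbs, pid)] = user
        return {"id": pid, "pos": self.coarsen(x_m, y_m)}

    def inbound(self, lbs, pid):
        """Map an LBS reply back to the real user (None if the pair is unknown)."""
        return self.sessions.get((lbs, pid))
```

Coarsening limits what a single cell reveals, but it does not by itself remove the garage/office linkage problem discussed above: a pseudonym that repeatedly appears in the same cell can still be tied to that cell's regular occupant.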