
badly if the radius of the wormhole is small. We note, however, that a smaller wormhole radius has a smaller effect on the system in terms of the number of sensors that send measurement data to the base station through the wormhole. In order to illustrate this, we constructed the minimum spanning tree rooted at the base station, and counted the number of shortest paths between the base station and the sensors that contain a link created by the wormhole. The result is shown in Figure 17. As can be seen, when the radius of the wormhole is 16 m, the number of concerned paths is between 0 and 50, whereas in the case of a 50 m radius, the number of concerned paths is between 100 and 200. Thus, the adversary can monitor the measurements of more sensors when the radius of the wormhole is larger, but in that case, it can also be detected more accurately by the NNT algorithm.

Figure 17: The effect of the wormhole on the number of the controlled shortest paths plotted against the radius of the wormhole

Results of the all distances test (ADT)

The results of the ADT algorithm are shown in Figures 18 and 19. Figure 18(a) shows the accuracy of the detection as a function of the sensors’ radio range when the radius of the wormhole is 50 m, whereas Figure 18(b) shows the same when the radius of the wormhole is 16 m. Similar to the NNT algorithm, the ADT algorithm performs better when the radius of the wormhole is larger. However, unlike the NNT algorithm, the ADT algorithm is not completely unusable when the radius of the wormhole is 16 m. Rather, its performance depends on the distance between the areas affected by the wormhole: the higher this distance is, the more accurate the detection is. Moreover, when the distance between the affected areas is 400 m, the accuracy is close to 100%. The explanation for this is quite obvious: a longer wormhole reduces the length of the shortest paths between more distant nodes, and thus overall, it represents a larger decrease in the average length of the shortest paths between all pairs of nodes.

Regarding the percentage of the false positive alarms (Figure 19), the ADT algorithm performs quite well except for small radio ranges.


Figure 18: Detection accuracy plotted against the radio range of the sensor nodes. The different curves belong to different distances between the areas affected by the wormhole with a radius of 50 m (a) and 16 m (b)

Figure 19: Percentage of false positive wormhole detections plotted against the radio range of the sensor nodes

electro-magnetic waves propagate nearly with the speed of light and with current technology it is easy to measure local timings with nanosecond precision. The distance bounding technique essentially consists of a series of rapid bit exchanges between the two nodes. Each bit sent by the first node is considered to be a challenge for which the other node is required to send a one bit response immediately. By locally measuring the time between sending out the challenges and receiving the responses, the first node can estimate its real physical distance to the other node, assuming that the messages travel with the speed of light and the processing delay at the other node is negligible.

Note that the estimated distance is only an upper bound on the real distance between the nodes, because the second node could be closer, but it can delay the responses in order to appear to be further. Even if the nodes are trusted not to delay their responses, an active adversary can delay the messages between the parties, and hence, the estimated distance will still be just an upper bound on the real distance. However, in the case of a wormhole attack, the adversary’s goal is not to make the two nodes believe that they are far away from each other. On the contrary, the adversary wants the two nodes to believe that they are within each other’s range, when in reality they are not. To make the estimated distance smaller than the nodes’ real distance, the adversary would have to arrange that the messages travel faster than the speed of light, which is impossible. Thus, distance-bounding can be used for wormhole detection.

We slightly modify the above-described distance-bounding technique such that it allows both nodes to measure the distance between them simultaneously and it uses symmetric key cryptographic primitives for authentication purposes. In order for this to work, it is assumed that each pair of nodes share a symmetric key. We call the resulting protocol Mutual Authenticated Distance-bounding, or MAD for short.

Let $x$ and $y$ denote the two nodes in the protocol, and let their shared key be $k_{xy}$. We will denote the message authentication function controlled by the key $k_{xy}$ by $\mathrm{mac}_{k_{xy}}$. The operation of the protocol is summarized in Figure 20, and it is explained as follows:

• Initialization phase:

Both $x$ and $y$ generate uniformly at random two numbers. The numbers of $x$ are denoted by $r$ and $r'$, and the numbers of $y$ are denoted by $s$ and $s'$. Numbers $r$ and $s$ are $\ell$ bits long, and $r'$ and $s'$ are $\ell'$ bits long (i.e., $r, s \in \{0,1\}^{\ell}$ and $r', s' \in \{0,1\}^{\ell'}$). Both $x$ and $y$ compute a commitment to the generated numbers by using a collision resistant one-way hash function $H$: $c_x = H(r \| r')$ and $c_y = H(s \| s')$. Finally, $x$ sends $c_x$ to $y$ and $y$ sends $c_y$ to $x$. Note that the random numbers can be generated and the commitments can be computed well before running the protocol.

• Distance-bounding phase:

Let the bits of $r$ and $s$ be denoted by $r_i$ and $s_i$ ($i = 1, 2, \ldots, \ell$), respectively. The following two steps are repeated $\ell$ times, for $i = 1, 2, \ldots, \ell$:

– $x$ sends bit $\alpha_i$ to $y$ immediately after it received $\beta_{i-1}$ from $y$ (except for $\alpha_1$ which is sent without receiving any bit from $y$), where $\alpha_1 = r_1$ and $\alpha_i = r_i \oplus \beta_{i-1}$ for $i > 1$;

– $y$ sends bit $\beta_i = s_i \oplus \alpha_i$ to $x$ immediately after it received $\alpha_i$ from $x$.

$x$ measures the times between sending $\alpha_i$ and receiving $\beta_i$, and $y$ measures the times between sending $\beta_i$ and receiving $\alpha_{i+1}$. From the measured times, they both estimate their distance.

• Authentication phase:

Node $x$ computes the bits $s_i = \alpha_i \oplus \beta_i$, and the MAC

$$\mu_x = \mathrm{mac}_{k_{xy}}(x \| y \| r_1 \| s_1 \| \ldots \| r_\ell \| s_\ell)$$

Similarly, $y$ computes the bits $r_1 = \alpha_1$ and $r_i = \alpha_i \oplus \beta_{i-1}$ for $i > 1$, and the MAC

$$\mu_y = \mathrm{mac}_{k_{xy}}(y \| x \| s_1 \| r_1 \| \ldots \| s_\ell \| r_\ell)$$

Finally, $x$ sends $r' \| \mu_x$ to $y$ and $y$ sends $s' \| \mu_y$ to $x$. Node $x$ verifies that the commitment $c_y$ and the MAC $\mu_y$ of $y$ are correct, and $y$ verifies that the commitment $c_x$ and the MAC $\mu_x$ of $x$ are correct.

In the above protocol, the MAC ensures the authenticity of the exchange: both $x$ and $y$ can believe that they ran the distance-bounding phase with the other, and thus, the distance that they estimate is really the distance between $x$ and $y$. Committing to $r$ and $s$ in the initialization phase ensures that the protocol is successful only if exactly the bits of $r$ and $s$ are exchanged.

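As $r$ and $s$ are random, an adversary cannot try to cheat $x$ by predicting the bits of $s$ and responding earlier than $y$, and similarly it cannot cheat $y$ either. More precisely, the probability that such an attack succeeds is $2^{-\ell}$ and hence decreases exponentially in $\ell$.

x: generate random numbers $r \in \{0,1\}^{\ell}$, $r' \in \{0,1\}^{\ell'}$

y: generate random numbers $s \in \{0,1\}^{\ell}$, $s' \in \{0,1\}^{\ell'}$

x: compute commitment $c_x = H(r \| r')$

y: compute commitment $c_y = H(s \| s')$

x → y: $c_x$

y → x: $c_y$

— start of distance-bounding phase —

x: the bits of $r$ are $r_1, r_2, \ldots, r_\ell$

y: the bits of $s$ are $s_1, s_2, \ldots, s_\ell$

x → y: $\alpha_1$, where $\alpha_1 = r_1$

y → x: $\beta_1$, where $\beta_1 = s_1 \oplus \alpha_1$

· · ·

x → y: $\alpha_i$, where $\alpha_i = r_i \oplus \beta_{i-1}$; y measures the delay between $\beta_{i-1}$ and $\alpha_i$

y → x: $\beta_i$, where $\beta_i = s_i \oplus \alpha_i$; x measures the delay between $\alpha_i$ and $\beta_i$

· · ·

x → y: $\alpha_\ell$, where $\alpha_\ell = r_\ell \oplus \beta_{\ell-1}$; y measures the delay between $\beta_{\ell-1}$ and $\alpha_\ell$

y → x: $\beta_\ell$, where $\beta_\ell = s_\ell \oplus \alpha_\ell$; x measures the delay between $\alpha_\ell$ and $\beta_\ell$

— end of distance-bounding phase —

x: compute MAC: $s_i = \alpha_i \oplus \beta_i$ ($i = 1, \ldots, \ell$), $\mu_x = \mathrm{mac}_{k_{xy}}(x \| y \| r_1 \| s_1 \| \ldots \| r_\ell \| s_\ell)$

y: compute MAC: $r_1 = \alpha_1$ and $r_i = \alpha_i \oplus \beta_{i-1}$ ($i = 2, \ldots, \ell$), $\mu_y = \mathrm{mac}_{k_{xy}}(y \| x \| s_1 \| r_1 \| \ldots \| s_\ell \| r_\ell)$

x → y: $r' \| \mu_x$

y → x: $s' \| \mu_y$

x: verify $c_y$ and $\mu_y$

y: verify $c_x$ and $\mu_x$

Figure 20: The Mutual Authenticated Distance-bounding (MAD) protocol.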

The advantage of MAD is that it does not require the localization of the nodes or the synchronization of their clocks. MAD still requires, however, special hardware in the nodes in order to quickly switch the radio from receive mode into send mode. In addition, it needs a special medium access control protocol that allows for the transmission of bits without any delay.
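The following added example (not code from the original text) simulates the logic of one MAD run: commitments, the interleaved bit exchange, recovery of the peer's bits, and the commitment and MAC checks, including the case where x receives one incorrect response bit. Assumptions: SHA-256 stands in for H, HMAC-SHA256 for the MAC, identifiers are single bytes, the sizes and the `wrong_early_reply_at` parameter are hypothetical, and the distance bound is taken as half the round-trip time multiplied by the speed of light with negligible processing delay.

```python
import hashlib, hmac, secrets

L, LP = 32, 16            # assumed sizes: l = 32 rounds, l' = 128 bits (16 bytes)
C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond

def commit(bits, nonce):
    # c = H(bits || nonce); SHA-256 stands in for H (assumption)
    return hashlib.sha256(bytes(bits) + nonce).digest()

def mad_mac(key, a_id, b_id, a_bits, b_bits):
    # mac_k(a || b || a_1 || b_1 || ... || a_l || b_l); HMAC-SHA256 is an assumption
    inter = bytes(v for pair in zip(a_bits, b_bits) for v in pair)
    return hmac.new(key, a_id + b_id + inter, hashlib.sha256).digest()

def distance_bound_m(rtt_ns):
    # Upper bound on the distance from one challenge/response round trip
    return C_M_PER_NS * rtt_ns / 2

def run_mad(key, wrong_early_reply_at=None):
    """Simulate one MAD run; returns (x_accepts, y_accepts).
    wrong_early_reply_at=j models x receiving an incorrect beta_j (hypothetical knob)."""
    r = [secrets.randbits(1) for _ in range(L)]
    s = [secrets.randbits(1) for _ in range(L)]
    rp, sp = secrets.token_bytes(LP), secrets.token_bytes(LP)
    c_x, c_y = commit(r, rp), commit(s, sp)           # initialization phase
    alpha, beta_y, beta_x = [], [], []                # beta_x = what x receives
    for i in range(L):                                # distance-bounding phase
        alpha.append(r[i] if i == 0 else r[i] ^ beta_x[i - 1])
        beta_y.append(s[i] ^ alpha[i])
        beta_x.append(beta_y[i] ^ (1 if i == wrong_early_reply_at else 0))
    # authentication phase: each side recovers the other's bits from the channel
    s_at_x = [a ^ b for a, b in zip(alpha, beta_x)]
    r_at_y = [alpha[0]] + [alpha[i] ^ beta_y[i - 1] for i in range(1, L)]
    mu_x = mad_mac(key, b"x", b"y", r, s_at_x)
    mu_y = mad_mac(key, b"y", b"x", s, r_at_y)
    eq = hmac.compare_digest
    x_ok = eq(commit(s_at_x, sp), c_y) and eq(mu_y, mad_mac(key, b"y", b"x", s_at_x, r))
    y_ok = eq(commit(r_at_y, rp), c_x) and eq(mu_x, mad_mac(key, b"x", b"y", r_at_y, s))
    return x_ok, y_ok

if __name__ == "__main__":
    k = secrets.token_bytes(32)                       # constructed shared key k_xy
    print(run_mad(k), run_mad(k, wrong_early_reply_at=5))
    print(distance_bound_m(200))                      # constructed 200 ns round trip
```

A single wrong bit at any round makes both sides reject, because the bits recovered from the channel no longer match the committed values.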