Mitigating DoS Attacks against Signature-Based Broadcast Authentication in Wireless Sensor Networks

Broadcast authentication is a critical security service in wireless sensor networks. There are a number of benefits to provide broadcast authentication with digital signatures, such as immediate authentication capability and the ease of managing cryptographic keys, compared with the alternative of TESLA-based approaches. Though previously considered infeasible, recent results have demonstrated that it is possible to perform public key cryptography on resource constrained sensor nodes efficiently. However, using digital signatures for broadcast authentication still faces a great challenge of denial of service (DoS) attacks: An attacker can inject bogus broadcast packets to force sensor nodes to perform expensive signature verifications, and thus exhaust their limited battery power. This paper presents an efficient mechanism called message specific puzzle to mitigate such DoS attacks. In addition to a digital signature, this approach adds a weak authenticator in each broadcast packet, which can be efficiently verified by a regular sensor node, but takes a computationally powerful attacker a substantial amount of time to forge. Upon receiving a broadcast packet, each sensor node first verifies the weak authenticator, and performs the expensive signature verification operation only when the weak authenticator is valid. A weak authenticator cannot be pre-computed without a non-reusable key disclosed only in a valid broadcast packet. As a result, an attacker cannot start the expensive computation to forge a weak authenticator without seeing a valid broadcast packet. Even if an attacker has sufficient computational resources to forge one or more weak authenticators, it is difficult to reuse these forged weak authenticators. Thus, this weak authentication mechanism substantially increases the difficulty of launching successful DoS attacks against signature verifications. This paper also reports an implementation (called TinySigGuard) of the proposed techniques on TinyOS, as well as the experimental evaluation in a network of MICAz motes.