
Wireless Sensor Network Security: The State of the Art

Wireless Sensor Network Security: The State of the Art. Credit: Yee Wei Law The University of Melbourne. Roadmap. Primer to cryptography and WSNs Secure data aggregation Key management Other areas: secure remote reprogramming secure localization energy-efficient jamming attacks.


Presentation Transcript


  1. Wireless Sensor Network Security: The State of the Art. Credit: Yee Wei Law, The University of Melbourne

  2. Roadmap
     • Primer to cryptography and WSNs
     • Secure data aggregation
     • Key management
     • Other areas:
       • secure remote reprogramming
       • secure localization
       • energy-efficient jamming attacks
     Diagram labels: Information Assurance; Protection; Detection; Reaction

  3. Introduction to security
     • Security threats: either somebody wants to steal something from you or sabotage you
     • Information assurance (IA) is a set of measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
     Diagram labels: Information assurance; Information security; Operation security

  4. Primitives
     • Security objectives:
       • Confidentiality
       • Integrity
       • Authentication
       • Non-repudiation
     • Encryption / decryption
       • Symmetric-key: E(K, M) / D(K, M)
       • Asymmetric-key: E(PK, M) / D(SK, M)
     • Signature / verification
       • Symmetric-key: message authentication code (MAC), denoted MAC(K, M)
       • Asymmetric-key: digital signature, denoted Sign(SK, M), Ver(PK, M)
     Notation: Public key = PK, Private key = SK

  5. Common usage
     • E(K1, M) || MAC(K2, E(K1, M))
       E(K1, M): confidentiality. MAC(K2, …): integrity, authentication. Different keys for encryption and authentication.
     • E(K1, M) || Sign(SK, h(E(K1, M)))
       E(K1, M): confidentiality. Sign(SK, …): integrity, authentication, non-repudiation. Signing on hash is more efficient.

  6. Challenges in WSNs (constraint → implication)
     • Sensor node hardware, resource constraints → Algorithms must be energy- and storage-efficient
     • Nodes operate unattended → Adversary can compromise any node
     • Nodes not tamper-resistant → Adversary can compromise any node’s keys
     • No fixed infrastructure → Cannot assume any special-function node in vicinity
     • No pre-configured topology → Nodes don’t know neighbours in advance
     • Communicate in an open medium → Communications are world-readable and world-writeable by default

  7. Security design principles
     • Favour computation over communication
       • Communication 1000 times more energy-consuming than computation
     • Minimal public-key crypto
       • Tate pairing costs 5s (54mJ) on a Tmote Sky (fastest recorded by [Szczechowiak et al. 08])
     • Favour resilience (tolerance) over absolute security
       • Strength in number

  8. Part One: Secure data aggregation

  9. Data aggregation
     Purposes:
     • Save bandwidth (limited data rate)
     • Save energy (limited energy)
     Reason why we put a processor on every node in the first place
     (Figure: intermediate nodes labelled “aggregate”)

  10. Phase 1: Query dissemination Sample query: SELECT AVERAGE(temperature) FROM sensors WHERE floor = 6 EPOCH DURATION 30s

  11. Phase 2: Data aggregation
     Types of aggregation: (1) basic aggregation, (2) data compression, (3) parameter estimation
     (Figure: intermediate nodes labelled “aggregate”)

  12. Phase 3: Result verification (optional)
     “Did you really report this?” (repeated for each node in the figure)

  13. Security goals of data aggregation
     • Robustness: Byzantine corruption of data would not make aggregation result totally meaningless
       (Figure: sources report 1, 1000, 3, 2; perform averaging; “So the average is 251.5… Oh wait a minute”)
     • Confidentiality: To ensure that other than the sink and the sources, no intermediate node should have knowledge of the raw data or the aggregation result
       (Figure: between sources and sink, intermediate nodes ask “What the hell am I forwarding?” and “What the hell am I aggregating?”)

  14. Securing data aggregation: multipronged defence (figure: diagram with parts numbered 1 to 4)

  15. Resilient aggregation
     • Objective: To bound the effect of data corruption
       • Corruption can be arbitrary – Byzantine
       • By convention, we denote the number of corruptions as k
     • Methods:
       • Robust statistics (1-hop networks)
       • RANBAR (1-hop networks)
       • Quantiles aggregation (multi-hop networks)

  16. Robust statistics
     Say an aggregation function is actually an estimator.
     Say we are estimating a parameter Θ and there are k rogue nodes.
     An aggregation function is (k,)-resilient if
     That is, the RMS error as a result of k-corruption must be bounded by a constant factor of the original RMS error.
     We win if we can limit
     The attacker wins if he manages to unbound

  17. Examples of (k,)-resilient aggregation functions
     • Non-resilient, example: Average. y=y+, rms(y)> rms(y)
       (Figure: AVG over x1, x2, x3, x4, and AVG over x1, x2, x3, x4+4)
     • Resilient, examples

  18. RANBAR
     • Based on RANdom SAmple Consensus, which originates in computer vision (hence the name RANBAR = RANsac-Based AggRegation [Buttyán et al. 06])
     • Step 1: Use as few samples as possible to determine a preliminary model
     • Step 2: Use the preliminary model to identify samples that are consistent with the model
     • Step 3: Refine the model with all the samples that are found to be consistent

  19. Quantiles aggregation (extending resilient aggregation to multihop)
     (Figure: a median is taken at every hop over the readings 1, 2, 3, 4, 16, giving intermediate values 2, 2, 10, 4, 6)
     Actual median = 3
     This approach suggests that instead of taking a median every hop on the way, we should compress the data judiciously at each hop

  20. Quantiles aggregation
     Rules for deriving a q-digest:
     • Rule (A): count(node) + count(parent) + count(siblings) ≥ n/k + 1
     • Rule (B): count(node) n/k
     q-digest in this example: {<8,2>,<9,2>,<1,1>}
     (Figure: count tree; nodes are numbered)

  21. Quantiles aggregation
     Derived median = data value represented by node 9 = 3.5
     Actual median = 3
     (Figure: count tree; nodes are numbered)

  22. Resilient aggregation guidelines
     Two approaches actually:
     • estimate by minimizing effects of outliers
     • detect outliers and estimate without outliers
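The two approaches above, run on the readings from slide 13 (1, 1000, 3, 2), as an added example that is not part of the original slides. The median stands for the first approach and a simplified RANSAC-style routine following the three RANBAR steps of slide 18 stands for the second; the function names, the constant-value model, the tolerance `tol` and the majority check are assumptions of this sketch, not the RANBAR paper's algorithm.

```python
import random
import statistics

def ransac_aggregate(readings, tol, min_samples=2, iters=50, seed=0):
    """RANSAC-style estimate of one common value from scalar readings.

    Assumption of this sketch: the 'model' is a single constant, and a
    reading is consistent with it when it lies within `tol` of the model.
    """
    rng = random.Random(seed)          # fixed seed keeps the demo repeatable
    best = []
    for _ in range(iters):
        # Step 1: preliminary model from as few samples as possible
        model = statistics.mean(rng.sample(readings, min_samples))
        # Step 2: readings consistent with the preliminary model
        consensus = [r for r in readings if abs(r - model) <= tol]
        if len(consensus) > len(best):
            best = consensus
    # Assumed policy: without a majority consensus, report nothing at all
    if len(best) <= len(readings) // 2:
        raise ValueError("no majority consensus; refuse to report a value")
    # Step 3: refine the model with every consistent reading
    return statistics.mean(best), best

def compare(readings, tol):
    """Return (average, median, RANSAC-style estimate, rejected readings)."""
    estimate, kept = ransac_aggregate(readings, tol)
    rejected = [r for r in readings if r not in kept]
    return (statistics.mean(readings), statistics.median(readings),
            estimate, rejected)

if __name__ == "__main__":
    # Readings from slide 13: three plausible sources and one corrupted value
    avg, med, est, rejected = compare([1, 1000, 3, 2], tol=2)
    print(f"average={avg} median={med} ransac={est} rejected={rejected}")
```

The average is dragged to 251.5 by a single corrupted reading, while the median and the consensus estimate stay near the honest values and the corrupted reading is singled out.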

  23. Progress so far… (figure: diagram with parts numbered 1 to 4)

  24. Voting
     (Figure: nodes hold the readings 3, 300, 2, 1, 1; three nodes are labelled malicious. Asked “is mean = 61.4 reasonable?”, the nodes vote No, Yes, No, No, No: “Alright, 61.4 is not reasonable!”)
     Resource-intensive, only good for mission-critical, small-scale networks

  25. Progress so far… (figure: diagram with parts numbered 1 to 4)

  26. Progress so far… (figure: diagram with parts numbered 1 to 4)

  27. Privacy homomorphism (PH)
     • First proposed by Rivest et al. in 1978 to process encrypted data without decrypting the data first
     • A function is (,)-homomorphic if f(x) f(y) = f(xy) where ‘’ is an operator in the range and ‘’ is an operator in the domain.
     • If f is an encryption function and the inverse function f^-1 is the corresponding decryption function, then f is a PH.

  28. Types of PHs
     • There are three main approaches to PHs in WSNs so far:
       • PHs that are based on polynomial rings, e.g., Domingo-Ferrer’s scheme
         • Insecure under known-plaintext attacks
         • Attacks involve only computation of gcd and linear algebra [Wagner 03]
       • PHs that are based on one-time pads
       • homomorphic public-key cryptosystems

  29. PHs based on one-time pads
     One-time pad
     • Encryption:
     • Decryption by sink:
     • Drawbacks:
       • Use of the addition operator in place of the XOR operator in the plaintext space is unproven in terms of security
       • Synchronization of keys causes scalability problem
     (Figure: the sources send m1 + k1, m2 + k2, m3 + k3, m4 + k4; on the way to the sink these are added to m1 + m2 + k1 + k2, then m1+m2+m3+k1+k2+k3, then m1+m2+m3+m4+k1+k2+k3+k4)
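The additive one-time-pad aggregation drawn on slide 29, as an added example that is not part of the original slides. It also shows the key-synchronization drawback: the sink recovers the sum only if it subtracts the pads of exactly the nodes that contributed. The modulus `M`, the HMAC-based pad derivation, the epoch counter and all sample keys and readings are assumptions of this sketch.

```python
import hashlib
import hmac

M = 2**32  # modulus of the plaintext space (assumed; must exceed the largest sum)

def pad(node_key: bytes, epoch: int) -> int:
    """Fresh pad k_i for this epoch, derived from the key shared with the sink."""
    digest = hmac.new(node_key, epoch.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")   # 32 bits, already below M

def encrypt(reading: int, node_key: bytes, epoch: int) -> int:
    """Source node: c_i = m_i + k_i mod M."""
    return (reading + pad(node_key, epoch)) % M

def aggregate(ciphertexts) -> int:
    """Intermediate node: adds ciphertexts without learning any m_i."""
    return sum(ciphertexts) % M

def sink_decrypt(total: int, contributor_keys, epoch: int) -> int:
    """Sink: subtract the pads of exactly the nodes that contributed."""
    return (total - sum(pad(k, epoch) for k in contributor_keys)) % M

def demo():
    keys = {i: bytes([i]) * 16 for i in (1, 2, 3, 4)}   # constructed keys
    readings = {1: 21, 2: 22, 3: 20, 4: 23}             # constructed readings
    epoch = 7
    c = {i: encrypt(readings[i], keys[i], epoch) for i in keys}
    # Hop-by-hop sums as in the figure: (c1 + c2), then + c3, then + c4
    full = aggregate([aggregate([aggregate([c[1], c[2]]), c[3]]), c[4]])
    ok = sink_decrypt(full, keys.values(), epoch)
    # Node 3's packet is lost, but the sink still subtracts all four pads
    partial = aggregate([c[1], c[2], c[4]])
    desynced = sink_decrypt(partial, keys.values(), epoch)
    # The sink is told which nodes actually contributed
    resynced = sink_decrypt(partial, [keys[1], keys[2], keys[4]], epoch)
    return ok, desynced, resynced

if __name__ == "__main__":
    print(demo())
```

The list of contributors therefore has to travel with the aggregate, and its size grows with the network, which is the scalability problem the slide names.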

  30. Part Two: Key management
     In Secure Data Aggregation, we secure one-way traffic.
     Generalized: in Key Management, we secure generic traffic.

  31. Components of key management
     1. Protocol verification
     2. Key establishment
     3. Key refreshment
     4. Key revocation

  32. Protocol verification
     • Verification gives us indication and confidence of security
     • If we simulate unbounded sessions, verification of secrecy and authentication is undecidable
     • If we limit number of parallel sessions, we can use constraint solving for verification
     • Model: strand space model
     • Tool: CoProVe implements the strand space model using constraint solving (Prolog)

  33. Strand space model

  34. Node-to-node key establishment
     A wants to establish a secure channel with B via a common trusted node S:
     A → B: NA || A
     B → S: NA || NB || A || B || MAC(KBS, NA || NB || A || B)
     S → A: E(KAS, KAB) || MAC(KAS, NA || B || E(KAS, KAB))
     S → B: E(KBS, KAB) || MAC(KBS, NB || A || E(KBS, KAB))
     A → B: Ack || MAC(KAB, Ack)

  35. Node-to-node key establishment
     (Figure: the same five messages drawn between A, B and S: NA || A; NA || NB || A || B || MAC(KBS, …); E(KAS, KAB) || MAC(KAS, NA || B || …); E(KBS, KAB) || MAC(KBS, NB || A || …); Ack || MAC(KAB, Ack))

  36. Components of key management
     1. Protocol verification
     2. Key establishment
     3. Key refreshment
     4. Key revocation

  37. Key establishment
     • Definition: a process or protocol whereby a shared secret key becomes available to two or more parties, for subsequent cryptographic use
     • Types: key transport, key agreement, key pre-distribution
       • Key pre-distribution: a key agreement protocol whereby the resulting established keys are completely determined a priori by initial keying material

  38. Protocol design by communication modes
     • Global broadcasts:
       • Authenticated broadcast using μTESLA
     • Local broadcasts:
       • Passive participation
     • Unicast:
       • Only consider neighbour-to-neighbour
       • Multihop can be secured hop by hop
       • Random key pre-distribution schemes
       • LEAP+
       • EBS

  39. Global broadcast: μTESLA
     • “Micro” version of the Timed, Efficient, Streaming, Loss-tolerant Authentication Protocol
     • Authenticated broadcast
     • Keys are generated in reverse order: K_{i-1} = h(K_i)
     • Keys are released in forward order: K1, K2, K3, K4, …, Kn

  40. μTESLA example (1)
     (1) Generate one-way reverse key chain on the base station: K4, K3, K2, K1, each obtained from the previous one by h()
     (2) Give K1 to everybody
     (3) (Figure: broadcast packet carrying M, K2 and MAC(K3, …))

  41. μTESLA example (2)
     (4) K2 is genuine because h(K2) = K1, but packet tagged with MAC(K3, M||K2) still needs to be authenticated
     (5) Base station later sends K3 that can be used to authenticate message M (figure: next packet carrying M2, K3 and MAC(K4, …))
     Authentication steps:
     (a) K3 is genuine because K2 = h(K3)
     (b) M is genuine because K3 is genuine and K3 authenticates M
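The key chain and delayed-disclosure check from slides 39 to 41, as an added example that is not part of the original slides. It goes slightly beyond the slides by showing loss tolerance (a missed K2 is recovered by hashing K3) and the rejection of packets that arrive after their key is public. SHA-256 as h(), HMAC-SHA-256 as the MAC, the `Receiver` class and the use of an interval number in place of μTESLA's loose time synchronization are assumptions of this sketch; keys travel in separate disclosures here rather than piggybacked on data packets.

```python
import hashlib
import hmac

def h(key: bytes) -> bytes:
    return hashlib.sha256(key).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_chain(n: int, seed: bytes):
    """Base station: K_n = h(seed), then K_{i-1} = h(K_i). Returns {i: K_i}."""
    chain = {n: h(seed)}
    for i in range(n, 1, -1):
        chain[i - 1] = h(chain[i])
    return chain

class Receiver:
    def __init__(self, k1: bytes):
        self.index, self.key = 1, k1   # newest authenticated chain key (K1 at start)
        self.buffer = []               # (interval, msg, tag) awaiting disclosure

    def on_packet(self, interval: int, msg: bytes, tag: bytes) -> bool:
        # A MAC under an already disclosed key proves nothing: anyone can forge it.
        if interval <= self.index:
            return False
        self.buffer.append((interval, msg, tag))
        return True

    def on_key(self, interval: int, key: bytes):
        """Verify a disclosed key against the chain; return messages it authenticates."""
        if interval <= self.index:
            return []
        keys = {interval: key}
        for i in range(interval, self.index, -1):   # recovers skipped keys too
            keys[i - 1] = h(keys[i])
        if not hmac.compare_digest(keys[self.index], self.key):
            return []                               # not on the chain: forged key
        good = [m for i, m, t in self.buffer
                if i in keys and hmac.compare_digest(mac(keys[i], m), t)]
        self.buffer = [p for p in self.buffer if p[0] > interval]
        self.index, self.key = interval, key
        return good
```

A deployment would also cap how far ahead `interval` may jump, since each disclosure costs the receiver one hash per skipped interval.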

  42. Local broadcast: Passive participation
     Passive participation: nodes B, C, D, E suppress their transmissions when they find A transmitting about the same data (“A is just transmitting data similar to what I have, so I shall not transmit.”)
     To secure passive participation, A uses a cluster key and a one-way key chain to achieve encrypted and authenticated local broadcast

  43. Local broadcast: Passive participation
     • If only the key chain is used, the keys in the key chain would have to be broadcast in the clear, and in the absence of time interval differentiation, a cluster-outsider would be able to forge messages using these keys.
     • If only the cluster key is used, authentication of the sender cannot be achieved.
     • But if used together, the cluster key can be used to encrypt messages as well as to hide the key chain keys from cluster-outsiders; and at the same time, the key chain keys can be used for authentication.

  44. Securing unicast
     • Random key pre-distribution schemes
     • LEAP+
     • EBS

  45. Random key pre-distribution (RKP)
     (Figure: each node is given ‘keying material’ drawn at random from a pool. Able to establish session key?)
     P = pool size (4 in this example)
     K = key ring size (1 in this example)

  46. Random key pre-distribution (RKP)
     • Different types of keying material:
       • Type 1: Symmetric key [Eschenauer & Gligor 02]
       • Type 2: Symmetric bivariate polynomial [Liu et al. 05]
       • Type 3: Part of a matrix [Du et al. 05]

  47. Symmetric-key-based RKP
     One node: “I’ve got keys 1, 2, 3, 4”
     Its neighbour: “I’ve got keys 1, 5, 6, 7”
     Both: “OK, so our session key can be derived from key 1”
     Although not all neighbouring pairs of nodes can establish a session key (aka pairwise key), the network will remain connected, with a suitable choice of K and P.
     K = key ring size (4 in this example)
     P = key pool size (7 in this example)

  48. Symmetric-key-based RKP
     (Plot: Pr{connectivity ≥ k} vs k, with the expected connectivity marked; curves for K = 4, P = 15, RMSE = 0.0427 and K = 4, P = 30, RMSE = 0.0436)
     Derived from results of random geometric graphs [Law et al. 07]

  49. Polynomial-based RKP
     Pool:
     f1(x, y) = 1 + 2y + 3y^2 + 2x + xy + 4xy^2 + 3x^2 + 4x^2y + x^2y^2
     f2(x, y) = 2 + 3y + 5y^2 + 3x + 2xy + 7xy^2 + 5x^2 + 7x^2y + 2x^2y^2
     f3(x, y) = 3 + 4y + 5y^2 + 4x + 3xy + 6xy^2 + 5x^2 + 6x^2y + 3x^2y^2
     Node 1: “I’ve got f1(), f2()”; it stores f1(1, y) = 6 + 7y + 8y^2 and f2(1, y) = 10 + 12y + 14y^2
     Node 2: “I’ve got f2(), f3()”; it stores f2(2, y) = 28 + 35y + 27y^2 and f3(2, y) = 31 + 34y + 29y^2
     Both: “OK, so our session key can be derived from f2()”
     In this example, t = 2, K = 2, P = 3
     The pairwise key* is f2(1,2) = f2(2,1) = 10 + 24 + 56 = 28 + 35 + 27 = 90
     *In reality, the value must of course be as large as normal crypto keys
     Storage requirement: K(t + 1) coefficients, where t is the threshold
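The share computation and pairwise-key derivation of slide 49, using the slide's own f1, f2 and f3, as an added example that is not part of the original slides. The `Node` class, the function names and the optional prime modulus `q` (real schemes work over a finite field; the slide uses plain integers) are assumptions of this sketch.

```python
# Coefficients c[i][j] of x^i y^j, copied from the slide's f1, f2, f3 (t = 2)
POOL = {
    1: [[1, 2, 3], [2, 1, 4], [3, 4, 1]],
    2: [[2, 3, 5], [3, 2, 7], [5, 7, 2]],
    3: [[3, 4, 5], [4, 3, 6], [5, 6, 3]],
}

def is_symmetric(c):
    """f(x, y) = f(y, x) holds exactly when the coefficient matrix is symmetric."""
    return all(c[i][j] == c[j][i] for i in range(len(c)) for j in range(len(c)))

def share(c, node_id, q=None):
    """Univariate share f(node_id, y), as coefficients of y^0 .. y^t."""
    n = len(c)
    s = [sum(c[i][j] * node_id**i for i in range(n)) for j in range(n)]
    return [v % q for v in s] if q else s

class Node:
    def __init__(self, node_id, poly_ids, q=None):
        self.id, self.q = node_id, q
        # Key ring: K shares, each holding t + 1 coefficients
        self.ring = {p: share(POOL[p], node_id, q) for p in poly_ids}

    def pairwise_key(self, peer_id, peer_poly_ids):
        """Evaluate a commonly held polynomial's share at the peer's ID."""
        common = sorted(set(self.ring) & set(peer_poly_ids))
        if not common:
            return None          # no shared polynomial: no direct session key
        s = self.ring[common[0]]
        key = sum(coef * peer_id**j for j, coef in enumerate(s))
        return key % self.q if self.q else key

def demo():
    """Node 1 holds f1, f2; node 2 holds f2, f3; they exchange only IDs."""
    n1, n2 = Node(1, [1, 2]), Node(2, [2, 3])
    return n1.pairwise_key(n2.id, list(n2.ring)), n2.pairwise_key(n1.id, list(n1.ring))

if __name__ == "__main__":
    print(demo())   # both sides derive the slide's key
```

Only node IDs and polynomial identifiers cross the air; each side evaluates its own stored share, and the symmetry of f2 makes the two results agree.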

  50. Matrix-based RKP
     N = number of nodes = number of columns
     Vandermonde-like generator matrix G (this seed can be used as an ID)
     Random symmetric matrices D1, D2, D3, D4
     M1 = (D1 G)^T, M2, M3, M4
