
Random Key Predistribution Schemes for Sensor Networks

Random Key Predistribution Schemes for Sensor Networks. Authors: Haowen Chan, Adrian Perrig, Dawn Song (Carnegie Mellon University). Presented by: Johnny Flowers, February 28, 2008. The Big Idea: three key bootstrapping protocols for large sensor networks.


Presentation Transcript


  1. Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers February 28, 2008

  2. The Big Idea • Three key bootstrapping protocols for large sensor networks • Alternatives to public key cryptosystems • Each protocol trades a different drawback in exchange for the security it provides

  3. Outline • Background • The problem with sensor networks • Related work • Three schemes • q-composite keys scheme • Multipath-reinforcement scheme • Random pairwise keys scheme • Future directions

  4. The Bootstrapping Problem • Initialization process • Creating something from nothing

  5. Bootstrapping Security in Sensor Networks • Especially challenging because of the limitations of sensor networks: • Constrained resources • Physical vulnerability • Unpredictability of future configurations • Temptation to rely on base stations

  6. Related Work • Previously proposed solutions often depend on: • Asymmetric cryptography • Arbitration by base stations (e.g., SPINS) • Some even require physical contact with a master device or assume that attackers do not arrive until after key exchange

  7. Finding a Solution • Authors’ proposed schemes are based on the basic random key predistribution scheme • Basic scheme is modified to meet the appropriate design goals

  8. What Makes a Key Predistribution Scheme Good?

  9. Key Predistribution Scheme Design Goals • Secure node-to-node communication • Must not rely on base stations for decision-making • Adaptable to addition of nodes after initial network setup

  10. Key Predistribution Scheme Design Goals, Cont. • Prevent unauthorized access • No assumptions about which nodes will be within communication range of each other • Resource-efficient and robust to DoS attacks

  11. Evaluation Metrics • Resilience against node capture • Resistance against node replication • Revocation of misbehaving nodes • Scalability

  12. The Basic Scheme

  13. The Basic Scheme • Three phases of operation: • Initialization • Key setup • Graph connection

  14. The Basic Scheme – Initialization • Pick a random key pool, S • For each node, randomly select m keys from S (this is the node’s key ring) • The size of S is chosen so that two key rings will share at least one key with probability p

  15. The Basic Scheme – Key Setup • Nodes search for neighbors that share a key • Broadcast short IDs assigned to each key prior to deployment • Keys verified through challenge-response

  16. The Basic Scheme – Graph Connection • Nodes then set up path keys with any unconnected neighbors through existing secure paths • # of secure links a node must establish during key setup (degree, d) to form a connected graph of size n with probability c is: d = [(n-1)/n][ln(n) – ln(-ln(c))]

  17. The Basic Scheme – Graph Connection • The probability, p, that two nodes successfully connect is p = d/n′, where n′ is the expected number of neighbor nodes within communication range of A

  18. Extensions of the Basic Scheme • q-composite Random Key Predistribution • Multipath Key Reinforcement • Random Pairwise Keys

  19. q-composite Random Key Predistribution Scheme

  20. q-composite Scheme • Instead of one key, a pair of nodes must share q keys to establish a secure link • Key pool must be shrunk in order to maintain probability p of two nodes sharing enough keys

  21. Initialization and Key Setup • Similar to basic scheme • Each node has m keys on key ring • Two nodes must discover at least q common keys in order to connect • Before connecting, a new key is created as a hash of the q shared keys • Broadcasting IDs is dangerous, however

  22. Evaluation • Much harder for an attacker with a given key set to eavesdrop on a link • Necessary reduction in key pool size makes large-scale attacks even more powerful

  23. Evaluation • Compromising a given # of nodes is more damaging • Harder to compromise nodes, however

  24. Evaluation • Dangerous under large-scale attack • Absolute # of compromised nodes vs. fraction of compromised communications

  25. Multipath Key Reinforcement Scheme

  26. Multipath Key Reinforcement Scheme • Initialization and key setup as in basic scheme • Key update over multiple independent paths between nodes • Key update is damage control in the event that other nodes are captured

  27. Evaluation • Better resistance against node capture • Significantly higher maximum network size • Comes at cost of greater communication overhead

  28. Random Pairwise Keys Scheme

  29. Random Pairwise Keys Scheme • Key feature is node-to-node identity authentication • Ability to verify node identities opens up several security features

  30. The Basics • Sensor network of n nodes • Pairwise scheme: • Each node holds n-1 keys • Each key is shared with exactly one other node • Random pairwise scheme: • Not all n-1 keys are needed for a connected graph • Only np keys are needed to connect with probability p

  31. Initialization • n: # of unique node IDs • m: keys on each node’s key ring • p: probability of two nodes connecting • n = m/p

  32. Initialization • Each node ID pairs with m other random & distinct node IDs • Each pair is assigned a key • Nodes store key-ID pairs on key rings

  33. Key Setup • Node IDs are broadcast to neighbors • Verified through cryptographic handshake

  34. Multi-hop Range Extension • Node IDs are small • Can be re-broadcast at low cost • Neighbors forward IDs during key setup • Increases communication radius • Increases max. network size

  35. Distributed Node Revocation • Faster than relying on base stations • Public votes are broadcast against compromised nodes • Offending node is cut off when votes reach threshold

  36. Scheme Requirements • Compromised nodes can’t revoke arbitrary nodes • No vote spoofing • Verifiable vote validity • Votes have no replay value • Not vulnerable to DoS

  37. The Voting Process • A node’s voting members are those that share a pairwise key with it • All voting members are assigned a voting key • Votes are verified through a Merkle tree • Voting members keep track of votes received up to a threshold, t

  38. Voting Threshold • If too high • A node may not have enough voting members to be revoked • If too low • Easy for a group of compromised nodes to revoke many legitimate nodes

  39. Resisting Revocation Attacks • Node B’s revocation key for node A must be activated before use • Hashed with secret value known only by A • A gives B its secret value only after the two establish communication • Other DoS attacks are more practical

  40. Resistance to Node Replication and Node Generation • Place a cap, dmax, on the degree of a node • dmax is some small multiple of d • Nodes keep track of degree and node IDs using same method as vote counting

  41. Evaluation • Perfect resilience against node capture • All pairwise keys are unique, so capturing one node reveals no information about communications outside of the compromised node’s

  42. Evaluation, Cont. • Maximum network size suffers slightly

  43. Evaluation, Cont. • Resistance to revocation attack • Small number of compromised nodes only compromises a small portion of communications • Compromising large number of nodes is not economical

  44. Summary • Three efficient schemes for secure key bootstrapping • Each scheme has trade-offs • q-composite: good for small attacks, bad for large • Multipath-reinforcement: improved security, more communication overhead • Random pairwise: max. network size is smaller

  45. Future Work • How does the random pairwise scheme perform in small networks? • Can the random pairwise scheme be modified to handle larger networks?
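Added example (not from the slides or the paper's authors): the sizing steps on slides 14, 16, 17 and 20 carried through in Python, showing how far the key pool must shrink as q grows. The inputs n = 10,000, c = 0.9999, n′ = 60 and m = 200 are constructed sample values, and the function names are hypothetical; the overlap probability assumes key rings are uniformly random m-subsets of the pool.

```python
from math import comb, log

def required_degree(n, c):
    """Slide 16: secure links per node so a graph of n nodes is connected w.p. c."""
    return (n - 1) / n * (log(n) - log(-log(c)))

def share_prob(pool, m, q):
    """P(two random m-key rings drawn from `pool` keys share at least q keys).

    The overlap of two random m-subsets is hypergeometric, so sum the
    probabilities of sharing fewer than q keys and take the complement.
    """
    fewer = sum(comb(m, i) * comb(pool - m, m - i) for i in range(q))
    return 1 - fewer / comb(pool, m)

def largest_pool(m, q, p):
    """Largest key pool |S| for which two rings still connect with probability >= p."""
    lo, hi = m, 2 * m                 # share_prob(m, m, q) is 1, so lo always qualifies
    while share_prob(hi, m, q) >= p:  # grow until the pool is too sparse
        lo, hi = hi, hi * 2
    while hi - lo > 1:                # share_prob falls as the pool grows: bisect
        mid = (lo + hi) // 2
        if share_prob(mid, m, q) >= p:
            lo = mid
        else:
            hi = mid
    return lo

def size_pools(n=10_000, c=0.9999, n_prime=60, m=200, qs=(1, 2, 3)):
    """Constructed scenario: returns (d, p, {q: pool size})."""
    d = required_degree(n, c)
    p = d / n_prime                   # slide 17: p = d / n'
    return d, p, {q: largest_pool(m, q, p) for q in qs}

if __name__ == "__main__":
    d, p, pools = size_pools()
    print(f"d = {d:.2f}, p = {p:.3f}")
    for q, size in pools.items():
        # A captured node exposes m keys, i.e. a fraction m/|S| of the pool.
        print(f"q = {q}: |S| = {size}, one captured ring exposes {200 / size:.2%}")
```

The q = 1 row is the basic scheme; the rising exposure per captured ring is the trade-off slides 22 to 24 describe.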
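Added example (not from the slides or the paper's authors): one way the Merkle-tree vote check and threshold count of slides 36 and 37 can be implemented, so that each voting member stores only a root hash per target. SHA-256, the leaf/node prefixes, a power-of-two number of voting members, and all names and sample keys are assumptions made for this sketch.

```python
import hashlib

def h_leaf(key):                      # leaf = hash of one voting key
    return hashlib.sha256(b"\x00" + key).digest()

def h_node(left, right):              # interior node = hash of both children
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(voting_keys):
    """All tree levels, leaves first; key count must be a power of two."""
    levels = [[h_leaf(k) for k in voting_keys]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h_node(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels, index):
    """Sibling hashes a voter broadcasts along with its revealed voting key."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def verify_vote(root, depth, index, key, path):
    if len(path) != depth or not 0 <= index < (1 << depth):
        return False                  # malformed vote, or an index alias of a real leaf
    node = h_leaf(key)
    for sibling in path:
        node = h_node(node, sibling) if index % 2 == 0 else h_node(sibling, node)
        index //= 2
    return node == root

class RevocationTally:
    """State one voting member keeps about a target: root, depth, votes seen."""
    def __init__(self, root, depth, threshold):
        self.root, self.depth, self.threshold = root, depth, threshold
        self.seen = set()

    def receive(self, index, key, path):
        """Record a vote; return True once the target should be cut off."""
        if index not in self.seen and verify_vote(self.root, self.depth, index, key, path):
            self.seen.add(index)      # a replayed vote is never counted twice
        return len(self.seen) >= self.threshold

# Constructed sample: 8 voting members, threshold t = 3.
KEYS = [b"voting-key-%d" % i for i in range(8)]
LEVELS = build_levels(KEYS)
ROOT, DEPTH = LEVELS[-1][0], len(LEVELS) - 1
```

The range check on `index` matters: without it, the same key and path would also verify under `index + 8` and a single vote could be counted more than once.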
