Sensor Network Security Dijiang Huang Arizona State University
Agenda • Sensor and Networks Overview • Security Attacks • Key Management in Sensor Network
Security • Complex, many aspects to consider • General, complete solution is unlikely • Opportunity to address this properly – from the start! • Targeted solutions for targeted attacks • Reasonably secure WSN
General Security Issues • New (severe) constraints (memory, bandwidth, cpu processing speeds, power, …) • Lightweight solutions required • Symmetric cryptography (asymmetric crypto is too expensive) • Physical Environment • Faults versus attacks • Cheap to attack
Specific Security Problems • Routing and/or Backbone Disruption • Denial of service • Jam • Prevent wake-up • Prevent sleep (dies soon) • Modify group management information
Specific Security Problems • System Initialization (re-sync messages and centralized base stations) • Clock Sync • Neighbor Discovery • Localization • Etc.
Communication Scenarios • Confidentiality (eavesdrop) [figure: the Adversary eavesdrops on Msg exchanged among Node1, Node2 and the Base Station]
Communication Scenarios • Integrity [figure: the Adversary intercepts Msg1 from Node1 and delivers a modified Msg1' to the Base Station]
Communication Scenarios • Authenticity [figure: the Adversary announces "I am the Base Station" to Nodes 1–4 and can then reprogram the system or reset system parameters]
Summary- Basic Problems • Initial trust establishment (efficient key management solution) • Vulnerability of channels (eavesdrop and inject fake messages) • Vulnerability of nodes (capture, modify messages, re-route) • Absence of infrastructure (e.g., no centralized certification authorities) • Dynamically changing topology (difficult to distinguish between dynamics and attacks) • Minimum capacity devices • Drain batteries • Real-Time – slow packets down
Key Graph • Solid links represent direct keys • Node 1 needs to establish indirect keys with nodes 4, 5, 6, 7, and 8.
Initial Key Agreement • Main categories of existing solutions: • Purely Random Key Predistribution (P-RKP) • Structured Key-pool RKP (SK-RKP)
Phases in RKP Schemes • Key Predistribution • Select and install keys in sensors • Sensor Deployment • Place the sensors • Shared-key Discovery • Sensors find common (shared) key(s) • Pairwise Key Establishment • Those who don’t find shared key(s), take help from others.
Existing RKP Schemes (Phase 1) • P-RKP [figure: KEY POOL of size n (K1 … K24); each sensor holds m keys, m << n]
Existing RKP Schemes (Phase 1) • SK-RKP [figure: KEY POOL of size n (K1 … K24); each sensor holds m keys, m << n]
Proposed Scheme (Phase 1) • F(·) = K12, F(K12) = K19, F(K19) = K23, … [figure: KEY POOL of size n (K1 … K24); sensor ID1 holds m keys, m << n, selected by chaining F]
So what is different? • Previous approaches do not use the node ID for key selection; we do! • That is, we define RINK = Relation between ID aNd Keys
Sensor Deployment (Phase 2) Deployment Area
Shared-Key Discovery (Phase 3) • P-RKP [figure: ID 1 and ID 2 broadcast their key identifier lists (K3, K1, K9, K24, … and K23, K21, K12, K19, …) and find the key both hold, K17]
Shared-Key Discovery (Phase 3) • SK-RKP [figure: ID 1 and ID 2 broadcast their key-space identifiers (G3, G6, … and G1, G5, …) and find the key both hold, K17]
Shared-Key Discovery (Phase 3) • RINK [figure: ID 1 and ID 2 exchange only their IDs (ID 1, ID 2) and each derives the key both hold, K17]
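The RINK idea from the Phase 1 and Phase 3 slides, as an added example that is not code from the slides: key indices are derived by chaining a public one-way function F starting from the node ID, so two sensors can compute their common keys from each other's ID alone. The pool size, key count, SHA-256 as F and the step counter mixed into the chain are all assumptions made here.

```python
import hashlib

POOL_SIZE = 24       # n: constructed toy pool size matching the slide's K1..K24
KEYS_PER_SENSOR = 6  # m: keys per sensor, m << n

# Constructed key pool: index -> key material (in practice loaded by the key distribution center)
KEY_POOL = {i: hashlib.sha256(b"pool-key-%d" % i).digest() for i in range(1, POOL_SIZE + 1)}

def F(value: bytes, n: int = POOL_SIZE) -> int:
    """Public one-way map onto a key-pool index in 1..n (assumed: SHA-256 with a fixed label)."""
    digest = hashlib.sha256(b"RINK|" + value).digest()
    return int.from_bytes(digest[:4], "big") % n + 1

def key_indices(node_id: int, m: int = KEYS_PER_SENSOR, n: int = POOL_SIZE) -> list[int]:
    """F(ID) gives the first key index, F(previous key) the next, until m distinct indices.
    A step counter is mixed in (assumption) so a short cycle in F cannot stall the chain."""
    if m > n:
        raise ValueError("a sensor cannot hold more distinct keys than the pool has")
    chosen: list[int] = []
    prev, step = node_id.to_bytes(4, "big"), 0
    while len(chosen) < m:
        cur = F(prev + step.to_bytes(2, "big"), n)
        step += 1
        if cur not in chosen:
            chosen.append(cur)
        prev = cur.to_bytes(4, "big")  # chain: F(K12) = K19, F(K19) = K23, ...
    return chosen

def install_keys(node_id: int) -> dict[int, bytes]:
    """Phase 1: the keys actually preinstalled in sensor node_id."""
    return {i: KEY_POOL[i] for i in key_indices(node_id)}

def shared_key_indices(id_a: int, id_b: int) -> set[int]:
    """Phase 3 for RINK: each side recomputes the peer's key set from the peer's ID alone,
    so only IDs are broadcast, never key identifiers (P-RKP) or key-space ids (SK-RKP)."""
    return set(key_indices(id_a)) & set(key_indices(id_b))
```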
Deployment Area After Shared-key Establishment
Security Problem - 1 - Reasons • Unattended deployment environment • Physically insecure • No tamper-resistance due to low cost • Compromised sensor can reveal the stored keys.
Problem-1 (Capturing Nodes) • Random Capture (naïve approach) • Randomly pick nodes and obtain keys • Selective Capture (proposed approach) • Pick sensors that can give you keys that you do not already have
Random vs. Selective Capture • SK-RKP affected the most • P-RKP and RINK-RKP not affected much
Security Problem - 2 - Reasons • Wireless environment • Passive listening is easy • Unattended deployment environment • Fake sensors can be added to the system (proposed attack)
Problem – 2 (Deploying fake sensors) • Learn keys from captured nodes and fabricate fake nodes • Fake nodes have enough keys to look legitimate to other sensors • Fake nodes can • Inject / Absorb sensed data • Alter data in specific way
A Comprehensive Solution Dijiang Huang and Deep Medhi “Secure Pairwise Key Establishment in Large-scale Sensor Networks: An Area Partitioning and Multi-group Key Predistribution Approach”
Key Predistribution • A set of keys is predistributed to each sensor • Purely Random Key Predistribution • Each sensor randomly selects a set of keys without replacement from a large key pool • Structured key pool predistribution (Liu and Ning CCS 2003, Du et al. CCS 2003) • A large key pool is partitioned into multiple (ω) small key spaces • A key space is composed of a key matrix • Each sensor randomly selects τ key spaces (τ ≤ ω) • In each selected key space, a row of the key matrix (λ+1 keys) is preinstalled in the sensor • Structured key pool security property • If fewer than λ+1 rows of a key matrix are compromised, an attacker cannot compromise the whole key matrix • The row number can serve as a node id; it uniquely identifies a sensor.
Structured key pool approach • The SK-RKP scheme uses the key predistribution scheme proposed by Blom [Blom1985]. • A publicly known matrix G of size (λ+1) × N; • a secret symmetric matrix D of size (λ+1) × (λ+1) created by the key distribution center (D being symmetric is what makes K below symmetric). • The matrix A of size N × (λ+1) is then created as A = (D · G)^T over the finite field GF(q). • Each row of A is the set of keys distributed to a group member, and the row number can serve as a sensor's id. Since K = A · G is a symmetric matrix, nodes i and j can generate a shared key (K_ij or K_ji) from their predistributed secrets, where K_ij is the element in K located in the ith row and jth column. • A key pool is constructed from many key spaces, represented by A(t), where t = 1, …, ω. • Each sensor randomly selects τ key spaces out of ω key spaces, where τ < ω. • If sensor k selects key space A(t), the kth row of A(t) and the kth column of G are preinstalled in the sensor (note that the G matrix is unique, i.e., shared by all key spaces). • Once two nodes i and j have keys preinstalled from the same key space A(t), they can derive a shared key K(t)_ij = K(t)_ji.
Area Partitioning and Key Distribution • If an attacker has knowledge of more than λ rows, the entire matrix A can be derived. Thus, we restrict the number of rows distributed to sensors from each key matrix A to be no more than λ. • The number of nodes in each partition: • The number of keys for each sensor: randomly select τ key spaces from the ω key spaces; in each selected space distribute one row to the sensor. Note that no more than λ key spaces are selected for sensors.
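The Blom key space described on the two slides above, as an added example (not code from the slides or the paper): A = (D·G)^T over GF(q) with a symmetric secret D, row k of A issued to sensor k, K_kj = A[k]·G[:,j], and an issuing limit of λ rows per key space as the area partitioning slide requires. The prime q, the Vandermonde construction of G from the row number (so a sensor can rebuild a peer's column from the peer's id) and the toy sizes are assumptions made here.

```python
import random

Q = 2**31 - 1  # prime modulus for GF(q); a constructed toy choice, the slides only say GF(q)

def g_column(j: int, lam: int, q: int = Q) -> list[int]:
    """Column j of the public (lam+1) x N matrix G: (1, s, s^2, ..., s^lam) with s = j + 1 (assumed
    Vandermonde form), so any node rebuilds a peer's column from the peer's row number alone."""
    return [pow(j + 1, r, q) for r in range(lam + 1)]

def symmetric_d(lam: int, rng: random.Random, q: int = Q) -> list[list[int]]:
    """Secret (lam+1) x (lam+1) matrix D of the key distribution center; symmetric so K = A*G is."""
    d = [[0] * (lam + 1) for _ in range(lam + 1)]
    for r in range(lam + 1):
        for c in range(r, lam + 1):
            d[r][c] = d[c][r] = rng.randrange(q)
    return d

class KeySpace:
    """One Blom key space A(t): rows of A = (D*G)^T are handed out, at most lam of them."""
    def __init__(self, lam: int, n_rows: int, rng: random.Random, q: int = Q):
        self.lam, self.q = lam, q
        d = symmetric_d(lam, rng, q)
        # A[k][r] = (D*G)[r][k] = sum over c of D[r][c] * G[c][k]
        self.A = [[sum(d[r][c] * g for c, g in enumerate(g_column(k, lam, q))) % q
                   for r in range(lam + 1)] for k in range(n_rows)]
        self.issued: set[int] = set()

    def issue(self, k: int) -> "SensorShare":
        """Preinstall row k of A (column k of G is recomputable) in sensor k; refuse past lam rows."""
        if k in self.issued:
            raise ValueError(f"row {k} already issued")
        if len(self.issued) >= self.lam:
            raise ValueError("key space exhausted: issuing more than lam rows would expose D")
        self.issued.add(k)
        return SensorShare(k, self.A[k], self.lam, self.q)

class SensorShare:
    def __init__(self, k: int, a_row: list[int], lam: int, q: int):
        self.k, self.a_row, self.lam, self.q = k, a_row, lam, q

    def key_with(self, j: int) -> int:
        """K_kj = A[k] . G[:, j]; node j computes K_jk the same way and obtains the same value."""
        return sum(a * g for a, g in zip(self.a_row, g_column(j, self.lam, self.q))) % self.q

def demo(lam: int = 3, n_rows: int = 10, seed: int = 1) -> dict:
    """Issue rows 1, 2, 3 of one space; pairs must agree on their key, a 4th issue must be refused."""
    ks = KeySpace(lam, n_rows, random.Random(seed))  # fixed seed only so the run is repeatable
    s1, s2, s3 = ks.issue(1), ks.issue(2), ks.issue(3)
    try:
        ks.issue(4)
        refused = False
    except ValueError:
        refused = True
    return {"k12": s1.key_with(2), "k21": s2.key_with(1),
            "k13": s1.key_with(3), "k31": s3.key_with(1), "refused": refused}
```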
Sensor Deployment (Phase two) • Location-unaware distribution • Sensors are uniformly distributed in a large area • Location-aware distribution • Normal distribution (Du et al. 2004 Infocom) • Sensors are divided into groups • At the deployment point (e.g., dropped from a helicopter), the sensor density follows a normal distribution. • Uniform distribution • The deployment area is partitioned into multiple small areas • In each small area, a group of sensors is uniformly distributed
Key Discovery (Phase three) • Plaintext broadcast • Purely random key predistribution: key list or one-way function method (Pietro et al. 2004) • Structured key pool (within the same zone): sensor id (row # of the key matrix), selected key space ids, and a seed (to generate the publicly known key generating matrix G) • Shared key discovery (between adjacent zones): based on the sensor id, a group member can easily identify the nodes in adjacent zones that share a preinstalled key with it. • Private shared-key discovery • Multiple rounds of challenges and responses to discover a shared key
Key Establishment Protocol • Goal: to set up a pairwise key between two adjacent nodes that do not share preinstalled key(s) • One-path key establishment: the pairwise key is established via a single path • k-path key establishment: the pairwise key is established via k paths (key = k1 ⊕ … ⊕ kk, one share per path) • Two phases • Set up pairwise keys within the same zone • Set up pairwise keys between adjacent zones
Attack Model • The attacker has unlimited energy and computing power. • The attacker knows all the information stored in a sensor once the sensor is captured. • The attacker can listen to and record all the traffic in the network. • The attacker has the ability to physically locate a given sensor by listening to the traffic. • The attacker has the ability to fabricate similar nodes, deploy, and control them.
Attack Models – Attack classification • Selective node capture attack: attacking communication link. • Node fabrication attack: attacking authenticity. • Insider attack: attacking PKE Protocol.
Deployment Area Partition and Key Predistribution • A large sensor deployment area is partitioned into multiple small areas (zones) • Post-deployment information • A group of sensors is known to be deployed in a particular zone • Key predistribution • A structured key pool is created for each zone • We can restrict the number of rows distributed from a key space to λ • The maximum number of sensors distributed in each area is ωλ/τ • Each sensor shares a unique key with exactly one sensor (randomly picked without replacement) in each of its neighbor zones
Node Fabrication Attack (Attack analysis) • The attacker compromises only a few sensors and uses the captured keys to fabricate sensors • Purely random key predistribution • By capturing only two nodes, the attacker can fabricate nodes about • Structured key pool • An attacker must capture more than λ sensors in order to compromise a key space. Thus we restrict the number of key rows distributed from a key space to λ. • An attacker cannot arbitrarily generate new ids for the fabricated sensors