Download
sensor network security n.
Skip this Video
Loading SlideShow in 5 Seconds..
Sensor Network Security PowerPoint Presentation
Download Presentation
Sensor Network Security

Sensor Network Security

214 Vues Download Presentation
Télécharger la présentation

Sensor Network Security

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Sensor Network Security Dijiang Huang Arizona State University

  2. Agenda • Sensor and Networks Overview • Security Attacks • Key Management in Sensor Network

  3. Applications

  4. Security • Complex, many aspects to consider • General, complete solution is unlikely • Opportunity to address this properly – from the start! • Targeted solutions for targeted attacks • Reasonably secure WSN

  5. General Security Issues • New (severe) constraints (memory, bandwidth, cpu processing speeds, power, …) • Lightweight solutions required • Symmetric cryptography (asymmetric crypto is too expensive) • Physical Environment • Faults versus attacks • Cheap to attack

  6. Specific Security Problems • Routing and/or Backbone Disruption • Denial of service • Jam • Prevent wake-up • Prevent sleep (dies soon) • Modify group management information

  7. Specific Security Problems • System Initialization (re-sync messages and centralized base stations) • Clock Sync • Neighbor Discovery • Localization • Etc.

  8. Communication Scenarios • Confidentiality (eavesdrop) Node2 Base Station Msg Node1 Adversary

  9. Communication Scenarios • Integrity Base Station Msg1’ Msg1 Node1 Adversary

  10. Communication Scenarios • Authenticity I am the Base Station Node 1 Base Station Node 2 Adversary Node 3 Reprogram system Reset system parameters Node 4

  11. Summary- Basic Problems • Initial trust establishment (efficient key management solution) • Vulnerability of channels (eavesdrop and inject fake messages) • Vulnerability of nodes (capture, modify messages, re-route) • Absence of infrastructure (e.g., no centralized certification authorities) • Dynamically changing topology (difficult to distinguish between dynamics and attacks) • Minimum capacity devices • Drain batteries • Real-Time – slow packets down

  12. Key Graph • Solid links represent direct keys • Node 1 needs to establishindirect keys with nodes4,5,6,7, and 8.

  13. Initial Key Agreement • Main categories of existing solutions: • Purely Random Key Predistribution (P-RKP) • Structured Key-pool RKP (SK-RKP)

  14. Phases in RKP Schemes • Key Predistribution • Select and install keys in sensors • Sensor Deployment • Place the sensors • Shared-key Discovery • Sensors find common (shared) key(s) • Pairwise Key Establishment • Those who don’t find shared key(s), take help from others.

  15. Existing RKP Schemes (Phase 1) • P-RKP K11 K1 K16 K14 K23 K6 K3 K4 K20 K21 K18 ID K22 K7 K10 K19 K5 K13 K15 K17 K9 K8 K24 K12 K2 Sensor – m keys KEY POOL – Size n m << n

  16. Existing RKP Schemes (Phase 1) • SK-RKP K11 K1 K16 K14 K23 K6 K3 K4 K20 K21 K18 ID K22 K7 K10 K19 K5 K13 K15 K17 K9 K8 K24 K12 K2 Sensor – m keys KEY POOL – Size n m << n

  17. Proposed Scheme (Phase 1) F ( ) = K12 F (K12) = K19 F (K19) = K23 … K11 K1 K16 K14 K23 K6 K3 K4 K20 K21 K18 ID1 K22 K7 K10 K19 K5 K13 K15 K17 K9 K8 K24 K12 K2 Sensor – m keys KEY POOL – Size n m << n

  18. So what is different ? • Previous approaches do not use node ID for key selection, we do ! • That is we define RINK = Relation between ID aNd Keys

  19. Sensor Deployment (Phase 2) Deployment Area

  20. Shared-Key Discovery (Phase 3) • P-RKP K3, K1, K9, K24, …. ….. K23, K21, K12, K19 ID 1 ID 2 K3 K23 K1 K24 K21 K12 K9 K18 K5 K17 K17 K19

  21. Shared-Key Discovery (Phase 3) • SK-RKP G3, G6…. ….. G1, G5 ID 1 ID 2 K3 K23 K1 K24 K21 K12 K9 K18 K5 K17 K17 K19

  22. Shared-Key Discovery (Phase 3) • RINK ID 2 ID 1 ID 1 ID 2 K3 K23 K1 K24 K21 K12 K9 K18 K5 K17 K17 K19

  23. Deployment Area After Shared-key Establishment

  24. Security Problem - 1 - Reasons • Unattended deployment environment • Physically insecure • No tamper-resistance due to low cost • Compromised sensor can reveal the stored keys.

  25. Problem-1 (Capturing Nodes) • Random Capture (naïve approach) • Randomly pick nodes and obtain keys • Selective Capture (proposed approach) • Pick sensors that can give you keys that you do not already have

  26. Random vs. Selective Capture • SK-RKP affected the most • P-RKP and RINK-RKP not affected much

  27. Security Problem - 2 - Reasons • Wireless environment • Passive listening is easy • Unattended deployment environment • Fake sensors can be added to the system (proposed attack)

  28. Problem – 2 (Deploying fake sensors) • Learn keys from captured nodes and fabricate fake nodes • Fake nodes have enough keys to look legitimate to other sensors • Fake nodes can • Inject / Absorb sensed data • Alter data in specific way

  29. Damage by fake sensors !

  30. A Comprehensive Solution Dijiang Huang and Deep Medhi “Secure Pairwise Key Establishment in Large-scale Sensor Networks: An Area Partitioning and Multi-group Key Predistribution Approach”

  31. Key Predistribution • A set of keys is predistributed to each sensor • Purely Random Key Predistribution • Each sensor randomly select a set of keys without replacement from a large key pool • Structured key pool predistribution (Liu and Ning CCS 2003, Du et al. CCS 2003) • A large key pool is partitioned into multiple (ω) small key spaces • A key space is composed of a key matrix • Each sensor randomly select t key spaces (t £ ω) • In each selected key space, a row of key matrix (l+1 keys) is preinstalled in the sensor • Structured key pool security property • If less than l+1 rows of a key matrix are compromised, an attacker cannot compromise the whole key matrix • The row number can serves as a node id, it can uniquely identify a sensor.

  32. Structured key pool approach • The SK-RKP scheme uses the key predistribution scheme proposed by Blom [Blom1985]. • A publicly known matrix G of size (λ+1) ×N; • a secret matrix D of size (λ+1) ×(λ+1) created by key distribution center. • The matrix A of size N ×(λ+ 1) is then created as A = (D · G)Tover the finite field GF(q). • Each row of A is the keys distributed to a group member and the row number can serve as a sensor's id. Since K = A · G is a symmetric matrix, nodes i and j can generate a shared key (Kijor Kji) from their predistributed secrets, where Kijis the element in K located in the ith row and jth column. • A key pool is constructed by many key spaces, represented by A(t), where t =1,…,ω. • Each sensor randomly selects τkey spaces out of ωkey spaces, where τ < ω. • If sensor k selects key space A(t), the kth row of A(t) and kth column of G are preinstalled in the sensor (note that the G matrix is unique). • Once two nodes i and j have keys preinstalled from the same key space A(t), they can derive a shared key K(t)ij= K(t)ji.

  33. Area Partitioning and Key Distribution • If an attacker has the knowledge of more than λrows, the entire matrix A can be derived. Thus, we restrict the number of rows distributed to sensors for each key matrix A to be no more than λ. • The number of nodes in each partition: • The number of keys for each sensor: randomly select t key spaces from w key spaces. In each space distribute a row to the sensor. Note no more than λ key spaces are selected for sensors.

  34. Sensor Deployment • Location-unaware distribution • Sensors are uniformly distributed in a large area • Location-aware distribution • Normal distribution (Du et al. 2004 Infocom) • Sensors are divided into groups • At the deployment point (e.g., dropped from a helicopter), the sensor density follows normal distribution. • Uniform distribution • The deployment area is partitioned into multiple small areas • In each small area, a group of sensors are uniformly distributed Phase two: sensor deployment

  35. Key Discovery • Plaintext broadcast • Purely random key predistribution: key list or one-way function method (Pietro et al. 2004) • Structured key pool (within the same zone): sensor id (row # of the key matrix) , selected key spaces id, a seed (to generate a public known key generating matrix) • Shared key discovery (between adjacent zone): based on the sensor id, a group member can easily identify the nodes that share a preinstalled key in adjacent zones. • Private shared-key discovery • Multiple rounds of challenges and responses to discover shared key Phase three: key discovery

  36. Key Establishment Protocol • Goal: to set up a pairwise key between two adjacent nodes that do not share preinstalled key(s) • One-path key establishment: pairwise key is established via a single path • k-path key establishment: pairwise key is established via k paths (key=k1Å... Åkj) • Two phases • Set up pairwise key within the same zone • Set up pairwise key between adjacent zones

  37. Attack Model • The attacker has unlimited energy and computing power. • The attacker knows all the information stored in a sensor once the sensor is captured. • The attacker can listen to and record all the traffic in the network. • The attacker has the ability to physically locate a given sensor by listening to the traffic. • The attacker has the ability to fabricate similar nodes, deploy, and control them.

  38. Attack Models – Attack classification • Selective node capture attack: attacking communication link. • Node fabrication attack: attacking authenticity. • Insider attack: attacking PKE Protocol.

  39. Deployment Area Partition and Key Predistribution • A large sensor deployment area is partitioned into multiple small areas (zones) • Post-deployment information • A group of sensors is known to be deployed in a particular zone • Key predistribution • A structured key pool is created for each zone • We can restrict the number of rows distributed from a key space to l • The maximum number of sensors distributed in each area is wl/t • Each sensor shares a unique key with exactly one sensor (randomly picked without replacement) in each of its neighbor zones

  40. Selective Node Capture Attack for Random Key Predistribution

  41. Selective Node Capture Attack for Structured Key Pool

  42. Node Fabrication Attack • The attacker compromises only few sensors and uses the captured keys to fabricate sensors • Purely random key predistribution • By capturing only two node, the attacker can fabricate nodes about • Structured key pool • An attacker requires to capture more than l sensors in order to compromise a key space. Thus we restrict the number of key rows distributed from a key space to l. • An attacker cannot arbitrarily generate new ids for the fabricated sensors Attack analysis