220 likes | 390 Vues
Establishing Pairwise Keys in Distributed Sensor Networks. Donggang Liu & Peng Ning. Outline. Background Research Problem Previous Work Proposed Solutions Conclusion and Future Work. Background. Challenges in Sensor Network Security Resource constraints
E N D
Establishing Pairwise Keys in Distributed Sensor Networks Donggang Liu & Peng Ning
Outline • Background • Research Problem • Previous Work • Proposed Solutions • Conclusion and Future Work
Background • Challenges in Sensor Network Security • Resource constraints • Limited storage, computation, and communication • Expensive mechanisms such as public key cryptography is not practical • Limited resources (e.g. battery power) • Resource consumption attacks • Threat of node compromises • Sensor nodes are usually deployed in an unattended fashion • Subject to node captures
Problem : Pairwise Key Establishment • How to establish pairwise keys between sensor nodes so as to secure the communication ? • Between neighbor nodes • Between arbitrary nodes • Challenges • Resource constraints • Not feasible to use public key cryptography / key distribution center (KDC) • Threat of compromised nodes • Key pre-distribution • No location information before deployment • Naïve methods • Master key • Pairwise Key
Previous Work • Probabilistic key pre-distribution (Eschenauer & Gligor CCS’02) • key pre-distribution • random drawing of k keys out of a key pool P w/o replacement • loading of the key ring into each sensor • shared-key discovery • every node discovers its neighbors with which it shares keys • path-key establishment • assigns a path-key to neighbors w/o shared key • q-composite key pre-distribution (Chan et al. SSP’03) • Two nodes compute a pairwise key if they share at least q common keys. • Random pairwise key pre-distribution (Chan et al. SSP’03) • Randomly pick pairs of sensors and assigns each pair a unique random key.
Previous Work : Problem • Probabilistic key pre-distribution • q-composite key pre-distribution • A small number of compromised nodes may affect a large fraction of pairwise keys • Random pairwise key pre-distribution • Network scalability problem
Proposed Solutions • Polynomial pool based key pre-distribution • Random subset assignment scheme • Higher probability for sensors to establish secure communication • Unless the number of compromised nodes exceeds a threshold, compromise of sensors does not lead to the disclosure of other keys • Grid-based key pre-distribution scheme • Any two sensors can establish a pairwise key when there is no compromised node • Resilient to node capture • No communication overhead during the discovery of shared keys
Polynomial-Based Scheme • Blundo et al. CRYPTO’92 • Pre-distribution • Randomly generate a t-degree function over a finite field Fq • f(x,y)=f(y,x) • Each node i stores a polynomial share f(i,y) • For two nodes to establish a key, both nodes need to evaluate the polynomial at the ID of the other node. Node j Node i f(j,y) f(i,y) f(j,i) f(i,j) =
Polynomial-Based Scheme (Cont’d) • Properties • Storage: a t-degree polynomial, (t+1)log q bits • Computation overhead: evaluate a t-degree polynomial • No communication overhead • Unconditionally secure for up to t compromised nodes • Limitations • It can only tolerate no more than t compromised nodes • t is limited by the memory available in sensor nodes How to make it securer?
Polynomial Pool Based Scheme • Main idea • Use a pool of randomly generated polynomials • Three phases • Setup (Pre-distribution) • Initialize the sensors by distributing polynomial shares to them • Direct Key Establishment • Sensors first attempt to set up direct keys • Path Key Establishment • Establish pairwise keys with the help of other sensor
Polynomial Pool Based Scheme (Cont’d) • Phase 1: Pre-distribution • Setup server randomly generates a set F of t-degree polynomials over the finite field Fq • For each sensor node i, the server picks a subset of polynomials • The server assigns the polynomial shares of these polynomials to node i A subset Fi {fi1(i,y),fi2(i,y)…fik(i,y)} f1(x,y), f2(x,y), f3(x,y), f4(x,y), …,fn(x,y) A set F of t-degree polynomials i
Polynomial Pool Based Scheme (Cont’d) • Phase 2: Direct Key Establishment • If both sensors have polynomial shares on the same polynomial, they can establish the pairwise key directly. • Polynomial share discovery: How to find a common polynomial of which both sensors have polynomial shares. • Pre-distribution • Real-time discovery fim(x,y) = fjn(x,y) {fi1(i,y),fi2(i,y)…fim(i,y)…fik(i,y)} {fj1(j,y),fj2(j,y)…fjn(j,y)…fjk(j,y)} i1,i2…ik j1,j2…jk i j
Polynomial Pool Based Scheme (Cont’d) • Phase 3: Path Key Establishment • Node i and j cannot establish a key directly • Node i needs to find a path between i and j s.t. any two adjacent nodes in the path can establish a pairwise key directly • Path discovery: How to find the key path • Pre-distribution • Real-time discovery {fp1(p,y)…fpr(p,y)…fps(p,y)…fpk(p,y)} fim(x,y) = fpr(x,y) fjn(x,y) = fps(x,y) {fi1(i,y),fi2(i,y)…fim(i,y)…fik(i,y)} {fj1(j,y),fj2(j,y)…fjn(j,y)…fjk(j,y)} p i j
Random Subset Assignment Scheme • Phase 1: Subset assignment • Random • Phase 2: Polynomial share discovery • Real-time discovery • Nodes broadcast a list of polynomial IDs • Broadcast an encryption list , Ekv(), v = 1, …, |Fi|. Kv is a potential pairwise key the other node may have. • Phase 3: Path discovery • Real-time discovery • Node i contacts nodes with which it shares a key • Any node that also shares a key with j replies
Random Subset Assignment Scheme - Performance • Probability that two sensors can establish a key p: The probability that two sensor nodes share a key directly Pc: The probability that two sensor nodes can establish a pairwise key (directly or indirectly) s: Number of polynomials in the polynomial pool s’: Number of polynomial shares that a node will store d: Average number of neighbors that a node can contact
Random Subset Assignment Scheme - Performance • Fraction of compromised links between non-compromised sensors v.s. number of compromised sensor nodes (Assume each node has available storage for 200 keys)
Random Subset Assignment Scheme - Performance • Maximum supported network size (Assume each node has available storage for 200 keys)
Grid-Based Scheme • For a sensor network of N nodes • Construct a m x m grid, m = ceil( ) • Generate a set of 2m polynomials • Each row i • Each column i
Grid-Based Scheme (Cont’d) • Phase 1: Subset assignment • For each sensor, pick an unoccupied intersection (i,j) in the grid • ID of this sensor is ID = <i,j> • Distribute {ID, , } to this node • Phase 2: Polynomial share discovery • Node i checks whether ci = cj or ri = rj. If so, they can use or to establish pairwise key. • Phase 3: Path discovery • Both nodes <i’,j> and <i,j’> can help node <i,j> to establish a pairwise key with node <i’,j’> • Besides <i’,j> and <i,j’>, nodes like <i’,m-2> and <i’, m-2> can work together to help node <i,j> and <i’,j’>. There are up to 2(m-2) pairs of such nodes in the grid.
Grid-Based Scheme - Performance • Properties • When there is no compromised nodes • Any pair of sensors can establish a pairwise key • Directly or through the help of intermediate nodes • Communication overhead is lower • Not require real-time path discovery • Even if there are compromised nodes, there is still a high probability that two non-compromised sensors can establish a pairwise key
Conclusion and Future Work • Conclusion • Developed a general framework for polynomial pool-based key pre-distribution • Two instantiations • Random subset assignment • Grid-based key pre-distribution • Future work • Grid-based scheme can be extended to a n-dimensional or hypercube based scheme • Develop location based schemes • Sensor nodes have low mobility in many applications