1 / 43

Suresh Giridarapuram CS 6204 Mobile Computing Virginia Tech

pDCS: Security and Privacy Support for Data-Centric Sensor Networks Min Shao, Student Member, IEEE, Sencun Zhu, Wensheng Zhang, Member, IEEE, Guohong Cao, Senior Member, IEEE, and Yi Yang, Student Member, IEEE. Suresh Giridarapuram CS 6204 Mobile Computing Virginia Tech. Agenda.

cwen
Télécharger la présentation

Suresh Giridarapuram CS 6204 Mobile Computing Virginia Tech

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. pDCS: Security and Privacy Support forData-Centric Sensor NetworksMin Shao, Student Member, IEEE, Sencun Zhu, Wensheng Zhang, Member, IEEE,Guohong Cao, Senior Member, IEEE, and Yi Yang, Student Member, IEEE Suresh Giridarapuram CS 6204 Mobile Computing Virginia Tech

  2. Agenda • Introduction to DCS • Motivation for pDCS • Related work • Design Principles • Performance Evaluation • Conclusion

  3. Data Centric Sensor Network • Large volume of data spread across wide network • Efficient dissemination/access techniques to extract relevant data • In DCS nature of data is important than the identities of the node • Sensor data is named based on even type or geographic location

  4. DCS continued. • Sensor data is stored in nodes determined by Geo. Hash Table (GHT) • Data with same name are co-located • Queries are sent directly using Geo. Routing protocol (e.g. GPSR) vs. flooding • Fig. 1 Sensing data about an animal aggregated and stored in one location

  5. DCS contd.

  6. DCS vs. BS data dissemination. • BS based is inefficient since large data is exchanged back and forth • Nodes close to BS will die very quickly due to energy depletion • BS is attractive for attack and single point of failure • DCS does not need presence of BS, Mobile sinks (MSs) are dispatched on demand to collect stored data

  7. Security concerns in DCS • Data of same type are stored using publicly known hash functions. • Monitoring event types and hash functions one can determine storage nodes. • In e.g. fig.1 hunters can obtain locations of protected animals. • Securing DCS is complicated due to network scale, system resources, unattended and hostile environments.

  8. pDCS – Privacy Enhanced Data Centric Network • First one to provide security and privacy to DCS networks. • Can not get the sensor data from a node even with key compromise • Can not get previous event data even with node compromise. • Revokes compromised node to prevent attacks on future storage locations. • Provides novel query optimization to reduce message overhead still preserving privacy • Private data-location mapping based on cryptographic keys, with periodic key updates. • Query optimization based on Euclidean Steiner Tree (EST) and keyed Bloom Filter (KBF) to reduce message overhead.

  9. pDCS – Related works • Location Privacy and Communication anonymity - Restrict data access using policy enforcement and data perturbation. - Data Cloaking and hierarchical data aggregation - pDCS in contrast uses encryption and random location mapping. - conceal BS using constant rate and mix techniques to hide sender-receiver correlations. - phantom flooding and disturbed data to mislead attacker. • Key Management - pair wise key management with trusted BS. - LKH based group key management for multicast. - Not suited for sensor networks. - updated group key distribution using hop-by-hop encryption - Use geographic based mapping for efficient group re-keying. - pDCS uses row keys and cell keys in addition to group key. Cell based partition reduces re-keying overhead. • Location based forwarding - location aided routing to reduce flooding overhead -greedy routing (GPRS) chooses next hop that provides most progress to destination - pDCS uses trajectory based routing , trajectory encoded in each packet using EST. A novel KBF based approach `

  10. pDCS – Model and Design goal • Sensor network divided to cells. Nodes from neighboring cells directly communicate. • Detection cell and Storage cell. • Cell has unique ID and each sensor know its own Cell ID. • Events types are classified. E.g. Activities of certain kind of animal • Trusted MS enters network as needed and controls data collection and key managements (vs. fixed BS)

  11. pDCS – Attack Model • Assumes attacker targets specific event data • Attacker may launch • Passive attack: By eavesdropping. Solution: encryption • Query attack: Send query to target data. Solution: Authentication e.g. using micro-Tesla for broadcast. • Readout attack: Capture some nodes and read data. • Mapping attack: Obtain mapping storage vs. detection cells.

  12. pDCS – Security Assumptions • Authenticated broadcast e.g. using u-Tesla • Assumes attacker compromise nodes from relatively smaller number of cells. • A cell is compromised even one node in a cell is compromised. • Worst case attacker may selectively compromise cells. • Assume anti-traffic analysis schemes are deployed to counter traffic monitoring

  13. pDCS – Design Goal • Mainly address readout and mapping attack • Event Data Confidentiality: Though keys of a node are compromised , can not decrypt data. • Backward event privacy: Attacker is prevented from obtaining previous sensor data though some nodes are compromised • Forward event privacy: Thwart an attacker from obtaining future data though some nodes are compromised • Query Privacy: MS query reveal as little location information of sensor data. • Resource constrained and hence avoid network wide flooding or public key operations as much possible.

  14. pDCS - Overview • Each sensor processes 5 types of keys - master key shared only with MS. - pair wise key shared with every neighbor. - row key shared by all sensors in same row. - cell key shared by all sensors in a cell. - group key shared by all sensors in a network. • Sensed data handled using 6 steps (Event –E at Time -T, detection cell –u and storage cell –v) - determine storage cell using keyed hash function. - encrypts recorded information with cell key. - forward message towards destination. Apply techniques to prevent attacker analyzing traffic and injecting false packets. - Storage cell v stored the message locally. - authorized MS interested in event E at cell –u , determines storage cell –v using mapping and queries cell –v directly. Query optimization is used to reduce message overhead. - after MS receives data of interest, decrypts using cell key.

  15. pDCS - overview • Without knowing mapping key attacker can not get the mapping of cell-u and cell-v • Since storage cell does not posses decryption key, readout attack is difficult though a node is compromised in cell –v. • Attacker can launch various attacks only if he knows the mapping. • Key point of the design hence is to secure mapping function to randomize mapping among cells.

  16. pDCS - Privacy Enhanced Data Location Mapping • N - # of cells, Nr- # of cells in row, Nc - # of cells in a column • Every cell is uniquely identified by L(i,j) where 0 <= i <= Nr-1 and 0<= j <= Nc-1 • Attacker is capable of compromise s cells. • m detection cells for event E and are independent and identically distributed over N cells. • Event privacy level – EPL – Probability that an attacker can not obtain both sensor data and encryption key. BEPL – Backward Privacy, FEPL – Forward privacy • Larger the EPL , higher the privacy • Group key based mapping, Time based mapping and Cell based mapping.

  17. pDCS – Group Key based mapping • All nodes store same event E in location (Lr,Lc) based on group wide shared key. • Prevent readout, attacked cell does not store its own data. • If cell L(x,y) finds it stores its own data i.e. Lr =x and Lc=y then apply hash H on Lr and Lc until Lr <> x and Lc <> y • MS can answer query “What is information about event E” – all information about E is stored in one location. • MS determines location based on key K and E

  18. pDCS – Group-key based mapping - Analysis • All m detection cells are mapped to one location • Attacker randomly compromise a node to get group key • Locate storage cell based on group key. • Data stored is encrypted using individual cell key. Attacker has to first get cell-ID randomly from m-detection cells. • Assume attacker compromise up to s cells. • First compromise cell is Storage cell with probability (1/N). Attacker will randomly compromise (s-1) cells from (N-1) cells. • If first compromised cell is NOT storage cell with probability(N-1)/N then attacker first compromise storage cell and randomly compromise (s-2) cells from remaining (N-2) cells. • Assume i out of m detection cells are compromised • Let B1=min(s-1,m) and B2=min(s-2,m)

  19. pDCS – Group Key based mapping - Analysis • BEPL of this scheme is • If attacker compromises s cells at time t0 and later at time t1 obtain storage data . • On average ms/N out of s compromised cells are detection cells which will provide encryption keys • FEPL of this scheme is

  20. pDCS – Group Key based mapping - Analysis • BEPL decreases with s. • BEPL does not change with m.

  21. pDCS- Time based mapping • Node stores event E occurring in same time interval T into same location (Lr,Lc) • Uses group wide shared key Kt • Every sensor node maintains timer which periodically at T interval derives next group Kt as function of H(Kt) • An MS can answer query what event E at timer interval T • MS determines location based on Kt, E and T and send queries to fetch data • Attacker can not get old group key from current group key, due to one way hash function. • Assuming a cell is not both detection and storage an attacker can guess s/N storage cells and s/N detection cells. • Only when these detection and storage cells are mapped attacker can decrypt data • BEPL for this scheme is higher than scheme-1 1-(s/N)(s/N) • Since storage cells vary over time T for same Event E FEPL is same as BEPL

  22. pDCS- Cell based mapping • All nodes of same cell L(i,j) store in the same location (Lr,Lc) the same type of event E at time T. • Uses cell key Kij shared among all nodes in cell L(i,j) • Kij is updated periodically such that Kij = H(kij) and erases old keys for backward privacy • Since cell key is also used for encryption, data is encrypted using different keys over period of time. • MS can answer query “has event E happened in cell L(i,j) at time T. • Attacker can not get old cell keys from new keys and hence offers highest BEPL with p=1 • FEPL is same as scheme 2.

  23. Comparison of mapping schemes • Message overhead is total number of hops of all the messages from detection to storage cells. • Fig.3 shows message overhead linearly increases with number of events. • Cell based scheme has slightly more overhead • Fig.4 shows message overhead is more balanced in cell based scheme and hence network can have longer life time. • Overall memory requirement to store sensed data is same in all 3 schemes.

  24. comparison of mapping schemes

  25. Key Management • Master key K directly used between node and MS for encryption. When a node in a cell is revoked, MS encrypts new cell key using master keys of remaining nodes in cell. • Pair wise key – hop by hop authentication of data between neighboring cells. • Cell key – encrypting sensed data in a storage cell, for private cell to cell mapping, secure delivery of row key. • Row key – private row to cell mapping. • Group key – secure group to cell mapping, MS broadcasts secure query to all nodes

  26. Key Management contd. • Keys are organized into an LKH with following hierarchy • Unlike LKH group member also share pairwise keys. • Pairwise keys reduce the bandwidth overhead of group re-keying when a node is revoked in a group.

  27. Key Management contd. • Pairwise keys established using existing schemes • Group keys and Master keys are pre-loaded prior to deployment. • Row and Cell keys are established after deployment. • Assumes a node will not be compromised before it finds its location • Every node is pre-loaded with same network key Ki then cell key is computed H(Ki,i|j) based on cell location (i,j). After this Ki is erased. • Row key is similarly computed as H(ki,i)

  28. Key updates on Node revocation • If a node u in cell L(2,2) is compromised, all other nodes in the cell report this to MS. Nodes use master key to compute MAC. • Since node u compromise keys k22,k2 and kg these keys are updated to new. • the new group key Kg’ is encrypted by K0, K1, K2’ , and K3 • K2’ is encrypted by K20, K21, K22’, and K23 • K22’ is encrypted by Kv0 , Kv1 , Kv2 , Kv3 • Based on LKH, MS will encrypt each key with its child keys (new keys if updated) and broadcast. • In general Nr+Nc+Nij-1 keys will be broadcast.

  29. Improvement to Rekeying • Based on Network Topology • When a new encrypted key is to be communicated, send it to only one in the group and allow the recipient to propagate to others using pairwise keys. • Trades communication for computation • If a node u in cell L(i,j) is revoked then • For nodes in row m (r <> i) they only need new group key Kg’ encrypted by its row key Km. MS sends only one encrypted key to cell (m,0). Keys are propagated to other cells in row m. • For nodes in row i, if nodes in column (n <> j) they only need new group key Kg’ encrypted by Ki’ and Ki’ encrypted with cell key Kin. If nodes are located in same cell as node u then each need to receive Kij’ encrypted with its own mater key . • MS sends Nc+Nij-1 keys to cell (i,0) and keys are propagated in row i

  30. Performance Analysis • Define performance overhead C as the average number of keys that traverse each cell during a rekeying event Where sij is number keys traversed cell L(i,j) Assume a sensor network of square field then Nr= Nc and hence C=2.5 better than Nr+Nj+Nij-1

  31. Improving Query efficiency • Better privacy ( refer to 3 schemes discussed) results in message overhead • To answer queries like “Where were the elephants in last 3 days” is much easier to answer with group key mapping than cell based mapping • Cell based approach requires queries to multiple cells since data are stored at multiple places.

  32. Query efficiency – Basic scheme • MS sends one query message to each cell using routing protocol like GPRS • Each message contains query and storage cell ID. • High message overhead • Query privacy is measured as probability that attacker can not get storage cell ID. For this scheme since cell ID is part of message Probability P1=0

  33. The Euclidean Steiner Tree (EST) Scheme • Organize the storage cells as a minimum spanning tree to reduce message overhead. • Message size will increase due to tree construction but number of queries reduced. • Query Privacy is still an issue as storage cell ID is still part of message • EST is widely used concept in network multicasting to reduce message overhead. • EST includes Steiner cells other than storage cells that helps improve query privacy.

  34. EST Contd. • With EST the cell that MS resides is at the root. • MS constructs query message with IDs of the cells in the EST and sends to its child cells using GPRS • Each cell head re-constructs query message by removing its own ID and that of its siblings. Forwards EST sub-tree to its child cells. • Recursive process until each storage cell in EST receives query message. • For n storage cells Query privacy P1 = 1 – n/(2n-2) where (2n-2) is at-most cells in Steiner tree including Steiner cells.

  35. Keyed Bloom Filter scheme • Bloom filter is popular data structure used for membership queries • Represents set S=s1,s2,..,sn using k independent hash functions h1,h2,..,hk and string of m bits each set to 0 initially. • For each s subset of S, hash using all k hash functions and obtain hi(s)(1<=i<=k). The bits corresponding to this value are set to 1 in the string. • Multiple hash values may map to same bit yielding false positive i.e. an element not in S but its bits hi(s) are marked by elements in S.

  36. KBF contd. • An attacker could still easily check if the cell ID is that of storage cells though there are high false positive rates • In KBF cell key is used to encrypt cell ID before inserted • Cell ID is concatenated with Cell Key of its parent in EST before inserting to Bloom Filter. • When a query message arrives at a cell, the cell concatenates its own cell key with the ID of each neighboring cell that is not a neighbor of its own parent node , and determines whether the neighbor is in the Bloom Filter. Forwards message only if in BF. • With encryption KBF has the highest query Privacy.

  37. KBF contd.

  38. Message size overhead with EST • EST scheme reduces the number of query messages at the price of larger messages • Limited packet size may prevent MS to piggyback all storage cell ID along with query in one packet • Use multiple Steiner trees and encode each of them to one packet. • Partitioning Steiner tree to multiple is NP-hard, requires heuristics. • Using Intuitive partitioning cluster the storage cells from top-bottom and left-right and construct EST for each partition. MS sends same queries to each partition at the same time. Some redundancy. • Using Fanlike partitioning involves considering the plane as polar co-ordinates. Storage cells are within (-Pi, Pi)

  39. Plane partitioning

  40. Performance Evaluation – Message overhead • EST and KBF out-perform basic scheme • Message overhead of KBF is higher than EST though they have similar number of messages. KBF may go through redundant cells due to false positive.

  41. Performance Evaluation – Query Delay and Privacy • Basic scheme performs best since it queries storage cells directly • With EST and KBF message has to traverse many intermediate cells • At low cell density KBF outperforms EST • Query Privacy is highest for KBF event a s=20 cells compromised

  42. pDCS – issues and future work • To prevent selective compromise attacks, ID of a detection cell is also encrypted. MS will try all the cell keys until the decrypted message is meaningful. • May not be a big issue for laptop based MS that can perform 4m decryptions per second. • Another concern is no of keys to be possessed by MS when MS needs to decrypt data from many cells. • Paper also presented an appendix –A for Row based mapping In this scheme, all the nodes in the same row i (or column) of the gridded sensor field store the same type of event E occurring during T in the same location (Lr,Lc) based on a key Ki shared only among all the nodes in row i

  43. Questions ?

More Related