1 / 23

SPINS: Security Protocols for Sensor Networks

SPINS: Security Protocols for Sensor Networks. Authors: Adrian Perrig, Robert Szewczyk, Victor Wen,David Culler and J.D.Tygar. Outline. Security for sensor networks - Research Problem Proposed Techniques - SPINS building blocks Applications Related Work Discussion Conclusion.

vlora
Télécharger la présentation

SPINS: Security Protocols for Sensor Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SPINS: Security Protocols for Sensor Networks Authors: Adrian Perrig, Robert Szewczyk, Victor Wen,David Culler and J.D.Tygar

  2. Outline • Security for sensor networks - Research Problem • Proposed Techniques - SPINS building blocks • Applications • Related Work • Discussion • Conclusion

  3. Security for Sensor Networks • Data Authentication • Data Confidentiality • Data Integrity • Data Freshness - Weak Freshness - Partial message ordering, no delay information - Useful for sensor measurements - Strong Freshness - Total ordering on req-res pair, delay estimation - Useful for time synchronization

  4. Challenge: Resource Constraints • Limited energy • Limited computation(4MHz 8-bit) • Limited memory(512 bytes) • Limited code size(8 Kbytes) • Limited communication(30 byte packets) • Energy consuming communication

  5. Contributions • SNEP -Sensor Network Encryption Protocol -Secures point-to-point communication • µTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication -Provides broadcast authentication

  6. Base Station G E F C D B A System Assumptions • Communication patterns -Node to base station (e.g. sensor readings) -Base station to node (e.g. specific requests) -Base station to all nodes • Base Station -Sufficient memory, power -Shares secret key with each node • Node -Limited resources, limited trust

  7. SNEP • Data Confidentiality (Semantic Security ) • Data Authentication • Replay Protection • Weak Freshness • Low Communication Overhead

  8. Key Generation /Setup Counter KeyEncryption RC5 Block Cipher KeyMAC Key Master Keyrandom • Nodes and base station share a master key pre-deployment • Other keys are bootstrapped from the master key: • Encryption key • Message Authentication code key • Random number generator key

  9. Authentication, Confidentiality Node B Node A M, MAC(Kmac, M) {M}<Kencr, CA>, MAC(Kmac, CA|| {M}<Kencr, CA>) • Without encryption can have only authentication • For encrypted messages, the counter is included in the MAC • Base station keeps current counter for every node

  10. Strong Freshness Node B Node A Request, NA {Response}<Kencr, CB), MAC(Kmac, NA || CB|| {Response}<encr, CB>) • Nonce generated randomly • Sender includes Nonce with request • Responder include nonce in MAC, but not in reply

  11. Counter Exchange Protocol • Bootstrapping counter values Node B Node A CA CB, MAC(Kmac, CA||CB) • To synchronize: • A →B : CA • B →A : CB, MAC(Kmac,CA|| CB).

  12. TESLA: Authenticated Broadcast • Uses purely symmetric primitives • Asymmetry from delayed key disclosure • Self-authenticating keys • Requires loose time synchronization • Use SNEP with strong freshness

  13. Key Setup • Main idea: One-way key chains • K0 is initial commitment to chain • Base station gives K0 to all nodes F(Kn) F(K2) F(K1) Kn Kn-1 K1 K0 ……. X

  14. Broadcast • Divide time into intervals • Associate Ki with interval i • Messages sent in interval i use Ki in MAC • Ki is revealed at time i +  • Nodes authenticate Ki and messages using Ki K0 K1 K2 K3 … 0 1 2 3 4 time

  15. Msg, MAC(Kj, Msg) Broadcasting Authenticated Packets • In interval j, base station broadcasts Msg • Node verifies that key Kj has not been disclosed yet • Node stores Msg Node A Base Station Nonce Tnow, Ki, Ti, Tint, , MAC(Kmaster, Nonce | Tnow | …)

  16. Kj Node authenticating packets • After disclosure interval , base station broadcasts Kj • Node verifies that F(Kj) = Kj-1, or F(F(Kj)) = Kj-2, etc. • Node verifies MAC of Msg • Node delivers Msg Node A Base Station Nonce Tnow, Ki, Ti, Tint, , MAC(Kmaster, Nonce | Tnow | …) Msg, MAC(Kj, Msg)

  17. Authenticate K3 F F P1 P2 P3 P4 P5 K0 K0 K1 K2 K3 Verify MACs Perfect robustness to packet loss K1 K2 K3 K4 K5 t Time 2 Time 3 Time 4 Time 5

  18. TESLA Properties • Asymmetry from delayed key disclosure • Self-authenticating keys • Requires loose time synchronization • Low overhead (1 MAC) - Communication (same as SNEP) - Computation (~ 2 MAC computations) • Independent of number of receivers

  19. Applications • Authenticated Routing • Node to Node Agreement A B: NA, A B S: NA,NB, A, B, MAC(K’BS, NA || NB || A || B) S A: {SKAB}KSA , MAC(K’SA,NA || A || {SKAB}KSA ) S B: {SKAB}KSB , MAC(K’SB,NB || B || {SKAB}KSB )

  20. Related Work in Broadcast Authentication • Symmetric schemes - Link-state routing updates - Multi-MAC • Asymmetric schemes - Merkle hash tree • Chained hashes - EMSS • Hybrid schemes -Stream signature -K-times signature

  21. Discussion: Drawbacks • The TESLA protocol lacks scalability - require initial key commitment with each nodes, which is very communication intensive • SPINS uses source routing, so vulnerable to traffic analysis

  22. Discussion: Risks Un-addressed • Information leakage through covert channels • No mechanism to determine and deal with compromised nodes. • Denial of service attacks • No Non-repudiation

  23. Conclusion • Strong security protocols affordable - First broadcast authentication • Low security overhead - Computation, memory, communication • Apply to future sensor networks -Energy limitations persist -Tendency to use minimal hardware • Base protocol for more sophisticated security services

More Related