240 likes | 345 Vues
Group Rekeying for Filtering False Data in Sensor Networks: A Predistribution and Local Collaboration-Based Approach. Wensheng Zhang and Guohong Cao. Outline. Research problem – Group key updating Previous work Proposed solution B-PCGR C-PCGR RV-PCGR Performance evaluation Conclusion.
E N D
Group Rekeying for Filtering False Data in Sensor Networks: A Predistribution and Local Collaboration-Based Approach Wensheng Zhang and Guohong Cao
Outline • Research problem – Group key updating • Previous work • Proposed solution • B-PCGR • C-PCGR • RV-PCGR • Performance evaluation • Conclusion
Research Problem • Sensor Network • Hostile environment • Adversary may use compromised nodes • Inject false sensing report • Modify the reports sent by other nodes • Symmetric cryptographic techniques • Sensor nodes are randomly divided into multiple groups • Nodes in the same group share a symmetric group key • Each message is attached with multiple MACs, each is generated using one group key • Problem • Node compromises • Innocent nodes should update their group keys
Previous Work • Centralized solution • SKDC: Use central controller to distribute new keys (Hugh, et al.) • Logic tree-based schemes (Wallner et al., Wong et al. Balenson et al.) • High communication cost • Rekeying delay • Distributed Solution • Blundo’s scheme: Allows a set of nodes to set up a group key in distributed way (C. Blundo et al.) • Not scalable: storage cost / each node must know other trusted group members
Motivation • Preload future keys to individual nodes before deployment • Avoid high communication overhead • Neighbors collaborate with each other to effectively protect and appropriately use the preloaded keys. • Security • Relieves high cost of centralized management
System Model • Large scale wireless sensor network • Deployed in a hostile environment • Each node is innocent • Before deployment • Cannot be compromised during the first several minutes • Each pair of neighboring nodes can establish a pairwise key • Compromised nodes can be detected within a certain time period • Nodes are loosely synchronized • Group rekeying is started periodically
Basic Predistribution and Local Collaboration-Based Group Rekeying (B-PCGR) • Group Key Predistribution • The setup sever decides the total number of groups. For each group i, it constructs a t-degree univariate g-polynomialgi(x). • gi(0) is the initial group key, • gi(j)(j >= 1) is the group key of version j. • A node is randomly assigned to a group before deployment. • A group key polynomial (g-polynomial) gi(x) is preloaded in each node based on the group it belongs to. • New group keys are generated and distributed using g-polynomial at key updating times.
B-PCGR (2) • Local Collaboration-Based Key Protection • Each node Nu randomly pick a bivariate encryption polynomial (e-polynomial) • Nu Encrypts its g-polynomial g(x) using its e-polynomial eu(x,y) to get its g’-polynomialg’(x)= g(x) + eu(x,u) • Nu distributes the share of eu(x,y) to its n neighbors Nvi (i = 0,…,n-1). Each neighbor Nvi receives share eu(x,vi) • Nu removes eu(x,y) and g(x) , but keeps g’(x) and uses g(0) as its current group key.
B-PCGR (3) • Local Collaboration-Based Group Key Updating • Each node maintains a rekeying timer • Periodically notify the node to update its group key and the current version of the group key c • To update keys • Each innocent node Nu increases its c by one • Nu returns share evi(c,u) to each trusted neighbor Nvi • Nu receives a share eu(c,vi) from each trusted neighbor Nvi. Having received μ + 1 shares, Nu can reconstruct a unique μ-degree polynomialeu(c,y)
B-PCGR (4) eu(x,v2) g’(x) = g(x) + eu(x,u) eu(x,v1) Nv1 Nv2 eu(x,v1) eu(x,v3) eu(x,v2) eu(c,v2) eu(c,v1) eu(c,v3) Nu eu(x,v0) Nv3 Nv0 g(x) eu(x,v3) eu(c,v0) eu(x,v5) eu(c,v4) eu(x,v0) Compute eu(c,y) g(c) = g’(c) - eu(c,u) eu(x,v4) eu(c,v5) Nv4 Nv5 eu(x,v5) eu(x,v4)
B-PCGR (5) • Security Analysis • For a certain group, its g-polynomial g(x) is compromised if and only if • A node Nu of the group is compromised, and • At least μ + 1 neighbors of Nu are compromised; or • At least t + 1 past keys of the group are compromised
Enhancements to B-PCGR • Limitations of B-PCGR • No more than μ neighbors can be compromised • No more than t keys from the same group can be compromised • Improve B-PCGR • Cascading PCGR (C-PCGR) • First limitation • Random Variance-Based PCGR (RV-PCGR) • Second limitation
C-PCGR (1) • Difference from B-PCGR • The e-polynomial shares of Nu are distributed to its multi-hop neighbors • e-polynomial shares are distributed/collected in a cascading way • Differs from B-PCGR in the second and third steps • Polynomial encryption and share distribution • Key updating • The paper describes the case that e-polynomial shares are distributed to its 1- and 2-hop neighbors
C-PCGR (2) • Polynomial Encryption and Share Distribution • Each node Nu picks two e-polynomials (degree of x is t, degree of y is μ) • 0-level e-polynomial eu,0(x,y) • 1-level e-polynomial eu,1(x,y) • Nu encrypts its g(x) using eu,0(x,y) to get its g’(x) = g(x) + eu,0(x,u) • Nu keeps g(0) and g’(x), removes g(x) and eu,0(x,y) , distributes the shares of eu,0(x,y) to its neighbors. Neighbor Nv is given eu,0(x,v) • Having received 0-level e-polynomial shares from its neighbors, each node Nv uses its 1-level e-polynomial ev,1(x,y) to encrypt each received 0-level polynomial eu,0(x,v) to obtain e’u,0(x,v) = eu,0(x,v) + ev,1(x-1,v) • Nv keeps eu,0’(x,v) and eu,0(c+1,v) , which will be returned to Nu at the next key updating time • Nv removes eu,0(x,v) and distribute shares of its 1-level polynomial ev,1(x,y) to neighbors
C-PCGR (3) g(0) & g’(x) = g(x) + eu,0(x,u) eu,0(x,v2) Nu Nv2 eu,0(1,v1) e’u,0(x,v1) = eu,0(x,v1) + ev1,1(x-1,v1) eu,0(x,v1) eu,0(x,v0) Nv1 Nv3 ev1,1(x,v3) Nv0 ev1,1(x,v3) ev1,1(x,v4) ev1,1(x,v5) Nv5 Nv4 ev1,1(x,v5) ev1,1(x,v4)
C-PCGR (4) • Key updating • Each innocent node Nu increases its c by one, and returns shares ev,0(c,u) and ev,1(c,u) to each trusted neighbor Nv (We assume that Nu has received these shares from Nv) • Nu receives its own 0-level and 1-level polynomial shares from its neighbors (eu,0(c,v) and eu,1(c,v) from each trusted neighbor Nv) • Having received µ + 1 0-level e-polynomial shares, Nu reconstructs a unique polynomial eu,0(c,x) which is used to compute its new group key g(c) = g’(c) –eu,0(c,u) • Having received µ + 1 1-level e-polynomial shares, Nv computes a unique polynomial ev,1(c,x) and then generates a share eu,0(c+1,v) =e’u,0(c+1,v) – ev,1(c,v), which will be returned to neighbor Nu at the next key updating time.
C-PCGR (5) g(1) = g’(1) – eu,0(1,u) g’(x) g(0) g’(x) eu,0(1,v2) Nu Nv2 eu,0(1,v1) e’u,0(x,v1) eu,0(2,v1) = e’u,0(2,v1) + ev1,1(1,v1) e’u,0(x,v1) eu,0(1,v1) eu,0(1,v0) Nv1 Nv3 ev1,1(1,v3) Nv0 ev1,1(1,v5) ev1,1(1,v4) Nv5 Nv4
C-PCGR (6) • Security Analysis • For a certain group, its g-polynomial g(x) is compromised if and only if • A node Nu of the group is compromised, and • The adversary has compromised at least μ + 1 neighbors of Nu , each of which also has μ + 1 neighbors compromised; or • At least t + 1 past keys of the group are compromised
RV-PCGR(1) • Aims to address another limitation of B-PCGR • If the adversary has obtained t + 1 keys of a certain group (g(0),g(1),…,g(t)), the adversary can break the g-polynomial of the group (g(x)). • Basic Idea • Let the length of g(j) be 2L bits. • Add a L bit random number σj to each g(j) to obtain gr(j) • The highest L bit of g(j) and gr(j) are same, but the lowest L bits are different • Even the adversary compromises t + 1 keys (gr(0),gr(1),…,gr(t)), it cannot break the future keys of the group
RV-PCGR(2) • Predistribution of g-polynomial • Each g(x) is constructed over an extended finite field F(22L) • The group key of any version j is defined as the highest L bits of g(j) • Encrypting g-polynomial and distributing components • Nu randomly picks a t-degree e-polynomial eu(x) to encrypt its g-polynomial g(x) to get its g’-polynomial g’(x) = g(x) XOR eu(x) • Nu randomly decomposes eu(x) into μ + 1 components, denoted as eu,i(x) (i = 0,…, μ) • Components are evenly distributed to the neighbors, each neighbor gets only one components.
RV-PCGR(3) • Key Updating • To update keys, each innocent node Nu increases its key version c by one, and returns erv,j(c) = ev,j(c) XOR σ’c,v to each trusted neighbor Nv • σ’c,v is randomly picked from {0,…,2L-1} • Having received μ + 1 distinct shares <vi,eru,i(c)>, Nu computes eru(c). Knowing eru(c),Nu can compute gr(c) = g’(c) XOR eru(c)
RV-PCGR(4) • Security Analysis • The adversary can only obtain gr(i), while the calculated by node Nu has already included a random variance. • The adversary needs to guess all the σj to figure out the original g(x) • Complexity o(2(t+1)L)
Conclusion • The paper proposed a family of predistribution and local collaboration-based group rekeying schemes • Address the node compromise problem • Improve the effectiveness of filtering false data in sensor networks • The schemes are based on the idea: • Future group keys can be preloaded before deployment • Neighbors can collaborate to protect and appropriately use the preloaded keys