
Wensheng Zhang and Guohong Cao

Group Rekeying for Filtering False Data in Sensor Networks: A Predistribution and Local Collaboration-Based Approach. Wensheng Zhang and Guohong Cao. Outline. Research problem – Group key updating Previous work Proposed solution B-PCGR C-PCGR RV-PCGR Performance evaluation Conclusion.


Presentation Transcript


  1. Group Rekeying for Filtering False Data in Sensor Networks: A Predistribution and Local Collaboration-Based Approach Wensheng Zhang and Guohong Cao

  2. Outline • Research problem – Group key updating • Previous work • Proposed solution • B-PCGR • C-PCGR • RV-PCGR • Performance evaluation • Conclusion

  3. Research Problem • Sensor Network • Hostile environment • Adversary may use compromised nodes • Inject false sensing reports • Modify the reports sent by other nodes • Symmetric cryptographic techniques • Sensor nodes are randomly divided into multiple groups • Nodes in the same group share a symmetric group key • Multiple MACs are attached to each message, each generated using one group key • Problem • Node compromises • Innocent nodes should update their group keys

  4. Previous Work • Centralized solution • SKDC: Use a central controller to distribute new keys (Hugh, et al.) • Logic tree-based schemes (Wallner et al., Wong et al., Balenson et al.) • High communication cost • Rekeying delay • Distributed Solution • Blundo’s scheme: Allows a set of nodes to set up a group key in a distributed way (C. Blundo et al.) • Not scalable: storage cost / each node must know other trusted group members

  5. Motivation • Preload future keys to individual nodes before deployment • Avoid high communication overhead • Neighbors collaborate with each other to effectively protect and appropriately use the preloaded keys. • Security • Relieves high cost of centralized management

  6. System Model • Large scale wireless sensor network • Deployed in a hostile environment • Each node is innocent • Before deployment • Cannot be compromised during the first several minutes • Each pair of neighboring nodes can establish a pairwise key • Compromised nodes can be detected within a certain time period • Nodes are loosely synchronized • Group rekeying is started periodically

  7. Basic Predistribution and Local Collaboration-Based Group Rekeying (B-PCGR) • Group Key Predistribution • The setup server decides the total number of groups. For each group i, it constructs a t-degree univariate g-polynomial gi(x). • gi(0) is the initial group key, • gi(j) (j >= 1) is the group key of version j. • A node is randomly assigned to a group before deployment. • A group key polynomial (g-polynomial) gi(x) is preloaded in each node based on the group it belongs to. • New group keys are generated and distributed using the g-polynomial at key updating times.

  8. B-PCGR (2) • Local Collaboration-Based Key Protection • Each node Nu randomly picks a bivariate encryption polynomial (e-polynomial) eu(x,y) • Nu encrypts its g-polynomial g(x) using its e-polynomial eu(x,y) to get its g’-polynomial g’(x) = g(x) + eu(x,u) • Nu distributes the shares of eu(x,y) to its n neighbors Nvi (i = 0,…,n-1). Each neighbor Nvi receives share eu(x,vi) • Nu removes eu(x,y) and g(x), but keeps g’(x) and uses g(0) as its current group key.

  9. B-PCGR (3) • Local Collaboration-Based Group Key Updating • Each node maintains a rekeying timer • Periodically notifies the node to update its group key and the current version of the group key c • To update keys • Each innocent node Nu increases its c by one • Nu returns share evi(c,u) to each trusted neighbor Nvi • Nu receives a share eu(c,vi) from each trusted neighbor Nvi. Having received μ + 1 shares, Nu can reconstruct a unique μ-degree polynomial eu(c,y)

  10. B-PCGR (4) [Figure: node Nu surrounded by neighbors Nv0 to Nv5. Nu holds g(x), computes g’(x) = g(x) + eu(x,u) and sends share eu(x,vi) to each neighbor Nvi. At key updating, each neighbor returns eu(c,vi); Nu computes eu(c,y) and then g(c) = g’(c) - eu(c,u).]

  11. B-PCGR (5) • Security Analysis • For a certain group, its g-polynomial g(x) is compromised if and only if • A node Nu of the group is compromised, and • At least μ + 1 neighbors of Nu are compromised; or • At least t + 1 past keys of the group are compromised
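The B-PCGR steps on slides 7 to 11, carried through as an added example (not code from the paper or the presentation). The prime field, node IDs, parameter values and function names are assumptions chosen for illustration; the slides do not fix them.

```python
import random

P = 2**61 - 1  # prime field modulus (assumed; the slides do not name a field)

def rand_poly(rng, deg):
    return [rng.randrange(P) for _ in range(deg + 1)]

def ev(coeffs, x):
    """Horner evaluation of a univariate polynomial mod P."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % P
    return acc

def interpolate_at(points, y0):
    """Lagrange interpolation: value at y0 of the polynomial through points."""
    total = 0
    for i, (yi, fi) in enumerate(points):
        num = den = 1
        for j, (yj, _) in enumerate(points):
            if i != j:
                num = num * (y0 - yj) % P
                den = den * (yi - yj) % P
        total = (total + fi * num * pow(den, -1, P)) % P
    return total

def simulate(t=3, mu=2, u=10, neighbors=(21, 22, 23, 24), c=1, seed=7):
    """Return (g(c), key rebuilt from mu+1 shares, key rebuilt from mu shares)."""
    rng = random.Random(seed)  # seeded for the demo; a real node needs a CSPRNG
    g = rand_poly(rng, t)                           # preloaded g-polynomial
    E = [rand_poly(rng, mu) for _ in range(t + 1)]  # e_u(x,y): E[i] = y-coeffs of x^i
    # g'(x) = g(x) + e_u(x,u), computed coefficient by coefficient in x
    g_prime = [(g[i] + ev(E[i], u)) % P for i in range(t + 1)]
    # neighbor v stores its share e_u(x,v) as a univariate polynomial in x
    shares = {v: [ev(E[i], v) for i in range(t + 1)] for v in neighbors}
    true_key = ev(g, c)
    # from here on Nu is treated as having erased g and E; it holds only g_prime

    def rekey(helpers):
        pts = [(v, ev(shares[v], c)) for v in helpers]  # returned e_u(c,v)
        return (ev(g_prime, c) - interpolate_at(pts, u)) % P

    return true_key, rekey(neighbors[:mu + 1]), rekey(neighbors[:mu])
```

With μ + 1 returned shares the rebuilt value equals g(c); with only μ shares the interpolation yields a different value, which is the threshold the security analysis relies on.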

  12. Enhancements to B-PCGR • Limitations of B-PCGR • No more than μ neighbors can be compromised • No more than t keys from the same group can be compromised • Improve B-PCGR • Cascading PCGR (C-PCGR) • First limitation • Random Variance-Based PCGR (RV-PCGR) • Second limitation

  13. C-PCGR (1) • Difference from B-PCGR • The e-polynomial shares of Nu are distributed to its multi-hop neighbors • e-polynomial shares are distributed/collected in a cascading way • Differs from B-PCGR in the second and third steps • Polynomial encryption and share distribution • Key updating • The paper describes the case that e-polynomial shares are distributed to its 1- and 2-hop neighbors

  14. C-PCGR (2) • Polynomial Encryption and Share Distribution • Each node Nu picks two e-polynomials (degree of x is t, degree of y is μ) • 0-level e-polynomial eu,0(x,y) • 1-level e-polynomial eu,1(x,y) • Nu encrypts its g(x) using eu,0(x,y) to get its g’(x) = g(x) + eu,0(x,u) • Nu keeps g(0) and g’(x), removes g(x) and eu,0(x,y), and distributes the shares of eu,0(x,y) to its neighbors. Neighbor Nv is given eu,0(x,v) • Having received 0-level e-polynomial shares from its neighbors, each node Nv uses its 1-level e-polynomial ev,1(x,y) to encrypt each received 0-level polynomial eu,0(x,v) to obtain e’u,0(x,v) = eu,0(x,v) + ev,1(x-1,v) • Nv keeps e’u,0(x,v) and eu,0(c+1,v), which will be returned to Nu at the next key updating time • Nv removes eu,0(x,v) and distributes shares of its 1-level polynomial ev,1(x,y) to neighbors

  15. C-PCGR (3) [Figure: C-PCGR share distribution. Nu keeps g(0) and g’(x) = g(x) + eu,0(x,u) and sends eu,0(x,v0), eu,0(x,v1), eu,0(x,v2) to neighbors Nv0, Nv1, Nv2. Nv1 keeps eu,0(1,v1) and e’u,0(x,v1) = eu,0(x,v1) + ev1,1(x-1,v1), and sends ev1,1(x,v3), ev1,1(x,v4), ev1,1(x,v5) to its neighbors Nv3, Nv4, Nv5.]

  16. C-PCGR (4) • Key updating • Each innocent node Nu increases its c by one, and returns shares ev,0(c,u) and ev,1(c,u) to each trusted neighbor Nv (We assume that Nu has received these shares from Nv) • Nu receives its own 0-level and 1-level polynomial shares from its neighbors (eu,0(c,v) and eu,1(c,v) from each trusted neighbor Nv) • Having received µ + 1 0-level e-polynomial shares, Nu reconstructs a unique polynomial eu,0(c,x) which is used to compute its new group key g(c) = g’(c) – eu,0(c,u) • Having received µ + 1 1-level e-polynomial shares, Nv computes a unique polynomial ev,1(c,x) and then generates a share eu,0(c+1,v) = e’u,0(c+1,v) – ev,1(c,v), which will be returned to neighbor Nu at the next key updating time.

  17. C-PCGR (5) [Figure: C-PCGR key updating for c = 1. Nu holds g(0) and g’(x), receives eu,0(1,v0), eu,0(1,v1), eu,0(1,v2) from Nv0, Nv1, Nv2 and computes g(1) = g’(1) – eu,0(1,u). Nv1 holds e’u,0(x,v1), receives ev1,1(1,v3), ev1,1(1,v4), ev1,1(1,v5) from Nv3, Nv4, Nv5 and computes eu,0(2,v1) = e’u,0(2,v1) + ev1,1(1,v1).]

  18. C-PCGR (6) • Security Analysis • For a certain group, its g-polynomial g(x) is compromised if and only if • A node Nu of the group is compromised, and • The adversary has compromised at least μ + 1 neighbors of Nu , each of which also has μ + 1 neighbors compromised; or • At least t + 1 past keys of the group are compromised

  19. RV-PCGR(1) • Aims to address another limitation of B-PCGR • If the adversary has obtained t + 1 keys of a certain group (g(0),g(1),…,g(t)), the adversary can break the g-polynomial of the group (g(x)). • Basic Idea • Let the length of g(j) be 2L bits. • Add an L-bit random number σj to each g(j) to obtain gr(j) • The highest L bits of g(j) and gr(j) are the same, but the lowest L bits are different • Even if the adversary compromises t + 1 keys (gr(0),gr(1),…,gr(t)), it cannot break the future keys of the group

  20. RV-PCGR(2) • Predistribution of g-polynomial • Each g(x) is constructed over an extended finite field F(2^(2L)) • The group key of any version j is defined as the highest L bits of g(j) • Encrypting g-polynomial and distributing components • Nu randomly picks a t-degree e-polynomial eu(x) to encrypt its g-polynomial g(x) to get its g’-polynomial g’(x) = g(x) XOR eu(x) • Nu randomly decomposes eu(x) into μ + 1 components, denoted as eu,i(x) (i = 0,…, μ) • Components are evenly distributed to the neighbors; each neighbor gets only one component.

  21. RV-PCGR(3) • Key Updating • To update keys, each innocent node Nu increases its key version c by one, and returns erv,j(c) = ev,j(c) XOR σ’c,v to each trusted neighbor Nv • σ’c,v is randomly picked from {0,…,2^L - 1} • Having received μ + 1 distinct shares <vi,eru,i(c)>, Nu computes eru(c). Knowing eru(c), Nu can compute gr(c) = g’(c) XOR eru(c)

  22. RV-PCGR(4) • Security Analysis • The adversary can only obtain gr(i), while the calculated by node Nu has already included a random variance. • The adversary needs to guess all the σj to figure out the original g(x) • Complexity o(2^((t+1)L))
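The RV-PCGR steps on slides 19 to 21, as an added example that is not code from the paper or the presentation. It assumes L = 4, the field GF(2^8) with reduction polynomial 0x11B, and that the components of eu(x) combine by XOR; all function names are illustrative.

```python
import random

L = 4          # key length in bits; each g(j) is 2L = 8 bits wide
MOD = 0x11B    # x^8+x^4+x^3+x+1, irreducible; this field choice is an assumption

def gf_mul(a, b):
    """Multiply two elements of GF(2^8), reducing by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD
        b >>= 1
    return r

def ev(coeffs, x):
    """Horner evaluation over GF(2^8); field addition is XOR."""
    acc = 0
    for a in reversed(coeffs):
        acc = gf_mul(acc, x) ^ a
    return acc

def rand_poly(rng, deg):
    return [rng.randrange(1 << 2 * L) for _ in range(deg + 1)]

def xor_poly(p, q):
    return [a ^ b for a, b in zip(p, q)]

def protect(rng, g, mu):
    """Return g'(x) and the mu+1 components of e_u(x) handed to neighbors."""
    comps = [rand_poly(rng, len(g) - 1) for _ in range(mu + 1)]
    e = [0] * len(g)
    for comp in comps:
        e = xor_poly(e, comp)      # e_u(x) is the XOR of its components
    return xor_poly(g, e), comps

def rekey(rng, g_prime, comps, c):
    """Neighbors return e_{u,i}(c) XOR sigma'; Nu combines them into gr(c)."""
    er = 0
    for comp in comps:
        er ^= ev(comp, c) ^ rng.randrange(1 << L)   # sigma' in {0..2^L-1}
    return ev(g_prime, c) ^ er

def group_key(value):
    return value >> L              # the key is the highest L bits
```

Two nodes of the same group that protect g(x) with different e-polynomials obtain gr(c) values that may differ in the low L bits but always agree on the group key in the high L bits.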

  23. Performance Evaluation

  24. Conclusion • The paper proposed a family of predistribution and local collaboration-based group rekeying schemes • Address the node compromise problem • Improve the effectiveness of filtering false data in sensor networks • The schemes are based on the idea: • Future group keys can be preloaded before deployment • Neighbors can collaborate to protect and appropriately use the preloaded keys
