1 / 47

Random Key Predistribution Schemes for Sensor Networks

Random Key Predistribution Schemes for Sensor Networks. Authors: H. Chan, A. Perrig , and D. Song Carnegie Mellon University Presented by: Yuliya Olmo April 13, 2009. Paper at a Glance. Three key bootstrapping protocols for large sensor networks

zavad
Télécharger la présentation

Random Key Predistribution Schemes for Sensor Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Random Key Predistribution Schemes for Sensor Networks Authors: H. Chan, A. Perrig, and D. Song Carnegie Mellon University Presented by: Yuliya Olmo April 13, 2009

  2. Paper at a Glance Three key bootstrapping protocols for large sensor networks Alternatives to public key cryptosystems Each protocol trades a different drawback in exchange for the security it provides

  3. Outline • Background • Sensor networks overview • Related work • Basic Techniques • Proposed solution (three schemes) • Random pairwise keys scheme • Q-composite keys scheme • Multipath key reinforcement scheme • Future directions • Conclusions

  4. Wireless Sensors Spec Motes Berkeley (Mica) Motes

  5. Motes • Mica Mote: • Processor: 4Mhz • Memory: 128KB Flash and 4KB RAM • Radio: 916Mhz and 40Kbits/second. • Transmission range: 100 Feet • TinyOSoperating System: small, open source and energy efficient. • Features: Self-organizing set of small battery operated sensors (1000+ total), communicating via wireless medium(~20 neighbors within range)

  6. Deploy Wireless Sensor Networks (WSN) Sensors

  7. Applications of WSN • Battle ground surveillance • Enemy movement (tanks, soldiers, etc) • Environmental monitoring • Habitat monitoring (deer, ducks) • Forrest fire monitoring, pollution monitoring • Hospital tracking systems • Tracking patients, doctors, drug administrators. • Data collection • Tire pressure sensor in a car • Temperature in a building • Many more

  8. Why security? • Protecting confidentiality, integrity, and availability of the communications and computations • Sensor networks are vulnerable to security attacks due to the broadcast nature of transmission • Sensor nodes can be physically captured or destroyed

  9. Bootstrapping • Bootstrapping in general • Initialization process • Creating something from nothing • Bootstrapping in WSN • Initialize/preload some secret material pre-distribution (prior to contact) • Secure communication for the whole network • Especially challenging because of the limitations of sensor networks: • Constrained resources • Physical vulnerability • Unpredictability of future configurations • Temptation to rely on base stations

  10. Related Work • Previously proposed solutions often depend on: • Asymmetric cryptography • Arbitration by base stations (SPINS) • Preloading a set of keys before deployment • Some assume that attackers do not arrive until after key exchange (previous paper)

  11. What is a Good Scheme? Guarantee future secure node-to-node communication Prevent unauthorized access Not rely on base stations for decision making Allow addition of nodes after initial network setup Not make assumptions about which nodes will be within communication range of each other Resource-efficient and robust to DoS attacks

  12. Evaluation Metrics • Resilience against node capture • How many misbehaving nodes can be tolerated • Resistance against node replication • How to deal with duplicates • Revocation of misbehaving nodes • How to tell if a node is gone wild • Scalability • What is the maximum supportable network size

  13. The Basic Scheme

  14. The Basic Scheme • Three phases of operation: • Initialization • Before nodes are deployed • Key setup • Establish a secret with (some of ) the nodes in communication range • Graph connection • Establish secure communication between any two given nodes.

  15. The Basic Scheme – Initialization Eschenauer and GligorPicka random key pool S For each node, randomly select m keys from S (this is the node’s key ring) Associate IDs with every key The size of S is chosen so that two key rings will share at least one key with probabilityp Any two nodes can find a common/shared key in their key rings to initiate secure communication with any other node with probability p

  16. Key discovery: nodes search for neighbors that share a key Broadcast short IDs assigned to each key prior to deployment (set of IDs) Find neighbors that have the same ID in their set (have the same key in the key ring) Keys verified through challenge-response The shared key becomes the key for that link The Basic Scheme – Key Setup

  17. The Basic Scheme – Graph Connection • Form a connected graph of secure links • How to ensure the graph is connected? (Erdos , Renyi) -- given number of nodes and probability of any two nodes being connected • Nodes then set up path keys with any unconnected neighbors through existing secure paths • Reformulate the problem • (Eschenauer and Gligor) – given number of nodes, what is connection degree of individual nodes to ensure graph is connected • # of secure links a node must establish during key setup (degree, d) to form a connected graph of size n with probability c is: d = [(n-1)/n][log(n) – log(-log(c))] d = O(log n)

  18. The Basic Scheme – Graph Connection • The probability, p, that two nodes successfully connect is p = d/n′ where n′ is the expected number of neighbor nodes within communication range of A • Since connection is probabilistic (plus geometry of space and obstacles), there is a chance the graph is partially connected • Ways of detecting the graph is not fully connected • Ways of recovering (e.g. range extension)

  19. Extensions of the Basic Scheme • q-composite Random Key Pre-distribution • Large-scale attacks are unlikely (infeasible) • Strengthen the scheme against small-scale attacks • Multipath Key Reinforcement • Strengthen security between any two nodes by using existing (established) secure links • Attacker has to compromise too many nodes to assure any given communication is compromised • Random Pairwise Keys • If any node is captured, the rest are still secure • Quorum based revocation without base station

  20. q-composite Random Key Predistribution Scheme

  21. q-composite Scheme • Instead of one key, a pair of nodes must share q (q > 1) keys to establish a secure link • Implication 1 (attacker): By increasing the amount of key overlap required for key-setup, the resilience of the network against node capture is increased • Implication 2(network setup): Key pool must be shrunk in order to maintain probability p of two nodes sharing enough keys • Implication3 (attacker): fewer captured nodes required to gain a larger sample of S

  22. Initialization and Key Setup • Similar to basic scheme • Each node has m keys on key ring • Two nodes must discover at least q common keys in order to connect • Broadcasting IDs (like in basic scheme)is dangerous: a casual eavesdropper can identify the key sets of all the nodes in a network and thus pick an optimal set of nodes to compromise in order to discover a large subset of the key pool S. • Client Merkle puzzles: each node issues m puzzles for every key, only nodes who have the key can solve it • Before connecting, a new key is created as a hash of the q shared keys

  23. Calculation of the key pool size p(i) probability of any two nodes have exactly i keys in common ( ) number of ways to pick m keys from the pool size |S|; total number of ways for both nodes to pick m keys each There are ways to pick the icommon keys; this leaves 2 (m-i) keys (in both key rings) to choose the remaining keys

  24. Calculation of the key pool size p(i) probability of any two nodes have exactly i keys in common P_connect probability of any two nodes sharing sufficient keys (i = q) Choose the largest |S| such that p_connect >p, where p is minimum connection probability

  25. Evaluation at a glance Much harder for an attacker with a given key set to eavesdrop on a link Necessary reduction in key pool size makes large-scale attacks even more powerful

  26. Compromising a given # of nodes is more damaging Harder to compromise nodes, however Evaluation

  27. Creates an incentive for large-scale attack: fraction is compromised – all are compromised Removes the incentive for small scale attacks: too little information is obtained Evaluation

  28. Multipath Key Reinforcement Scheme

  29. Multipath Key Reinforcement Scheme Initialization and key setup as in basic scheme Key update over multiple independent paths between nodes Key update is damage control in the event that other nodes are captured Works good in conjunction with the basic scheme, but not q-composite scheme

  30. Multipath Key Reinforcement Scheme • A has a secure link to B after key setup (single key k from the pool S) • Key k can be in the key ring of some other nodes, let us say node C • If C is compromised, the secure link between A and B is jeopardized. • Solution: update communication key to a random value after key setup.

  31. Multipath Key Reinforcement Scheme • Solution: update communication key to a random value after key setup. • Cannot use the direct link between A and B • So update using multiple independent paths • A knows all paths to B within h hops (let’s say j paths); the same is true for B • Choose disjoint paths, i.e. no links in common (let’s say i paths) • Send random values v1, v2, … vi along the paths • Reassamble at B

  32. Evaluation • Better resistance against node capture • Adversary has to eavesdrop on all paths • The longer the path, the higher the probability it can be eavesdropped • Significantly higher maximum network size • Comes at cost of greater communication overhead

  33. Random Pairwise Keys Scheme

  34. Random Pairwise Keys Scheme • Key feature is node-to-node identity authentication • Ability to verify node identities opens up several security features • Perfect resilience against node capture • Resilience against node replication • Distributed node revocation

  35. The Basics • Sensor network of n nodes • Pairwise scheme: • Each node holds n-1 keys • Each key is shared with exactly one other node • Random pairwise scheme: • Not all n-1 keys are needed for a connected graph • Only random set of nppariwise keys are needed to connect with probabilityp (Erdos, Renyi calculated the smallest p, s.t. the entire graph is connected with high probability c)

  36. Notation • n • # of unique node IDs • m • keys on each node’s key ring • p • Probability of two nodes connecting • n = m/p • Maximum supportable network size

  37. Initialization • Each node ID pairs with m other random & distinct node IDs; n = m/p unique identifiers • Unused IDs can be used later to extend the network • Each pair is assigned a key • Nodes store key-ID pairs on key rings; they also store ID of the other node who knows that key • A holds some key k; A also holds the identity of the node that also has the same key k, let’s call it B • Thus, if k is used in communication, both nodes know who they are talking to because nobody else holds the key k.

  38. Key Setup • Node IDs are broadcast to immediate neighbors • Search for other node’s ID in the key ring • Find the nodes with whom they share a pairwise key • Verified through cryptographic handshake

  39. Distributed Node Revocation • Faster than relying on base stations • Public votes are broadcast against compromised nodes • Public since identities of the nodes are known • Offending node is cut off when votes reach threshold • Base station relays this information to a secure location (possible node replacement)

  40. Scheme Requirements • Compromised nodes can’t revoke arbitrary nodes • Voting members or who can vote against node A • No vote spoofing • Legitimate node A cannot pretend to be legit node B • Verifiable vote validity • Votes have no replay value • Not vulnerable to DoS

  41. The Voting Process • A node’s voting members are those that share a pairwise key with it • Exactly m nodes • All voting members are assigned a voting key • Votes are verified through a Merkletree • Compact data structure (partial information only) • Voting members keep track of votes received up to a threshold t

  42. Voting Threshold • If too high • A node may not have enough voting members to be revoked • If too low • Easy for a group of compromised nodes to revoke many legitimate nodes • Subtle consequence • Every node has to have t (value of threshold) neighbors in order to be revoked

  43. Resisting Revocation Attacks • Each node can cast a vote against m other nodes • Attacker compromises a small fixed number of nodes • They revoke a significant proportion of the network, regardless of the network size. • Solution: only nodes that established direct communication can revoke • Node B’s revocation key for node A must be activated before use • Hashed with secret value known only by A • A gives B its secret value only after the two establish communication • Other DoS attacks are more practical

  44. Resistance to Node Replication and Node Generation • Place a cap, dmax, on the degree of a node • dmaxis some small multiple of d • Nodes keep track of degree and node IDs using same method as vote counting • So now we need to memorize dmax • Do not need to be precise though; network is expected to be heavily connected

  45. Evaluation, Cont. • Resistance to revocation attack • Small number of compromised nodes only compromises a small portion of communications • Compromising large number of nodes is not economical • Perfect resilience against node capture • All pairwise keys are unique, so capturing one node reveals no information about communications outside of the compromised node’s

  46. Summary • Three efficient schemes for secure key bootstrapping • Each scheme has trade-offs • q-composite: good for small attacks, bad for large • Multipath-reinforcement: improved security, more communication overhead • Random pairwise: max. network size is smaller, but offers best security

More Related