Page 1: Natalia Stakhanova cs610

SIA: Secure Information Aggregation in Sensor Networks

B. Przydatek, D. Song, and A. Perrig. In Proc. of ACM SenSys 2003

Natalia Stakhanova, cs610

Page 2: Natalia Stakhanova cs610

Sensor networks

A wireless network consisting of a large number of small sensor devices

Main objective: data collection

Sensors are severely constrained: low memory, low power, limited bandwidth

Transfer of raw information is expensive (often individual readings are not needed)

Solution: aggregate data and transfer the result only!

Page 3: Natalia Stakhanova cs610

Data aggregation

Selected nodes are aggregators, responsible for data collection, computation of the aggregated result, and transfer of the result to the user (home server)

Security concern: compromised aggregator, compromised sensors

Page 4: Natalia Stakhanova cs610

Proposed approach

Previous works assumed honest sensors

This work’s focus: stealthy attacks

If the user accepts the aggregation result, then there is a high probability that the reported result is “close” to the true result value

Page 5: Natalia Stakhanova cs610

Considered model

single home server (user)

single aggregator

more powerful than a sensor

has information about the size and topology of the network

sensors have unique ids and share a key with the server and the aggregator

Both the home server and the aggregator have a master key and are able to compute the key for each sensor

[Figure: home server, aggregator, and sensors with readings a1, a2, a3; labels "A = ?" and "A = (a1, a2, a3)"]

Page 6: Natalia Stakhanova cs610

Aggregate-Commit-Prove approach

aggregate: the aggregator collects the data from the sensors and computes the aggregated result

commit: the aggregator commits to the data; this guarantees that the result is computed using the sensors’ data

prove: the aggregator sends the aggregate result and the commitment to the home server

the home server checks that the commitment is a good representation of the sensor data and that the aggregation result is close to the committed data values

Page 7: Natalia Stakhanova cs610

Commit phase

Merkle hash tree – to commit to the data

a1, a2, a3, ..., an: sensors’ data placed at the leaves

each internal node is the hash of its children

the root value is the commitment

Page 8: Natalia Stakhanova cs610

Considered …

Most commonly used aggregation operations: compute median; compute min, max; counting distinct elements

Page 9: Natalia Stakhanova cs610

Computing median

Securely compute the median of a1, a2, a3, ..., an

Aggregate phase: the aggregator takes the median of a random sample of sensor values and commits to a sorted sequence using a Merkle hash tree

Prove phase: the home server receives the commitment and the computed median a_med

The home server performs 2 tests:

requests a_(n/2) and compares it with a_med

picks an element from a random position: checks that an element picked from the left half is less than the median, and that an element picked from the right half is greater than the median
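An added sketch (not from the slides or from the SIA authors' code) of the commit phase and the median prove phase together: the aggregator commits to the sorted readings with a Merkle hash tree, and the home server opens position n/2 and random positions against the root. Assumptions: SHA-256, 0-based positions, exact equality with a_med in test 1, non-strict order tests so duplicate readings pass, and all function names and sample readings.

```python
import hashlib
import random

def leaf(i, value):                       # leaf binds position and reading
    return hashlib.sha256(b"\x00%d:%d" % (i, value)).digest()

def node(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build(values):
    """All tree levels, leaves first; levels[-1][0] is the commitment."""
    levels = [[leaf(i, v) for i, v in enumerate(values)]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(cur[-1])           # pad odd levels
        levels.append([node(cur[j], cur[j + 1]) for j in range(0, len(cur), 2)])
    return levels

def open_leaf(levels, i):
    """Sibling hashes on the path from leaf i up to the root."""
    return [level[(i >> d) ^ 1] for d, level in enumerate(levels[:-1])]

def verify(root, i, value, path):
    h = leaf(i, value)
    for sibling in path:
        h = node(h, sibling) if i % 2 == 0 else node(sibling, h)
        i //= 2
    return h == root

def aggregator(committed):
    """Commit to a sequence; query(i) returns (value, authentication path)."""
    levels = build(committed)
    return levels[-1][0], lambda i: (committed[i], open_leaf(levels, i))

def server_check(root, n, a_med, query, rounds=64, rng=random):
    """Home server: test 1 opens position n // 2, then random order probes."""
    mid = n // 2
    for i in [mid] + [rng.randrange(n) for _ in range(rounds)]:
        value, path = query(i)
        in_order = (value == a_med if i == mid else
                    value <= a_med if i < mid else value >= a_med)
        if not (verify(root, i, value, path) and in_order):
            return False                  # bad opening or misplaced element
    return True

root, query = aggregator(sorted([21, 19, 23, 22, 20, 24, 18, 25]))  # constructed
print(server_check(root, 8, 22, query))
```

An aggregator that places an inflated value at position n/2 passes test 1 but is caught by the random probes, because the smaller values it had to move into the right half are out of order.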

Page 10: Natalia Stakhanova cs610

Computing min/max

Securely compute the min of a1, a2, a3, ..., an

Assumption: sensors will not provide fake values

Computing min/max by sensors: MinRootedTree protocol

construct a minimum spanning tree rooted at the minimum value

each round, a node broadcasts its (min, id) pair and fills the table with the smallest received value

the final state is authenticated and sent to the aggregator

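[Figure: three sensors S1 (reading 3), S2 (reading 1) and S3 (reading 5), shown with three per-node state tables]

p: id of the current parent; min: min value so far; id: id of the node with min

| node | p | min | id |
|------|----|-----|-----|
| S1 | S1 | 3 | id1 |
| S2 | S2 | 1 | id2 |
| S3 | S2 | 1 | id2 |

| node | p | min | id |
|------|----|-----|-----|
| S1 | S1 | 3 | id1 |
| S2 | S2 | 1 | id2 |
| S3 | S3 | 5 | id3 |

| node | p | min | id |
|------|----|-----|-----|
| S1 | S2 | 1 | id2 |
| S2 | S2 | 1 | id2 |
| S3 | S2 | 1 | id2 |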

Page 11: Natalia Stakhanova cs610

Computing min/max

Aggregate phase: the aggregator commits to the list of the states and reports the root of the tree to the server

Prove phase: the home server randomly picks a node in the list and traverses the path from the node to the root; if unsuccessful, it rejects
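An added sketch (not from the slides) of the prove-phase walk for min: the home server checks the MAC on a picked node's final state, then follows parent pointers until it reaches the reported root. Assumptions: per-sensor keys are derived as HMAC(master key, id) from the home server's master key, node ids are written as S1..S3 in place of id1..id3, the Merkle opening of each state is omitted, and all names and the key value are constructed.

```python
import hashlib
import hmac
import random

MASTER = b"constructed-master-key"   # home server's master key (sample value)

def sensor_key(node_id):             # assumed derivation: HMAC(master, id)
    return hmac.new(MASTER, node_id.encode(), hashlib.sha256).digest()

def tag(node_id, state):
    """MAC a sensor computes over its final (p, min, id) state."""
    msg = "|".join([node_id, *map(str, state)]).encode()
    return hmac.new(sensor_key(node_id), msg, hashlib.sha256).digest()

def check_node(reported, start, root_min, root_id):
    """Verify MACs and follow parent pointers from `start` to the reported root."""
    node = start
    for _ in range(len(reported) + 1):   # bounded walk: parent cycles fail
        if node not in reported:
            return False
        state, mac = reported[node]
        if not hmac.compare_digest(mac, tag(node, state)):
            return False                 # state was not produced by that sensor
        parent, cur_min, cur_id = state
        if (cur_min, cur_id) != (root_min, root_id):
            return False                 # node disagrees with the reported min
        if parent == node:
            return node == root_id       # walk must end at the minimum's owner
        node = parent
    return False

def server_check(reported, root_min, root_id, probes=8, rng=random):
    nodes = sorted(reported)
    return all(check_node(reported, rng.choice(nodes), root_min, root_id)
               for _ in range(probes))

# Final state table from the slide, with S2 standing in for id2 (assumption).
final = {"S1": ("S2", 1, "S2"), "S2": ("S2", 1, "S2"), "S3": ("S2", 1, "S2")}
honest = {n: (s, tag(n, s)) for n, s in final.items()}
print(server_check(honest, 1, "S2"))
```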

Page 12: Natalia Stakhanova cs610

Counting distinct elements

Securely determine the number of distinct values given a1, a2, a3, ..., an

Basic protocol:

Pick a random hash function h

Apply it to all elements ai

Keep v = min_{i=1..n} h(ai)

The number of distinct elements can be estimated by 1/v

The protocol can be used for computing the size of the network and computing the average value
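An added sketch (not from the slides) of the basic protocol: each element is hashed into (0, 1], only the minimum v is kept, and 1/v estimates the distinct count. It goes one step beyond the slide by averaging v over several hash functions to steady the estimate; the salted SHA-256 construction, the fixed salts, the function names and the sample readings are all assumptions.

```python
import hashlib

def h(salt, value):
    """Salted hash mapped into (0, 1]; the salt selects the hash function."""
    digest = hashlib.sha256(salt + repr(value).encode()).digest()
    return (int.from_bytes(digest[:8], "big") + 1) / 2**64

def min_hash(values, salt):
    """v = min over all elements of h(ai); duplicates cannot change it."""
    return min(h(salt, a) for a in values)

def merge(partial_minima):
    """Minima from separate groups of sensors combine by taking the min again."""
    return min(partial_minima)

def basic_estimate(values, salt):
    """The slide's estimator: one hash function, estimate 1/v."""
    return 1.0 / min_hash(values, salt)

def averaged_estimate(values, salts):
    """Extension beyond the slide: average v over several hash functions.
    E[v] = 1/(d+1) for d distinct values, so d is about 1/mean(v) - 1."""
    mean_v = sum(min_hash(values, s) for s in salts) / len(salts)
    return 1.0 / mean_v - 1.0

SALTS = [bytes([i]) for i in range(64)]       # fixed here for reproducibility
readings = [i % 200 for i in range(600)]      # constructed: 200 distinct values
print(round(averaged_estimate(readings, SALTS)))
```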

Page 13: Natalia Stakhanova cs610

Conclusion

Hierarchical aggregation for very large networks: the proposed protocols need to be slightly modified

Consider forward secure authentication for querying past results: the sensor’s key is recomputed each time interval using a one-way function, so past readings are secure in case the sensor is compromised

This is the first work that allows existence of malicious sensors