sia: secure information aggregation in sensor networks bartosz przydatek, dawn song, adrian perrig...
Post on 18-Dec-2015
217 views
TRANSCRIPT
SIA: Secure Information Aggregation in Sensor Networks
Bartosz Przydatek, Dawn Song, Adrian Perrig
Carnegie Mellon University
Carl Hartung
CSCI 7143: Secure Sensor Networks
Overview
Secure Aggregation What is aggregation in sensor networks Why aggregate? Security Issues with aggregation Communication Efficiency vs. Accuracy Aggregate-Commit-Prove Computing
Median, Min/Max, Average Conclusions
Aggregation in sensor networks
Aggregators Collect information from nearby sensors Process it locally Send the processed information to user
Reduces communication & power consumption
Why Aggregate?
Given a query, it may be unnecessary and inefficient to return all raw data collected from each sensor—instead, information should be processed and aggregated within the network and only processed and aggregated information is returned
Security issues with aggregation
Node Compromise One or more sensor nodes Aggregator(s)
Denial of Service Stealth Attack
Make user accept false aggregation results
Goal of Paper: Prevent the user from accepting incorrect results
Communication
Each sensor has unique identifier and shares key with home server and aggregator
Home Server and Aggregator each have master key KB and KA respectively.
Nodes store the shared keys MACKB(node ID) and MACKA (node ID), where MAC is a secure message authentication code.
Assumptions
Uncorrupted sensors can reach each other via paths of uncorrupted sensors (including aggregator)
Base station has a mechanism to broadcast authentic messages such that each node can verify authenticity. (TESLA, other?)
More Assumptions
Attacker can corrupt some* sensors as well as aggregator.
Attacker has complete control over corrupted node(s)
* Attacker can corrupt at most a small fraction of nodes.
Efficiency vs. Accuracy
Assume communication between nodes/aggregator and Home Server is expensive
Trivial solution Send all data with aggregated data so Home Server
can verify. – Linear communication. Must be willing to accept a small non-zero
possibility of error to get sub-linear communication.
Efficiency vs. Accuracy
Let f be a function of a1,…,an into real numbers, and let y = f(a1,…,an).
ỹ is a multiplicative ε-approximation of y if (1- ε)y <= ỹ <= (1+ ε)y.
In addition to approximation error ε, also use δ to upper bound the probability of not detecting a cheating aggregator. Called a (ε, δ)-approximation. Finds ε-approximation with probability at least 1 – δ.
ε
Aggregate – Commit – Prove
Aggregators compute aggregation of sensor nodes’ data
Report aggregated data to home server along with commitment
Home server and aggregator perform efficient interactive proofs such that the home server will be able to verify results or detect cheating.
Aggregator collects data
AB
C
Aggregator
Nodes share key with Aggregator, preventing impersonation, but not flawed data from a corrupt sensor
Home Server
Aggregator commits data
m0 m1 m2 m3
v3,0 v3,1 v3,2 v3,3
v2,0
v1,0
m4 m5 m6 m7
v3,4 v3,5 v3,6 v3,7
v0,0 = H(v1,0 || v1,1 )
v2,1 v2,2 v2,3
v1,1
Example:
M5 is authentic if the following holds true:
v0,0 = H(v1,0 || H( H(v3,4 || H(m5)) || v2,3))
Aggregator commits data
m0 m1 m2 m3
v3,0 v3,1 v3,2 v3,3
v2,0
v1,0
m4 m5 m6 m7
v3,4 v3,5 v3,6 v3,7
v0,0 = H(v1,0 || v1,1 )
v2,1 v2,2 v2,3
v1,1
Example:
M5 is authentic if the following holds true:
v0,0 = H(v1,0 || H( H(v3,4 || H(m5)) || v2,3))
Aggregator proves data
AB
C
Aggregator
Home Server checks committed data and aggregated data in order to verify
Home ServerAggregated data and Commitment
Computing the Median
Require Aggregator to commit in hash-tree construction AND values are sorted
2 committed sequences One sorted on measured values One sorted on sensor IDs
Pick random elements from one list and verify that they are present in the other
Pick random elements from committed sequence and check that elements picked from left half are less than median, elements from right half are greater.
Requires only O(log n/ε) elements to check whether is an ε-approximation.
Computing the Min/Max
Construct a spanning tree in the network of sensors such that the root of the tree holds the minimum element.
Each node authenticates its final state using the shared key with the home server, and sends the authenticated state to the aggregator.
The aggregator checks consistency of tree and commits to the list of all nodes and their states, and reports the root-node to the home server.
Home server randomly picks a node in the committed list and traverses the path from the chosen node to the root, checking the consistency of the constructed tree. If all checks are successful, home server accepts the value reported by the aggregator.
Counting Distinct Elements
Random Node Selection Home Server distributes hash function h Sensors compute MIN using h, ID, and time interval
Find lower and upper bounds using sampling.
Forward Secure Authentication
Time is divided into constant time intervals Each sensor updates its key shared with the home
station at the beginning of each time interval using a one way function. Uses updated key to compute the MAC on the sensing data
during that time interval. If hacker compromises sensor at a later time, because of
the one-way function, will be unable to compute the MAC key for the previous time interval.
Problem: How to efficiently store past data and authenticator.
Hierarchical Aggregation
If networks is too big, might need to use multiple Aggregators
Basically, have regular aggregators and super aggregators Super aggregators aggregate the data from regular aggregators
Conclusions
Possible to securely aggregate information using the aggregate-commit-prove framework even when some nodes (including the aggregator) are compromised.
Can be done with less than linear communication Not all values from all nodes need to be sent to home server to
verify that aggregation is correct. Forward Secure Authentication
Ensure that a hacker can not change previous values/measurements on a node compromised later in time.