Wireless Sensor Network Security: The State of the Art
ASCI Springschool on Wireless Sensor Networks
Yee Wei Law, The University of Melbourne
Prelude
In the beginning, the security objective for civilian applications was unclear
But communication with the industry confirms our ‘suspicion’ about the security requirements
Endless challenges: every component of WSNs has its corresponding security issues
Roadmap
Primer to cryptography and WSNs
Secure data aggregation
Key management
Other areas: secure remote reprogramming, secure localization, energy-efficient jamming attacks
Figure: information assurance comprises protection, detection and reaction
Part Zero: Primer to cryptography and WSNs
Information assurance
Introduction to security. Security threats: either somebody wants to steal something from you or sabotage you
Information assurance (IA) is a set of measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Figure: information assurance spans both information security and operation security
Primitives
Security objectives: confidentiality, integrity, authentication, non-repudiation
Encryption / decryption
  Symmetric-key: E(K, M) / D(K, M)
  Asymmetric-key: E(PK, M) / D(SK, M)
Signature / verification
  Symmetric-key: message authentication code (MAC), denoted MAC(K, M)
  Asymmetric-key: digital signature, denoted Sign(SK, M), Ver(PK, M)
Notation: public key = PK, private key = SK
Common usage
E(K1, M) || MAC(K2, E(K1, M)): the encryption gives confidentiality, the MAC gives integrity and authentication
E(K1, M) || Sign(SK, h(E(K1, M))): the encryption gives confidentiality, the signature gives integrity, authentication and non-repudiation
Use different keys for encryption and authentication
Signing a hash of the ciphertext is more efficient than signing the ciphertext itself
Birthday threshold
Collision probability C(N, q): the probability that q values drawn uniformly at random from a set of N values contain at least one repeat
  C(N, q) ≤ q(q − 1)/(2N)
  C(N, q) ≥ 1 − e^(−q(q − 1)/(2N))
  If 1 ≤ q ≤ √(2N), then C(N, q) ≥ 0.3·q(q − 1)/N
Birthday attack on CBC-MAC [Bellare et al. 00]: for CBC-MAC built from a block cipher F with l-bit blocks on m-block messages, the forgery advantage Adv^uf-cma_CBC-F(q, O(lmq log q)), where q is the number of queries and the second argument is the running time, is bounded by a term quadratic in q, so the MAC is only safe while q stays well below the birthday threshold 2^(l/2)
Figure: the classic instance is 23 people (q) and 365 birthdays (N), where the collision probability already exceeds 0.5
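As an added illustration (not from the slides), the collision probability C(N, q) and the three bounds above computed in Python, plus a count of how many truncated-hash evaluations it takes before a collision appears; the tag length, seed and message format used are constructed for this example.

```python
import hashlib
import math


def collision_probability(N: int, q: int) -> float:
    """Exact C(N, q): probability that q values drawn uniformly from N collide."""
    if q > N:
        return 1.0
    no_collision = 1.0
    for i in range(q):
        no_collision *= (N - i) / N
    return 1.0 - no_collision


def birthday_bounds(N: int, q: int) -> dict:
    """The three bounds from the slide: C(N, q) <= q(q-1)/(2N),
    C(N, q) >= 1 - exp(-q(q-1)/(2N)), and, when 1 <= q <= sqrt(2N),
    C(N, q) >= 0.3 q(q-1)/N."""
    x = q * (q - 1) / (2 * N)
    bounds = {"upper": min(1.0, x), "lower_exp": 1.0 - math.exp(-x)}
    if 1 <= q <= math.sqrt(2 * N):
        bounds["lower_0_3"] = 0.3 * q * (q - 1) / N
    return bounds


def queries_for_probability(N: int, target: float) -> int:
    """Smallest number of draws q with C(N, q) >= target."""
    q = 1
    while collision_probability(N, q) < target:
        q += 1
    return q


def birthday_threshold(tag_bits: int) -> int:
    """Queries after which an l-bit tag or hash collides with constant
    probability: about 2^(l/2).  Beyond this point a CBC-MAC with l-bit
    blocks should no longer be used under the same key."""
    return 2 ** (tag_bits // 2)


def collision_queries_truncated_sha256(tag_bits: int, seed: bytes = b"constructed") -> int:
    """Hash distinct constructed messages until two share the same tag_bits-bit
    truncated SHA-256 value and return how many hashes that took; the count
    lands near birthday_threshold(tag_bits), which is why short tags are risky."""
    seen = set()
    q = 0
    while True:
        tag = hashlib.sha256(seed + q.to_bytes(4, "big")).digest()
        tag_int = int.from_bytes(tag, "big") >> (256 - tag_bits)
        q += 1
        if tag_int in seen:
            return q
        seen.add(tag_int)
```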
Security notions (PKC)
Semantic security = indistinguishability: the ciphertext doesn’t reveal anything about the plaintext except its length
Non-malleability: new ciphertexts cannot be created based on known ciphertexts
A scheme satisfies a security notion if an attacker loses a ‘game’, e.g., the chosen plaintext attack (CPA) ‘game’
Challenges in WSNs
Constraints and their implications:
Sensor node hardware, resource constraints: algorithms must be energy- and storage-efficient
Nodes operate unattended: the adversary can compromise any node
Nodes are not tamper-resistant: the adversary can compromise any node’s keys
No fixed infrastructure: cannot assume any special-function node in the vicinity
No pre-configured topology: nodes don’t know their neighbours in advance
Communication in an open medium: communications are world-readable and world-writeable by default
Security design principles
Favour computation over communication: communication is 1000 times more energy-consuming than computation
Minimal public-key crypto: a Tate pairing costs 5 s (54 mJ) on a Tmote Sky (fastest recorded by [Szczechowiak et al. 08])
Favour resilience (tolerance) over absolute security: strength in numbers
Part One: Secure data aggregation
Data aggregation
Figure: sensor readings are aggregated at intermediate nodes on their way to the sink
Purposes: (1) save bandwidth (limited data rate); (2) save energy (limited energy)
This is the reason why we put a processor on every node in the first place
Phase 1: Query dissemination
Sample query: SELECT AVERAGE(temperature) FROM sensors WHERE floor = 6 EPOCH DURATION 30s
Phase 2: Data aggregation
Figure: readings are aggregated hop by hop towards the sink
Types of aggregation: (1) basic aggregation, (2) data compression, (3) parameter estimation
Phase 3: Result verification (optional)
Figure: the sink asks each source “Did you really report this?”
Security goals of data aggregation
Robustness: Byzantine corruption of data would not make the aggregation result totally meaningless
Confidentiality: to ensure that, other than the sink and the sources, no intermediate node has knowledge of the raw data or the aggregation result
Figure: the sources report 1, 2, 3 and 1000; the aggregator performs averaging (“So the average is 251.5… Oh wait a minute, what the hell am I aggregating?”) and the forwarder wonders “What the hell am I forwarding?”
Securing data aggregation: multipronged defence
Figure: sources send to aggregators, which send through forwarders to the sink; the four defences are (1) resilient aggregation at the aggregators, (2) ‘witness nodes’ that vote on the validity of the aggregation result, (3) the sink verifying the aggregation result with the sources, and (4) end-to-end keying using a privacy homomorphism
Resilient aggregation
Objective: to bound the effect of data corruption
Corruption can be arbitrary (Byzantine). By convention, we denote the number of corruptions as k
Methods: robust statistics (1-hop networks); RANBAR (1-hop networks); quantiles aggregation (multi-hop networks)
Robust statistics
Say an aggregation function is actually an estimator θ̂
Say we are estimating a parameter Θ and there are k rogue nodes
An aggregation function is (k, α)-resilient if
  rms*(θ̂, k) ≤ α · rms(θ̂)
That is, the RMS error as a result of k corruptions must be bounded by a constant factor α of the original RMS error
We win if we can limit α; the attacker wins if he manages to unbound α
Examples of (k, α)-resilient aggregation functions
Figure: the average is not resilient: with y = AVG(x1, x2, x3, x4), adding an arbitrary δ to x4 moves the result to y + δ/4, so rms(y′) > rms(y) by an unbounded factor
Resilient examples, with n samples of which k are corrupted:
Aggregation function | Resilience α | Breakdown point ε*
Sample median wrt Gaussian distribution | √(1 + 2(k/√n)²), if k ≪ n | 0.5
5%-trimmed average wrt Gaussian distribution | 1 + 6.278 k/√n, if k < 0.05n | 0.05
[l, u]-truncated average wrt Gaussian distribution | 1 + ((u − l)/σ)(k/√n) | not applicable
Count wrt Bernoulli distribution with parameter p | √(1 + k²/[np(1 − p)]) | not applicable
RANBAR
Based on RANdom SAmple Consensus (RANSAC), which originates in computer vision (hence the name RANBAR = RANsac-Based AggRegation [Buttyán et al. 06])
Step 1: use as few samples as possible to determine a preliminary model
Step 2: use the preliminary model to identify the samples that are consistent with the model
Step 3: refine the model with all the samples that are found to be consistent
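Added example, not from the slides or from [Buttyán et al. 06]: the resilience factor α of the robust-statistics slides measured empirically for the average, median, trimmed and truncated averages under k Byzantine samples, and a minimal RANBAR that follows the three steps above for a Gaussian mean with known σ. The readings, the 1e6 corruption value and the 3σ consistency tolerance are constructed assumptions.

```python
import math
import random
import statistics


def average(xs):
    return sum(xs) / len(xs)


def median(xs):
    return statistics.median(xs)


def trimmed_average(xs, frac=0.05):
    """Drop the lowest and highest frac of the samples, then average the rest."""
    s = sorted(xs)
    t = int(len(s) * frac)
    return average(s[t:len(s) - t])


def truncated_average(xs, l, u):
    """Clamp every sample into [l, u] before averaging."""
    return average([min(max(x, l), u) for x in xs])


def constructed_readings(n, k, theta, sigma, rng):
    """n Gaussian readings around theta; the last k are Byzantine and set to 1e6."""
    xs = [rng.gauss(theta, sigma) for _ in range(n)]
    xs[n - k:] = [1e6] * k
    return xs


def rms_error(estimator, n, k, theta, sigma, trials, rng):
    """Root-mean-square error of the estimator over `trials` draws (k = 0: no corruption)."""
    sq = 0.0
    for _ in range(trials):
        sq += (estimator(constructed_readings(n, k, theta, sigma, rng)) - theta) ** 2
    return math.sqrt(sq / trials)


def resilience_factor(estimator, n, k, theta=20.0, sigma=1.0, trials=300, seed=1):
    """Empirical alpha = rms*(theta_hat, k) / rms(theta_hat): how much k Byzantine
    samples inflate the RMS error compared with the clean case."""
    rng = random.Random(seed)
    clean = rms_error(estimator, n, 0, theta, sigma, trials, rng)
    corrupted = rms_error(estimator, n, k, theta, sigma, trials, rng)
    return corrupted / clean


def ranbar(xs, sigma, rng, rounds=20, tol=3.0):
    """RANSAC-based aggregation for a Gaussian mean with known sigma.
    Step 1: fit a preliminary model (the mean) from the smallest possible sample, one value.
    Step 2: find the samples consistent with it, i.e. within tol*sigma of it.
    Step 3: refine the model on the largest consistent set seen over all rounds."""
    best = []
    for _ in range(rounds):
        m = rng.choice(xs)                                          # step 1
        consistent = [x for x in xs if abs(x - m) <= tol * sigma]   # step 2
        if len(consistent) > len(best):
            best = consistent
    return average(best)                                            # step 3
```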
Quantiles aggregation (extending resilient aggregation to multihop)
Figure: one aggregator receives 1, 2, 3 and another receives 4, 16; taking a median at each hop yields 2 and 10, and the median of those at the next hop is 6, whereas the actual median of 1, 2, 3, 4, 16 is 3
This suggests that instead of taking a median at every hop on the way, we should compress the data judiciously at each hop
Quantiles aggregation
Rules for deriving a q-digest, where n is the number of samples and k is the compression parameter:
Rule (A): count(node) + count(parent) + count(siblings) ≥ n/k + 1; a node that violates this rule is merged, together with its sibling, into its parent
Rule (B): count(node) ≤ n/k
q-digest in this example: {<8,2>, <9,2>, <1,1>}, each pair being <tree node number, count>
Figure: a binary tree over the value range; tree nodes are numbered from the root (1) downwards and each carries a count
Quantiles aggregation
Derived median = data value represented by node 9 = 3.5; actual median = 3
Figure: the same numbered tree with its counts
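Added example (not the slides’ code nor the q-digest authors’): a q-digest over values 1..σ using the slide’s node numbering, Rules (A) and (B), the midpoint quantile as reported above, and the multihop merge step; σ = 16 and k = 2 are assumed, which reproduces the {<8,2>, <9,2>, <1,1>} digest and the 3.5 median of the example.

```python
import math


class QDigest:
    """q-digest over integer values 1..sigma (sigma a power of two).  Tree nodes are
    numbered as on the slide: root = 1, children of v are 2v and 2v+1, so the leaf
    for value x is node sigma + x - 1.  Compression follows the slide's rules with
    n = number of samples and k = compression parameter:
      Rule (A): count(node) + count(parent) + count(sibling) >= floor(n/k) + 1,
                otherwise the node and its sibling are merged into the parent;
      Rule (B): count(node) <= floor(n/k) for every merged node."""

    def __init__(self, sigma: int, k: int):
        assert sigma > 1 and sigma & (sigma - 1) == 0, "sigma must be a power of two"
        self.sigma, self.k = sigma, k
        self.depth = int(math.log2(sigma))
        self.counts = {}  # node number -> count
        self.n = 0

    def leaf(self, value: int) -> int:
        return self.sigma + value - 1

    def value_range(self, node: int):
        """Inclusive range of values covered by a tree node."""
        d = node.bit_length() - 1                  # depth, root = 0
        width = 1 << (self.depth - d)
        first = (node << (self.depth - d)) - self.sigma + 1
        return first, first + width - 1

    def add(self, value: int, count: int = 1):
        leaf = self.leaf(value)
        self.counts[leaf] = self.counts.get(leaf, 0) + count
        self.n += count
        return self

    def compress(self):
        limit = self.n // self.k
        # Visit sibling pairs bottom-up: node is the right child, node-1 its sibling.
        for node in range(2 * self.sigma - 1, 1, -2):
            sibling, parent = node - 1, node // 2
            pair = self.counts.get(sibling, 0) + self.counts.get(node, 0)
            if pair == 0:
                continue
            if pair + self.counts.get(parent, 0) < limit + 1:   # Rule (A) violated
                self.counts[parent] = self.counts.get(parent, 0) + pair
                self.counts.pop(sibling, None)
                self.counts.pop(node, None)
        return self

    def digest(self):
        """The <node, count> pairs, e.g. [(1, 1), (8, 2), (9, 2)] for the slide's example."""
        return sorted(self.counts.items())

    def quantile(self, q: float) -> float:
        """Walk the nodes in post-order (by right endpoint, deeper nodes first) until
        the running count reaches q*n; report that node's range midpoint, as the
        slide does (node 9, covering values 3..4, is reported as 3.5)."""
        order = sorted(self.counts, key=lambda v: (self.value_range(v)[1], -v.bit_length()))
        running = 0
        for node in order:
            running += self.counts[node]
            if running >= q * self.n:
                lo, hi = self.value_range(node)
                return (lo + hi) / 2
        return float(self.sigma)


def merge(a: QDigest, b: QDigest) -> QDigest:
    """Multihop step: an aggregator unions the q-digests of its children and
    recompresses, instead of taking a median of medians."""
    out = QDigest(a.sigma, a.k)
    for src in (a, b):
        for node, c in src.counts.items():
            out.counts[node] = out.counts.get(node, 0) + c
    out.n = a.n + b.n
    return out.compress()
```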
Resilient aggregation guidelines
1-hop, data distribution known: robust statistics, RANBAR
1-hop, data distribution unknown: robust statistics
Multihop, data distribution known or unknown: quantiles aggregation
Two approaches actually: (1) estimate by minimizing the effects of outliers; (2) detect the outliers and estimate without them
Voting
Resource-intensive, only good for mission-critical, small-scale networks
Figure: the sources report 1, 1, 2, 3 and, from a malicious node, 300; the aggregator asks the witness nodes “is mean = 61.4 reasonable?”; four witnesses answer No and a malicious one answers Yes; the sink concludes “Alright, 61.4 is not reasonable!”
Result verification
The single-aggregator case
The multi-aggregator case: Chan et al.’s hierarchical in-network aggregation; Yang et al.’s SDAP
Interactive proof algorithm
By [Przydatek et al. 2003], an algorithm for proving probabilistically that a given figure is indeed the median of the samples. Example for the sake of intuition, with the sorted samples 1 2 3 4 5 6:
1. The prover must have the samples sorted first
2. The prover tells the verifier that the median is 3.5 and the number of samples is 6
3. The verifier asks for the 3rd sample; the prover says the 3rd sample is 3 < 3.5; the verifier is happy but still suspicious
4. The verifier asks for the 4th sample; the prover says the 4th sample is 4 > 3.5; the verifier is happy but still suspicious
5. The verifier asks for the 1st and 6th samples; the prover says the 1st is 1 < 3.5 and the 6th is 6 > 3.5; the verifier says: “Alright, I’ve sampled enough, the median should be 3.5 with high probability”
This relies on the trustworthiness of the samples, but how do we make sure of that?
Result verification – single aggregator
Figure (a): sources 1 … n send x1 … xn to the aggregator A, which reports to the sink S. Source i sends q || ID(i) || xi || MAC_iS || MAC_iA; A sends q || A || f(x1, x2, …, xn) || n || hA || MAC_AS
Figure (b): commitment tree over x1 … x4 built as a Merkle hash tree: the leaves h2,0 … h2,3 are computed from x1 … x4, each inner node is hi,j = h(hi+1,2j || hi+1,2j+1), and the root is h0,0 = hA
(a) The information S requires from A in the data aggregation phase: the aggregation result f(x1 … xn); the number of data samples n; a commitment hA to the data samples. The previous slide shows these are necessary: the commitment forces the prover to commit to the sample values
(b) A commitment tree based on a Merkle hash tree saves bandwidth
Result verification – single aggregator
Figure: the same aggregator A, sink S and commitment tree as on the previous slide
A returns the following when interrogated by S: M || MAC(KAS, M), where M = q || ID(1) || x1 || MAC1S || ID(2) || x2 || MAC2S || h1,1
This prevents source nodes from lying
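Added example (not the slides’ own code): the single-aggregator commitment tree and the sink’s interrogation check in Python. SHA-256 as h, HMAC-SHA256 as MAC, a literal ‘||’ separator, the source keys K_iS and the readings are constructed assumptions; the aggregate f and MAC_AS are left out because the check shown is the one on the interrogated samples.

```python
import hashlib
import hmac


def h(*parts: bytes) -> bytes:
    """Hash of the concatenation, used for leaves and for hi,j = h(hi+1,2j || hi+1,2j+1)."""
    return hashlib.sha256(b"||".join(parts)).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def source_report(q: bytes, node_id: bytes, x: int, k_is: bytes) -> bytes:
    """q || ID(i) || xi || MAC_iS, with MAC_iS under the key source i shares with the sink."""
    body = b"||".join([q, node_id, str(x).encode()])
    return body + b"||" + mac(k_is, body).hex().encode()


def build_commitment_tree(reports):
    """levels[0] = [h0,0] (the commitment hA) ... levels[-1] = leaf hashes of the reports."""
    level = [h(r) for r in reports]
    levels = [level]
    while len(level) > 1:
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels[::-1]


def auth_path(levels, index: int):
    """Sibling hashes from leaf `index` up to the root: what A returns with a sample
    (h1,1 plays this role in the slide's M for samples 1 and 2)."""
    path = []
    for level in reversed(levels[1:]):
        path.append(level[index ^ 1])
        index //= 2
    return path


def verify_path(report: bytes, index: int, path, root: bytes) -> bool:
    node = h(report)
    for sibling in path:
        node = h(node, sibling) if index % 2 == 0 else h(sibling, node)
        index //= 2
    return node == root


def sink_check_sample(q: bytes, report: bytes, index: int, path, hA: bytes, keys) -> bool:
    """S's checks on an interrogated sample: MAC_iS is valid under K_iS (the source
    really reported this value) and the report sits under the committed root hA
    (A cannot swap samples after committing)."""
    parts = report.split(b"||")
    if len(parts) != 4 or parts[0] != q or parts[1] not in keys:
        return False
    body = b"||".join(parts[:3])
    expected = mac(keys[parts[1]], body).hex().encode()
    return hmac.compare_digest(parts[3], expected) and verify_path(report, index, path, hA)


def aggregation_round(tamper: str = "") -> bool:
    """Constructed round with 4 sources; True iff every interrogated sample passes.
    tamper = 'sample': A alters x3 before committing (MAC_3S no longer matches);
    tamper = 'commitment': A answers from a tree other than the one it committed to."""
    q = b"q42"
    keys = {b"S%d" % i: hashlib.sha256(b"constructed-key-%d" % i).digest() for i in range(1, 5)}
    readings = {b"S1": 21, b"S2": 22, b"S3": 23, b"S4": 24}          # constructed readings
    reports = [source_report(q, nid, x, keys[nid]) for nid, x in readings.items()]
    if tamper == "sample":
        reports[2] = reports[2].replace(b"||23||", b"||99||")
    levels = build_commitment_tree(reports)
    hA = levels[0][0]          # sent to S inside q || A || f(x1..xn) || n || hA || MAC_AS
    if tamper == "commitment":
        levels = build_commitment_tree(reports[::-1])
    return all(sink_check_sample(q, reports[i], i, auth_path(levels, i), hA, keys)
               for i in range(len(reports)))
```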
Result verification – multi-aggregator
Chan et al.’s hierarchical in-network aggregation: every sensor sends a message of the following format to its parent: query ID || value || complement || count || commitment || MAC
Uses two primitives, COMB and AGG:
AGG(msg1, msg2): let msg1 = q || v1 || c1 and msg2 = q || v2 || c2, then AGG(msg1, msg2) = q || f(v1, v2) || c1 + c2
COMB(msg1, msg2): let msg1 = q || v1 || c1 and msg2 = q || v2 || c2, then COMB(msg1, msg2) = q || v1 || c1 || v2 || c2
Aggregation phase [Chan et al.]
Figure: tree rooted at the sink S with nodes A, B, C, D, E, F, G, H, I, J. Leaves send single-sample messages such as J1 = q || xJ || 1 and I1; H sends H2 = q || f(xI, xJ) || 2 || h(q || f(xI, xJ) || 2 || I1 || J1); B aggregates C1 and D1 into B2; E sends COMB(H2, G1) to A; the sink receives COMB(AGG(B2, H2), G1) from A
Aggregate only trees of the same size to create balanced binary trees
The advantage of creating only balanced binary trees is that edge congestion (congestion on a link) is only O(log² n), where n is the number of samples
Verification phase [Chan et al.]
Figure: the same tree as in the aggregation phase
S broadcasts COMB(AGG(B2, H2), G1) to the network, for example using μTESLA. Next, the following transmissions take place:
A → B: H2; A → E: COMB(B2, G1); B → C: COMB(H2, D1); B → D: COMB(H2, C1); E → G: COMB(B2, G1); G → H: B2; H → I: COMB(B2, J1); H → J: COMB(B2, I1)
A source node that successfully reconstructs the commitment sends a confirmation message to the sink: q || nodeID || OK || MAC(K, q || nodeID || OK)
The problem is that the commitment is reconstructed at the source nodes themselves instead of at the sink, so an attacker can forge negative confirmations
Result verification – SDAP
Better than the previous approach, because the commitment is reconstructed at the sink, not at the source nodes
We divide the sub-network into groups; we only need to check the groups which look suspicious
A sensor decides whether it becomes a group leader by checking whether h(q || nodeID) < Fg(c), where Fg(c) is a function that increases with the data count c
The role of a group leader is to set a boolean flag in a message to NAGG, to indicate that the message needs only be forwarded, not aggregated
Figure: tree rooted at the sink S with nodes A, B, C, D, E, F, G, H, I, J. J sends q || J || xJ || 1 || YAGG || MAC(KJS, q || J || xJ || 1 || YAGG), the MAC being MACJS; I sends q || I || xI || 1 || YAGG || MACIS; H sends q || H || f(xI, xJ) || 2 || YAGG || MAC(KHS, q || H || f(xI, xJ) || 2 || YAGG || MACIS ⊕ MACJS), the MAC being MACHS; G, the group leader, sends q || G || f(xH, f(xI, xJ)) || 3 || NAGG || MAC(KGS, q || G || f(xH, f(xI, xJ)) || 3 || NAGG || MACHS), the MAC being MACGS
SDAP’s aggregation phase
Figure: the same tree and messages as on the previous slide
S tests if h(q || leader’s nodeID) < Fg(c). If false, S discards the group aggregate. Otherwise, S proceeds with the next test
S tests if the group aggregate represents an outlier
SDAP’s verification phase
Figure: the same tree as in the aggregation phase
S → A: G || q || qa
G → S: qa || G || xG || 3 || MACGS
H → S: qa || H || xH || 2 || MACHS
J → S: qa || J || xJ || 1 || MACJS
I → S: qa || I || xI || 1 || MACIS
S performs the following checks:
xG is correctly derived from f(xG, f(xJ, xI))
MACGS is correctly reconstructed in the following steps:
  MACIS = MAC(KIS, q || I || xI || 1)
  MACJS = MAC(KJS, q || J || xJ || 1)
  MACHS = MAC(KHS, q || H || f(xJ, xI) || 2 || MACIS ⊕ MACJS)
  MACGS = MAC(KGS, q || G || f(xG, f(xJ, xI)) || 3 || MACHS)
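Added example (not the slides’ code nor SDAP’s) of the aggregation-phase MAC chain I, J → H → G and the sink’s verification steps above. It assumes f = SUM, an XOR of the children’s MACs where the slide shows MACIS and MACJS side by side, a constructed Fg(c) under which a node with count 3 always passes the leader test, HMAC-SHA256 as MAC, and that the YAGG/NAGG flag is covered by every MAC exactly as in the aggregation phase.

```python
import hashlib
import hmac


def H(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def f(a: int, b: int) -> int:
    """Aggregation function; SUM is assumed here."""
    return a + b


def Fg(c: int, c_max: int = 3) -> int:
    """Constructed leader-election threshold that increases with the count c and
    reaches certainty at c_max, so that G (count 3) is a leader as on the slide."""
    return (min(c, c_max) << 256) // c_max


def is_leader(q: bytes, node_id: bytes, c: int) -> bool:
    """A node becomes group leader when h(q || nodeID) < Fg(c)."""
    return H(q + b"||" + node_id) < Fg(c)


def node_mac(key, q, node_id, value, count, flag, child_macs=()):
    """MAC(K_XS, q || X || value || count || flag [|| XOR of the children's MACs])."""
    body = b"||".join([q, node_id, str(value).encode(), str(count).encode(), flag])
    if child_macs:
        acc = child_macs[0]
        for m in child_macs[1:]:
            acc = xor(acc, m)
        body += b"||" + acc
    return mac(key, body)


def aggregation_phase(q, keys, x, inflate_h: int = 0):
    """The slide's sub-tree I, J -> H -> G; returns the group aggregate G sends on.
    inflate_h > 0 models a compromised H adding that much to its aggregate."""
    mac_i = node_mac(keys[b"I"], q, b"I", x[b"I"], 1, b"YAGG")
    mac_j = node_mac(keys[b"J"], q, b"J", x[b"J"], 1, b"YAGG")
    v_h = f(x[b"I"], x[b"J"]) + inflate_h
    mac_h = node_mac(keys[b"H"], q, b"H", v_h, 2, b"YAGG", (mac_i, mac_j))
    v_g = f(x[b"H"], v_h)
    flag_g = b"NAGG" if is_leader(q, b"G", 3) else b"YAGG"
    mac_g = node_mac(keys[b"G"], q, b"G", v_g, 3, flag_g, (mac_h,))
    return {"leader": b"G", "value": v_g, "count": 3, "flag": flag_g, "mac": mac_g}


def sink_verify(q, keys, report, x) -> str:
    """S's checks: the leader test h(q || leaderID) < Fg(c); the aggregate recomputed
    from the members' verification-phase replies x; then the MAC chain
    MAC_IS, MAC_JS -> MAC_HS -> MAC_GS rebuilt with the sink's copies of the keys."""
    if not is_leader(q, report["leader"], report["count"]):
        return "discard: not a leader"
    v_h = f(x[b"I"], x[b"J"])
    if report["value"] != f(x[b"H"], v_h):
        return "aggregate mismatch"
    mac_i = node_mac(keys[b"I"], q, b"I", x[b"I"], 1, b"YAGG")
    mac_j = node_mac(keys[b"J"], q, b"J", x[b"J"], 1, b"YAGG")
    mac_h = node_mac(keys[b"H"], q, b"H", v_h, 2, b"YAGG", (mac_i, mac_j))
    mac_g = node_mac(keys[b"G"], q, b"G", report["value"], report["count"],
                     report["flag"], (mac_h,))
    return "ok" if hmac.compare_digest(mac_g, report["mac"]) else "MAC mismatch"


def constructed_setup():
    q = b"q42"
    keys = {n: hashlib.sha256(b"constructed-key-" + n).digest() for n in (b"I", b"J", b"H", b"G")}
    x = {b"I": 21, b"J": 22, b"H": 20}         # constructed readings
    return q, keys, x
```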
Privacy homomorphism (PH)
First proposed by Rivest et al. in 1978 to process encrypted data without decrypting the data first
A function f is (∘, •)-homomorphic if f(x) ∘ f(y) = f(x • y), where ‘∘’ is an operator in the range and ‘•’ is an operator in the domain
If f is an encryption function and the inverse function f⁻¹ is the corresponding decryption function, then f is a PH
Types of PHs
There are three main approaches to PHs in WSNs so far:
PHs that are based on polynomial rings, e.g., Domingo-Ferrer’s scheme: insecure under known-plaintext attacks; the attacks involve only computation of gcd and linear algebra [Wagner 03]
PHs that are based on one-time pads
Homomorphic public-key cryptosystems
PHs based on one-time pads
Encryption and aggregation: C = Σ_{i=1}^{n} E(k_i, m_i) = (Σ_{i=1}^{n} m_i + Σ_{i=1}^{n} k_i) mod p
Decryption by sink: Σ_{i=1}^{n} m_i mod p = (C − Σ_{i=1}^{n} k_i) mod p
Drawbacks: use of the addition operator in place of the XOR operator in the plaintext space is unproven in terms of security; synchronization of keys causes a scalability problem
Figure: two leaves send the one-time pads m1 + k1 and m2 + k2, the next hop forwards m1 + m2 + k1 + k2, then m1 + m2 + m3 + k1 + k2 + k3 after m3 + k3 is added, and the sink receives m1 + m2 + m3 + m4 + k1 + k2 + k3 + k4
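Added example (not from the slides): the additive one-time-pad PH run over the figure’s four-leaf tree, including the key-synchronization drawback, with a constructed modulus p and a constructed per-node, per-epoch pad derivation.

```python
import hashlib

P = 2 ** 31 - 1   # modulus p of the additive one-time pad (constructed)


def pad_key(master: bytes, node_id: int, epoch: int) -> int:
    """Pad k_i for node i in this epoch; derived from a secret shared only between node i
    and the sink (constructed KDF; the real scheme must never reuse a pad)."""
    raw = hashlib.sha256(master + bytes([node_id]) + epoch.to_bytes(4, "big")).digest()
    return int.from_bytes(raw, "big") % P


def encrypt(k: int, m: int) -> int:
    """C_i = E(k_i, m_i) = (m_i + k_i) mod p."""
    return (m + k) % P


def aggregate(c1: int, c2: int) -> int:
    """(+, +)-homomorphic step done by an aggregator that holds no key: C = (C1 + C2) mod p."""
    return (c1 + c2) % P


def sink_decrypt(c: int, pads) -> int:
    """sum m_i mod p = (C - sum k_i) mod p."""
    return (c - sum(pads)) % P


def collect(master: bytes, epoch: int, readings: dict, reporting) -> int:
    """Leaves encrypt and the tree of the figure sums ciphertexts hop by hop:
    (m1+k1) + (m2+k2), then + (m3+k3), then + (m4+k4)."""
    c = 0
    for i in sorted(reporting):
        c = aggregate(c, encrypt(pad_key(master, i, epoch), readings[i]))
    return c


def sink_result(master: bytes, epoch: int, c: int, assumed_reporters) -> int:
    """The sink subtracts the pads of the nodes it believes contributed: if that set is
    out of sync with the nodes that actually reported, the result is garbage."""
    return sink_decrypt(c, [pad_key(master, i, epoch) for i in assumed_reporters])
```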
Security of homomorphic public-key cryptosystems
PHs are different from conventional ciphers in the sense that the highest attainable security for PHs is semantic security under non-adaptive chosen-ciphertext attacks (IND-CCA1)
PHs are also by definition malleable, so they fail all the non-malleability notions
In practice, we only look for PHs that are semantically secure against chosen-plaintext attacks (IND-CPA)
Figure: relations among the security notions for public-key cryptosystems
Candidate cryptosystems
ElGamal on elliptic curves (EG-EC): semantic security depends on the discrete logarithm problem on elliptic curves; (+, +)-homomorphic
Okamoto-Uchiyama: semantic security depends on the intractability of factoring p²q; (×, +)-homomorphic
Guideline [Mykletun et al. 06]
Figure: decision chart for choosing between EG-EC and Okamoto-Uchiyama, annotated “(real-time)”, “(intermediate nodes might want to decrypt the intermediate values)”, “EG-EC requires too much storage here” and “EG-EC becomes increasingly costly with larger ciphertexts”
Part One conclusion
Among the techniques introduced so far, voting, result verification and PH all require a lot of resources
Resilient aggregation is the only practical one: if all data are only aggregated once, then RANBAR or a simple resilient aggregation function can be used; for multi-aggregation scenarios, quantiles aggregation can be used at each aggregation point to compress the data
Instead of PH, encrypted data are decrypted, then aggregated and re-encrypted at each aggregator: no true end-to-end confidentiality
Figure: in secure data aggregation we secured one-way traffic towards the sink; in key management we secure generic traffic, the generalized case
Part Two: Key management
Components
Figure: key management comprises (1) protocol verification, (2) key establishment, (3) key refreshment and (4) key revocation
Protocol verification
Verification gives us indication of, and confidence in, security
If we simulate unbounded sessions, verification of secrecy and authentication is undecidable
If we limit the number of parallel sessions, we can use constraint solving for verification
Model: strand space model. Tool: CoProVe implements the strand space model using constraint solving (Prolog)
Strand space model
Protocol | Strand space model | Example
Role: what a principal does in the protocol | Strand: a sequence of events | Initiator, responder, server
Complete run: a complete iteration of the protocol | Bundle: a set of strands, legitimate or otherwise, hooked together where one strand sends a message and another receives that same message, representing a full protocol exchange | 1. Initiator → Attacker: …; 2. Attacker → Responder: …; 3. Responder → Attacker: …; 4. Attacker → Initiator: …
Node-to-node key establishment
A wants to establish a secure channel with B via a common trusted node S:
A → B: NA || A
B → S: NA || NB || A || B || MAC(KBS, NA || NB || A || B)
S → A: E(KAS, KAB) || MAC(KAS, NA || B || E(KAS, KAB))
S → B: E(KBS, KAB) || MAC(KBS, NB || A || E(KBS, KAB))
A → B: Ack || MAC(KAB, Ack)
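Added example (not from the slides): the five messages above played between A, B and S in Python, with two tampering cases that the MACs and nonces catch. HMAC-SHA256 stands in for MAC, and a constructed keystream XOR (sound only for this single-run model) stands in for E; the nonce and key lengths are assumptions.

```python
import hashlib
import hmac
import os


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def E(key: bytes, msg: bytes) -> bytes:
    """Stand-in for E(K, M): XOR with an HMAC-derived keystream.  Constructed for this
    single-run model only; a real deployment needs a proper cipher mode."""
    stream = b"".join(mac(key, b"ks" + bytes([i])) for i in range((len(msg) + 31) // 32))
    return bytes(a ^ b for a, b in zip(msg, stream))


D = E   # XOR keystream: decryption is the same operation


def run_protocol(KAS: bytes, KBS: bytes, tamper: str = "", rng=os.urandom) -> str:
    """Plays the five messages and reports which party stops, or 'established' when
    A and B end up with the same KAB.
    tamper = 'nonce': NA is altered in message 2 in transit;
    tamper = 'replay': message 3 from an earlier run is replayed to A."""
    NA, NB = rng(8), rng(8)
    # 1. A -> B: NA || A
    msg1 = NA + b"||A"
    # 2. B -> S: NA || NB || A || B || MAC(KBS, NA || NB || A || B)
    body2 = msg1[:8] + NB + b"A" + b"B"
    msg2 = (body2, mac(KBS, body2))
    if tamper == "nonce":
        msg2 = (rng(8) + body2[8:], msg2[1])
    # S checks B's MAC before it hands out a key
    if not hmac.compare_digest(msg2[1], mac(KBS, msg2[0])):
        return "S rejects message 2"
    na, nb = msg2[0][:8], msg2[0][8:16]
    KAB = rng(16)
    # 3. S -> A: E(KAS, KAB) || MAC(KAS, NA || B || E(KAS, KAB))
    eA = E(KAS, KAB)
    msg3 = (eA, mac(KAS, na + b"B" + eA))
    # 4. S -> B: E(KBS, KAB) || MAC(KBS, NB || A || E(KBS, KAB))
    eB = E(KBS, KAB)
    msg4 = (eB, mac(KBS, nb + b"A" + eB))
    if tamper == "replay":
        old_key = rng(16)                        # key of a previous run, under an old NA
        old_e = E(KAS, old_key)
        msg3 = (old_e, mac(KAS, rng(8) + b"B" + old_e))
    # A checks that its own fresh NA is under the MAC, then decrypts
    if not hmac.compare_digest(msg3[1], mac(KAS, NA + b"B" + msg3[0])):
        return "A rejects message 3"
    KAB_A = D(KAS, msg3[0])
    # B checks its own NB likewise
    if not hmac.compare_digest(msg4[1], mac(KBS, NB + b"A" + msg4[0])):
        return "B rejects message 4"
    KAB_B = D(KBS, msg4[0])
    # 5. A -> B: Ack || MAC(KAB, Ack), key confirmation
    msg5 = (b"Ack", mac(KAB_A, b"Ack"))
    if not hmac.compare_digest(msg5[1], mac(KAB_B, msg5[0])):
        return "B rejects ack"
    return "established"
```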
Node-to-node key establishment
Figure: message sequence chart of the protocol above, from A’s NA || A to the final Ack || MAC(KAB, Ack)
Verification using CoProVe
Figure: each role (Role 1 … Role n) is a strand of send … / recv … events; a scenario instantiates Role 1 … Role n and an outcome (e.g., the attacker learns the key); the instantiated strands form a bundle in the strand space model
Security is disproved if there exists a bundle that satisfies these constraints; the outcome strand is marked has_to_finish(Outcome)
Verification using CoProVe – the code itself
  % Each role is a strand: its send/recv events in order; X+K denotes X encrypted under K
  initiator(A, S, B, Na, Ns, Ka, Kb, Kab, Ack, [
    recv([A, [S, B]]),
    send([Na, B]+Ka),
    recv([Ns+Kb, [Kab, [Na, B]]]+Ka),
    send([A, Ns+Kb]),
    recv([Ack]+Kab)
  ]).
  server(A, B, Na, Ns, Nb, Ka, Kb, Kab, [
    recv([Na, B]+Ka),
    send([Ns+Kb, [Kab, [Na, B]]]+Ka),
    recv([B, [Nb, [A, Ns]]]+Kb),
    send([Kab, [Nb, A]]+Kb)
  ]).
  responder(A, B, Nb, Ns, Kb, Kab, Ack, [
    recv([A, Ns+Kb]),
    send([B, [Nb, [A, Ns]]]+Kb),
    recv([Kab, [Nb, A]]+Kb),
    send([Ack]+Kab)
  ]).
  % The outcome strand: the attacker learns N if it can receive N in the clear
  secrecy(N, [recv(N)]).
  % Scenario: one instance of each role plus the secrecy goal on the session key kab
  scenario([[a, Init1], [b, Resp1], [s, Serv1], [sec, Secr1]]) :-
    initiator(a, s, B, na, Ns, ka, Kb, Kab, ack, Init1),
    server(a, b, Na, ns, Nb, ka, kb, kab, Serv1),
    responder(A, b, nb, Ns1, kb, Kab1, ack, Resp1),
    secrecy(kab, Secr1).
  % The secrecy strand must be completed in the bundle for the attack to count
  has_to_finish([sec]).
Key establishment
Definition: a process or protocol whereby a shared secret key becomes available to two or more parties, for subsequent cryptographic use
Types: key establishment divides into key transport and key agreement; key pre-distribution is a key agreement protocol whereby the resulting established keys are completely determined a priori by initial keying material
Protocol design by communication modes
Global broadcasts: authenticated broadcast using μTESLA
Local broadcasts: passive participation
Unicast: only consider neighbour-to-neighbour, since multihop can be secured hop by hop; random key pre-distribution schemes, LEAP+, EBS
Global broadcast: μTESLA
“Micro” version of the Timed, Efficient, Streaming, Loss-tolerant Authentication Protocol: authenticated broadcast
Figure: in time interval i the message is Mi || MAC(Ki, Mi); in interval i + δ the message is Mi+δ || Ki || MAC(Ki+δ, Mi+δ || Ki), which discloses Ki
Authentication succeeds if (1) Ki generates the MAC and (2) there exists a past key Kj = h^(i−j)(Ki)
Key chain K1, K2, K3, K4, …, Kn: keys are generated in reverse order, Ki−1 = h(Ki), and released in forward order
μTESLA example (1)
(1) Generate the one-way reverse key chain K1 ← K2 ← K3 ← K4 on the base station by repeated application of h()
(2) Give K1 to everybody
(3) The base station broadcasts M || K2 || MAC(K3, …)
μTESLA example (2)
(4) K2 is genuine because h(K2) = K1, but the packet tagged with MAC(K3, M || K2) still needs to be authenticated
(5) The base station later sends M2 || K3 || MAC(K4, …); K3 can now be used to authenticate message M
Authentication steps: (a) K3 is genuine because K2 = h(K3); (b) M is genuine because K3 is genuine and K3 authenticates M
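Added example (not the slides’ code nor SPINS’) of the μTESLA mechanism above: reverse key-chain generation, delayed key disclosure with δ = 1, verification of a disclosed key by repeated hashing across a lost packet, and rejection of a packet whose key is already public; SHA-256 as h and HMAC-SHA256 as MAC are assumed, and the chain seed and messages are constructed.

```python
import hashlib
import hmac


def h(key: bytes) -> bytes:
    return hashlib.sha256(key).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def generate_chain(seed: bytes, n: int):
    """Keys are generated in reverse order: Kn = seed and K(i-1) = h(Ki).
    Returns [K1, ..., Kn]; K1 is the commitment handed to every node."""
    chain = [seed]
    for _ in range(n - 1):
        chain.append(h(chain[-1]))
    return chain[::-1]


class BaseStation:
    def __init__(self, chain, delta: int):
        self.chain, self.delta = chain, delta

    def packet(self, i: int, msg: bytes):
        """Interval i: Mi || K(i-delta) || MAC(Ki, Mi || K(i-delta)).  The key of
        interval i is only disclosed delta intervals later."""
        j = i - self.delta
        disclosed = self.chain[j - 1] if j >= 1 else b""
        return (i, msg, disclosed, mac(self.chain[i - 1], msg + disclosed))


class Receiver:
    def __init__(self, K1: bytes, delta: int):
        self.known = {1: K1}      # interval -> verified key (contiguous from 1)
        self.delta = delta
        self.latest = 1           # highest interval whose key is already public
        self.pending = {}         # packets that cannot be checked yet
        self.authenticated = []

    def accept_key(self, j: int, key: bytes) -> bool:
        """Kj is genuine iff for some already known Ki (i <= j) Ki = h^(j-i)(Kj);
        keys of lost packets are recovered on the way, so loss is tolerated."""
        i = max(k for k in self.known if k <= j)
        keys = [key]
        for _ in range(j - i):
            keys.append(h(keys[-1]))
        if keys[-1] != self.known[i]:
            return False
        for t, k in zip(range(j, i, -1), keys):
            self.known[t] = k
        self.latest = max(self.latest, j)
        return True

    def receive(self, pkt) -> bool:
        i, msg, disclosed, tag = pkt
        # Security condition: a packet whose key may already be public is discarded,
        # because anyone holding that disclosed key could have forged it.
        if i <= self.latest:
            return False
        self.pending[i] = (msg, disclosed, tag)
        j = i - self.delta
        if j >= 1 and self.accept_key(j, disclosed):
            # Every buffered packet up to interval j can now be authenticated
            for t in sorted(k for k in self.pending if k <= j):
                m, d, tg = self.pending.pop(t)
                if hmac.compare_digest(tg, mac(self.known[t], m + d)):
                    self.authenticated.append((t, m))
        return True
```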
6262
Local broadcast: Passive participation
(Figure: node A transmitting; neighbours B, C, D, E listening)
Passive participation: nodes B, C, D, E suppress their transmissions when they find A transmitting about the same data ("A is just transmitting similar data to what I have, so I shall not transmit.")
To secure passive participation, A uses a cluster key and a one-way key chain to achieve encrypted and authenticated local broadcast
63
Local broadcast: Passive participation
If only the key chain is used, the keys in the key chain would have to be broadcast in the clear, and in the absence of time interval differentiation, a cluster-outsider would be able to forge messages using these keys
If only the cluster key is used, authentication of the sender cannot be achieved
But if used together, the cluster key can be used to encrypt messages as well as to hide the key chain keys from cluster-outsiders; and at the same time, the key chain keys can be used for authentication
(Figure: nodes A, B, C, D)
64
Securing unicast
Random key pre-distribution schemes
LEAP+
EBS
65
Random key pre-distribution (RKP)
(Figure: each node draws its 'keying material' at random from the pool; the question is whether two neighbours are able to establish a session key)
P = pool size (4 in this example)
K = key ring size (1 in this example)
66
Random key pre-distribution (RKP)
Different types:
Type 1: Symmetric key [Eschenauer & Gligor 02]
Type 2: Symmetric bivariate polynomial [Liu et al. 05], $f(x, y) = \sum_{i,j=0}^{t} a_{ij} x^i y^j$
Type 3: Part of a matrix [Du et al. 05]
67
Symmetric-key-based RKP
Key pool: 1, 2, 3, 4, 5, 6, 7
Node 1: "I've got keys 1, 2, 3, 4"
Node 2: "I've got keys 1, 5, 6, 7"
Both: "OK, so our session key can be derived from key 1"
Although not all neighbouring pairs of nodes can establish a session key (aka pairwise key), the network will remain connected with a suitable choice of K and P.
K = key ring size (4 in this example)
P = key pool size (7 in this example)
68
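Key-ring loading, shared-key discovery and session-key derivation for symmetric-key RKP, as an added Python example (not code from the slides or from Eschenauer and Gligor). It reproduces the slide's rings (P = 7, K = 4, common key 1) and goes a little beyond the slide by computing the probability that two random rings share a key, 1 − C(P−K, K)/C(P, K), which is the quantity the choice of K and P is made against. The pool key values, the HMAC-based derivation of the session key from the common key and the node ids are constructed choices.

```python
import hashlib
import hmac
import math
import random

def make_pool(p: int) -> dict:
    # Key pool of P keys, identified 1..P (key values constructed for the example)
    return {i: hashlib.sha256(f"constructed pool key {i}".encode()).digest() for i in range(1, p + 1)}

def draw_ring(pool: dict, k: int, rng: random.Random) -> dict:
    # Each node is loaded with a key ring of K keys drawn at random, without replacement, from the pool
    return {i: pool[i] for i in rng.sample(sorted(pool), k)}

def shared_key_ids(ring_a: dict, ring_b: dict) -> set:
    # Shared-key discovery: neighbours compare the identifiers of the keys they hold
    return set(ring_a) & set(ring_b)

def pairwise_key(my_ring: dict, peer_ids: set, my_id: int, peer_id: int):
    """Derive the session (pairwise) key from the lowest-numbered common key, bound to both node ids."""
    common = shared_key_ids(my_ring, dict.fromkeys(peer_ids))
    if not common:
        return None   # no common key: path-key establishment via a trusted neighbour is needed
    lo, hi = sorted((my_id, peer_id))
    return hmac.new(my_ring[min(common)], f"{lo}|{hi}".encode(), hashlib.sha256).digest()[:16]

def prob_share(p: int, k: int) -> float:
    """Pr[two random rings of size K from a pool of size P share at least one key] = 1 - C(P-K, K) / C(P, K)."""
    return 1.0 - math.comb(p - k, k) / math.comb(p, k)

def simulate_share(p: int, k: int, trials: int, seed: int = 1) -> float:
    # Monte-Carlo check of prob_share: draw two rings at random and see whether they overlap
    rng, pool, hits = random.Random(seed), make_pool(p), 0
    for _ in range(trials):
        if shared_key_ids(draw_ring(pool, k, rng), draw_ring(pool, k, rng)):
            hits += 1
    return hits / trials

def slide_example():
    # The slide's rings: node 1 holds keys 1, 2, 3, 4; node 2 holds keys 1, 5, 6, 7 (P = 7, K = 4)
    pool = make_pool(7)
    node1 = {i: pool[i] for i in (1, 2, 3, 4)}
    node2 = {i: pool[i] for i in (1, 5, 6, 7)}
    k12 = pairwise_key(node1, set(node2), 1, 2)
    k21 = pairwise_key(node2, set(node1), 2, 1)
    return shared_key_ids(node1, node2), k12 == k21
```

With P = 7 and K = 4 two rings cannot miss each other (C(3, 4) = 0), whereas with the plotted parameters K = 4, P = 15 only about 76% of neighbouring pairs share a key, which is why the slide appeals to random-geometric-graph results for the connectivity of the whole network.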
Symmetric-key-based RKP
(Plots: Pr{connectivity ≥ k} vs k, and expected connectivity, for K = 4, P = 15 (RMSE = 0.0427) and K = 4, P = 30 (RMSE = 0.0436))
Derived from results of random geometric graphs [Law et al. 07]
69
Polynomial-based RKP
$f(x, y) = \sum_{i,j=0}^{t} a_{ij} x^i y^j$
Pool:
f1(x, y) = 1 + 2y + 3y² + 2x + xy + 4xy² + 3x² + 4x²y + x²y²
f2(x, y) = 2 + 3y + 5y² + 3x + 2xy + 7xy² + 5x² + 7x²y + 2x²y²
f3(x, y) = 3 + 4y + 5y² + 4x + 3xy + 6xy² + 5x² + 6x²y + 3x²y²
Node 1: "I've got f1(), f2()"; its shares are f1(1, y) = 6 + 7y + 8y² and f2(1, y) = 10 + 12y + 14y²
Node 2: "I've got f2(), f3()"; its shares are f2(2, y) = 28 + 35y + 27y² and f3(2, y) = 31 + 34y + 29y²
Both: "OK, so our session key can be derived from f2()"
In this example, t = 2, K = 2, P = 3
The pairwise key is f2(1, 2) = f2(2, 1) = 10 + 24 + 56 = 28 + 35 + 27 = 90*
*In reality, the value must of course be as large as normal crypto keys
Storage requirement: K(t + 1) coefficients, where t is the threshold
70
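Share computation and pairwise-key derivation for polynomial-based RKP, as an added Python example (not code from the slides or from Liu et al.), using the slide's three polynomials so that the numbers can be checked against it: node 1's share of f2 is 10 + 12y + 14y², node 2's is 28 + 35y + 27y², and both evaluate to 90. The optional prime modulus q is my addition; the slide works over the integers, and q=None reproduces its arithmetic.

```python
from typing import Dict, Tuple, Optional

# A symmetric bivariate polynomial f(x, y) = sum_{i,j=0}^{t} a_ij x^i y^j, stored as {(i, j): a_ij}
Poly2 = Dict[Tuple[int, int], int]

# The three pool polynomials of the slide (t = 2, P = 3)
F1: Poly2 = {(0, 0): 1, (0, 1): 2, (0, 2): 3, (1, 0): 2, (1, 1): 1, (1, 2): 4, (2, 0): 3, (2, 1): 4, (2, 2): 1}
F2: Poly2 = {(0, 0): 2, (0, 1): 3, (0, 2): 5, (1, 0): 3, (1, 1): 2, (1, 2): 7, (2, 0): 5, (2, 1): 7, (2, 2): 2}
F3: Poly2 = {(0, 0): 3, (0, 1): 4, (0, 2): 5, (1, 0): 4, (1, 1): 3, (1, 2): 6, (2, 0): 5, (2, 1): 6, (2, 2): 3}

def is_symmetric(f: Poly2) -> bool:
    # a_ij == a_ji is what makes f(u, v) == f(v, u), and hence makes the two nodes' shares agree
    return all(f.get((i, j), 0) == f.get((j, i), 0) for (i, j) in f)

def share(f: Poly2, node_id: int, q: Optional[int] = None) -> list:
    """Share for one node: the univariate polynomial f(node_id, y), as its t+1 coefficients.
    q is an optional prime modulus (a real deployment works in a finite field); q=None keeps the slide's integers."""
    t = max(i for i, _ in f)
    coeffs = []
    for j in range(t + 1):
        c = sum(f.get((i, j), 0) * node_id ** i for i in range(t + 1))
        coeffs.append(c % q if q else c)
    return coeffs

def evaluate(coeffs: list, y: int, q: Optional[int] = None) -> int:
    v = sum(c * y ** j for j, c in enumerate(coeffs))
    return v % q if q else v

def pairwise_key(my_shares: dict, peer_id: int, peer_poly_ids, q: Optional[int] = None) -> Optional[int]:
    # Nodes exchange polynomial identifiers and use the first polynomial they have in common
    common = sorted(set(my_shares) & set(peer_poly_ids))
    if not common:
        return None
    return evaluate(my_shares[common[0]], peer_id, q)

def slide_example(q: Optional[int] = None):
    assert all(is_symmetric(f) for f in (F1, F2, F3))
    node1 = {"f1": share(F1, 1, q), "f2": share(F2, 1, q)}   # K = 2 shares of t+1 = 3 coefficients each
    node2 = {"f2": share(F2, 2, q), "f3": share(F3, 2, q)}
    k12 = pairwise_key(node1, 2, node2, q)   # node 1 evaluates its f2 share at y = 2
    k21 = pairwise_key(node2, 1, node1, q)   # node 2 evaluates its f2 share at y = 1
    return node1["f2"], node2["f2"], k12, k21
```

Each share is t + 1 coefficients, so a node holding K shares stores K(t + 1) values, as the slide states; the threshold t is the number of captured shares of one polynomial beyond which the whole polynomial can be reconstructed.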
Matrix-based RKP
Vandermonde-like generator matrix (N = number of nodes = number of columns; the seed can be used as an ID):
$$G = \begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ s & s^2 & s^3 & \cdots & s^N \\ s^2 & (s^2)^2 & (s^3)^2 & \cdots & (s^N)^2 \\ \vdots & \vdots & \vdots & & \vdots \\ s^t & (s^2)^t & (s^3)^t & \cdots & (s^N)^t \end{pmatrix}$$
Random symmetric matrices: D1, D2, D3, D4
M1 = (D1 G)^T, M2, M3, M4
71
Matrix-based RKP
Pool: M1, M2, M3, M4
Node 1: "I've got M1, M2" (it holds rows M1(1), M2(1) and column G(1)); "Here's G(1)"
Node 2: "I've got M2, M3" (it holds rows M2(2), M3(2) and column G(2)); "Here's G(2)"
Both: "OK, so our session key can be derived from M2"
Pairwise key = M2(1) G(2) = M2(2) G(1)
Storage requirement: K(t + 1) + 1 coefficients, where t is the threshold
72
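The matrix construction of the two slides (Vandermonde-like G, random symmetric D, M = (DG)^T, pairwise key M2(1)·G(2) = M2(2)·G(1)), as an added Python example that is not code from the slides or from Du et al. The arithmetic is done modulo a small prime Q, and the seed, the number of nodes and the random generator seed are constructed choices; a real deployment uses a far larger field.

```python
import random

Q = 2**31 - 1   # prime modulus of the field the arithmetic is done in (constructed; use a far larger field in practice)

def generator_matrix(seed: int, t: int, n: int, q: int = Q) -> list:
    """(t+1) x N Vandermonde-like G: column c is (1, s_c, s_c^2, ..., s_c^t) with s_c = seed^c mod q,
    so node c need only remember its seed s_c (usable as its ID) to rebuild its own column."""
    cols = [[pow(pow(seed, c, q), r, q) for r in range(t + 1)] for c in range(1, n + 1)]
    return [[cols[c][r] for c in range(n)] for r in range(t + 1)]

def random_symmetric(t: int, rng: random.Random, q: int = Q) -> list:
    D = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            D[i][j] = D[j][i] = rng.randrange(q)
    return D

def matmul(A: list, B: list, q: int = Q) -> list:
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % q for j in range(len(B[0]))] for i in range(len(A))]

def key_space(D: list, G: list, q: int = Q) -> list:
    # M = (D G)^T, an N x (t+1) matrix whose row c belongs to node c.
    # M G = G^T D G is symmetric because D is, which is why M(u).G(v) == M(v).G(u).
    return [list(row) for row in zip(*matmul(D, G, q))]

def column(G: list, c: int) -> list:
    return [row[c - 1] for row in G]

def pairwise_key(m_row: list, g_col: list, q: int = Q) -> int:
    # K_uv = M(u) . G(v): node u's private row times node v's public column
    return sum(a * b for a, b in zip(m_row, g_col)) % q

def slide_example(seed: int = 7, t: int = 2, n: int = 6, pool_size: int = 4):
    rng = random.Random(2024)   # constructed randomness, so the example is reproducible
    G = generator_matrix(seed, t, n)
    pool = [key_space(random_symmetric(t, rng), G) for _ in range(pool_size)]   # M1..M4
    # Node 1 holds rows M1(1), M2(1) and column G(1); node 2 holds M2(2), M3(2) and G(2)
    node1 = {1: pool[0][0], 2: pool[1][0]}
    node2 = {2: pool[1][1], 3: pool[2][1]}
    common = min(set(node1) & set(node2))            # M2
    k12 = pairwise_key(node1[common], column(G, 2))  # M2(1) . G(2)
    k21 = pairwise_key(node2[common], column(G, 1))  # M2(2) . G(1)
    k13 = pairwise_key(node1[common], column(G, 3))  # the key with node 3 is a different value
    return common, k12, k21, k13
```

A node stores K rows of t + 1 field elements plus its one seed, which is the K(t + 1) + 1 figure on the slide; the column it hands to a neighbour is public and is regenerated from the seed rather than stored.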
Node-to-node key establishment
RKP schemes are only good for keying two neighbouring nodes with common key(s); what about neighbours without any common key? Use a common trusted node
A wants to establish a secure channel with B via a common trusted node S:
A → B: NA || A
B → S: NA || NB || A || B || MAC(KBS, NA || NB || A || B)
S → A: E(KAS, KAB) || MAC(KAS, NA || B || E(KAS, KAB))
S → B: E(KBS, KAB) || MAC(KBS, NB || A || E(KBS, KAB))
A → B: Ack || MAC(KAB, Ack)
73
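The five-message exchange above with both sides' checks, as an added Python example (not code from the slides). It assumes S generates the fresh K_AB, uses HMAC-SHA-256 as the MAC, and stands in for E(K, ·) with an HMAC-derived keystream XORed into the key (a constructed placeholder for the block cipher a node would use); the node names, nonces and tampering cases are constructed. Each MAC binds the recipient's own nonce and the peer's name, which is what stops a reply meant for another pair, or a replayed one, from being accepted.

```python
import hashlib
import hmac
import os

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def enc(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for E(K, .): XOR with an HMAC-derived keystream keyed by the nonce (constructed; a node would use a block cipher mode)
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class TrustedNode:
    """S: shares K_AS with A and K_BS with B, and hands out a fresh K_AB on a valid request."""
    def __init__(self, keys: dict):
        self.keys = keys

    def handle(self, na, nb, a, b, tag):
        if not hmac.compare_digest(tag, mac(self.keys[b], na + nb + a + b)):
            return None  # the B -> S message is not from B: refuse
        kab = os.urandom(16)
        ca, cb = enc(self.keys[a], na, kab), enc(self.keys[b], nb, kab)
        msg_to_a = (ca, mac(self.keys[a], na + b + ca))   # S -> A: E(K_AS, K_AB) || MAC(K_AS, NA || B || E(...))
        msg_to_b = (cb, mac(self.keys[b], nb + a + cb))   # S -> B: E(K_BS, K_AB) || MAC(K_BS, NB || A || E(...))
        return msg_to_a, msg_to_b

def run_protocol(tamper_with: str = "") -> str:
    kas, kbs = os.urandom(16), os.urandom(16)
    a, b = b"A", b"B"
    s = TrustedNode({a: kas, b: kbs})
    na = os.urandom(8)                                  # A -> B: NA || A
    nb = os.urandom(8)
    req = (na, nb, a, b, mac(kbs, na + nb + a + b))     # B -> S: NA || NB || A || B || MAC(K_BS, ...)
    if tamper_with == "request":
        req = (na, nb, a, b, os.urandom(8))             # constructed: forged MAC on the request
    reply = s.handle(*req)
    if reply is None:
        return "S rejects"
    (ca, ta), (cb, tb) = reply
    if tamper_with == "reply":
        ca = bytes([ca[0] ^ 1]) + ca[1:]                # constructed: ciphertext altered in transit
    # A: verify under K_AS, binding its nonce NA and the peer name B, then decrypt K_AB
    if not hmac.compare_digest(ta, mac(kas, na + b + ca)):
        return "A rejects"
    kab_a = enc(kas, na, ca)
    ack = (b"Ack", mac(kab_a, b"Ack"))                  # A -> B: Ack || MAC(K_AB, Ack)
    # B: verify its own copy under K_BS, decrypt, then check A's acknowledgement with K_AB
    if not hmac.compare_digest(tb, mac(kbs, nb + a + cb)):
        return "B rejects"
    kab_b = enc(kbs, nb, cb)
    if not hmac.compare_digest(ack[1], mac(kab_b, ack[0])):
        return "B rejects ack"
    return "ok" if kab_a == kab_b else "mismatch"
```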
LEAP+
LEAP+ is a key pre-distribution scheme but not random
Every node is pre-distributed with Kin
(0) Node A (holding initial key Kin) sets a timer
(1) A: "Hello, I'm A"
(2) Node B (node key KB = PRF(Kin, B); Kin already deleted): "I'm B"
(3) A and B compute pairwise key = PRF(PRF(Kin, B), A)
(4) Timer fires, A deletes Kin
74
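The LEAP+ neighbour-discovery steps (0) to (4), as an added Python example that is not code from the slides or from the LEAP+ authors. It shows the asymmetry the slide relies on: the already-deployed node B keys the newcomer from its node key KB alone, while the newcomer A needs Kin, and after A's timer fires it can no longer key this way. HMAC-SHA-256 as the PRF, the node names and the initial key are constructed choices.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # PRF of the slide, instantiated here as HMAC-SHA-256 truncated to 16 bytes (constructed choice)
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

class Node:
    def __init__(self, node_id: bytes, k_in: bytes):
        self.id = node_id
        self.k_in = k_in                      # initial key K_in, kept only until the timer fires
        self.k_node = prf(k_in, node_id)      # node key K_X = PRF(K_in, X), kept for good
        self.pairwise = {}

    def timer_fired(self):
        self.k_in = None                      # step (4): K_in erased, so a later capture of this node yields no K_in

    def on_hello(self, sender_id: bytes) -> bytes:
        # step (2): an already-deployed node needs only its node key: K_XY = PRF(K_X, Y)
        self.pairwise[sender_id] = prf(self.k_node, sender_id)
        return self.id                        # "I'm B"

    def on_reply(self, responder_id: bytes):
        # step (3): the newcomer recomputes the responder's node key from K_in: PRF(PRF(K_in, B), A)
        if self.k_in is None:
            return None                       # discovery window closed
        self.pairwise[responder_id] = prf(prf(self.k_in, responder_id), self.id)
        return self.pairwise[responder_id]

def demo():
    k_in = b"constructed network-wide initial key"
    b = Node(b"B", k_in)
    b.timer_fired()                           # B was deployed earlier and has already erased K_in
    a = Node(b"A", k_in)                      # steps (0) and (1): A sets its timer and says hello
    who = b.on_hello(a.id)
    k_ab = a.on_reply(who)
    agree = k_ab == b.pairwise[a.id]          # both sides hold PRF(PRF(K_in, B), A)
    a.timer_fired()
    late = a.on_reply(b"C")                   # a neighbour heard only after the window cannot be keyed this way
    return agree, late, b.k_in is None
```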
EBS (Exclusion Basis System)
(Figure: table of nodes versus keys, with parameters P and K; 615 key combinations)
Pro: Two nodes always share at least 2K − P keys.
Con: When a node is compromised, more than half of the keys in the key pool are compromised.
75
Components
Key management: key establishment, key refreshment, key revocation
Protocol verification
(The figure numbers these components 1 to 4)
76
Key refreshment
Parallel re-keying: lose the key K, then all past and future keys are exposed
Not suitable for WSNs
Why? The more a key is used, the more it is open to cryptanalytic attacks, birthday attacks etc.
77
Key refreshment
Serial re-keying: preferable because of forward security
$$K_i = \underbrace{PRF(\cdots PRF(PRF(K_0, 0), 0) \cdots, 0)}_{i \text{ times}}$$
Only need to store this: the current key Ki
Lose this, then all future keys are compromised, but past keys are intact
78
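Serial re-keying from this slide beside the parallel scheme from the previous one, as an added Python example (not code from the slides). The serial chain follows the slide exactly, K_i = PRF applied i times to K_0; the parallel form K_i = PRF(K, i) is my assumption of what the slide's "parallel" means, chosen so that every epoch key depends directly on one long-lived master key. `keys_exposed` makes the forward-security claim concrete: from a captured serial node the attacker reproduces only the current and future keys, from a captured parallel node all of them. HMAC-SHA-256 as the PRF and the keys are constructed.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def parallel_key(master: bytes, i: int) -> bytes:
    # Parallel re-keying (assumed form): every K_i is derived directly from the long-lived master key K
    return prf(master, i.to_bytes(4, "big"))

def serial_key(k0: bytes, i: int) -> bytes:
    # Serial re-keying from the slide: K_i = PRF(...PRF(PRF(K_0, 0), 0)..., 0), PRF applied i times
    k = k0
    for _ in range(i):
        k = prf(k, b"\x00")
    return k

class SerialRekeyer:
    """A node stores only the current key; refreshing overwrites it, so K_{i-1} no longer exists on the node."""
    def __init__(self, k0: bytes):
        self.i, self.key = 0, k0

    def refresh(self) -> bytes:
        self.key = prf(self.key, b"\x00")
        self.i += 1
        return self.key

def keys_exposed(scheme: str, leak_epoch: int, n: int, k0: bytes) -> list:
    """Epochs in 1..n whose key an attacker can reproduce from the node state captured at `leak_epoch`."""
    true_keys = {i: (parallel_key(k0, i) if scheme == "parallel" else serial_key(k0, i)) for i in range(1, n + 1)}
    if scheme == "parallel":
        state = k0                                 # a parallel node must keep the master key K
        guesses = {i: parallel_key(state, i) for i in range(1, n + 1)}
    else:
        state = serial_key(k0, leak_epoch)         # a serial node keeps only K_i
        guesses = {i: serial_key(state, i - leak_epoch) for i in range(leak_epoch, n + 1)}  # can only go forward
    return [i for i, k in guesses.items() if true_keys[i] == k]
```

Inverting the PRF is the only route to K_{i−1} from K_i, so the past keys are safe precisely to the extent that the PRF is one-way; this is the property the slide calls forward security.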
Abdalla et al. 2000
Without this scheme, birthday threshold = O(2^(k/2))
With this scheme, a session key can be refreshed O(2^(k/3)) times
Each time, a session key has a birthday threshold of O(2^(k/3))
The final birthday threshold is O(2^(k/3)) × O(2^(k/3)) = O(2^(2k/3))
79
Which keys to revoke?
When A is compromised:
Global broadcast keys: B, C, D, E need to have their copies of KS_global replaced
Local broadcast keys: B, C, D, E need to purge KA_cluster and KA_chain; B needs to re-generate and re-distribute KB_cluster and KB_chain; similarly for C, D, E
Big picture (figure): base station S holds KS_global and KS_chain; nodes B, C, D, E each hold their own cluster key and chain key (KB_cluster, KB_chain, and so on) together with KS_global and KS_chain; A is the compromised node
81
Strategy
(Figure: gateway)
82
Re-keying unicast keys
If using polynomial-based or matrix-based RKP or LEAP+, do nothing
If using symmetric-key-based RKP, re-keying is desirable but can be done without
If using EBS, re-keying is a must
Big picture (figure): the same network as before, with compromised node A, base station S and nodes B, C, D, E holding their cluster and chain keys
83
Re-keying local broadcast keys
84
Re-keying global broadcast keys
New global key is propagated from the base station in two stages:
(1) The hash of the key is propagated
(2) Then the key itself
Over each hop, the key is protected by a cluster key and a cluster key chain
85
Part Two Conclusion
Securing local broadcasts is generally too expensive for the current generation of nodes
The priority is to secure query broadcasts, data convergecasts and neighbour-to-neighbour unicasts
This means a node should minimally store:
a unique key shared with the base station
a μTESLA commitment distributed by the base station
a global key
a set of pairwise keys, each of which is shared with a different neighbour
Periodic key refreshment should be made a standard practice (the global key is used most often)
Always verify protocols
86
Thank y'all / Dank u / Danke / Grazie / Mulțumesc / Dziękuję / Köszönöm / Teşekkürler / Shukran / धन्यवाद / 谢谢