1 Dr. Peng Ning CSC 774 Adv. Net. Security 1 Computer Science CSC 774 Advanced Network Security Topic 6. Random Key Pre-Distribution in Wireless Sensor Networks Dr. Peng Ning CSC 774 Adv. Net. Security 2 Computer Science Wireless Sensor Networks sensor Communication and processing module 1. Network protocol (e.g., routing) 2. Data management (e.g., aggregation) 3. Localization and time synchronization 4. Energy management, robustness,etc. 5. Security Node to node Node to sink Group communication a. Key management b. Broadcast authentication Location? c. Security of fundamental services d. Detection of attacks, etc.
25
Embed
CSC 774 Advanced Network Security - Nc State Universitydiscovery.csc.ncsu.edu/Courses/csc774-S07/T06_RandomKPD.ppt.pdf · 1 Dr. Peng Ning CSC 774 Adv. Net. Security 1 Computer Science
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1
Dr. Peng Ning CSC 774 Adv. Net. Security 1
Computer Science
CSC 774 Advanced Network Security
Topic 6. Random Key Pre-Distribution inWireless Sensor Networks
Dr. Peng NingCSC 774 Adv. Net. Security 2Computer Science
Wireless Sensor Networks
sensor
Communicationand processing
module
1. Network protocol (e.g., routing)2. Data management (e.g., aggregation)3. Localization and time synchronization4. Energy management, robustness,etc.5. Security
Node to node
Node to sink Group communication
a. Key managementb. Broadcast authentication
Location?
c. Security of fundamental servicesd. Detection of attacks, etc.
2
Dr. Peng NingCSC 774 Adv. Net. Security 3Computer Science
Wireless Sensor Networks (Cont’d)
• Composed of– Low cost, low power, and multifunctional nodes– Wireless communication in short distances
• Sensor node– Sensing– Data processing– Communication– Unattended
Dr. Peng NingCSC 774 Adv. Net. Security 4Computer Science
• For each key on a key ring, each node broadcasts a list– α, EKi(α), i= 1, …, k, where α is a challenge
• If a node receives this list, it tries to decrypt each cipher-text with every key it has
• The node establishes a shared key if it can successfullydecrypt a cipher-text
8
Dr. Peng NingCSC 774 Adv. Net. Security 15Computer Science
Probabilistic Key Pre-Distribution (Cont’d)
• Path-key establishment– Assign a path-key to selected pairs of nodes that
• Are in wireless communication range• Do not share a common key• But are connected by two or more links at the end of
shared-key discovery– Established through those links
Dr. Peng NingCSC 774 Adv. Net. Security 16Computer Science
Probabilistic Key Pre-Distribution (Cont’d)
• Revocation– Revoke the entire key ring of a compromised node– A controller node broadcasts a single revocation
message containing a signed list of key ids for therevoked key ring
• The controller generates a signature key Ke, and unicastsit to each node by encrypting it with the key they share.
– Each node verifies the signed list of key ids, andremoves those keys from its key ring
9
Dr. Peng NingCSC 774 Adv. Net. Security 17Computer Science
Probabilistic Key Pre-Distribution (Cont’d)
• Re-keying– Restart shared-key discovery and path-key
discovery
Dr. Peng NingCSC 774 Adv. Net. Security 18Computer Science
Analysis
• Model a sensor network as a random graph– All the sensor nodes are the vertices in the graph– There is an edge between two vertices if the corresponding
nodes share a common key• Analysis questions
– What should be the expected degree (d) of a node so that asensor network with n nodes is connected?
– Given d and the size of a neighborhood (n’), what should bethe key ring size (k) and key pool size (P) for a networkwith n nodes?
10
Dr. Peng NingCSC 774 Adv. Net. Security 19Computer Science
Analysis (Cont’d)
• What should be the expected degree (d) of a node so that asensor network with n nodes is connected?– Answered by random graph theory– G(n, p): a graph of n nodes for which the probability that a link exists
between two nodes is p.– d = p * (n-1): expected degree of a node (i.e. the average number of
edges connecting that node with its neighbors).• Erdös and Rényi’s Equation:
– Given a desired probability Pc for graph connectivity and number ofnodes, n, the threshold function p is defined by:
– where
!
Pc = limn"#
Pr[G(n, p) is connect] = e$e
$ c
!
p =ln(n)
n+c
n and c is any real constant.
Dr. Peng NingCSC 774 Adv. Net. Security 20Computer Science
Analysis (Cont’d)
11
Dr. Peng NingCSC 774 Adv. Net. Security 21Computer Science
Analysis (Cont’d)
• Given d and the size of a neighborhood (n’), what should bethe key ring size (k) and key pool size (P) for a network with nnodes?– p’: probability of sharing a key between any two nodes in a
neighborhood (p’=d/(n’-1))– p’ = 1 − Pr[two nodes do not share any key]
• Simplify with Stirling’s approximation
!
p'=1"((P " k)!)
2
(P " 2k)!P!
!
n!" 2# nn+1
2e$n
!
p'=1"(1" k
P)2(P"k+
1
2)
(1" 2kP)(P"2k+
1
2)
Dr. Peng NingCSC 774 Adv. Net. Security 22Computer Science
Analysis (Cont’d)
12
Dr. Peng NingCSC 774 Adv. Net. Security 23Computer Science
Improvements for the Probabilistic KeyPre-Distribution• q-composite key pre-distribution
– Two nodes have to have at least q shared keys toderive a valid pairwise key
– Better resilience when the number of compromisednodes is small
• Multi-path enforcement– Derive each path key through multiple node-
disjoint paths, each of which derives one sub-key– Path key is the XOR of all sub keys– Better resilience to compromised nodes in key
paths
Dr. Peng NingCSC 774 Adv. Net. Security 24Computer Science
Random Pairwise Keys Scheme
• Approach– Calculate the smallest probability p of two nodes
being connected so that the entire network isconnected with a high probability.
– Consider a network of n nodes– Each node needs to store np pairwise keys
• Limitation– The network size is limited by n=m/p, where m is
the available memory on each node for keys
13
Dr. Peng Ning CSC 774 Adv. Net. Security 25
Computer Science
Polynomial Pool Based KeyPre-Distribution
Dr. Peng NingCSC 774 Adv. Net. Security 26Computer Science
Outline
• Background– Polynomial based key predistribution
• A framework for key predistribution in sensornetworks– Polynomial pool based key predistribution
• Two efficient key predistribution schemes– Random subset assignment– Grid based key predistribution
• Efficient implementation in sensor networks• Conclusion and future work
14
Dr. Peng NingCSC 774 Adv. Net. Security 27Computer Science
Polynomial Based Key Predistribution
• By Blundo et al. [CRYPTO ‘92]– Developed for group key predistribution– We consider the special case of pairwise key predistribution
• Predistribution:– The setup server randomly generates
where f (x,y) = f (y, x)– Each sensor i is given a polynomial share f(i, y)
• Key establishment:– Node i computes f (i, y = j) = f (i, j)– Node j computes f (j, y =i) = f (j, i) = f (i, j)
!
f (x,y) = aij xiyj
i, j= 0
t
" ,
Dr. Peng NingCSC 774 Adv. Net. Security 28Computer Science
Polynomial Based Key Predistribution(Cont’d)• Security properties (by Blundo et al.)
– Unconditionally secure for up to t compromised nodes• Performance
– Storage overhead at sensors: (t +1)log q bits– Computational overhead at sensors: t modular
multiplications and t modular additions– No communication overhead
• Limitation – Insecure when more than t sensors are compromised– An invitation for node compromise attacks
15
Dr. Peng NingCSC 774 Adv. Net. Security 29Computer Science
Polynomial Pool Based Key Predistribution
• A general framework for key predistributionbased on bivariate polynomials– Let us use multiple polynomials
• A pool of randomly generated bivariatepolynomials
• Two special cases– One polynomial in the polynomial pool
• Polynomial based key predistribution– All polynomials are 0-degree ones
• Key pool by Eschenauer and Gligor
Dr. Peng NingCSC 774 Adv. Net. Security 30Computer Science
f1(x,y), f2(x,y), …, fn(x,y)
Random polynomial poolF
A subset: {fj(i, y), …, fk(i, y)}
i
Polynomial Pool Based Key Predistribution(Cont’d)• Phase 1: Setup
– Randomly generates a set F of bivariate t-degreepolynomials
– Subset assignment: Assign a subset of polynomials in F toeach sensor
16
Dr. Peng NingCSC 774 Adv. Net. Security 31Computer Science
Polynomial Pool Based Key Predistribution(Cont’d)• Phase 2: Direct Key Establishment
– Polynomial share discovery: Communicating sensorsdiscover if they share a common polynomial
• Pairwise keys can be derived if they share a commonpolynomial.
– Two approaches:• Predistribution:
– Given predistributed information, a sensor candecide if it can establish a direct pairwise key withanother sensor.
• Real-time discovery:– Sensors discover on the fly if they can establish a
direct pairwise key.
Dr. Peng NingCSC 774 Adv. Net. Security 32Computer Science
Polynomial Pool Based Key Predistribution(Cont’d)• Phase 3: Path Key Establishment
– Establish pairwise keys through other sensors if twosensors cannot establish a common key directly
– Path discovery• Node i finds a sequence of nodes between itself and node j such
that two adjacent nodes can establish a key directly• Key path: the above sequence of nodes between i and j
– Two approaches• Predistribution
– Node i can find a key path to node j based on predistributedinformation
• Real-time discovery– Node i discover a key path to node j on the fly
17
Dr. Peng NingCSC 774 Adv. Net. Security 33Computer Science
Random Subset Assignment Scheme
• An instantiation of the polynomial pool-basedkey predistribution.
• Subset assignment: random
f1(x,y), f2(x,y), …, fn(x,y)
Random polynomial poolF
A random subset: {fj(i, y), …, fk(i, y)}
i
Dr. Peng NingCSC 774 Adv. Net. Security 34Computer Science
Random Subset Assignment (Cont’d)
• Polynomial share discovery– Real-time discovery
i
fj, …, fk
Broadcast IDs in clear text. Broadcast a list of challenges.
i
α, Ekv(α), v = 1, …, m.
18
Dr. Peng NingCSC 774 Adv. Net. Security 35Computer Science
Random Subset Assignment (Cont’d)
• Path discovery– i and j use k as a KDC– Alternatively, i contacts nodes with which it shares a key;
any node that also shares a key with j replies.– Each key path has 2 hops
i j
k
Dr. Peng NingCSC 774 Adv. Net. Security 36Computer Science
0
0.2
0.4
0.6
0.8
1
1.2
0 10 20 30 40 50 60 70 80 90
s
p
s'=2 s'=3 s'=4 s'=5
Probability of Sharing Direct Keys betweenSensors
• s: polynomial pool size• s’: number of polynomial shares for each sensor• p: probability of sharing a polynomial between two sensors
19
Dr. Peng NingCSC 774 Adv. Net. Security 37Computer Science
Probability of Sharing Keys betweenSensors
0
0.2
0.4
0.6
0.8
1
1.2
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
p
Ps
d=20 d=40 d=60 d=80 d=100
• d: number of neighbors• p: probability that two sensors share a polynomial• ps: probability of sharing a common keyNote: each key path is at most two hops
Dr. Peng NingCSC 774 Adv. Net. Security 38Computer Science
• Comparison with basic probability and q-composite schemes– Probability to establish direct keys p = 0.33– Each sensor has storage equivalent to 200 keys
20
Dr. Peng NingCSC 774 Adv. Net. Security 39Computer Science
Dealing with Compromised Sensors(Cont’d)
0
0.2
0.4
0.6
0.8
1
1.2
0 500 1000 1500 2000 2500 3000 3500 4000
Maximum supported network size
Pro
bab
ilit
y o
f sh
ari
ng
a c
om
mo
n
key
RS(s'=2,t=99) RS(s'=6,t=32) RS(s'=10,t=19) Random pairwise keys
• Comparison with random pairwise keys scheme– Assume perfect security against node compromises
• Each polynomial is used at most t times in our scheme– Each sensor has storage equivalent to 200 keys
Dr. Peng NingCSC 774 Adv. Net. Security 40Computer Science
Grid Based Key Predistribution• Create a m×m grid• Each row or column is
assigned a polynomial• Assign each sensor to an
interaction• Assign each sensor the
polynomials for the rowand the column of itsintersection– Sensor ID: coordinate
• There are multiple waysfor any two sensors toestablish a pairwise key
21
Dr. Peng NingCSC 774 Adv. Net. Security 41Computer Science
Grid Based Key Predistribution (Cont’d)
• Order of node assignment
Dr. Peng NingCSC 774 Adv. Net. Security 42Computer Science
Grid Based Key Predistribution (Cont’d)
• Polynomial share discovery– No communication overhead
Same row
Same column
22
Dr. Peng NingCSC 774 Adv. Net. Security 43Computer Science
Grid Key Predistribution (Cont’d)
• Path discovery– Real-time discovery– Paths with one
intermediate node– Paths with two
intermediate nodes– They know who to
contact!
Dr. Peng NingCSC 774 Adv. Net. Security 44Computer Science
Properties
1. Any two sensors can establish a pairwise key whenthere is no compromised node;
2. Even if some sensors are compromised, there is stilla high probability to establish a pairwise keybetween non-compromised sensors;
3. A sensor can directly determine whether it canestablish a pairwise key with another node.
23
Dr. Peng NingCSC 774 Adv. Net. Security 45Computer Science
• Comparison with basic probabilistic scheme, q-compositescheme, and random subset assignment scheme– Assume each sensor has storage equivalent to 200 keys
Dr. Peng NingCSC 774 Adv. Net. Security 46Computer Science
Dealing with Compromised Sensors (Cont’d)
0
0.2
0.4
0.6
0.8
1
1.2
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
Fraction of compromised nodes
Pro
bab
ilit
y t
o e
sta
blish
pair
wis
e
keys
d=1 d=3 d=5
d=7 d=9
• Probability to establish pairwise keys when there arecompromised sensors– d: number of non-compromised sensors to contact– Assume each sensor has storage equivalent to 200 keys
24
Dr. Peng NingCSC 774 Adv. Net. Security 47Computer Science
Implementation
• Observations– Sensor IDs are chosen from a field much smaller than cryptographic
keys• Field for cryptographic keys: Fq• Field for sensor IDs: Fq’
– Special fields: q’=216+1, q’ = 28+1• No division operation is needed for modular multiplications
l bits each
f1(i,y) f2(i,y) fr(i,y)
Sensor ID j
Key: n bits
Polynomials over Fq’ Same storage as 1 polynomial over Fq
Dr. Peng NingCSC 774 Adv. Net. Security 48Computer Science
Implementation (Cont’d)
• Lemma 1. In this implementation, the entropy of thekey for a coalition of no more than t other sensors is
where and .• Examples
– 64 bit keys– When q’=216+1, the above entropy is 63.9997 bits– When q’ = 28+1, the above entropy is 63.983 bits
!
r " [log2 q'#(2 #2l+1
q')]
!
l = log2 q'" #
!
r =n
l
"
# # $
% %
25
Dr. Peng NingCSC 774 Adv. Net. Security 49Computer Science
TinyKeyMan
• Polynomial pool based key pre-distribution onTinyOS– http://discovery.csc.ncsu.edu/software/TinyKeyMan/