Random Key Predistribution Schemes for Sensor Networks

Random Key Predistribution Schemes for Sensor Networks

Random Key Predistribution Schemes for Sensor NetworksAuthors: H. Chan, A. Perrig, and D. SongCarnegie Mellon University

Presented by: Yuliya OlmoApril 13, 20091Paper at a GlanceThree key bootstrapping protocols for large sensor networksAlternatives to public key cryptosystemsEach protocol trades a different drawback in exchange for the security it provides

2OutlineBackgroundSensor networks overviewRelated workBasic TechniquesProposed solution (three schemes)Random pairwise keys schemeQ-composite keys schemeMultipath key reinforcement schemeFuture directionsConclusions3Wireless Sensors

Berkeley (Mica) Motes

Spec Motes4MotesMica Mote: Processor: 4MhzMemory: 128KB Flash and 4KB RAMRadio: 916Mhz and 40Kbits/second.Transmission range: 100 FeetTinyOS operating System: small, open source and energy efficient.Features: Self-organizing set of small battery operated sensors (1000+ total), communicating via wireless medium (~20 neighbors within range)

5Wireless Sensor Networks (WSN)

DeploySensors6Applications of WSNBattle ground surveillanceEnemy movement (tanks, soldiers, etc)Environmental monitoringHabitat monitoring (deer, ducks)Forrest fire monitoring, pollution monitoringHospital tracking systemsTracking patients, doctors, drug administrators.Data collectionTire pressure sensor in a carTemperature in a buildingMany more

7Why security?Protecting confidentiality, integrity, and availability of the communications and computationsSensor networks are vulnerable to security attacks due to the broadcast nature of transmissionSensor nodes can be physically captured or destroyed

8BootstrappingBootstrapping in generalInitialization processCreating something from nothingBootstrapping in WSN Initialize/preload some secret material pre-distribution (prior to contact)Secure communication for the whole network Especially challenging because of the limitations of sensor networks:Constrained resourcesPhysical vulnerabilityUnpredictability of future configurationsTemptation to rely on base stations9Related WorkPreviously proposed solutions often depend on: Asymmetric cryptographyArbitration by base stations (SPINS)Preloading a set of keys before deploymentSome assume that attackers do not arrive until after key exchange (previous paper)10What is a Good Scheme?Guarantee future secure node-to-node communicationPrevent unauthorized accessNot rely on base stations for decision makingAllow addition of nodes after initial network setupNot make assumptions about which nodes will be within communication range of each otherResource-efficient and robust to DoS attacks

11Evaluation MetricsResilience against node captureHow many misbehaving nodes can be tolerated Resistance against node replicationHow to deal with duplicatesRevocation of misbehaving nodesHow to tell if a node is gone wildScalabilityWhat is the maximum supportable network size12The Basic Scheme13The Basic SchemeThree phases of operation:InitializationBefore nodes are deployedKey setupEstablish a secret with (some of ) the nodes in communication rangeGraph connection Establish secure communication between any two given nodes.14The Basic Scheme InitializationEschenauer and GligorPick a random key pool SFor each node, randomly select m keys from S (this is the nodes key ring)Associate IDs with every keyThe size of S is chosen so that two key rings will share at least one key with probability pAny two nodes can find a common/shared key in their key rings to initiate secure communication with any other node with probability p15The Basic Scheme Key SetupKey discovery: nodes search for neighbors that share a keyBroadcast short IDs assigned to each key prior to deployment (set of IDs)Find neighbors that have the same ID in their set (have the same key in the key ring)Keys verified through challenge-responseThe shared key becomes the key for that link16The Basic Scheme Graph ConnectionForm a connected graph of secure linksHow to ensure the graph is connected? (Erdos , Renyi) -- given number of nodes and probability of any two nodes being connectedNodes then set up path keys with any unconnected neighbors through existing secure pathsReformulate the problem (Eschenauer and Gligor) given number of nodes, what is connection degree of individual nodes to ensure graph is connected# of secure links a node must establish during key setup (degree, d) to form a connected graph of size n with probability c is:d = [(n-1)/n][log(n) log(-log(c))]d = O(log n)

17The Basic Scheme Graph ConnectionThe probability, p, that two nodes successfully connect isp = d/nwhere n is the expected number of neighbor nodes within communication range of ASince connection is probabilistic (plus geometry of space and obstacles), there is a chance the graph is partially connectedWays of detecting the graph is not fully connectedWays of recovering (e.g. range extension)18Extensions of the Basic Schemeq-composite Random Key Pre-distributionLarge-scale attacks are unlikely (infeasible)Strengthen the scheme against small-scale attacksMultipath Key ReinforcementStrengthen security between any two nodes by using existing (established) secure linksAttacker has to compromise too many nodes to assure any given communication is compromisedRandom Pairwise KeysIf any node is captured, the rest are still secureQuorum based revocation without base station19q-composite Random Key Predistribution Scheme20q-composite SchemeInstead of one key, a pair of nodes must share q (q > 1) keys to establish a secure linkImplication 1 (attacker): By increasing the amount of key overlap required for key-setup, the resilience of the network against node capture is increased Implication 2(network setup): Key pool must be shrunk in order to maintain probability p of two nodes sharing enough keysImplication 3 (attacker): fewer captured nodes required to gain a larger sample of S21Initialization and Key SetupSimilar to basic schemeEach node has m keys on key ringTwo nodes must discover at least q common keys in order to connectBroadcasting IDs (like in basic scheme)is dangerous: a casual eavesdropper can identify the key sets of all the nodes in a network and thus pick an optimal set of nodes to compromise in order to discover a large subset of the key pool S.Client Merkle puzzles: each node issues m puzzles for every key, only nodes who have the key can solve itBefore connecting, a new key is created as a hash of the q shared keys22Calculation of the key pool sizep(i) probability of any two nodes have exactly i keys in common( ) number of ways to pick m keys from the pool size |S|; total number of ways for both nodes to pick m keys eachThere are ways to pick the i common keys; this leaves 2 (m-i) keys (in both key rings) to choose the remaining keys

23Calculation of the key pool sizep(i) probability of any two nodes have exactly i keys in common

P_connect probability of any two nodes sharing sufficient keys (i = q)

Choose the largest |S| such that p_connect >p, where p is minimum connection probability

2424Evaluation at a glanceMuch harder for an attacker with a given key set to eavesdrop on a link

Necessary reduction in key pool size makes large-scale attacks even more powerful25Evaluation

Compromising a given # of nodes is more damagingHarder to compromise nodes, however26Evaluation

Creates an incentive for large-scale attack: fraction is compromised all are compromisedRemoves the incentive for small scale attacks: too little information is obtained27Multipath Key Reinforcement Scheme28Multipath Key Reinforcement SchemeInitialization and key setup as in basic schemeKey update over multiple independent paths between nodesKey update is damage control in the event that other nodes are capturedWorks good in conjunction with the basic scheme, but not q-composite scheme29Multipath Key Reinforcement SchemeA has a secure link to B after key setup (single key k from the pool S)Key k can be in the key ring of some other nodes, let us say node CIf C is compromised, the secure link between A and B is jeopardized. Solution: update communication key to a random value after key setup.

30Multipath Key Reinforcement SchemeSolution: update communication key to a random value after key setup.Cannot use the direct link between A and BSo update using multiple independent pathsA knows all paths to B within h hops (lets say j paths); the same is true for BChoose disjoint paths, i.e. no links in common (lets say i paths)Send random values v1, v2, vi along the pathsReassamble at B

31EvaluationBetter resistance against node captureAdversary has to eavesdrop on all pathsThe longer the path, the higher the probability it can be eavesdroppedSignificantly higher maximum network sizeComes at cost of greater communication overhead

32Random Pairwise Keys Scheme33Random Pairwise Keys SchemeKey feature is node-to-node identity authenticationAbility to verify node identities opens up several security featuresPerfect resilience against node captureResilience against node replicationDistributed node revocation34The BasicsSensor network of n nodesPairwise scheme:Each node holds n-1 keysEach key is shared with exactly one other nodeRandom pairwise scheme:Not all n-1 keys are needed for a connected graphOnly random set of np pariwise keys are needed to connect with probability p (Erdos, Renyi calculated the smallest p, s.t. the entire graph is connected with high probability c)35Notationn# of unique node IDsmkeys on each nodes key ringpProbability of two nodes connectingn = m/pMaximum supportable network size36InitializationEach node ID pairs with m other random & distinct node IDs; n = m/p unique identifiersUnused IDs can be used later to extend the networkEach pair is assigned a keyNodes store key-ID pairs on key rings; they also store ID of the other node who knows that keyA holds some key k; A also holds the identity of the node that also has the same key k, lets call it BThus, if k is used in communication, both nodes know who they are talking to because nobody else holds the key k.37Key SetupNode IDs are broadcast to immediate neighborsSearch for other nodes ID in the key ring Find the nodes with whom they share a pairwise keyVerified through cryptographic handshake38Distributed Node RevocationFaster than relying on base stationsPublic votes are broadcast against compromised nodesPublic since identities of the nodes are knownOffending node is cut off when votes reach threshold Base station relays this information to a secure location (possible node replacement)39Scheme RequirementsCompromised nodes cant revoke arbitrary nodesVoting members or who can vote against node ANo vote spoofingLegitimate node A cannot pretend to be legit node BVerifiable vote validityVotes have no replay valueNot vulnerable to DoS40The Voting ProcessA nodes voting members are those that share a pairwise key with itExactly m nodesAll voting members are assigned a voting keyVotes are verified through a Merkle treeCompact data structure (partial information only)Voting members keep track of votes received up to a threshold t41Voting ThresholdIf too highA node may not have enough voting members to be revokedIf too lowEasy for a group of compromised nodes to revoke many legitimate nodesSubtle consequenceEvery node has to have t (value of threshold) neighbors in order to be revoked42Resisting Revocation AttacksEach node can cast a vote against m other nodesAttacker compromises a small fixed number of nodesThey revoke a significant proportion of the network, regardless of the network size.Solution: only nodes that established direct communication can revokeNode Bs revocation key for node A must be activated before useHashed with secret value known only by AA gives B its secret value only after the two establish communicationOther DoS attacks are more practical43Resistance to Node Replication and Node GenerationPlace a cap, dmax , on the degree of a nodedmax is some small multiple of dNodes keep track of degree and node IDs using same method as vote countingSo now we need to memorize dmax Do not need to be precise though; network is expected to be heavily connected44Evaluation, Cont.Resistance to revocation attackSmall number of compromised nodes only compromises a small portion of communicationsCompromising large number of nodes is not economicalPerfect resilience against node captureAll pairwise keys are unique, so capturing one node reveals no information about communications outside of the compromised nodes45SummaryThree efficient schemes for secure key bootstrappingEach scheme has trade-offsq-composite: good for small attacks, bad for largeMultipath-reinforcement: improved security, more communication overheadRandom pairwise: max. network size is smaller, but offers best security46

47