Wireless Sensor Network Security: The State of the Art

Credit: Yee Wei Law
The University of Melbourne
Roadmap
- Primer to cryptography and WSNs
  - Information assurance: protection, detection, reaction
- Secure data aggregation
- Key management
- Other areas:
  - secure remote reprogramming
  - secure localization
  - energy-efficient jamming attacks
Introduction to security
- Security threats: either somebody wants to steal something from you (information security) or sabotage you (operation security)

Information assurance
- Information assurance (IA) is a set of measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Primitives
- Security objectives: confidentiality, integrity, authentication, non-repudiation
- Encryption / decryption
  - Symmetric-key: E(K, M) / D(K, M)
  - Asymmetric-key: E(PK, M) / D(SK, M)
- Signature / verification
  - Symmetric-key: message authentication code (MAC), denoted MAC(K, M)
  - Asymmetric-key: digital signature, denoted Sign(SK, M) / Ver(PK, M)
Notation: public key = PK, private key = SK

Common usage
Use different keys for encryption and authentication:
- E(K1, M) || MAC(K2, E(K1, M))
  E(K1, M) provides confidentiality; the MAC under K2, computed over the ciphertext, provides integrity and authentication
- E(K1, M) || Sign(SK, h(E(K1, M)))
  E(K1, M) provides confidentiality; the signature provides integrity, authentication and non-repudiation (signing on the hash is more efficient than signing the whole ciphertext)
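The first construction above, E(K1, M) || MAC(K2, E(K1, M)), as an added worked example (not code from the slides). It uses Python's standard library only; since the standard library has no block cipher, E() is stood in for by a constructed keystream derived with HMAC-SHA256 from K1 and a per-message nonce, which is an assumption of this example and not a recommended cipher. The point it shows is the order of operations: the MAC is computed over the ciphertext with a separate key, and the receiver verifies the MAC in constant time before it decrypts anything.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for a stream cipher: counter-mode HMAC-SHA256 keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(k1: bytes, nonce: bytes, message: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(message, keystream(k1, nonce, len(message))))

decrypt = encrypt  # XOR with the same keystream inverts the operation

def protect(k1: bytes, k2: bytes, message: bytes) -> bytes:
    """E(K1, M) || MAC(K2, E(K1, M)). The nonce travels in the clear in front of the
    ciphertext and is covered by the MAC, so it cannot be swapped undetected."""
    nonce = os.urandom(12)
    c = nonce + encrypt(k1, nonce, message)
    tag = hmac.new(k2, c, hashlib.sha256).digest()
    return c + tag

def unprotect(k1: bytes, k2: bytes, packet: bytes):
    """Verify the MAC first, then decrypt. Returns None on any failure."""
    if len(packet) < 12 + 32:
        return None
    c, tag = packet[:-32], packet[-32:]
    expected = hmac.new(k2, c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None
    nonce, body = c[:12], c[12:]
    return decrypt(k1, nonce, body)

def demo():
    """Round trip of a constructed reading, then a one-bit ciphertext change that must fail."""
    k1, k2 = os.urandom(16), os.urandom(16)         # separate keys for E and MAC
    m = b"temperature=21.5"
    pkt = protect(k1, k2, m)
    ok = unprotect(k1, k2, pkt)
    tampered = bytearray(pkt)
    tampered[12] ^= 0x01                            # first ciphertext byte after the nonce
    bad = unprotect(k1, k2, bytes(tampered))
    return ok, bad
```

Because the MAC is checked before decryption, a modified or truncated packet is dropped without ever feeding attacker-controlled bytes into the decryption routine.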
Challenges in WSNs
Constraint                                  → Implication
Sensor node hardware, resource constraints  → Algorithms must be energy- and storage-efficient
Nodes operate unattended                    → Adversary can compromise any node
Nodes not tamper-resistant                  → Adversary can compromise any node's keys
No fixed infrastructure                     → Cannot assume any special-function node in the vicinity
No pre-configured topology                  → Nodes don't know their neighbours in advance
Communicate in an open medium               → Communications are world-readable and world-writeable by default
Security design principles
- Favour computation over communication
  - Communication is 1000 times more energy-consuming than computation
- Minimal public-key crypto
  - Tate pairing costs 5 s (54 mJ) on a Tmote Sky (fastest recorded by [Szczechowiak et al. 08])
- Favour resilience (tolerance) over absolute security
  - Strength in numbers
Part One: Secure data aggregation

Data aggregation
(Figure: readings are aggregated at each hop on the way to the sink.)
Purposes:
(1) Save bandwidth (limited data rate)
(2) Save energy (limited energy)
This is the reason why we put a processor on every node in the first place.

Phase 1: Query dissemination
Sample query:
SELECT AVERAGE(temperature) FROM sensors
WHERE floor = 6
EPOCH DURATION 30s

Phase 2: Data aggregation
(Figure: each intermediate node aggregates the data it receives before forwarding.)
Types of aggregation:
(1) basic aggregation, (2) data compression, (3) parameter estimation

Phase 3: Result verification (optional)
(Figure: the sink asks each source "Did you really report this?")
Security goals of data aggregation
- Robustness: Byzantine corruption of data would not make the aggregation result totally meaningless
  (Figure: the sources report 1000, 3, 1 and 2 and the sink performs averaging: "So the average is 251.5… oh wait a minute")
- Confidentiality: to ensure that other than the sink and the sources, no intermediate node should have knowledge of the raw data or the aggregation result
  (Figure: a forwarding node: "What the hell am I forwarding?"; an aggregating node: "What the hell am I aggregating?")

Securing data aggregation: multipronged defence
(Figure: four numbered defence prongs, 1 to 4, covered in turn below.)
Resilient aggregation
- Objective: to bound the effect of data corruption
- Corruption can be arbitrary (Byzantine)
- By convention, we denote the number of corruptions as k
- Methods:
  - Robust statistics (1-hop networks)
  - RANBAR (1-hop networks)
  - Quantiles aggregation (multi-hop networks)
Robust statistics
Say an aggregation function is actually an estimator.
Say we are estimating a parameter Θ and there are k rogue nodes.
An aggregation function is (k, α)-resilient if
  rms*(Θ̂, k) ≤ α · rms(Θ̂)
That is, the RMS error as a result of k corruptions must be bounded by a constant factor α of the original RMS error.
We win if we can limit α.
The attacker wins if he manages to unbound α.

Examples of (k, α)-resilient aggregation functions
Non-resilient example: the average. (Figure: readings x1, x2, x3, x4 with average y; replacing x4 by x4 + Δ moves the average to y' = y + Δ, so rms(y') > rms(y) without bound.)
Resilient examples:
Aggregation function                               | Resilience α                  | Breakdown point ε*
Sample median wrt Gaussian distribution            | 1 + 2(k/n)², if k ≪ n         | 0.5
5%-trimmed average wrt Gaussian distribution       | 1 + 6.278 k/n, if k < 0.05n   | 0.05
[l, u]-truncated average wrt Gaussian distribution | 1 + (u − l)/σ · k/n           | Not applicable
Count wrt Bernoulli distribution with parameter p  | 1 + k²/[np(1 − p)]            | Not applicable
RANBAR
- Based on RANdom SAmple Consensus, which originates in computer vision (hence the name RANBAR = RANsac-Based AggRegation [Buttyán et al. 06])
- Step 1: Use as few samples as possible to determine a preliminary model
- Step 2: Use the preliminary model to identify samples that are consistent with the model
- Step 3: Refine the model with all the samples that are found to be consistent
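Robust statistics and RANBAR side by side, as an added experiment that is not part of the slides: n Gaussian readings (constructed, parameter Θ = 20) with k of them replaced by an attacker-chosen value, and for each aggregation function the measured factor α = rms*(Θ̂, k) / rms(Θ̂). The median, trimmed and truncated averages are the ones from the table; the RANBAR routine is an assumed simplified form of the three steps listed above (mean of a few random samples as the preliminary model, a fixed tolerance for consistency, mean of the largest consistent set as the refined model), not the published algorithm.

```python
import random
import statistics

def average(xs):
    return sum(xs) / len(xs)

def median(xs):
    return statistics.median(xs)

def trimmed_average(xs, frac=0.05):
    """frac-trimmed average: drop the lowest and highest frac of the sorted sample, then average."""
    s = sorted(xs)
    cut = int(len(s) * frac)
    core = s[cut:len(s) - cut]
    return sum(core) / len(core)

def truncated_average(xs, lo, hi):
    """[l, u]-truncated average: clamp every reading into [lo, hi] before averaging."""
    return sum(min(max(x, lo), hi) for x in xs) / len(xs)

def ranbar(xs, rng, tolerance, rounds=20, seed_size=3):
    """Assumed simplified RANBAR: (1) a few random samples give a preliminary model, their
    mean; (2) samples within `tolerance` of it form the consistent set; (3) the model is
    refined as the mean of the largest consistent set found over all rounds."""
    best = []
    for _ in range(rounds):
        seed = rng.sample(xs, seed_size)
        preliminary = sum(seed) / seed_size
        consistent = [x for x in xs if abs(x - preliminary) <= tolerance]
        if len(consistent) > len(best):
            best = consistent
    return sum(best) / len(best) if best else average(xs)

def corrupt(xs, k, value):
    """Byzantine corruption: k readings are replaced by an arbitrary attacker-chosen value."""
    return [value] * k + xs[k:]

def rms_error(estimator, draw_sample, true_theta, trials):
    err2 = sum((estimator(draw_sample()) - true_theta) ** 2 for _ in range(trials))
    return (err2 / trials) ** 0.5

def experiment(n=100, k=5, sigma=1.0, trials=200, attack_value=1000.0, seed=1):
    """alpha = rms*(theta_hat, k) / rms(theta_hat) per aggregation function;
    readings ~ Gaussian(theta, sigma) (constructed), k of them corrupted."""
    rng = random.Random(seed)
    theta = 20.0
    clean = lambda: [rng.gauss(theta, sigma) for _ in range(n)]
    attacked = lambda: corrupt(clean(), k, attack_value)
    estimators = {
        "average": average,
        "median": median,
        "5%-trimmed": trimmed_average,
        "[15,25]-truncated": lambda xs: truncated_average(xs, 15.0, 25.0),
        "ranbar": lambda xs: ranbar(xs, rng, tolerance=3 * sigma),
    }
    alpha = {}
    for name, est in estimators.items():
        alpha[name] = rms_error(est, attacked, theta, trials) / rms_error(est, clean, theta, trials)
    return alpha

if __name__ == "__main__":
    for name, a in experiment().items():
        print(f"{name:20s} alpha = {a:8.2f}")
```

With k = 5 corruptions out of n = 100, the average's α runs into the hundreds (it grows without bound as the attack value grows), while the four resilient functions stay within a small constant factor of their clean error.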
Quantiles aggregation (extending resilient aggregation to multihop)
(Figure: a multihop tree in which every node forwards the median of the values it receives; the sink ends up with a median of medians, whereas the actual median of all readings is 3.)
This approach suggests that instead of taking a median every hop on the way, we should compress the data judiciously at each hop.

Quantiles aggregation: q-digest
(Figure: a binary tree over the value range; the tree nodes are numbered and each node carries a count.)
Rules for deriving a q-digest:
Rule (A): count(node) + count(parent) + count(siblings) ≥ n/k + 1
Rule (B): count(node) ≤ n/k
q-digest in this example: {<8,2>, <9,2>, <1,1>}
Derived median = data value represented by node 9 = 3.5
Actual median = 3
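The q-digest construction and its merge step, as an added implementation (not code from the slides). It assumes the tree layout implied by the node numbers above: root = node 1, children of node v = 2v and 2v+1, and the leaf for reading x = node σ−1+x over a value range 1..σ. Rule (A) is applied bottom-up as in the original q-digest compression: whenever a sibling pair plus its parent do not exceed ⌊n/k⌋, the pair is folded into the parent. With readings 1, 2, 3, 4, 16, σ = 16 and k = 2 it reproduces the digest {<8,2>, <9,2>, <1,1>} and the derived median 3.5; the merge function is what an intermediate node runs instead of taking a median.

```python
from collections import Counter

class QDigest:
    """q-digest over integer readings 1..sigma (sigma a power of two)."""

    def __init__(self, sigma, k):
        self.sigma, self.k = sigma, k
        self.counts = Counter()      # node id -> count
        self.n = 0                   # number of readings summarised

    @classmethod
    def from_values(cls, values, sigma, k):
        d = cls(sigma, k)
        for x in values:
            d.counts[sigma - 1 + x] += 1      # leaf for value x (assumed numbering)
        d.n = len(values)
        d.compress()
        return d

    def node_range(self, v):
        """Value range [lo, hi] covered by tree node v."""
        depth, leaf = 0, v
        while leaf < self.sigma:             # walk down to the leftmost leaf under v
            leaf, depth = 2 * leaf, depth + 1
        lo = leaf - (self.sigma - 1)
        return lo, lo + 2 ** depth - 1

    def compress(self):
        """Bottom-up: fold a sibling pair into its parent while rule (A) is violated,
        i.e. count(v) + count(sibling) + count(parent) <= floor(n/k)."""
        limit = self.n // self.k
        level_start = self.sigma                              # leaves: sigma..2*sigma-1
        while level_start > 1:
            for v in range(level_start, 2 * level_start, 2):  # v and its sibling v+1
                parent = v // 2
                total = self.counts[v] + self.counts[v + 1] + self.counts[parent]
                if 0 < total <= limit:
                    self.counts[parent] = total
                    self.counts.pop(v, None)
                    self.counts.pop(v + 1, None)
            level_start //= 2
        self.counts = +self.counts                            # drop zero entries

    def merge(self, other):
        """An intermediate node combines the digests it receives, then re-compresses."""
        d = QDigest(self.sigma, self.k)
        d.counts = self.counts + other.counts
        d.n = self.n + other.n
        d.compress()
        return d

    def quantile(self, q):
        """Scan nodes by increasing upper bound (narrower ranges first) until the cumulative
        count reaches q*n; report that node's range midpoint, as the slide does."""
        if not self.counts:
            return None
        def key(v):
            lo, hi = self.node_range(v)
            return (hi, hi - lo)
        acc = 0
        for v in sorted(self.counts, key=key):
            acc += self.counts[v]
            if acc >= q * self.n:
                lo, hi = self.node_range(v)
                return (lo + hi) / 2
        return None

def slide_example():
    """Readings 1, 2, 3, 4, 16 with sigma = 16, k = 2: the slide's digest and median."""
    d = QDigest.from_values([1, 2, 3, 4, 16], sigma=16, k=2)
    return dict(d.counts), d.quantile(0.5)

def multihop_example():
    """Two children digest their own readings; the parent merges instead of re-medianing."""
    left = QDigest.from_values([1, 2], sigma=16, k=2)
    right = QDigest.from_values([3, 4, 16], sigma=16, k=2)
    merged = left.merge(right)
    return dict(merged.counts), merged.quantile(0.5)
```

The merged digest of the two partial digests equals the digest built directly from all five readings, which is the property that lets each hop compress without losing the sink's ability to answer the quantile query within the digest's error bound.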
Resilient aggregation guidelines
Two approaches actually: (1) estimate by minimizing the effects of outliers; (2) detect outliers and estimate without outliers.
                              1-hop                       multihop
Data distribution known       Robust statistics, RANBAR   Quantiles aggregation
Data distribution unknown     Robust statistics           Quantiles aggregation

Progress so far… (Figure: the four defence prongs.)
Voting
(Figure: five sources, some of them malicious, reported 3, 300, 2, 1 and 1. The sink asks "is mean = 61.4 reasonable?"; the answers are No, Yes, No, No, No, so the sink concludes: "Alright, 61.4 is not reasonable!")
Resource-intensive, only good for mission-critical, small-scale networks.

Progress so far… (Figure: the four defence prongs.)
Privacy homomorphism (PH)
- First proposed by Rivest et al. in 1978 to process encrypted data without decrypting the data first
- A function is (⊕, ⊗)-homomorphic if
    f(x) ⊕ f(y) = f(x ⊗ y)
  where '⊕' is an operator in the range and '⊗' is an operator in the domain.
- If f is an encryption function and the inverse function f⁻¹ is the corresponding decryption function, then f is a PH.

Types of PHs
- There are three main approaches to PHs in WSNs so far:
  - PHs that are based on polynomial rings, e.g., Domingo-Ferrer's scheme: insecure under known-plaintext attacks; the attacks involve only computation of gcd and linear algebra [Wagner 03]
  - PHs that are based on one-time pads
  - homomorphic public-key cryptosystems
PHs based on one-time pads
Encryption (node i adds its pad k_i to its reading m_i; aggregates are sums of ciphertexts):
  C = Σ_{i=1}^{n} E(k_i, m_i) = (Σ_{i=1}^{n} m_i + Σ_{i=1}^{n} k_i) mod p
Decryption by the sink:
  Σ_{i=1}^{n} m_i mod p = (C − Σ_{i=1}^{n} k_i) mod p
(Figure: four sources send m1 + k1, m2 + k2, m3 + k3, m4 + k4; the aggregates m1 + m2 + k1 + k2, then m1 + m2 + m3 + k1 + k2 + k3, then m1 + m2 + m3 + m4 + k1 + k2 + k3 + k4 travel towards the sink.)
Drawbacks:
- Use of the addition operator in place of the XOR operator in the plaintext space is unproven in terms of security
- Synchronization of keys causes a scalability problem
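The additive one-time-pad PH from the formulas above, as an added example (not code from the slides). The modulus p, the four readings and the way each pad k_i is derived (HMAC of an epoch counter under a secret the node shares with the sink, so every pad is used exactly once) are constructed assumptions; the slide only requires that the sink knows every k_i. The second function shows the synchronization drawback: one pad out of step and the sink recovers garbage for the whole aggregate.

```python
import hashlib
import hmac

P = 2**31 - 1   # constructed modulus p; it must exceed the largest possible sum of readings

def node_pad(master: bytes, node_id: int, epoch: int) -> int:
    """Pad k_i for node i in a given epoch (constructed derivation): a fresh epoch gives a
    fresh pad, so no pad is ever reused, which is what makes this a one-time pad."""
    mac = hmac.new(master + node_id.to_bytes(2, "big"), epoch.to_bytes(4, "big"),
                   hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % P

def encrypt(k_i: int, m_i: int) -> int:
    return (m_i + k_i) % P                     # E(k_i, m_i) = (m_i + k_i) mod p

def aggregate(ciphertexts) -> int:
    return sum(ciphertexts) % P                # intermediate nodes only add; they never decrypt

def sink_decrypt(c: int, pads) -> int:
    return (c - sum(pads)) % P                 # sum of m_i mod p = (C - sum of k_i) mod p

def demo(readings=(21, 23, 22, 24), epoch=7):
    """Four sources as in the figure; returns (sum recovered by the sink, true sum)."""
    master = b"constructed-shared-secret"
    pads = [node_pad(master, i, epoch) for i in range(1, len(readings) + 1)]
    cts = [encrypt(k, m) for k, m in zip(pads, readings)]
    c = cts[0]
    for ct in cts[1:]:                         # (m1+k1)+(m2+k2), then +(m3+k3), then +(m4+k4)
        c = aggregate([c, ct])
    return sink_decrypt(c, pads), sum(readings)

def desync_demo(readings=(21, 23, 22, 24), epoch=7):
    """Key-synchronisation drawback: if the sink's copy of one pad is one epoch off, the
    whole aggregate decrypts wrongly. Returns whether decryption still succeeded."""
    master = b"constructed-shared-secret"
    pads = [node_pad(master, i, epoch) for i in range(1, len(readings) + 1)]
    c = aggregate(encrypt(k, m) for k, m in zip(pads, readings))
    stale = pads[:-1] + [node_pad(master, len(readings), epoch + 1)]
    return sink_decrypt(c, stale) == sum(readings)
```

The sink learns only the sum (and hence the average) of the readings, while every intermediate aggregate is a uniformly random residue mod p to anyone who does not hold the pads.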
Part Two: Key management
In secure data aggregation, we secure one-way traffic (figure: aggregation towards the sink). In key management, we secure generic traffic: the one-way case generalized.

Components of key management:
1. Protocol verification
2. Key establishment
3. Key refreshment
4. Key revocation
Protocol verification
- Verification gives us indication and confidence of security
- If we simulate unbounded sessions, verification of secrecy and authentication is undecidable
- If we limit the number of parallel sessions, we can use constraint solving for verification
- Model: strand space model
- Tool: CoProVe implements the strand space model using constraint solving (Prolog)
Strand space model
Protocol                                            | Strand space model
Role: what a principal does in the protocol         | Strand: a sequence of events
Complete run: a complete iteration of the protocol  | Bundle: a set of strands, legitimate or otherwise, hooked together where one strand sends a message and another receives that same message, that represents a full protocol exchange
Example: initiator, responder, server
1. Initiator → Attacker: …
2. Attacker → Responder: …
3. Responder → Attacker: …
4. Attacker → Initiator: …
Node-to-node key establishment
A wants to establish a secure channel with B via a common trusted node S:
A → B: NA || A
B → S: NA || NB || A || B || MAC(KBS, NA || NB || A || B)
S → A: E(KAS, KAB) || MAC(KAS, NA || B || E(KAS, KAB))
S → B: E(KBS, KAB) || MAC(KBS, NB || A || E(KBS, KAB))
A → B: Ack || MAC(KAB, Ack)
(Figure: the same five messages drawn between A, S and B.)
Key establishment
- Definition: a process or protocol whereby a shared secret key becomes available to two or more parties, for subsequent cryptographic use
- Types:
  - Key establishment divides into key transport and key agreement
  - Key pre-distribution: a key agreement protocol whereby the resulting established keys are completely determined a priori by initial keying material
Protocol design by communication modes
- Global broadcasts:
  - Authenticated broadcast using μTESLA
- Local broadcasts:
  - Passive participation
- Unicast:
  - Only consider neighbour-to-neighbour
  - Multihop can be secured hop by hop
  - Random key pre-distribution schemes
  - LEAP+
  - EBS
Global broadcast: μTESLA
- "Micro" version of the Timed, Efficient, Streaming, Loss-tolerant Authentication Protocol
- Authenticated broadcast
- Keys are generated in reverse order: K_{i−1} = h(K_i), giving the chain K1, K2, K3, K4, ……, Kn
- Keys are released in forward order
Time interval i:    message Mi || MAC(Ki, Mi)
Time interval i+1:  ...
Time interval i+δ:  message Mi+δ || Ki || MAC(Ki+δ, Mi+δ || Ki)
Authentication succeeds if
(1) Ki generates the MAC
(2) and there exists a past key Kj = h^(i−j)(Ki)

μTESLA example (1)
(1) Generate the one-way reverse key chain on the base station: K4 → h() → K3 → h() → K2 → h() → K1
(2) Give K1 to everybody
(3) The base station broadcasts M || K2 || MAC(K3, M || K2) (figure)

μTESLA example (2)
(4) K2 is genuine because h(K2) = K1, but the packet tagged with MAC(K3, M || K2) still needs to be authenticated
(5) The base station later sends K3, in the packet M2 || K3 || MAC(K4, M2 || K3), which can be used to authenticate message M
Authentication steps:
(a) K3 is genuine because K2 = h(K3)
(b) M is genuine because K3 is genuine and K3 authenticates M
Local broadcast: Passive participation
(Figure: nodes A, B, C, D, E; a neighbour of A thinks "A is just transmitting similar data to what I have, so I shall not transmit.")
Passive participation: nodes B, C, D, E suppress their transmissions when they find A transmitting about the same data.
To secure passive participation, A uses a cluster key and a one-way key chain to achieve encrypted and authenticated local broadcast.
- If only the key chain is used, the keys in the key chain would have to be broadcast in the clear, and in the absence of time interval differentiation, a cluster-outsider would be able to forge messages using these keys
- If only the cluster key is used, authentication of the sender cannot be achieved
- But if used together, the cluster key can be used to encrypt messages as well as to hide the key chain keys from cluster-outsiders; and at the same time, the key chain keys can be used for authentication

Securing unicast
- Random key pre-distribution schemes
- LEAP+
- EBS
Random key predistribution (RKP)
(Figure: each node draws its 'keying material', a key ring of K keys, at random from a pool of P keys; two nodes can establish a session key only if their rings overlap.)
P = pool size
K = key ring size (4 in this example)
Able to establish a session key? (1 common key in this example)

Random key predistribution (RKP)
- Different types:
  - Type 1: symmetric key [Eschenauer & Gligor 02]
  - Type 2: symmetric bivariate polynomial f(x, y) = Σ_{i,j=0}^{t} a_ij x^i y^j [Liu et al. 05]
  - Type 3: part of a matrix [Du et al. 05]
Symmetric-key-based RKP
(Figure: node 1: "I've got keys 1, 2, 3, 4"; node 2: "I've got keys 1, 5, 6, 7"; both: "OK, so our session key can be derived from key 1".)
Although not all neighbouring pairs of nodes can establish a session key (aka pairwise key), the network will remain connected, with a suitable choice of K and P.
K = key ring size (4 in this example)
P = key pool size (7 in this example)

Symmetric-key-based RKP
(Figure: Pr{connectivity ≥ k} vs k for K = 4, P = 15 (RMSE = 0.0427) and K = 4, P = 30 (RMSE = 0.0436), compared with the expected connectivity derived from results on random geometric graphs [Law et al. 07].)
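Symmetric-key-based RKP, as an added example (not code from the slides): the slide's P = 7, K = 4 setting with rings {1,2,3,4} and {1,5,6,7}, the key-id exchange that finds the common key, and the session-key derivation. The pool contents and the derivation (HMAC over the common keys, bound to the two node ids so that the same shared key gives different session keys for different pairs) are constructed assumptions; the slide only says the session key is "derived from key 1". The last two functions go beyond the slide and compare the exact probability that two random rings overlap, 1 − C(P−K, K)/C(P, K) from [Eschenauer & Gligor 02], with a Monte Carlo estimate.

```python
import hashlib
import hmac
import random
from math import comb

def draw_key_ring(pool: dict, K: int, rng: random.Random) -> dict:
    """Each node takes a ring of K distinct keys chosen at random from the pool of P keys."""
    return {i: pool[i] for i in rng.sample(sorted(pool), K)}

def shared_key_ids(ring_a: dict, ring_b: dict):
    """Neighbours exchange key ids (never the keys) to find which keys they have in common."""
    return sorted(set(ring_a) & set(ring_b))

def session_key(ring: dict, common_ids, a: int, b: int):
    """Pairwise key from every common key, bound to both node ids (constructed derivation)."""
    if not common_ids:
        return None
    material = b"".join(ring[i] for i in common_ids)
    lo, hi = sorted((a, b))
    return hmac.new(material, f"{lo}|{hi}".encode(), hashlib.sha256).digest()

def slide_example():
    """P = 7, K = 4: node 1 holds keys {1,2,3,4}, node 2 holds {1,5,6,7}."""
    pool = {i: hashlib.sha256(f"constructed-pool-key-{i}".encode()).digest()
            for i in range(1, 8)}
    ring1 = {i: pool[i] for i in (1, 2, 3, 4)}
    ring2 = {i: pool[i] for i in (1, 5, 6, 7)}
    common = shared_key_ids(ring1, ring2)
    same = session_key(ring1, common, 1, 2) == session_key(ring2, common, 2, 1)
    return common, same

def exact_share_probability(P: int, K: int) -> float:
    """Pr{two rings share at least one key} = 1 - C(P-K, K)/C(P, K)."""
    return 1 - comb(P - K, K) / comb(P, K)

def simulated_share_probability(P: int, K: int, trials: int = 20000, seed: int = 3) -> float:
    """Monte Carlo estimate of the same probability from random ring draws."""
    rng = random.Random(seed)
    pool = {i: b"" for i in range(P)}
    hits = sum(1 for _ in range(trials)
               if shared_key_ids(draw_key_ring(pool, K, rng), draw_key_ring(pool, K, rng)))
    return hits / trials
```

For K = 4 the overlap probability drops from about 0.76 at P = 15 to about 0.45 at P = 30, which is the trade-off behind the connectivity plot: a larger pool limits what one captured ring reveals, but fewer neighbour pairs can key directly.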
Polynomial-based RKP
Pool of symmetric bivariate polynomials f(x, y) = Σ_{i,j=0}^{t} a_ij x^i y^j:
f1(x, y) = 1 + 2y + 3y² + 2x + xy + 4xy² + 3x² + 4x²y + x²y²
f2(x, y) = 2 + 3y + 5y² + 3x + 2xy + 7xy² + 5x² + 7x²y + 2x²y²
f3(x, y) = 3 + 4y + 5y² + 4x + 3xy + 6xy² + 5x² + 6x²y + 3x²y²
Node 1: "I've got f1(), f2()", holding the shares
  f1(1, y) = 6 + 7y + 8y²
  f2(1, y) = 10 + 12y + 14y²
Node 2: "I've got f2(), f3()", holding the shares
  f2(2, y) = 28 + 35y + 27y²
  f3(2, y) = 31 + 34y + 29y²
Both: "OK, so our session key can be derived from f2()"
In this example, t = 2, K = 2, P = 3
The pairwise key is f2(1, 2) = f2(2, 1) = 10 + 24 + 56 = 28 + 35 + 27 = 90*
*In reality, the value must of course be as large as normal crypto keys
Storage requirement: K(t + 1) coefficients, where t is the threshold
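Polynomial-based RKP with the slide's own f1, f2, f3, as an added example (not code from the slides). A symmetric polynomial is stored as its coefficient matrix a_ij, a node's share f(x, y) is the univariate polynomial in y obtained by fixing x to the node's id, and the pairwise key is the share evaluated at the peer's id. The optional modulus q is an assumption of this example: the slide works over the integers for readability, while a deployment evaluates over a finite field so that keys are as large as normal crypto keys.

```python
def make_symmetric_polynomial(coeffs):
    """coeffs[i][j] = a_ij, the coefficient of x^i y^j for i, j = 0..t; a_ij must equal a_ji."""
    t = len(coeffs) - 1
    for i in range(t + 1):
        for j in range(t + 1):
            if coeffs[i][j] != coeffs[j][i]:
                raise ValueError("bivariate polynomial must be symmetric")
    return coeffs

def share(coeffs, x, q=None):
    """Node x's share f(x, y): coefficients of y^0..y^t (modulo q when q is given)."""
    t = len(coeffs) - 1
    out = [sum(coeffs[i][j] * x ** i for i in range(t + 1)) for j in range(t + 1)]
    return [c % q for c in out] if q else out

def evaluate(share_coeffs, y, q=None):
    v = sum(c * y ** j for j, c in enumerate(share_coeffs))
    return v % q if q else v

# The slide's three polynomials, t = 2: row i, column j holds the coefficient of x^i y^j.
F1 = make_symmetric_polynomial([[1, 2, 3], [2, 1, 4], [3, 4, 1]])
F2 = make_symmetric_polynomial([[2, 3, 5], [3, 2, 7], [5, 7, 2]])
F3 = make_symmetric_polynomial([[3, 4, 5], [4, 3, 6], [5, 6, 3]])

def pairwise_keys(my_shares: dict, peer_polynomial_ids, peer_id: int, q=None):
    """After exchanging polynomial ids, each node evaluates its share of every common
    polynomial at the peer's id; symmetry of f gives the same value on both sides."""
    common = sorted(set(my_shares) & set(peer_polynomial_ids))
    return {p: evaluate(my_shares[p], peer_id, q) for p in common}

def slide_example():
    node1 = {"f1": share(F1, 1), "f2": share(F2, 1)}     # node 1 holds f1(1, y), f2(1, y)
    node2 = {"f2": share(F2, 2), "f3": share(F3, 2)}     # node 2 holds f2(2, y), f3(2, y)
    k12 = pairwise_keys(node1, node2.keys(), 2)          # node 1 evaluates f2(1, y) at y = 2
    k21 = pairwise_keys(node2, node1.keys(), 1)          # node 2 evaluates f2(2, y) at y = 1
    return node1, node2, k12, k21
```

Each node stores K(t + 1) coefficients, here 2 × 3 = 6, and never the polynomial itself; the threshold t is the number of shares of one polynomial an adversary would need to collect before that polynomial is no longer secret.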
Matrix-based RKP
N = number of nodes = number of columns
Vandermonde-like generator matrix G, whose column j is (1, s^j, (s^j)², …, (s^j)^t)ᵀ for j = 1..N:
  G = [ 1     1       1       …  1
        s     s²      s³      …  s^N
        s²    (s²)²   (s³)²   …  (s^N)²
        …     …       …       …  …
        s^t   (s²)^t  (s³)^t  …  (s^N)^t ]
The seed s^j of column j can be used as the ID of node j.
Random symmetric matrices D1, D2, D3, D4 form the pool; from each, M_i = (D_i G)ᵀ.

Matrix-based RKP
(Figure: node 1: "I've got M1, M2", holding rows M1(1), M2(1) and column G(1); node 2: "I've got M2, M3", holding rows M3(2), M2(2) and column G(2). They exchange "Here's G(1)" / "Here's G(2)", then both: "OK, so our session key can be derived from M2".)
Pairwise key = M2(1)G(2) = M2(2)G(1)
Storage requirement: K(t+1)+1 coefficients, where t is the threshold
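Matrix-based RKP with the pool of four matrices from the figure, as an added example (not code from the slides). The modulus q, the node seeds and the random symmetric matrices are constructed; the structure follows the slide: G(j) is the Vandermonde-like column built from node j's seed, node j's row of M_i = (D_i G)ᵀ is (D_i G(j))ᵀ, and the pairwise key is that row dotted with the peer's public column. The key is the same on both sides because G(1)ᵀ D G(2) = G(2)ᵀ D G(1) when D is symmetric.

```python
import random

Q = 2**31 - 1   # constructed prime modulus; in a deployment q is as large as a crypto key

def vandermonde_column(seed: int, t: int):
    """G(j) = (1, s_j, s_j^2, ..., s_j^t) mod q, where s_j is node j's seed, usable as its ID."""
    return [pow(seed, i, Q) for i in range(t + 1)]

def random_symmetric(t: int, rng: random.Random):
    """A random symmetric (t+1) x (t+1) matrix D_i for the pool."""
    d = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            d[i][j] = d[j][i] = rng.randrange(Q)
    return d

def matrix_row(d, g_col):
    """Row of M = (D G)^T for the node whose public column is g_col, i.e. (D g_col)^T."""
    return [sum(d[i][k] * g_col[k] for k in range(len(g_col))) % Q for i in range(len(d))]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q

def storage_coefficients(K: int, t: int) -> int:
    """K rows of t+1 entries plus the node's own seed: K(t+1)+1, as on the slide."""
    return K * (t + 1) + 1

def slide_example(t=3, seed=11):
    rng = random.Random(seed)
    pool = {f"M{i}": random_symmetric(t, rng) for i in range(1, 5)}   # D1..D4 -> M1..M4
    s1, s2, s3 = 2, 3, 5                                              # constructed node seeds
    g1, g2, g3 = (vandermonde_column(s, t) for s in (s1, s2, s3))
    node1 = {m: matrix_row(pool[m], g1) for m in ("M1", "M2")}       # "I've got M1, M2"
    node2 = {m: matrix_row(pool[m], g2) for m in ("M2", "M3")}       # "I've got M2, M3"
    node3 = {m: matrix_row(pool[m], g3) for m in ("M4",)}            # shares nothing with node 1
    common = sorted(set(node1) & set(node2))                          # -> ["M2"]
    k12 = [dot(node1[m], g2) for m in common]                         # M2(1) . G(2)
    k21 = [dot(node2[m], g1) for m in common]                         # M2(2) . G(1)
    no_common = sorted(set(node1) & set(node3)) == []
    return common, k12 == k21, no_common
```

After exchanging only their public columns G(1) and G(2), the two nodes hold an identical key without any further message; a node that shares no matrix id with its neighbour has to fall back to the trusted-node protocol on the next slide.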
Node-to-node key establishment
RKP schemes are only good for keying two neighbouring nodes with common key(s); what about neighbours without any common key? Use a common trusted node.
A wants to establish a secure channel with B via a common trusted node S:
A → B: NA || A
B → S: NA || NB || A || B || MAC(KBS, NA || NB || A || B)
S → A: E(KAS, KAB) || MAC(KAS, NA || B || E(KAS, KAB))
S → B: E(KBS, KAB) || MAC(KBS, NB || A || E(KBS, KAB))
A → B: Ack || MAC(KAB, Ack)
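The five-message protocol above (also shown earlier under protocol verification), as an added implementation of all three parties (not code from the slides). MAC is HMAC-SHA256 and the message field sizes are assumptions; since the standard library has no block cipher, E(K, ·) is stood in for by XOR with a one-time pad HMAC(K, "enc" || nonce), which is safe here only because each nonce is fresh per run, and would be a real cipher in a deployment. Each receiver checks the MAC that binds its own nonce and the peer's identity before it accepts K_AB, and the second function shows S rejecting a modified message 2.

```python
import hashlib
import hmac
import os

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def enc(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for E(K, .): XOR with the one-time pad HMAC(K, "enc" || nonce) (constructed)."""
    pad = mac(key, b"enc", nonce)
    return bytes(a ^ b for a, b in zip(data, pad))

class Node:
    def __init__(self, ident: bytes, key_with_s: bytes):
        self.id, self.ks = ident, key_with_s       # 1-byte id, long-term key shared with S
        self.nonce = self.peer = self.kab = None

class TrustedNode:
    def __init__(self, keys: dict):
        self.keys = keys                           # node id -> key shared with S

def msg1(a: Node) -> bytes:                        # A -> B: NA || A
    a.nonce = os.urandom(8)
    return a.nonce + a.id

def msg2(b: Node, m1: bytes) -> bytes:             # B -> S: NA || NB || A || B || MAC(KBS, ...)
    na, b.peer = m1[:8], m1[8:]
    b.nonce = os.urandom(8)
    body = na + b.nonce + b.peer + b.id
    return body + mac(b.ks, body)

def msg3_4(s: TrustedNode, m2: bytes):             # S -> A and S -> B
    body, tag = m2[:-32], m2[-32:]
    na, nb, a_id, b_id = body[:8], body[8:16], body[16:17], body[17:18]
    if not hmac.compare_digest(tag, mac(s.keys[b_id], body)):
        raise ValueError("S: MAC on message 2 failed")
    kab = os.urandom(32)                            # fresh session key K_AB
    kas, kbs = s.keys[a_id], s.keys[b_id]
    c_a, c_b = enc(kas, na, kab), enc(kbs, nb, kab)
    m3 = c_a + mac(kas, na, b_id, c_a)             # E(KAS, KAB) || MAC(KAS, NA || B || E(KAS, KAB))
    m4 = c_b + mac(kbs, nb, a_id, c_b)             # E(KBS, KAB) || MAC(KBS, NB || A || E(KBS, KAB))
    return m3, m4

def recv_key(node: Node, m: bytes, peer_id: bytes) -> None:
    """A or B: verify the MAC binding its own nonce and the peer's id, then decrypt K_AB."""
    c, tag = m[:32], m[32:]
    if not hmac.compare_digest(tag, mac(node.ks, node.nonce, peer_id, c)):
        raise ValueError(f"{node.id!r}: MAC on key message failed")
    node.kab = enc(node.ks, node.nonce, c)

def msg5(a: Node) -> bytes:                        # A -> B: Ack || MAC(KAB, Ack)
    return b"Ack" + mac(a.kab, b"Ack")

def check_ack(b: Node, m5: bytes) -> bool:
    return hmac.compare_digest(m5[3:], mac(b.kab, m5[:3]))

def run_protocol() -> bool:
    kas, kbs = os.urandom(32), os.urandom(32)       # constructed long-term keys
    a, b = Node(b"A", kas), Node(b"B", kbs)
    s = TrustedNode({b"A": kas, b"B": kbs})
    m3, m4 = msg3_4(s, msg2(b, msg1(a)))
    recv_key(a, m3, b.id)
    recv_key(b, m4, b.peer)
    return check_ack(b, msg5(a)) and a.kab == b.kab

def tampered_run() -> bool:
    """A modified message 2 must be rejected by S. Returns True if S rejected it."""
    kas, kbs = os.urandom(32), os.urandom(32)
    a, b = Node(b"A", kas), Node(b"B", kbs)
    s = TrustedNode({b"A": kas, b"B": kbs})
    m2 = bytearray(msg2(b, msg1(a)))
    m2[0] ^= 0x01                                   # flip one bit of NA in transit
    try:
        msg3_4(s, bytes(m2))
    except ValueError:
        return True
    return False
```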
LEAP+
- LEAP+ is a key pre-distribution scheme but not random
- Every node is pre-distributed with the initial key Kin
Node A still holds the initial key Kin; node B holds its node key KB = PRF(Kin, B) and has already deleted Kin.
0. A sets a timer
1. A → B: "Hello, I'm A"
2. B → A: "I'm B"
3. A and B compute the pairwise key = PRF(PRF(Kin, B), A) = PRF(KB, A)
4. The timer fires and A deletes Kin
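The LEAP+ exchange above, as an added example (not code from the slides). PRF is instantiated with HMAC-SHA256, which is an assumption of this example. It shows the asymmetry that makes the scheme work: A, which still holds Kin, derives KB = PRF(Kin, B) itself and then PRF(KB, A), while B needs only its own node key; once A's timer has fired and Kin is deleted, A can no longer key new neighbours, and a node captured after that point yields only its node key.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()   # PRF(K, x) as HMAC-SHA256 (assumed)

class LeapNode:
    def __init__(self, ident: bytes, k_in: bytes):
        self.id = ident
        self.k_in = k_in                        # initial key Kin, held only during discovery
        self.node_key = prf(k_in, ident)        # K_X = PRF(Kin, X), kept after Kin is deleted
        self.pairwise = {}

    def hello(self) -> bytes:                   # step 1: "Hello, I'm A"
        return self.id

    def reply(self, peer_id: bytes) -> bytes:   # step 2: "I'm B" (Kin may be gone already)
        return self.id

    def establish(self, peer_id: bytes) -> None:
        """Step 3, initiator side: pairwise key = PRF(PRF(Kin, peer), self); needs Kin."""
        if self.k_in is None:
            raise RuntimeError("Kin already deleted: cannot key new neighbours")
        self.pairwise[peer_id] = prf(prf(self.k_in, peer_id), self.id)

    def accept(self, peer_id: bytes) -> None:
        """Step 3, responder side: PRF(K_B, A) uses only the node key, so works without Kin."""
        self.pairwise[peer_id] = prf(self.node_key, peer_id)

    def timer_fired(self) -> None:              # step 4: delete Kin
        self.k_in = None

def demo():
    """Returns (both sides derived the same key, A refuses to key a neighbour after deleting Kin)."""
    k_in = b"constructed-initial-key"
    a, b = LeapNode(b"A", k_in), LeapNode(b"B", k_in)
    b.timer_fired()                # B was deployed earlier and has already deleted Kin
    peer = b.reply(a.hello())      # steps 1 and 2
    a.establish(peer)              # A: PRF(PRF(Kin, B), A)
    b.accept(a.id)                 # B: PRF(K_B, A)
    a.timer_fired()
    try:
        a.establish(b"C")
        late = False
    except RuntimeError:
        late = True
    return a.pairwise[b"B"] == b.pairwise[b"A"], late
```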
EBS (Exclusion Basis System)
With P = 6 and K = 4 there are C(P, K) = C(6, 4) = 15 key combinations (figure: a nodes × keys table, one node per combination).
Pro: Two nodes always share at least 2K − P keys.
Con: When a node is compromised, more than half of the keys in the key pool are compromised.
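The EBS claims above checked by enumeration, as an added example (not code from the slides): every node receives a distinct K-subset of the P keys, so there are C(P, K) possible nodes, any two of them share at least 2K − P keys, and a captured node exposes K/P of the pool. The last function goes one step beyond the slide: because the key sets are distinct subsets of equal size, every other node holds at least one key the captured node lacks, which is the exclusion basis that makes re-keying around a captured node possible.

```python
from itertools import combinations
from math import comb

def ebs_nodes(P: int, K: int):
    """EBS gives every node a distinct K-subset of the P keys, so at most C(P, K) nodes."""
    return list(combinations(range(P), K))

def min_shared_keys(P: int, K: int) -> int:
    """Smallest overlap between any two nodes' key sets; the slide's bound is 2K - P."""
    nodes = ebs_nodes(P, K)
    return min(len(set(u) & set(v)) for u, v in combinations(nodes, 2))

def pool_fraction_exposed(P: int, K: int) -> float:
    """Capturing one node exposes its K keys, i.e. K/P of the pool."""
    return K / P

def every_node_reachable_without(P: int, K: int, captured) -> bool:
    """True if every other node holds at least one key outside the captured node's set."""
    captured = set(captured)
    return all(set(v) - captured for v in ebs_nodes(P, K) if set(v) != captured)

def slide_example():
    P, K = 6, 4
    return (len(ebs_nodes(P, K)), comb(P, K),
            min_shared_keys(P, K), 2 * K - P,
            pool_fraction_exposed(P, K) > 0.5,
            every_node_reachable_without(P, K, (0, 1, 2, 3)))
```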
Key refreshment
- Why? The more a key is used, the more it is open to cryptanalytic attacks, birthday attacks etc.
Parallel re-keying:
- Lose the key K, then all past and future keys are exposed
- Not suitable for WSNs

Key refreshment
Serial re-keying: preferable because of forward security
- Only need to store this: PRF(…PRF(K0, 0)…, 0), with PRF applied i − 1 times
- Lose this, then all future keys are compromised
- But past keys are intact
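Parallel versus serial re-keying, as an added example (not code from the slides). PRF is instantiated with HMAC-SHA256 and K_i for serial re-keying is taken as PRF applied i − 1 times to K0, both assumptions of this example. The node object stores only the current key and overwrites it at each refresh; the last function makes the forward-security claim concrete by checking which epoch keys an attacker holding K_{lost} can reach by running the PRF forward, which is every later key and none of the earlier ones.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()   # PRF as HMAC-SHA256 (assumed)

def parallel_key(master: bytes, i: int) -> bytes:
    """Parallel re-keying: every epoch key comes straight from the master key K, so
    whoever learns K derives every past and future key."""
    return prf(master, i.to_bytes(4, "big"))

def serial_key(k0: bytes, i: int) -> bytes:
    """Serial re-keying: K_i = PRF(...PRF(K0, 0)..., 0) with PRF applied i - 1 times."""
    k = k0
    for _ in range(i - 1):
        k = prf(k, b"\x00")
    return k

class SerialRekeyer:
    """A node keeps only the current key and replaces it in place at every refresh."""
    def __init__(self, k0: bytes):
        self.current, self.index = k0, 1

    def refresh(self) -> bytes:
        self.current = prf(self.current, b"\x00")
        self.index += 1
        return self.current

def keys_derivable_from_loss(k0: bytes, lost_index: int, horizon: int):
    """Epoch indices whose serial key an attacker holding K_{lost_index} can compute by
    applying the PRF forward; earlier keys would require inverting the PRF."""
    have = serial_key(k0, lost_index)
    reachable = set()
    for i in range(1, horizon + 1):
        k = have
        for _ in range(i - lost_index):         # forward steps only (none for i < lost_index)
            k = prf(k, b"\x00")
        if k == serial_key(k0, i):
            reachable.add(i)
    return reachable
```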
Which keys to revoke?
Big picture (figure): the base station S holds the global key KSglobal and its key chain KSchain; every node X holds a cluster key KXcluster and a key chain KXchain for its local broadcasts; nodes B, C, D, E are the neighbours of the compromised node A.
- When A is compromised
  - Global broadcast keys: B, C, D, E need to have their copies of KSglobal replaced
  - Local broadcast keys: B, C, D, E need to purge KAcluster and KAchain; B needs to re-generate and re-distribute KBcluster and KBchain; similarly for C, D, E

Strategy
(Figure: re-keying strategy via a gateway.)
Re-keying unicast keys
Big picture (figure): as before, with A compromised.
- If using polynomial-based or matrix-based RKP or LEAP+, do nothing
- If using symmetric-key-based RKP, re-keying is desirable but can be done without
- If using EBS, re-keying is a must

Re-keying local broadcast keys

Re-keying global broadcast keys
The new global key is propagated from the base station in two stages:
(1) The hash of the key is propagated
(2) Then the key itself
Over each hop, the key is protected by a cluster key and a cluster key chain
Thank y’all
Dank u
Danke
Grazie
Mult'umesc
Dziekuje
Köszönöm
Tesekkurler
Shukran
धन्यवाद
谢谢
64