On Concealed Data Aggregation for Wireless Sensor Networks Steffen Peter Peter Langendörfer, Krzysztof Piotrowski IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany IHP Im Technologiepark 25 15236 Frankfurt.
Download ReportTranscript On Concealed Data Aggregation for Wireless Sensor Networks Steffen Peter Peter Langendörfer, Krzysztof Piotrowski IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany IHP Im Technologiepark 25 15236 Frankfurt.
On Concealed Data Aggregation for Wireless Sensor Networks Steffen Peter Peter Langendörfer, Krzysztof Piotrowski IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved Outline • Concealed Data Aggregation? What does it mean? What is it for? Privacy homomorphism • Example for an efficient CDA scheme CaMyTs-Algorithm • Discussion of security properties Awareness to passive and active attacks • Solution to overcome security problems Cascaded privacy homomorphism • Conclusions IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved Scenario: WSN as movement/intruder detection Q: Sensed something since last request? IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved In-Network-Aggregation (INA) 1 Without With INA: INA: 1,0,0,0 1 1,0 1 0 0,0 1,0,0,0,1,0,1,0 1,2 3 3 1,0 1 0 0 1 0 2 1,0,1,0 1 1 1,0 Reduced packet traffic IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany 0 www.ihp-microelectronics.com 0 © 2007 - All rights reserved Security Issues of in-network aggregation • Without cryptography No security • Classic End-to-End security (DES, AES, ECC) Encryption on sensor – decryption on sink + Very secure - No possibility of in-network aggregation • Hop-by-Hop encryption Packets are encrypted and decrypted on every routing node + In-network aggregation possible - No End-to-End security every routing node knows and can change every plaintext IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved Concealed (In-netwok) Data Aggregation • We need: End-to-End security that allows aggregation on routing nodes = Routing nodes do not know what they aggregate = Ability to compute with encrypted values Only sink node can decrypt the aggregated value • Solution: Privacy Homomorphism Encryption Value1 Encryption Value2 Encryption Value1 + Value2 IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved CaMyTs (Castelluccia, Mykletun, Tsudik) Encryption: 1+15=16 (mod 32) Random Stream 1: 15 22 Random Stream 2: 6 30 9 11 Random Stream 3: 27 2 29 Aggregation: 16+30+28 =74 =10 (mod 32) 10 Value: 1 16 30 0+30=30 (mod 32) Value: 0 Decryption: Decryption: 10 - 15 – 30 - 27 16 = – 15 -62 = 1=2 (mod 32) =1+0+1 IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany 28 Value: 1 1+27=28 (mod 32) www.ihp-microelectronics.com Random Stream: 15 22 6 Random Stream: 30 9 11 Random Stream: 27 2 29 © 2007 - All rights reserved Attack Scenarios • Passive Attacks Eavesdropping Ciphertext analysis Chosen/known plaintext attacks • Active Attacks Unauthorized aggregation Forged packets Replay attacks Malleability IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved Active Attack - Replay Value: 1 (Previous: 0+15=15) 1+22=23 Key Stream: 15 22 6 23 15 9 Value: 0 Attack 1: 26-34 24 no plausible value Decr: 3-34 1 263 20 9 0+9=9 Key: 9 Attack 2: 20-34 18 no plausible value Value: 0 2 Key: 2 0+2=2 IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved Active Attack - Malleability Value: 1 Encryption: 1+15=16 Key1: 15 Key2: 30 Key3: 27 Decryption: 9 -15 – 30 - 27 8 = -62 -63 =0 1 (mod 32) = Alert NO ALERT Aggregation: 16+30+27 =73 =9 (mod 32) 8 9 Key: 15 16 30 Value: 0 Encryption: 0+30=30 Key: 30 Value: 0 27 Key: 27 Encryption: 0+27=27 IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved Evaluation Domingo-Ferrer (DF) CaMyTs Elliptic Curve ElGamal (ECEG) Ciphertext size - + o Encryption o + - Decryption o - - Aggregation o + - Ciphertext only attack + + + Chosen plaintext attack - + + Replay attack - + - Malleability + - - Malicious aggregation - + - Forged packets + + - Captured Sensors - + + Security/Resistance IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved Increase Security – Combination of two PHs Encryption 2 Domingo-Ferrer Encryption 2 Domingo-Ferrer Encryption 1 CaMyTs Encryption 1 CaMyTs Value1 Value2 Encryption 2 Domingo-Ferrer Encryption 1 CaMyTs Value1 + Value2 IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved CaMyTs + DF combination Domingo-Ferrer (DF) CaMyTs CMT/DF combination Ciphertext size - + - Encryption o + o Decryption o - - Aggregation o + o Ciphertext only attack + + + Chosen plaintext attack - + + Replay attack - + + Malleability + - + Malicious aggregation - + + Forged packets + + + Captured Sensors - + + Security/Resistance IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved Conclusions • Concealed Data Aggregation in WSNs is required Reduced network traffic End-to-End security • Concealed Data Aggregation in WSNs is possible Computation overhead is reasonable (e.g. with CaMyTs, DF) • There is not one perfect CDA scheme There are still some security issues (e.g. integrity) Trade-off security/computation effort Evaluation helps selecting application-fitted scheme • Combined (cascaded) privacy homomorphism increases security with very low additional costs (e.g. CaMyTs/DF) IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved