On Concealed Data Aggregation for Wireless Sensor Networks Steffen Peter Peter Langendörfer, Krzysztof Piotrowski IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany IHP Im Technologiepark 25 15236 Frankfurt.
Download
Report
Transcript On Concealed Data Aggregation for Wireless Sensor Networks Steffen Peter Peter Langendörfer, Krzysztof Piotrowski IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany IHP Im Technologiepark 25 15236 Frankfurt.
On Concealed Data Aggregation
for Wireless Sensor Networks
Steffen Peter
Peter Langendörfer, Krzysztof Piotrowski
IHP
Im Technologiepark 25
15236 Frankfurt (Oder)
Germany
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
www.ihp-microelectronics.com
© 2007 - All rights reserved
Outline
•
Concealed Data Aggregation?
What does it mean? What is it for?
Privacy homomorphism
•
Example for an efficient CDA scheme
CaMyTs-Algorithm
•
Discussion of security properties
Awareness to passive and active attacks
•
Solution to overcome security problems
Cascaded privacy homomorphism
•
Conclusions
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
www.ihp-microelectronics.com
© 2007 - All rights reserved
Scenario: WSN as movement/intruder detection
Q: Sensed something
since last request?
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
www.ihp-microelectronics.com
© 2007 - All rights reserved
In-Network-Aggregation (INA)
1
Without
With
INA:
INA:
1,0,0,0
1
1,0
1
0
0,0
1,0,0,0,1,0,1,0
1,2
3 3
1,0
1
0
0
1
0
2
1,0,1,0
1
1
1,0
Reduced packet traffic
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
0
www.ihp-microelectronics.com
0
© 2007 - All rights reserved
Security Issues of in-network aggregation
•
Without cryptography
No security
•
Classic End-to-End security (DES, AES, ECC)
Encryption on sensor – decryption on sink
+ Very secure
- No possibility of in-network aggregation
•
Hop-by-Hop encryption
Packets are encrypted and decrypted on every routing node
+ In-network aggregation possible
- No End-to-End security
every routing node knows and can change every plaintext
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
www.ihp-microelectronics.com
© 2007 - All rights reserved
Concealed (In-netwok) Data Aggregation
•
We need:
End-to-End security that allows aggregation on routing nodes
= Routing nodes do not know what they aggregate
= Ability to compute with encrypted values
Only sink node can decrypt the aggregated value
•
Solution:
Privacy Homomorphism
Encryption
Value1
Encryption
Value2
Encryption
Value1 + Value2
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
www.ihp-microelectronics.com
© 2007 - All rights reserved
CaMyTs (Castelluccia, Mykletun, Tsudik)
Encryption:
1+15=16 (mod 32)
Random Stream 1:
15
22
Random Stream 2:
6
30
9
11
Random Stream 3:
27
2
29
Aggregation:
16+30+28
=74
=10 (mod 32)
10
Value:
1
16
30
0+30=30 (mod 32)
Value:
0
Decryption:
Decryption:
10 - 15 – 30 - 27
16 =
– 15
-62
= 1=2 (mod 32)
=1+0+1
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
28
Value:
1
1+27=28 (mod 32)
www.ihp-microelectronics.com
Random Stream:
15
22
6
Random Stream:
30
9
11
Random Stream:
27
2
29
© 2007 - All rights reserved
Attack Scenarios
•
Passive Attacks
Eavesdropping
Ciphertext analysis
Chosen/known plaintext attacks
•
Active Attacks
Unauthorized aggregation
Forged packets
Replay attacks
Malleability
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
www.ihp-microelectronics.com
© 2007 - All rights reserved
Active Attack - Replay
Value:
1
(Previous: 0+15=15)
1+22=23
Key Stream:
15
22
6
23
15
9
Value:
0
Attack 1: 26-34 24 no plausible value
Decr: 3-34 1
263
20
9
0+9=9
Key:
9
Attack 2: 20-34 18 no plausible value
Value:
0
2
Key:
2
0+2=2
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
www.ihp-microelectronics.com
© 2007 - All rights reserved
Active Attack - Malleability
Value:
1
Encryption:
1+15=16
Key1: 15
Key2: 30
Key3: 27
Decryption:
9 -15 – 30 - 27
8
= -62
-63
=0
1 (mod 32)
= Alert
NO ALERT
Aggregation:
16+30+27
=73
=9 (mod 32)
8
9
Key:
15
16
30
Value:
0
Encryption:
0+30=30
Key:
30
Value:
0
27
Key:
27
Encryption:
0+27=27
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
www.ihp-microelectronics.com
© 2007 - All rights reserved
Evaluation
Domingo-Ferrer
(DF)
CaMyTs
Elliptic Curve
ElGamal (ECEG)
Ciphertext size
-
+
o
Encryption
o
+
-
Decryption
o
-
-
Aggregation
o
+
-
Ciphertext only attack
+
+
+
Chosen plaintext attack
-
+
+
Replay attack
-
+
-
Malleability
+
-
-
Malicious aggregation
-
+
-
Forged packets
+
+
-
Captured Sensors
-
+
+
Security/Resistance
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
www.ihp-microelectronics.com
© 2007 - All rights reserved
Increase Security – Combination of two PHs
Encryption 2
Domingo-Ferrer
Encryption 2
Domingo-Ferrer
Encryption 1
CaMyTs
Encryption 1
CaMyTs
Value1
Value2
Encryption 2
Domingo-Ferrer
Encryption 1
CaMyTs
Value1 + Value2
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
www.ihp-microelectronics.com
© 2007 - All rights reserved
CaMyTs + DF combination
Domingo-Ferrer
(DF)
CaMyTs
CMT/DF
combination
Ciphertext size
-
+
-
Encryption
o
+
o
Decryption
o
-
-
Aggregation
o
+
o
Ciphertext only attack
+
+
+
Chosen plaintext attack
-
+
+
Replay attack
-
+
+
Malleability
+
-
+
Malicious aggregation
-
+
+
Forged packets
+
+
+
Captured Sensors
-
+
+
Security/Resistance
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
www.ihp-microelectronics.com
© 2007 - All rights reserved
Conclusions
•
Concealed Data Aggregation in WSNs is required
Reduced network traffic
End-to-End security
•
Concealed Data Aggregation in WSNs is possible
Computation overhead is reasonable (e.g. with CaMyTs, DF)
•
There is not one perfect CDA scheme
There are still some security issues (e.g. integrity)
Trade-off security/computation effort
Evaluation helps selecting application-fitted scheme
•
Combined (cascaded) privacy homomorphism increases security
with very low additional costs (e.g. CaMyTs/DF)
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany
www.ihp-microelectronics.com
© 2007 - All rights reserved