Key Infection (smart trust for smart dust)
Ross Anderson (Cambridge), Haowen Chan (CMU), Adrian Perrig (CMU)

Sensor Networks
• 100s to 1000s of cheap sensor nodes
• Communicate peer-to-peer and route information to base stations
• Example: sensors could be scattered by air to monitor pollution, or to track people

Typical Sensor Node Characteristics
• Wireless communication
• Battery powered
• Immobile
• Not tamper-resistant
• Limited processing hardware and memory
• Communicate peer-to-peer and route data to one or more base stations
Platform Technologies: UCB Mote
• UCB Mote Evolution (figure)

Approaches to Key Distribution
• Attempt #1: Use a PKI. Problem: too computationally intensive
• Attempt #2: Use a single symmetric master key. Problem: a single node capture exposes the entire network
• Attempt #3: Load each node with a key for each neighbour. Problem: neighbours are not known a priori
• Attempt #4: Load each node with many keys (n-1 keys per node, or a fancier randomised scheme). Problem: memory cost too high
Threat Model
• Attacker deploys white dust to monitor an area
• Defender has a few black dust motes already, rapidly deploys more, and sends in ‘insects’ that reverse-engineer some white motes
• Passive defense: see what movements yield sensor traffic
• Active defense: transmit jamming / deceptive messages. Example: corrupt routing to partition the network

Defender Model
• During the deployment phase, we have a partial, passive defender: some links monitored but no jamming / flooding / physical attack
• After deployment, the gloves come off! The defender is pervasive and active
• Often reasonable because of economics: white can deploy dust anywhere while black must defend everywhere

Basic Idea
• Suppose all nodes share an initial master key, and use this to bootstrap link keys
• Once the reverse-engineering insect arrives, the enemy gets the master key
• The enemy can now eavesdrop on all the links it monitored
• But it could only monitor a small fraction of them! We may still be OK
• This is equivalent to broadcasting initial keys locally, and in the clear
Key Infection
• Assume that mote i, when it comes to rest, transmits a key k_i
• When mote j hears it, it responds with a pairwise key, using only just enough power for the link:
  j -> i : { j, k_ji }_k_i   (j's identity and the pairwise key k_ji, encrypted under k_i)
• The key is compromised if a hostile mote lies in the intersection of the two circles (figure: transmission circles around i and j)
• E.g., 1 black mote for 100 white: 97.62% of links secure

Key Whispering
• First improvement: instead of broadcasting k_i at full power, whisper it, increasing the volume until a response is heard
• In other words, whispering already reduces compromised links by 2/3

Key Capture
• (figure: enemy / subverted nodes shown alongside the keys of node A and the keys of node B)
• Neither node A nor node B was captured, but their shared key has been exposed

Multipath Privacy Amplification
• If i talks via j to k, and link jk is compromised, find any other paths, e.g., i -> l -> k, set up keys k_ik along all available paths, and hash them together
• This gets a further significant reduction in compromised links:
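The three mechanisms above (plain key infection, whispering, multipath privacy amplification) can be checked against the slides' geometric model with a small Monte Carlo simulation. The following is an added example, not the authors' code: it scatters white and black motes at constructed random positions, treats a link key as exposed when a black mote lies inside both transmission circles, and then compares a single two-hop path with a key hashed over every available two-hop path. The area size, communication range, mote counts and SHA-256 as the hash are all assumptions chosen for illustration; the percentages it prints will vary with the seed and are not the paper's figures.

```python
# Added example (not the authors' code): Monte Carlo estimate, under the slides'
# geometric model, of how many link keys the black side learns with plain key
# infection, with whispering, and after multipath privacy amplification.
# Positions, ranges, counts and the choice of SHA-256 are constructed.
import hashlib
import math
import random


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def link_compromised(i, j, blacks, radius_i, radius_j):
    """k_ji is exposed if one black mote hears both halves of the exchange:
    k_i (sent by i, reach radius_i) and j's reply (reach radius_j), i.e. the
    black mote sits in the intersection of the two circles."""
    return any(dist(b, i) <= radius_i and dist(b, j) <= radius_j for b in blacks)


def scatter(n, area, rng):
    """Uniform random positions in an area x area square (constructed layout)."""
    return [(rng.uniform(0, area), rng.uniform(0, area)) for _ in range(n)]


def link_keys(whites, blacks, comm_range, whisper):
    """Map (a, b) -> True if that link's key is compromised, for every pair of
    white motes within comm_range. Plain key infection: i broadcasts k_i at
    full power (reach comm_range) and j replies with just enough power to
    reach i (reach d). Whispering: i also limits its reach to d."""
    links = {}
    for a in range(len(whites)):
        for b in range(a + 1, len(whites)):
            d = dist(whites[a], whites[b])
            if d > comm_range:
                continue
            radius_i = d if whisper else comm_range
            links[(a, b)] = link_compromised(whites[a], whites[b], blacks, radius_i, d)
    return links


def fraction_compromised(links):
    return sum(links.values()) / len(links) if links else 0.0


def amplified_key(path_keys):
    """Multipath privacy amplification: hash the keys set up along every
    available path. The result stays secret while any one path key does."""
    h = hashlib.sha256()
    for k in path_keys:
        h.update(k)
    return h.digest()


def two_hop_exposure(links, n):
    """For each pair (i, k) that are not neighbours but share a neighbour,
    compare one path i-j-k (j = lowest-numbered common neighbour) with a key
    amplified over all common neighbours. Returns (pairs, single, multipath)."""
    adj = {v: set() for v in range(n)}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)

    def bad(a, b):  # is the link key between a and b compromised?
        return links[(min(a, b), max(a, b))]

    pairs = single = multi = 0
    for i in range(n):
        for k in range(i + 1, n):
            if k in adj[i]:
                continue
            mids = adj[i] & adj[k]
            if not mids:
                continue
            pairs += 1
            j0 = min(mids)
            if bad(i, j0) or bad(j0, k):
                single += 1
            # the hashed key is exposed only if every path leaks a link key
            if all(bad(i, j) or bad(j, k) for j in mids):
                multi += 1
    return pairs, single, multi


def run(seed=1, n_white=100, n_black=1, area=10.0, comm_range=1.5):
    rng = random.Random(seed)
    whites, blacks = scatter(n_white, area, rng), scatter(n_black, area, rng)
    plain = link_keys(whites, blacks, comm_range, whisper=False)
    whisp = link_keys(whites, blacks, comm_range, whisper=True)
    return {
        "links": len(plain),
        "plain": fraction_compromised(plain),
        "whisper": fraction_compromised(whisp),
        "two_hop": two_hop_exposure(whisp, n_white),
    }


if __name__ == "__main__":
    print(run())
```

Because the whispered circle around i is contained in the full-power circle, whispering can only shrink the set of exposed links for a given placement, and the amplified key can only be exposed when every path is; the simulation shows both effects on the same scattering, which is the comparison the slides are making.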
Interaction with Routing
• Even with no mobility, the network topology will change as a result of battery exhaustion / attacks
• White may invest in preparing for failover; multipath key establishment helps
• Many interesting questions, e.g. energy efficiency, clubbing, different logical paths on the same physical path…

Other Applications (1)
• Peer-to-peer systems typically start out optimistically with a large number of hopefully trustworthy nodes
• ‘Black’ nodes join once the network starts to operate, and ‘white’ nodes may be subverted (e.g., by court order)
• Here too the issue isn’t the initial key bootstrapping, but resilience in the face of what happens later

Other Applications (2)
• Subversive networks are similar. Law enforcement can only monitor so many people, and so many phones…
• Once subversive activity manifests, the task is to penetrate a network that may have been fairly open at the start, but has now closed up
• Again, the important aspect is not the initial bootstrapping, but the subsequent lockdown, and any associated resilience
Security Economics
• Economics provides the big showstopper for security in general
• Here, the game depends on both the initial and the marginal costs of attack and defence
• Initial keying increases the initial cost to both
• The equilibrium depends on marginal costs: defender efforts vs attacker resilience
• Logically, the defender will give up, or the attacker will have to go all out to maintain the network
• The attacker will logically make its marginal investment in resilience, not bootstrapping

Research Problems
• What are the relative costs of key establishment vs. maintenance in different types of network?
• What are the best attack and defence strategies at equilibrium?
• What’s the interaction with routing algorithms?
• Can you deal with new motes joining?
• Can you have multiple virtual networks (‘United Nations Dust’)?
• Can multiple users interact locally (‘Neighbourhood Watch Dust’)?

Conclusions
• Sensor networks present interesting and novel protection problems
• They provide a tractable model for bigger problems, from P2P network design to some real-world policing problems
• They challenge the conventional wisdom that authentication is about trust bootstrapping
• In many real social networks, trust is more about group reinforcement / bonding
• Will future pervasive computing systems be command-and-control, or societal?