
Key Management in Mobile and Sensor Networks


Presentation Transcript


1. Key Management in Mobile and Sensor Networks (Class 17)

2. Outline
  • Challenges in key distribution, trust bootstrapping
  • Pre-setup keys (point-to-point, public)
  • Resurrected duckling
  • PGP trust graph
  • Trusted third party (TTP): Kerberos, SPINS
  • PKI
  • Key infection
  • Random-key predistribution

3. Key Management
  • Goal: set up and maintain secure keys
    • Public keys for signature verification or node-to-node key setup
    • Shared keys for confidentiality or authenticity
    • Group keys for secure group communication
  • Challenges
    • Trust establishment (class example?)
    • Node compromise
    • Dynamic node addition/removal

4. Network Architectures
  • Closed networks, centralized deployment (trusted authority controls and deploys nodes)
    • All-pairs shared keys, or all public keys
    • PKI, TTP (Kerberos, SPINS)
    • Zhou & Haas threshold key management
    • Random-key predistribution
  • Open networks, autonomous deployment
    • Resurrected duckling
    • PGP web of trust
    • Key infection

5. Full Key Deployment
  • Symmetric case
    • All-pairs shared keys (need O(n^2) keys)
    • Challenge: node addition
  • Asymmetric case
    • Distribute every node's public key (n keys)
    • Nodes can easily set up secure shared keys

6. Trusted Key Management Center
  • Symmetric case
    • Trusted third party (TTP) shares a key with each node (n keys)
    • Set up a key between two nodes through the TTP
    • Kerberos, SPINS key agreement protocol
  • Asymmetric case
    • Public-key infrastructure (PKI)
    • Certification authority (CA) signs public keys of nodes
    • All nodes know the CA's public key

7. Zhou & Haas Key Management
  • PKI drawbacks
    • Revocation requires an on-line PKI
    • Single point of failure; CA replication increases vulnerability to node compromise
  • Distributed CA model, tolerates t faulty nodes
    • Threshold signatures
    • Signing needs a coalition of t+1 correct nodes
    • Secret sharing prevents t malicious nodes from reconstructing the CA private key
  • Proactive security
    • Defend against a mobile adversary
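The building block behind the distributed CA on this slide is threshold secret sharing: the CA private key is split so that any t+1 shares reconstruct it and any t reveal nothing, and proactive share refreshing re-randomizes the shares so that a mobile adversary cannot combine shares stolen in different periods. The following Python block is an added example, not code from the Zhou & Haas paper; it implements Shamir sharing over the prime field 2^127 - 1 with Lagrange interpolation, plus a refresh step. Threshold signature combination is not shown, only the sharing it rests on.

```python
import random
import secrets

# Mersenne prime 2^127 - 1; all share arithmetic is done modulo this field.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x (Horner's rule, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def make_shares(secret, t, n, rng=secrets.randbelow):
    """Split `secret` into n shares of a random degree-t polynomial whose
    constant term is the secret. Any t+1 shares determine the polynomial
    (and so the secret); any t shares are consistent with every secret."""
    coeffs = [secret % PRIME] + [rng(PRIME) for _ in range(t)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 from t+1 (or more) shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def refresh(shares, t, rng=secrets.randbelow):
    """Proactive refresh: every node adds the value of a fresh random
    degree-t polynomial with zero constant term to its share. The secret is
    unchanged, but old-period and new-period shares no longer interpolate
    to it, so shares captured across periods do not accumulate."""
    delta = [0] + [rng(PRIME) for _ in range(t)]
    return [(x, (y + _eval_poly(delta, x)) % PRIME) for x, y in shares]


def deterministic_rng(seed):
    """Seeded randomness so a run can be reproduced (tests only; use the
    default secrets.randbelow for anything real)."""
    return random.Random(seed).randrange


if __name__ == "__main__":
    # Hypothetical CA private key, 2 faulty nodes tolerated, 5 CA nodes.
    ca_key = secrets.randbelow(PRIME)
    shares = make_shares(ca_key, t=2, n=5)
    print("3 shares recover key:", reconstruct(shares[:3]) == ca_key)
    fresh = refresh(shares, t=2)
    print("fresh shares recover key:", reconstruct(fresh[1:4]) == ca_key)
    print("mixed old/new shares recover key:",
          reconstruct(shares[:2] + fresh[2:3]) == ca_key)
```

Two shares plus a guessed secret always interpolate to some valid degree-2 polynomial, which is why t shares leak nothing; the mixed-period check at the end is the property that defeats the mobile adversary from the slide.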

8. Discussion
  • How can share refreshing tolerate faulty nodes?
  • How can we tolerate a compromised combiner?
  • Who decides to be a combiner?
  • How can we bootstrap this system?
  • How can we introduce a new node?
  • Why should a node sign a message?
  • How does a node authenticate a message?
  • Is signature combination expensive if we have t faulty nodes?
  • How efficient are these mechanisms?

9. Random-key Predistribution
  • Scenario: deploy 10^4 mote sensors from an airplane
  • Goal: set up secure node-to-node keys
  • Simple approaches impractical
    • Network-wide secret key
    • Pairwise shared key with every other node
    • Pairwise shared key with neighbors
    • Public key infrastructure

10. Basic Random Key Scheme
  • Eschenauer and Gligor, ACM CCS 2002
  • Observation: no need for all pairs of nodes to be able to communicate to get a connected network
  • For any 2 nodes, if they can communicate with some probability p, then the network is a random graph that is connected with high probability (e.g. 0.999)
  • p is a given parameter, dictated by communication range and density of deployment of the nodes

11. Basic Random Key Scheme (figure)
  • Total key space: 2^128 keys
  • Key pool P: randomly choose |P| keys from the key space
  • Key ring of node A, key ring of node B: each randomly chooses m keys from P
  • Pick |P| s.t. the probability of any 2 nodes sharing at least 1 key = p

12. Key capture
  • Security of the basic scheme depends on the adversary not knowing the key pool P
  • Suppose the adversary can compromise sensor nodes and read the keys off their key rings
  • E.g., the adversary captures node X and discovers key k. If nodes A and B were communicating using key k, the adversary can now eavesdrop although neither A nor B was compromised.
  • How can we improve resilience to node capture?

13. q-Composite Keys scheme
  • Require any 2 nodes to share at least q keys to communicate
  • Adversary must discover all q keys to eavesdrop
  • To maintain probability of communication between any 2 nodes = p, must reduce the size of the key pool (samples from a smaller pool are more likely to overlap)
  • Smaller key pool → keys are more likely to be reused

14. Resilience vs node capture (figure)
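Slides 10 through 14 state the two quantities that drive the design: the probability p that two random key rings overlap (at least q keys for q-composite), and the fraction of links between uncaptured nodes that fall once an adversary has read some rings. The Python below is an added example, not code from Eschenauer and Gligor or from the q-composite paper; it computes p exactly by the counting argument and then simulates a small deployment with node capture. Key ids stand in for 128-bit keys, and the pool, ring and capture sizes are constructed for illustration.

```python
from math import comb
import random


def share_probability(pool_size, ring_size, q=1):
    """Probability that two rings of ring_size keys, each drawn without
    replacement from a pool of pool_size keys, share at least q keys.

    Fix ring A. Ring B shares exactly i keys with A when it takes i of A's
    m keys and m-i of the other P-m keys, so
    P(exactly i) = C(m, i) * C(P-m, m-i) / C(P, m)."""
    total = comb(pool_size, ring_size)
    p_exactly = [comb(ring_size, i) * comb(pool_size - ring_size, ring_size - i) / total
                 for i in range(ring_size + 1)]
    return sum(p_exactly[q:])


def deploy(n_nodes, pool_size, ring_size, rng):
    """Give every node a random key ring drawn from the pool. The pool is the
    secret the whole scheme rests on; each ring is a sample of it."""
    return [frozenset(rng.sample(range(pool_size), ring_size)) for _ in range(n_nodes)]


def links(rings, q=1):
    """Pairs of nodes that can set up a link: they share at least q keys."""
    n = len(rings)
    return [(i, j) for i in range(n) for j in range(i + 1, n)
            if len(rings[i] & rings[j]) >= q]


def compromised_fraction(rings, link_list, captured):
    """Fraction of links between *uncaptured* nodes that an adversary holding
    the rings of `captured` nodes can read. The link key is derived from all
    keys the endpoints share (one in the basic scheme, q or more in
    q-composite), so a link falls only when every shared key is known."""
    known = set().union(*(rings[c] for c in captured)) if captured else set()
    safe = [(i, j) for i, j in link_list if i not in captured and j not in captured]
    broken = sum(1 for i, j in safe if (rings[i] & rings[j]) <= known)
    return broken / len(safe) if safe else 0.0


def simulate(n_nodes, pool_size, ring_size, n_captured, q=1, seed=0):
    """Deploy, capture n_captured random nodes, and report predicted vs
    observed connectivity and the resulting compromised-link fraction."""
    rng = random.Random(seed)
    rings = deploy(n_nodes, pool_size, ring_size, rng)
    link_list = links(rings, q)
    captured = set(rng.sample(range(n_nodes), n_captured))
    return {
        "p_predicted": share_probability(pool_size, ring_size, q),
        "p_observed": len(link_list) / comb(n_nodes, 2),
        "compromised": compromised_fraction(rings, link_list, captured),
    }


if __name__ == "__main__":
    # Constructed parameters giving roughly the same p (about 0.8) for both
    # schemes: q=2 forces the smaller pool, and a smaller pool means each
    # captured ring exposes a larger fraction of it (slide 13's trade-off).
    print("basic       (P=1000, m=40, q=1):", simulate(200, 1000, 40, 10, q=1))
    print("q-composite (P=500,  m=40, q=2):", simulate(200, 500, 40, 10, q=2))
```

Running the two simulations with a few captured nodes versus many captured nodes reproduces the shape of the resilience curve on slide 14: q-composite holds up better against a handful of captures and degrades faster once the adversary has sampled a large part of the smaller pool.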

15. Duckling Key Establishment
  • Anderson and Stajano, IWSP '99
  • Problem: how can we set up keys in a ubiquitous computing environment?
    • Devices use wireless communication
    • How to set up a key between household devices and a PDA?
  • Solution: set up keys using a trusted communication channel
    • Physical contact establishes a secure channel

16. Duckling Security Model 1
  • Assumes wireless communication
  • Goals
    • Availability
      • Guard against jamming and battery exhaustion
      • "Sleep deprivation torture attack"
    • Secure transient association with device
      • Even in absence of a trusted server
      • Security associations keep changing, as devices change owners, or the owner changes controller

17. Duckling Security Model 2
  • Life cycle "similarities"
  • Life cycle of a device
    • Buy device in store
    • Unpack it at home
    • Device breaks or gets a new owner
  • Life cycle of a duckling
    • Duckling is in egg
    • When duckling hatches, first object is viewed as mother: imprinting
    • Duckling dies
  • Device ownership similar to duck's soul

18. Duckling Security Model 3
  • Device life cycle
    • Imprinting: device meets master when it wakes up
    • Reverse metempsychosis: device dies and gets a new owner
    • Escrowed seppuku: manufacturer can kill device to enable renewed imprinting
  • Physical contact establishes secure key during imprinting phase

19. PGP Web of Trust
  • Problem: how can we establish shared keys in an ad hoc network without a trusted PKI?
  • Approach: use the PGP web of trust approach
  • Jean-Pierre Hubaux, Srđan Čapkun and Levente Buttyán: The Quest for Security in Mobile Ad Hoc Networks, MobiHoc 2001

20. Distributed storage of local certificates (figure: nodes u and v)
  • Nodes issue certificates (sign others' keys), as in PGP
  • Each node stores the certificates that it issued (out-bound certificates) and the certificates that other nodes issued for it (in-bound certificates)

21. Creating the subgraphs (figure: nodes u and v)
  • Each node builds up its own out-bound and in-bound subgraphs
  • To establish secure communication, u and v merge their subgraphs and see if they intersect
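Slides 20 and 21 describe each node keeping only the certificates it issued and the certificates issued on its own key, then two nodes pooling those local repositories and looking for a chain from one to the other. The Python below is an added example, not code from the Hubaux, Čapkun and Buttyán paper; it models certificates as signed (issuer, subject) edges, stores them per node exactly as the slides state, and searches the merged graph for a certificate chain. The node names and the chain u → w → v are constructed for illustration.

```python
from collections import deque


class Node:
    """A node's local certificate repository: what it signed (out-bound)
    and what others signed about its key (in-bound)."""

    def __init__(self, name):
        self.name = name
        self.outbound = set()   # (issuer, subject) pairs this node issued
        self.inbound = set()    # (issuer, subject) pairs naming this node

    def subgraph(self):
        return self.outbound | self.inbound


def issue_certificate(issuer, subject):
    """issuer signs subject's public key; both parties store the certificate.
    A real certificate would carry the key and a signature; here the edge
    itself stands for the verified binding."""
    cert = (issuer.name, subject.name)
    issuer.outbound.add(cert)
    subject.inbound.add(cert)


def find_chain(u, v):
    """Merge u's and v's repositories and return a certificate chain
    u -> ... -> v, or None. Each hop (a, b) is a key of b certified by a,
    so u can verify v's key by checking the signatures along the chain."""
    adjacency = {}
    for issuer, subject in u.subgraph() | v.subgraph():
        adjacency.setdefault(issuer, []).append(subject)
    previous = {u.name: None}
    queue = deque([u.name])
    while queue:
        current = queue.popleft()
        if current == v.name:
            chain = []
            while current is not None:
                chain.append(current)
                current = previous[current]
            return chain[::-1]
        for nxt in sorted(adjacency.get(current, [])):
            if nxt not in previous:
                previous[nxt] = current
                queue.append(nxt)
    return None


def build_example():
    """Constructed scenario: u certified w, w certified v, and an unrelated
    node z holds no certificates that reach either side."""
    u, v, w, z = (Node(n) for n in "uvwz")
    issue_certificate(u, w)
    issue_certificate(w, v)
    return u, v, w, z


if __name__ == "__main__":
    u, v, w, z = build_example()
    print("u -> v chain:", find_chain(u, v))   # ['u', 'w', 'v']
    print("u -> z chain:", find_chain(u, z))   # None
```

Note what the merge buys: u alone holds only (u, w) and v alone only (w, v); neither can see the full chain until they exchange subgraphs. The flip side is that every hop is a trust decision, so a chain is only as good as the weakest signer on it, which is the trade-off the closing discussion slide asks about.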

22. Key Infection
  • Ross Anderson and Adrian Perrig, 2001
  • Goal: light-weight key setup among neighbors
  • Assumptions:
    • Attacker nodes have the same capability as good nodes
    • Attacker nodes less dense than good nodes
    • Attacker compromises a small fraction of good nodes
  • Basic key agreement protocol
    • A → *: A, K_A
    • B → A: {A, B, K_B}_K_A
    • K_AB = H(A | B | K_A | K_B)

23. Key Infection (figure: nodes A, B, M1–M4)
  • Broadcast keys with maximum signal strength

24. Key Whispering Extension (figure: nodes A, B, M1–M4)
  • Broadcast keys with the minimum signal strength needed to reach the neighbor

25. Secrecy Amplification (figure: nodes A, B, C, D, E)
  • A & B share K_AB, A & C share K_AC, etc.
  • Strengthen secrecy of K_AB into K'_AB
    • A → C: {B, A, N_A}_K_AC
    • C → B: {B, A, N_A}_K_CB
    • B → D: {A, B, N_B}_K_BD
    • D → E: {A, B, N_B}_K_DE
    • E → A: {A, B, N_B}_K_AE
    • K'_AB = H(K_AB | N_A | N_B)
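The basic key-infection exchange on slide 22 and the secrecy amplification on slide 25 are both small enough to run end to end. The Python below is an added example, not code from Anderson and Perrig; it plays both sides of each exchange and checks that A and B derive the same K_AB and then the same K'_AB. The `{...}_K` notation is modelled by a toy authenticated wrap (SHA-256 keystream plus HMAC) constructed for this example, not a recommended cipher; node ids are 4 bytes and keys 16 bytes so the fields parse without separators, and all ids, keys and nonces are constructed values.

```python
import hashlib
import hmac
import os

ID_LEN, KEY_LEN = 4, 16


def H(*parts):
    """Key derivation hash, e.g. H(A | B | K_A | K_B) on slide 22."""
    return hashlib.sha256(b"".join(parts)).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(key, payload):
    """Toy model of {payload}_key: keystream XOR plus an HMAC tag (constructed)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(payload, _keystream(key, nonce, len(payload))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def basic_key_agreement(a_id, b_id, k_a, k_b):
    """Slide 22. Returns (K_AB as computed by A, K_AB as computed by B)."""
    # A -> *: A, K_A   -- a plaintext broadcast; any node in range learns K_A
    broadcast_a, broadcast_key = a_id, k_a
    # B -> A: {A, B, K_B}_K_A
    reply = wrap(broadcast_key, broadcast_a + b_id + k_b)
    # A decrypts the reply and both sides derive K_AB = H(A | B | K_A | K_B)
    plain = unwrap(k_a, reply)
    a_seen, b_seen, k_b_seen = plain[:ID_LEN], plain[ID_LEN:2 * ID_LEN], plain[2 * ID_LEN:]
    return H(a_seen, b_seen, k_a, k_b_seen), H(a_id, b_id, k_a, k_b)


def relay(payload, hop_keys):
    """Forward a message along a path: each node unwraps with the key it
    shares with the previous hop and rewraps with the key for the next."""
    blob = wrap(hop_keys[0], payload)
    for k_prev, k_next in zip(hop_keys, hop_keys[1:]):
        blob = wrap(k_next, unwrap(k_prev, blob))
    return unwrap(hop_keys[-1], blob)


def secrecy_amplification(a_id, b_id, k_ab, n_a, n_b, keys_a_c_b, keys_b_d_e_a):
    """Slide 25. N_A travels A -> C -> B under K_AC then K_CB; N_B travels
    B -> D -> E -> A. Returns (K'_AB at A, K'_AB at B)."""
    n_a_at_b = relay(b_id + a_id + n_a, keys_a_c_b)[2 * ID_LEN:]
    n_b_at_a = relay(a_id + b_id + n_b, keys_b_d_e_a)[2 * ID_LEN:]
    return H(k_ab, n_a, n_b_at_a), H(k_ab, n_a_at_b, n_b)


if __name__ == "__main__":
    A, B = b"nodA", b"nodB"
    k_a, k_b = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    k_ab_a, k_ab_b = basic_key_agreement(A, B, k_a, k_b)
    print("K_AB agreed:", k_ab_a == k_ab_b)
    # Constructed neighbor keys from earlier infections (slide 25's K_AC etc.)
    k_ac, k_cb, k_bd, k_de, k_ea = (os.urandom(KEY_LEN) for _ in range(5))
    n_a, n_b = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    k1, k2 = secrecy_amplification(A, B, k_ab_a, n_a, n_b, [k_ac, k_cb], [k_bd, k_de, k_ea])
    print("K'_AB agreed:", k1 == k2, "and differs from K_AB:", k1 != k_ab_a)
```

The code makes the slide's threat model concrete: K_A goes out in the clear, so a node that overheard A's broadcast can unwrap B's reply and compute K_AB, which is what whispering (slide 24) limits by reach. Amplification then mixes in nonces carried over independent paths; K'_AB stays secret unless the same adversary also covered a link on the A-C-B path and one on the B-D-E-A path, which the density assumption on slide 22 makes unlikely.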

26. Key Infection Summary
  • Highly efficient
  • Detailed analysis in progress
  • Preliminary simulation results:
    • Nodes uniformly distributed over a plane
    • D (density): average # of nodes within radio range
    • # of attacker nodes = 1% of good nodes
    • Table shows fraction of compromised links (table not in transcript)

27. Discussion
  • Trade-offs
    • Trust perimeter and security?
    • Security and management?
