
Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment in Sensor Networks

Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig. Carnegie Mellon University.


Presentation Transcript


  1. Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment in Sensor Networks
     Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig
     Carnegie Mellon University

  2. How do nodes receive cryptographic keys?
     • “Distribution is simple; nodes are loaded with the shared key before deployment.” (TinySec)
     • …send the key in the clear “thus resulting in a brief moment of vulnerability.” (ZigBee)
     [Timeline figure; labels: INSENS, SPINS, TinySec, MiniSec, Eschenauer and Gligor, ZigBee; years: 2002, 2003, 2004, 2005, 2006]

  3. Potential approach – Factory installation

  4. Potential approach – Physical interface
     • Properties achieved
       • Secrecy
       • Ease of use
     • But…
       • Batch deployment remains a tedious task
       • USB interface will not exist on many commodity nodes
       • Sensors deployed in harsh environments
       • USB interfaces are expensive

  5. An ideal practical solution
     • No physical interface
       • No USB connectors, screens, or keypads
     • Deploy keys wirelessly
       • Resistant to eavesdropping and injection attacks
     • Key deployment by end users
       • End users are not security experts
     • Batch deployment for multiple nodes
       • Scales for large deployments

  6. Agenda • Motivation • Problem definition • Single node key deployment • User study • Batch deployment

  7. Agenda • Motivation • Problem definition • Single node key deployment • User study • Batch deployment

  8. Problem definition (1/2)
     • Securely set up a shared secret between a base station and a new node
     • Key secrecy
       • Attacker cannot compromise shared secret
     • Key authenticity
       • New node receives the key that base station intended it to receive
     • Demonstrative identification
       • Users are certain which devices are communicating

  9. Problem definition (2/2)
     • Robust to user error
       • Fail safe - human error results in failure to set up a key, not key compromise
     • Cost effective
       • Does not require additional hardware on each node
     • No asymmetric cryptography
       • Even asymmetric crypto schemes need one authenticated value

  10. Assumptions
      • Installer
        • Trusted
        • Not expert
      • Base station
        • Trusted
        • Generates keys
      • Sensor node
        • Unmodified hardware
        • Loose time synchronization
        • Unmodified software

  11. Strong attacker model
      • Dolev-Yao
        • Overhear, intercept, modify, reorder, and send arbitrary messages
        • Before, during, and after key deployment
      • More powerful malicious device deployed around vicinity of nodes
        • Higher antenna gain
        • Faster processor

  12. Agenda • Motivation • Problem definition • Single node key deployment • User study • Batch deployment

  13. How to send key wirelessly to new node?
      • Attacker eavesdrops on key!
      [Diagram: Base station, Keying Device, New Node, Attacker; key KM]

  14. Shielded messages
      • Need some type of isolation
      • Faraday cage approach proposed by Castelluccia and Mutaf, 2005
      [Diagram: Keying Device, New Node; key KM]

  15. Why isn’t a Faraday cage sufficient? • How does installer know when to open cage? • How does installer know cage is closed? • What happens if Faraday cage is imperfect? • How does installer know if node has correct key?

  16. How does installer know when to open cage?
      [Diagram: Keying Device, New Node, Faraday Cage]

  17. How does installer know when to open cage?
      [Diagram: Keying Beacon, Keying Device, New Node, Faraday Cage]

  18. Keying beacon interacts with user
      • Solid blue - performing key deployment
      • Blinking blue - done
      [Diagram: Keying Beacon, Keying Device, New Node, Faraday Cage]

  19. Keying beacon interacts with user
      • Solid blue - performing key deployment
      • Blinking blue - done
      [Diagram: Keying Beacon, Keying Device, New Node, Faraday Cage]

  20. Why isn’t a Faraday cage sufficient? • How does installer know when to open cage? • How does installer know cage is closed? • What happens if Faraday cage is imperfect? • How does installer know if node has correct key?

  21. Authenticated heartbeats
      • How do nodes know when cage is closed?
      [Diagram: Keying Beacon, Keying Device, New Node, Faraday Cage]

  22. Authenticated heartbeats
      • Authenticated heartbeats determine whether cage is closed
      [Diagram: Keying Beacon, Keying Device, New Node, Faraday Cage]

  23. Why isn’t a Faraday cage sufficient? • How does installer know when to open cage? • How does installer know cage is closed? • What happens if Faraday cage is imperfect? • How does installer know if node has correct key?

  24. What if cage leaks?
      [Diagram: Keying Beacon, Keying Device, New Node, Faraday Cage]

  25. What if cage leaks?
      • Solution 1: Keying beacon eavesdrops (“I hear shielded messages!”)
      [Diagram: Keying Beacon, Keying Device, New Node, Faraday Cage]

  26. How leaky is cage?
      • Lcage: Attenuation of cage (dBm)
      • Strong attenuation (large negative number)
        • Attacker cannot overhear shielded messages
      • Weak attenuation (small negative number)
        • Attacker can overhear shielded messages
        • Keying beacon can also detect leaked messages
      • In order for leaking to go undetected…
        • Attacker needs a sweet spot
        • Based on our setup: -66 dBm
      [Diagram: Faraday Cage]

  27. How far away does attacker have to be?
      • RSe: Eavesdropper's required radio sensitivity
        • Attacker antenna gain of 10dBm
      • Pt: Transmit power of keying device, at minimum power
      • Lcage: Attenuation of cage
      • dmin: Distance of eavesdropper
      • If cage leaks, attacker needs to be within 19cm

  28. What if cage leaks?
      • Solution 2: Keying beacon jams at full power
      • Leaked messages overpowered by jamming signal
      [Diagram: Keying Beacon, Keying Device, New node, Faraday Cage]

  29. How do nodes know jammed at correct time?
      • Requires loose time synchronization
      [Diagram: Keying Beacon, Keying Device, New node, Faraday Cage]

  30. Summary: Protecting shielded messages • Faraday cage attenuates shielded messages • Shielded messages sent at minimum power • Keying beacon jams at full power

  31. Why isn’t a Faraday cage sufficient? • How does installer know when to open cage? • How does installer know cage is closed? • What happens if Faraday cage is imperfect? • How does installer know if node has correct key?

  32. How does installer know if node has correct key?
      [Diagram: Keying Beacon, Keying Device, New Node, Faraday Cage; labels: KM, Chal, MAC, Rsp]

  33. How does installer know if node has correct key?
      [Diagram: Keying Beacon, Keying Device, New node, Faraday Cage; label: KM]

  34. Key verification
      • Rsp’ = Rsp
      [Diagram: Keying Beacon, Keying Device, New node, Faraday Cage; labels: KM, Chal, MAC]

  35. What if there was an error?
      • Easy for user to detect
      • Fail-safe
      • Rsp’ != Rsp
      [Diagram: Keying Beacon, Keying Device, New node, Faraday Cage; labels: KM’, KM]

  36. Summary: Single node key deployment
      • Installer places…
        • New Node and Keying Device inside Faraday cage
        • Keying Beacon outside Faraday cage
      • Keying Device and Beacon exchange authenticated heartbeats to determine whether cage is closed
      • Installer closes cage…
        • Key exchange inside cage (Shielded messages)
        • Beacon jams at full power
      • Beacon notifies installer to open cage
      • Key verification
        • Compares jamming schedule
        • Challenge response protocol
      • Beacon signals to installer whether keying was successful

  37. Agenda • Motivation • Problem definition • Single node key deployment • User study • Batch deployment

  38. User study

  39. Agenda • Motivation • Problem definition • Single node key deployment • User study • Batch deployment

  40. Batch deployment
      [Diagram: Keying Beacon, New Nodes, Keying Device, Faraday Cage; keys K1, K2, K3]

  41. Same questions apply for batch deployment
      • How does installer know when to open cage?
        • Keying might take variable time!
        • Need to determine number of nodes in batch
      • How does installer know cage is closed?
        • Authenticated heartbeats
      • What happens if Faraday cage leaks signal?
        • Beacon jams at full power
      • How does installer know if node has correct key?
        • Key verification

  42. Batch deployment
      [Diagram: Keying Beacon, New Nodes, Weight Scale, Keying Device, Faraday Cage]

  43. Batch deployment
      • Same protocol from user’s perspective
      • # nodes = Weight / Unit weight
      • Heartbeat: Weight
      [Diagram: Keying Beacon, New Nodes, Weight Scale, Keying Device, Faraday Cage]

  44. Related Work
      • Physical interface
        • Resurrecting Duckling [Stajano 01]
        • Seeing is Believing [McCune 04]
      • Other side channel as sensors
        • Talking to Strangers [Balfanz 03]
        • Shake Them Up [Castelluccia 05]
      • Requires pre-existing information
        • Integrity code [Cagalj 06]
      • Insecure
        • Key Infection [Chan 03]

  45. Conclusion
      • Key deployment
        • Hard problem
        • Not currently addressed for highly secure environments
        • Needed by all secure sensor network protocols
      • Message-in-a-Bottle
        • Secure
        • Robust to user error
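
The key verification step from slides 32 to 35, as an added example that is not from the presentation or the authors' implementation: the beacon sends a fresh challenge, the node answers with a MAC under the key it received, and any mismatch (such as a corrupted KM') is reported as failure. HMAC-SHA256, the 16-byte challenge, the class and function names, and the beacon already holding KM are assumptions; the slides name only Chal, MAC and Rsp.

```python
import hashlib
import hmac
import secrets

# Added example. Assumptions (not from the slides): HMAC-SHA256 as the MAC,
# a 16-byte random challenge, and a beacon that already holds KM.

def mac(key: bytes, chal: bytes) -> bytes:
    return hmac.new(key, b"key-verify|" + chal, hashlib.sha256).digest()

class NewNode:
    """Holds whatever key bytes arrived in the shielded message."""
    def __init__(self, received_key: bytes):
        self.key = received_key

    def respond(self, chal: bytes) -> bytes:
        return mac(self.key, chal)               # Rsp = MAC_K(Chal)

class KeyingBeacon:
    def __init__(self, km: bytes):
        self.km = km
        self.pending = None                      # challenge awaiting a response

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)   # fresh Chal per attempt
        return self.pending

    def verify(self, rsp: bytes) -> bool:
        chal, self.pending = self.pending, None  # each Chal is single-use
        if chal is None:
            return False                         # no outstanding challenge: fail
        expected = mac(self.km, chal)            # Rsp' computed locally
        return hmac.compare_digest(expected, rsp)  # Rsp' == Rsp ?

def keying_succeeded(km: bytes, key_at_node: bytes) -> bool:
    """One verification round; False means signal failure and re-key the node."""
    beacon, node = KeyingBeacon(km), NewNode(key_at_node)
    return beacon.verify(node.respond(beacon.challenge()))

def replay_accepted(km: bytes) -> bool:
    """A response recorded in an earlier round must not verify in a later one."""
    beacon, node = KeyingBeacon(km), NewNode(km)
    old_rsp = node.respond(beacon.challenge())
    assert beacon.verify(old_rsp)                # first round succeeds
    beacon.challenge()                           # new round, new Chal
    return beacon.verify(old_rsp)

if __name__ == "__main__":
    km = secrets.token_bytes(16)                 # constructed sample key
    km_bad = bytes([km[0] ^ 0x01]) + km[1:]      # KM' with one flipped bit
    print(keying_succeeded(km, km), keying_succeeded(km, km_bad), replay_accepted(km))
```

Every failure path returns False, which matches the fail-safe property on slide 9: an error ends in a node that is not keyed, never in a node the beacon reports as keyed with the wrong key.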
