Mitigating Sandwich Attacks against a Secure Key Management in WSNs for PCS/SCADA
Hani Alzaid, DongGook Park, Juan Gonzalez, and Ernest Foo
Key Management in WSNs for PCS/SCADA
• Introduction.
  • WSNs & SCADA.
• Related Work.
  • Nilsson et al.’s & Alzaid et al.’s schemes.
• Sandwich Attack.
• Performance Analysis
  • Memory overhead, communication cost, & computation cost.
• Conclusion
Introduction: WSNs
[Figure: sensor node components. Labels: 1 Kbps - 1 Mbps, 3-100 Meters, Transceiver, Embedded Processor, Memory, Limited Storage, Slow Computations, Sensors, Battery, Limited Lifetime]
Introduction: SCADA
[Figure: SCADA architecture. Labels: Master Center, Fiber Optics, Gateways, Network Manager, Radio, IEDs, Human Interaction, Remote field, Database Storage, Satellite, Sensors, Processing Servers, Separate Subnet, Communication Systems, Historian]
Related Work
• Several papers proposed key management designs for SCADA.
• They use heavy cryptographic mechanisms.
• They do not consider the integration of WSNs with SCADA.
• The works that do consider the integration are those proposed by Nilsson et al. and Alzaid et al.
Related Work – Nilsson et al.
• Nilsson et al. designed two key update protocols:
  • The 1st protocol updates the pairwise symmetric key between and .
  • The 2nd protocol updates the global or group key among and .
• They claimed that these protocols provide both forward and backward secrecy (past and future key secrecy). It is not the case!
Related Work – Nilsson et al.
• Node compromise attacks were not considered in Nilsson et al.
• The new group key is directly carried by the protocol messages, encrypted under the pairwise key.
• The value of the new pairwise key is determined by the sensor node.
• etc.
• Alzaid et al.’s scheme addressed these weaknesses.
Related Work – Alzaid et al.: Adversary Model
• The adversary can launch node compromise
  • All the credentials stored in sensors.
  • All the software code installed within the sensors, especially random number generation functions.
• It cannot compromise the network manager.
Related Work – Alzaid et al.: Security Requirements
• Past key secrecy: the past keys should not be compromised.
• Future key secrecy: the future keys should not be compromised.
The Proposed Key Management – The Group Key Update Protocol
[Figure labels: Past key secrecy, Future key secrecy, Reverse hash chain, Forward hash chain]
The Proposed Key Management – The Group Key Update Protocol (Protocol-1)
The Proposed Key Management – The Pairwise Key Update Protocol (Protocol-2)
Sandwich Attack – The Problem
• Alzaid et al.’s scheme suffers from a new kind of attack called “Sandwich Attack”.
• Suppose an attacker captures a node at
  • are revealed.
  • All the subsequent hash images of the forward hash chain (but not the reverse hash chain) can be computed.
Sandwich Attack – The Problem
• When the attacker captures another node at where .
  • The adversary is able to compute all the preimages of the reverse hash chain between .
  • Then, the attacker can compute all the group keys from to by computing:
Sandwich Attack
[Figure: forward hash chain and reverse hash chain. Value labels: unknown, unknown, unknown, unknown, unknown]
Sandwich Attack
[Figure: forward hash chain and reverse hash chain. Value labels: unknown, known, known, unknown]
Sandwich Attack – The Solution (Protocol-3)
• Break the reverse hash chain into smaller ones.
Sandwich Attack
• can play two strategies:
  • Replace Protocol-1 completely with Protocol-3.
    • Rerun Protocol-3 until receives 2nd message of the protocol from to ensure the reestablishment of the reverse hash chain.
  • Switch between Protocol-1 and Protocol-3 whenever it is needed.
• The choice between these two strategies depends on how much the Sandwich attack concerns the network designers.
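The exposure window described on the Sandwich Attack slides, and the effect of breaking the reverse hash chain, modelled as an added example (not code from the presentation or from the authors' scheme). It assumes SHA-256 as the hash, a group key derived as H(f_k || r_k), and a fresh random seed for each reverse-chain segment; all function names are hypothetical.

```python
import hashlib
import os

def H(*parts: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the scheme's hash function.
    return hashlib.sha256(b"".join(parts)).digest()

def forward_chain(n: int) -> list[bytes]:
    """f[k+1] = H(f[k]): whoever holds f[k] can derive every later value."""
    chain = [os.urandom(32)]
    for _ in range(n - 1):
        chain.append(H(chain[-1]))
    return chain

def reverse_chain(n: int, seg_len: int) -> list[bytes]:
    """r[k-1] = H(r[k]) inside a segment; each segment gets a fresh seed
    (assumed re-establishment). seg_len == n is the single unbroken chain."""
    chain = []
    for start in range(0, n, seg_len):
        seg = [os.urandom(32)]
        for _ in range(min(seg_len, n - start) - 1):
            seg.append(H(seg[-1]))
        chain.extend(reversed(seg))  # seed ends up at the segment's last epoch
    return chain

def exposed_epochs(n: int, seg_len: int, i: int, j: int) -> list[int]:
    """Epochs in [i, j] whose group key can be rebuilt from the chain values
    held by nodes captured at epochs i and j (i < j)."""
    f, r = forward_chain(n), reverse_chain(n, seg_len)
    # Assumed key derivation: K[k] = H(f[k] || r[k]).
    keys = [H(fk, rk) for fk, rk in zip(f, r)]
    fwd = {i: f[i]}                      # revealed by the first capture
    for k in range(i + 1, j + 1):
        fwd[k] = H(fwd[k - 1])           # walk the forward chain up to j
    rev = {j: r[j]}                      # revealed by the second capture
    for k in range(j - 1, i - 1, -1):
        rev[k] = H(rev[k + 1])           # walk the reverse chain down to i
    rev[i] = r[i]                        # also revealed by the first capture
    return [k for k in range(i, j + 1) if H(fwd[k], rev[k]) == keys[k]]

if __name__ == "__main__":
    print("unbroken chain :", exposed_epochs(20, 20, 3, 16))
    print("segments of 5  :", exposed_epochs(20, 5, 3, 16))
```

With one unbroken reverse chain every epoch between the two captures is exposed; with segments of five epochs the exposure shrinks to the capture epochs and the part of the last segment that precedes the second capture.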
Performance Analysis – Memory Overhead
Performance Analysis – Communication Cost
Performance Analysis – Computation Cost
Conclusion
• Lamport’s reverse hash chain as well as the usual hash chain are employed to ensure past and future key secrecy against node compromise.
• The whole value of the new group key is not delivered during a group key update.
• The Sandwich Attack is mitigated by breaking the reverse hash chain into shorter ones.
References
[1] Alzaid, Hani and Park, DongGook and Gonzalez Nieto, Juan and Boyd, Colin and Foo, Ernest. A Forward & Backward Secure Key Management in Wireless Sensor Networks for PCS/SCADA.
[2] Nilsson, Dennis K. and Roosta, Tanya and Lindqvist, Ulf and Valdes, Alfonso. Key management and secure software updates in wireless process control environments.
Questions