140 likes | 155 Views
On Concealed Data Aggregation for Wireless Sensor Networks. Steffen Peter Peter Langendörfer, Krzysztof Piotrowski. Outline. Concealed Data Aggregation? What does it mean? What is it for? Privacy homomorphism Example for an efficient CDA scheme CaMyTs-Algorithm
E N D
On Concealed Data Aggregation for Wireless Sensor Networks Steffen Peter Peter Langendörfer, Krzysztof Piotrowski
Outline • Concealed Data Aggregation?What does it mean? What is it for? Privacy homomorphism • Example for an efficient CDA scheme CaMyTs-Algorithm • Discussion of security propertiesAwareness to passive and active attacks • Solution to overcome security problemsCascaded privacy homomorphism • Conclusions
Scenario: WSN as movement/intruder detection Q: Sensed something since last request?
In-Network-Aggregation (INA) 1 Without INA: With INA: 1 1,0 1,0,0,0 1 0 0 0,0 0 0 1 1,0 1 1,0,0,0,1,0,1,0 3 1,2 3 0 1,0,1,0 2 1 1,0 1 0 Reduced packet traffic
Security Issues of in-network aggregation • Without cryptography No security • Classic End-to-End security (DES, AES, ECC) Encryption on sensor – decryption on sink + Very secure - No possibility of in-network aggregation • Hop-by-Hop encryption Packets are encrypted and decrypted on every routing node + In-network aggregation possible - No End-to-End security every routing node knows and can change every plaintext
Concealed (In-netwok) Data Aggregation • We need: End-to-End security that allows aggregation on routing nodes = Routing nodes do not know what they aggregate = Ability to compute with encrypted values Only sink node can decrypt the aggregated value • Solution:Privacy Homomorphism Encryption Encryption Value1 Value2 Encryption Value1 + Value2
CaMyTs (Castelluccia, Mykletun, Tsudik) Encryption: 1+15=16 (mod 32) Random Stream 1: 15 22 6 Random Stream: 15 22 6 Aggregation: 16+30+28 =74 =10 (mod 32) Random Stream 2: 30 9 11 Value: 1 Random Stream 3: 27 2 29 16 0+30=30 (mod 32) Random Stream: 30 9 11 10 30 Value: 0 Decryption: 10 - 15 – 30 - 27 = -62 =2 (mod 32) = 1 + 0 + 1 28 Random Stream: 27 2 29 Decryption: 16 – 15 = 1 Value: 1 1+27=28 (mod 32)
Attack Scenarios • Passive Attacks Eavesdropping Ciphertext analysis Chosen/known plaintext attacks • Active Attacks Unauthorized aggregation Forged packets Replay attacks Malleability
Active Attack - Replay Value: 1 (Previous: 0+15=15) 1+22=23 • ATTACK 1: • Take previous packet? • 15 insteadof 23 • wrongkey Key Stream: 15 22 6 23 9 15 Value: 0 Key: 9 Attack 1: 26-34 24 no plausible value 0+9=9 26 20 3 9 Decr: 3-34 1 Attack 2: 20-34 18 no plausible value • ATTACK 2: • Take packet fromanothernode? • 9 insteadof 23 • wrongkey Value: 0 Key: 2 2 0+2=2
Active Attack - Malleability Value: 1 Key: 15 Encryption: 1+15=16 Key1: 15 Key2: 30 Key3: 27 Aggregation: 16+30+27 =73 =9 (mod 32) Decryption: 9 -15 – 30 - 27 = -62 = 1 (mod 32) = Alert 16 8 Value: 0 Key: 30 Encryption: 0+30=30 -63 8 0 9 30 NO ALERT • ATTACK: • Catch 9 • Subtract 1 (9-1=8) • Send 8 insteadof 9 Value: 0 Key: 27 27 Encryption: 0+27=27
Increase Security – Combination of two PHs Encryption 2 Domingo-Ferrer Encryption 2 Domingo-Ferrer Encryption 1 CaMyTs Encryption 1 CaMyTs Value1 Value2 Value1 Value2 Domingo-Ferrer Encryption 2 CaMyTs Encryption 1 Value1 + Value2 Value1 + Value2
Conclusions • Concealed Data Aggregation in WSNs is required Reduced network traffic End-to-End security • Concealed Data Aggregation in WSNs is possible Computation overhead is reasonable (e.g. with CaMyTs, DF) • There is not one perfect CDA schemeThere are still some security issues (e.g. integrity) Trade-off security/computation effort Evaluation helps selecting application-fitted scheme • Combined (cascaded) privacy homomorphism increases security with very low additional costs (e.g. CaMyTs/DF)