220 likes | 327 Views
Secure Aggregation for Wireless Networks. Lingxuan Hu David Evans [lingxuan, evans]@cs.virginia.edu http://swarm.cs.virginia.edu Department of Computer Science University of Virginia Charlottesville, VA. Scenario. High-power base station.
E N D
Secure Aggregation for Wireless Networks Lingxuan Hu David Evans [lingxuan, evans]@cs.virginia.edu http://swarm.cs.virginia.edu Department of Computer Science University of Virginia Charlottesville, VA
Scenario High-power base station Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly Hu & Evans
Scenario High-power base station Transmitting each message all the way to the base station wastes resources. Hu & Evans
Data Aggregation If you only care about average, max, etc., aggregate data inside the network instead of sending it to the base station. Hu & Evans
Integrity of Data Compromised Node With data aggregation, authentication becomes harder. Hu & Evans
Problem Can we provide the power-saving benefits of in-network data aggregation but limit the amount of damage a single compromised node can do? Rest of Talk: • Background: Inexpensive Authentication without Aggregation • Secure Aggregation • Security and Cost Analysis • Scalable Solution Hu & Evans
Cryptographic Hash Chains f f f x f (x) f (f (f (x))) f (f (x)) f is a one-way function: easy to calculate f(x), but difficult to invert f. time Initially store: K0 = f4(x) K1 = f3(x) verify f (K1) = K0 K2 = f2(x) verify f (K1) = K0 Hu & Evans
µTesla [Perrig, et. al., 2002] • Initially: sensor nodes know K0 = fn(x) base station knows x • Base station messages encrypted using K1 = fn-1(x) • Nodes store and time stamp messages, but cannot decrypt them (yet) • At time t1, base station broadcasts K1 • Nodes verify f (K1) = K0 • Nodes use K1 decrypt earlier messages • Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed Hu & Evans
Node Authentication • Before deployment, establish a shared symmetric secret key between each node and base station: KNS • Send readings with a MAC: RA | MAC (KAS, RA) Assumes confidentiality of transmitted readings is not important. We are only concerned with integrity. Hu & Evans
Authenticated Sensor Net Each node transmits: N |RN | MAC (KNS, RN) Base station verifies MAC before accepting RN. Hu & Evans
Authenticated Data Aggregation A |RA | MAC (KAS, RA) C A B C |Aggr (RA, RB) | MAC (KCS, Aggr (RA, RB)) B |RB | MAC (KBS, RB) Hu & Evans
Secure Aggregation • Delayed Aggregation: Only aggregate messages after they have traveled one hop • Delayed Authentication: Use µTesla variation to reveal children’s keys to parents to provide delayed authentication Hu & Evans
Protocol Example IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD) | MAC (KGi, Aggr (RA, RB, RC, RD)) G IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB)) IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD)) F E D IDB | RB | MAC (KBi, RB) IDA | RA | MAC (KAi, RA) C KAi is the ith key in a µTesla key chain starting from KAS A B Hu & Evans
IDG | Aggr (Aggr (RA, RB), Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD) | … (same from right side) | MAC (KHi, Aggr (RA, RB, RC, RD, . . . readings from right side)) H IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD) | MAC (KGi, Aggr (RA, RB, RC, RD)) IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD)) G IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB)) F E D IDA | RA | MAC (KAi, RA) IDB | RB | MAC (KBi, RB) C A B Hu & Evans
Data Transmission Summary • Children send their data reading and MAC (using KNi) to their parents. • Parents forward the data and MACs they receive to grandparents, along with a calculated MAC of the aggregation • Grandparents forward MACs and aggregate values from parents and a calculated MAC of aggregation Hu & Evans
Data Validation • At some later time, the Base Station reveals KNi for each node N that transmitted data, along with MAC (Ki, KNi) • The parent of N uses KNi to verify MAC (KNi, RN) • Nodes increment i to use the next µTesla key • The Base Station broadcasts Ki (which nodes verify) and advances to the new µTesla key Hu & Evans
Abridged Attack Analysis • Intruder Node (no key material) • Cannot forge sensor readings: they will be detected when the base station reveals the node MAC keys • Replay attacks ineffective: keys change, can only replay readings within this time period • Denial-of-service attack can succeed (but alerts operator) • Compromised Node (all keys on one node) • Can lie about its own reading • But, cannot alter other nodes readings without getting caught: aggregate will not match calculated aggregate at next level Hu & Evans
Successful Attacks • Compromised node selectively drops child readings • Nothing to prevent this (but unlikely to change much without base station noticing) • Can use child snooping to catch it earlier • Compromise two consecutive (parent and grandparent) nodes • Can forge readings for entire subtree Hu & Evans
Communication Cost • Total Kilobytes Transmitted Sensor reading: 22 bytes MAC of message: 8 bytes Ideal binary network • Sensor Nodes Secure Aggregation requires about 3 times the amount of data transmission as Insecure Aggregation, but provides integrity with < ½ the cost of no aggregation. Hu & Evans
Scalability • Base station must broadcast next node key for every node • To scale to larger sensor networks, use local µTesla between parent-child • Need base station to validate start of hash chain • Two µTESLA keys are used each time, one for immediate authentication, and another for later authentication: AParentIDA | RA | KA1| MAC (KA2, RA) Authenticate reading later Authenticate the origin of message (node A) immediately Hu & Evans
Summary / Moral (?) • With our protocol, you can get authenticated results without trusting your children at all, and trusting your parents and grandparents not to conspire together against you. • Not trusting your children is reasonable (inexpensive) • Not trusting your parents is expensive: requires over twice the resources of the insecure aggregation protocol http://swarm.cs.virginia.edu Hu & Evans