390 likes | 519 Views
Random Key Predistribution Schemes For Sensor Networks. Haowan Chen, Adrian Perigg, Dawn Song. Index . Introduction Basic Scheme Q-composite Scheme Multi path Key Reinforcement Scheme Random Pair wise Scheme Conclusion. Sensor Networks. What are Sensors ?
E N D
Random Key Predistribution Schemes For Sensor Networks Haowan Chen, Adrian Perigg, Dawn Song
Index • Introduction • Basic Scheme • Q-composite Scheme • Multi path Key Reinforcement Scheme • Random Pair wise Scheme • Conclusion
Sensor Networks • What are Sensors ? • A device that responds to physical stimulus (as heat, light, motion etc) and transmits a resulting measurement impulse • Revolutionizes information gathering and processing • Networking sensors: ability to coordinate among themselves on a larger sensing task
Applications • Real time traffic monitoring • Real time pollution and temperature monitoring • Building safety monitoring systems • Wild Life Monitoring and Tracking • Military sensing and tracking • Monitoring complex machinery and processes • Video surveillance
Sensor Network Limitations • Impracticality of public key cryptosystems • Vulnerability of nodes to physical capture • Nodes not tamper resistant (neighbor distrust) • Lack of a-priori knowledge of post deployment configuration • Limited memory resources • Limited bandwidth and transmission power • Over-reliance on base stations exposes vulnerabilities
Bootstrapping Security Requirements • Deployed nodes must be able to establish secure node to node communication • Scheme should be functional without involving the base station as arbiter or verifier • Additional legitimate nodes deployed at a later time can form secure connections with already-deployed nodes • Unauthorized nodes should not be able to establish communications with network nodes and thus gain entry into the network • The scheme must work without prior knowledge of which nodes will come into communication range of each other after deployment. • The computational and storage requirement of the scheme must be low, and the scheme should be robust to DoS attacks from out-of-network sources.
Evaluation Metrics In Key Setup Schemes • Resilience against node capture • Resistance against node replication • Revocation • Scale
Review Of “Basic Scheme” • Proposed by Eschenauer and Gligor • 4 phases - Initialization - Node Deployment - Key Setup - Path Key Generation
Initialization Phase • Pick a random set of keys S out of the total possible key space • “Key Ring” : for each node, randomly select m keys from S and store in node memory Criteria : two random subsets of size m in S will share at least one key with probability P
Deployment And Key Setup Phases • Sensor nodes are deployed • Key Setup Phase • key discovery: • a short identifier is assigned to each key before deployment • each node broadcasts its set of identifiers • verification: nodes containing shared keys in their “key rings” verify that neighbor actually holds key by challenge response protocol
Path Key Generation • A connected graph of secure links is formed • Nodes setup path keys with nodes in their vicinity whose share keys are not present in their key rings • Path can be found from source node to its neighbor from connected graph • Source node generates path key and sends it securely via the path to target node
Parameter choices for connected graph (Erdös-Rényis Formula) • For high graph connectivity during key-setup phase right parameters need to be picked • D -> degree for the vertices in graph such that graph is connected with a high probability c =0.999 • D = ((n-1)/n) (ln(n) – ln(-ln(c))) where n is network size • Probability of successful key setup with some neighbor, p = (d/n’) where n’ is expected no. of neighbors
Q-composite scheme : An improved “Basic Scheme” • Initialization same as Basic Scheme but with different size of selected key pool S • In Key Setup Phase, key discovery is more secure, using Merkle Puzzles • In Key Discovery every node identifies every neighbor node with which it shares at least ‘q’ keys • Link Key K is generated as a hash of all shared q’ keys, where q’ >= q eg : K = hash( k1 ll k2 ll k3 ll….ll kq’ ) • Key Setup is not performed between nodes that share fewer than q keys
Key Pool Size Computation- A Tradeoff • amount of key overlap required for key setup is q (increased from 1 in Basic) • Hence exponentially harder for adversary with a given key set to break a link • But to preserve probability of two nodes sharing sufficient keys to establish a secure link, size of key pool S to be reduced • Reduced pool size allows attacker to gain larger sample of S by breaking fewer nodes • Optimum overlap – best security !!
Evaluation: Pool Size Computation M = 200 keys P = 0.5 Observation : For Optimal Choice of key overlap, expected no. of nodes to be captured for eavesdropping (0.1 probability) is high
Pool Size Computation • P(i) -> no. of ways to choose two key ring with i common keys • Pconnect -> probability of any two nodes sharing sufficient keys to form a secure connection • Then p(i) is given as : Pconnect = 1 – (p(0) + p(1) +…..+p(q-1)) For minimum key overlap q and min. connection probability p, choose largest ISI such that pconnect >= p
Evaluation Metric : resilience against node capture by calculating the fraction of links in the network that an attacker is able to eavesdrop on indirectly as a result of recovering keys from captured nodes
Evaluation Metric : estimation of max. supported size of network given certain security properties hold
Multipath Key Reinforcement – An Add On to “Basic Scheme” • Initial Key Setup using Basic Scheme • Now, consider the secure link between nodes A and B after key-setup • This link is secured using a single key k from pool S
Problem • Problem - k may be present in key ring memory of some other nodes • If any of these nodes are captured, security of A->B is in jeopardy • Solution : update communication key to a random value after key – setup • Coordinate key update over multiple independent paths
Multipath Key Update • Assumption : j be the no. of disjoint paths between A and B created during key setup • Node A generates j random values v1,v2…vj of same length as shared key • Each value is routed along a different path to B and when B receives all j keys, new link key is computed as: k’ = k + v1 + v2 + ….+ vj • Long paths are not suitable • 2-hop multipath key reinforcement is optimal • Discovery overhead is minimized
Evaluation Metric : Resistance against node capture Observation : reinforced basic scheme works best
Evaluation Metric : Maximum Supportable Network Sizes Observation : Multipath Key Reinforcement gives boost when implemented with basic scheme
Random-pairwise keys scheme • In all schemes so far, no node can authenticate the identity of a neighbor it is communicating with • Ex. A shares some set of keys with B • It is possible that C could also posses this key • Hence, A does not know if is communicating with B for sure
Node to node authentication • Possible if a node can ascertain the identity of the nodes that it is communicating with • Useful in many cases: • Detecting node misbehavior • Resisting node replication attack • Shift security functions away from the base station
Random pairwise scheme: properties • Perfect resilience against node capture • Node to node identity authentication • Distributed node revocation • Resistance to node replication • Comparable scalability
Random pairwise scheme: description • To achieve the probability p described by ER formula, in a network of n nodes: • Each node need only store a random set of nppairwise keys (instead of n-1) • Thus, if node can store m keys, network size n=m/p • “n should increase with increasing m and decreasing p”
Phase 1: Initialization • n=m/punique node identities generated • Each node identity matched with m other randomly selected distinct node IDs • Pairwise key generated for each pair of nodes • Along with ID of other node that also knows the key, key is stored at both nodes
Phase 2: Key Setup • Each node broadcasts node ID to immediate neighbors • By searching in each others key rings, neighboring nodes can tell if they share a common pairwise key • Cryptographic handshake performed between neighbors to accept the fact that they both have knowledge of key
Multihop range extension • Key discovery involves much less traffic than random key predistribution • Hence can have nodes rebroadcast node ID for certain number of hops
Multihop range extension • Has impact on maximum supportable network size n • n=mn’/d (as seen earlier,p=d/n’, n=m/p) • Since n’ increases, maximum network size n also increases • Should be used with caution: since message rebroadcast is performed without authentication/verification: can lead to potential DoS attacks • To prevent, can remove multihop range extension, as is not required for random pairwise scheme
Support for Distributed Node Revocation • Node revocation in random pairwise possible via base stations (but is slow) • Assumption: mechanism present in each sensor to detect if neighboring nodes have been compromised • Nodes broadcast public votes against a detected misbehaving node. • If any B observes more than threshold number t of public votes against A, then B breaks off all communication with A • Voting scheme, voting members
Support for Distributed Node Revocation • Scheme 1: Consider any node A in the network; there are m nodes matched with it • These are voting members for A • Each assigned a random voting key Ki • Each also knows hashes of other nodes’ keys • Nodes compute hash of Ki to verify vote • Increases memory requirement to O(m2)
Support for Distributed Node Revocation • Scheme 2: Merkle tree mechanism: O(log m) computation per output (fractal traversal) • Only a single verifying hash value (root) needs to be stored • Drawback: necessary to remember which nodes already traversed, to avoid replay votes
Threshold issues • t should be • Low enough that unlikely that any node has degree < t • High enough that compromised nodes cannot revoke legitimate nodes
Broadcast Mechanism • Voting scheme uses naïve broadcast, vulnerable to DoS attack • Network of voting members form random graph with almost same (high) probability of being connected as original network (mn’/n)
Resisting revocation attack • To prevent widespread release of revocation keys by compromised nodes, only nodes that have established direct communication with a node B have ability to revoke B • Done by distributing revocation keys to voting members in deactivated form, source node knows secret SBi, which voting members request during key discovery and setup
Resistance against node replication/node generation • To be resistant to addition of infiltrator nodes derived form captured nodes, in case of capture being undetected by the network • Degree of a node limited to counter replication • Method for degree counting implemented with public vote counting, thus a node able to track nodes which share pairwise keys with it
Conclusion • Efficient bootstrapping of secure keys important for secure sensor networks • Tradeoffs exist in each scheme, choice depends on which tradeoff is most appealing (scenario dependent) • q-composite scheme: good security for small scale attacks/vulnerable to large scale • 2-hop multipath: improved security/network traffic overhead • Random pairwise: resilient, good security/does not support as large networks as other schemes