500 likes | 539 Views
Key Infection: Smart Trust for Smart Dust. By Ross Anderson, Haowen Chan, Adrain Perrig. Presented by Sree P. Kollipara. Overview. Introduction Sensor Network Previous Work Real World Attacker Model Key Infection Secrecy Amplification Conclusion. Introduction. Sensor network
E N D
Key Infection: Smart Trust for Smart Dust By Ross Anderson, Haowen Chan, Adrain Perrig Presented by Sree P. Kollipara
Overview • Introduction • Sensor Network • Previous Work • Real World Attacker Model • Key Infection • Secrecy Amplification • Conclusion
Introduction • Sensor network • Widely used… i.e., factory instrumentation, climate control, building safety • Large number of sensors • Small and low cost • Self-organized network, peer-to-peer • Limited battery power, resources • Not tamper-proof hardware
Introduction • Security • Opponent [attacker, adversary] • Passive, just monitoring or • Active, jamming or network flooding • Key Distribution • Problem: Shared keys between sensor nodes • Asymmetric vs. Symmetric Cryptography • Enough computing & electronic power, & memory • Limited processor, memory & battery • Preloaded keys: memory, infrastructure to load • Setupof a key by touch: large scale deployment
Contributions • Identify realistic attacker model • Key-infection, an efficient light weight key-distribution mechanism • Analyze the security of key infection & design Secrecy Amplification • In real-world applications, the major cost is maintenance more than initial deployment
Sensor Network • A sensor network consists of multiple detection stations called sensor nodes, each of which is small, lightweight and portable. • Every sensor node is equipped with • transducer • microcomputer • transceiver • power source
Sensor Network • The development of wireless sensor networks (WSN) was originally done by military applications • These WSNs are also used by other applications such as civilian application areas, health care applications, home automation and traffic control
Sensor Network • The size of single sensor network can vary from shoebox sized nodes to the size of a grain of dust. • Here, size & cost constraints result in constraints on resources such as • energy • memory • speed • bandwidth
Sensor Network Sensors: • Sensors are hardware devices which produce responses to a change in a physical condition like temperature and pressure • Sensors are classified into 3 categories: • Passive, Omni Directional Sensors • Passive, Narrow-beam Sensors • Active Sensors
Sensor Network • There are two kinds of sensor nodes that are used in sensor network • One is normal sensor node that is deployed to sense phenomena • Other is gateway node which interfaces sensor network to the external world • Some commonly used commercial motes/sensor nodes are Bean, Btnode, Cots, Dot, Eyes, I Mote, etc.
Sensor Network • Various routing protocols used in sensor network are • Classic flooding • Gossiping • Ideal dissemination • SPIN (Sensor Protocols for Information Negotiation)
Previous Work • Sensor network with a source based routing protocol • Routing architecture executes the software with which they were loaded before deployment • Security architecture: • Authenticated broadcast with initial keys diversified from master keys • Using normal nodes as base stations • Generation of base stations to possess master keys
Previous Work • Alternative method • Symmetric keys are pre-loaded on each node • Shared keys are generated based on total # of nodes and expected density of deployment • Cost issues • Uses lot of memory to store keys
Related Work Non-Public Key Distribution, Rolf Blom • Investigation schemes which have Greater Theoretical Security with small demands on storage space • The straight-forward approach of distributing each user N-1 different keys is the strongest possibility of security but has largest requirement on user storage • There are 2 different key generation schemes that require same secret storage with simple functions for calculation of legal keys
Related Work • The first scheme, based on MDS codes is good when there is no need to protect the key scheme against large groups of cooperating users trying to generate extra keys. • The second scheme, can handle when enough users cooperate and succeed to generate one extra key in the polynomial based system, they can generate all keys in the system. • It would be nice to have systems that degrade more gracefully but here more research is needed.
Real World Attacker Model • By experience of World War 2, & World of international telephony post war years researchers assumed • highly capable & motivated attacker • Global passive adversary, that can monitor & store all communications • Global active adversary, that can modify and inject communications
Real World Attacker Model • More realistic attacker model • Non-critical commodity sensor network • extreme limitations on sensor hardware • requires minimal pre-deployment setup • less valuable as targets • little damage is done to user So, dubious to apply stronger attack model
Real World Attacker Model • Slightly relaxed attacker, attacker should use realistic protection requirements • Low cost commodity sensor network, • Extremely expensive to deploy surveillance devices • Main obstacle is availability of power • So, it is unlikely to be economical to attack comm. sensor n/w
Real World Attacker Model • During the deployment phase • attacker doesn’t have physical access to deployment site • monitor only a small proportion of network • cannot execute active attacks • After key exchange, both is possible
Real World Attacker Model • Contravening the attacker model: • An Adversary, • has to have foresight to deploy surveillance equipment • its eavesdropping devices must be operational & undetected • must be able to identify, retrieve & process the eavesdropped product to extract key exchange messages
Key Infection • Each node chooses a key & broadcasts it in plain text to its neighbor • Short range transmission will have about half a dozen nodes within a range of 10 meters • Detect each others presence & organize themselves into a network • Packets are transmitted with minimum power • Gives significant protection when opponents are present • Improvement with a slight change in the protocol, key whispering
Key Whispering • A node transmits a key very quietly & steadily increases the power until the response is heard • A link is established with responder & broadcasted with a new initial key • Two nodes within a range will exchange a secure key • The no of links an opponent can eavesdrop falls to 0.8% as opposed to 2.4% in key infection
Analysis • Key infection is secure if the attacker arrives after key infection phase • Considering the case when black dust nodes are installed before white dust nodes, then if black nodes collude, probability that a black node can eavesdrop is R2Nb / S • where R is max range of radio • Nb is number of black dust nodes • s is size of distribution of smart nodes over an area
Analysis • Using Key Whispering, the probability that a black node can eavesdrop is 1.2r2Nb /s • where 1.2r2 is the effective eavesdropping area • r, length of a link • Nb, no of black dust nodes • s, size of distribution of smart nodes over an area • Whisper mode extension results in approximately fewer compromised links
Analysis • We assume that black modes have the same receiver sensitivity as white nodes, which appears reasonable of the single-chip receiver technology. • This would have • larger batteries, or • wired network so as to transmit further more.
Secrecy Amplification • Uses multipath key establishment to make job harder • Simulate different strategies for key establishment • Here, we combine keys along different paths • We suppose the nodes W1, W2 & W3 are neighbors • W1, W2 set up the key k12 • W1, W3 set up the key k13 • W2, W3 set up the key k23 • To amplify the secrecy of key k12, W1 asks W3 to exchange an additional key with W2.
Secrecy Amplification W1 W3 : {W1,W2,N1}k13 W3 W2 : {W1,W2,N1}k23 W2 computes : k′12 = H(k12 || N1) W2 W1 : {N1,N2}k′12 W1 W2 : {N2}k′12 W3 W2 W1 W2 W1
Key Establishment • Uniformly distributed, 1000 white dust equals transmission range • Key infection vs. Key whispering • d, average no of neighbors of a node • other columns shows the ratio of the links
Key Establishment • Key infection vs. Secrecy Amplification • d, average no of neighbors of a node • other columns shows the ratio of the links • Here, the secrecy amplification is improved
Secrecy Amplification • The tables list the ratio of links for a density α of black dust nodes: 1%, 2% & 3% • SA is not limited to two path hops • Source routing algo in sensor n/ws give limited information • SA is significantly better because of its complexity.
Multihop Keys • When we link W1 & W2 with W3, then we can invoke W2 to set up a key with the help of W1 & W3 • This has 2 purposes • Supports end-t-end cryptography • Energy efficient for base-to-node communications • When memory is not restricted, multihop keying may seem like a natural mechanism for using.
Multihop Keys • In Smart Dust, memory size & cost of messages are limited & have limited types of traffic, • Messages between base stations & nodes • local routing messages • time beacons, i.e., broadcast of signals • Here, Base-to-node traffic should be end-to-end encrypted
Interaction with Routing Algorithms • Existing prototypes use strategies that are based on dynamic source routing mechanisms. • Multipath key infection automatically discovers multipaths that are used • Here, the analogy with biological infection is coming to a break down • Multihop keying enables keying to try different logical paths along the same physical path
Interaction with Routing Algorithms • Identify & isolate faulty or subverted node • If pairs of motes can no longer route to each other, then a recovery phase may be initiated. • This involves back-up nodes, re-run of n/w discovery algo, sticky random routing. • Most sensor networks do not need to do mobile routing
Interaction with Routing Algorithms • Topology can be changed • when the battery is exhausted, and • a node is destroyed • In future, we need routing strategies that work for mobile principals.
Key Establishment • Key whispering vs. Secrecy Amplification • Here, the basic key infection uses key whispering • d, average no of neighbors in a node • Other columns shows the ratio of the links • Table shows the improvement of secrecy amplification over key infection
Key Establishment • Basic two-hop key infection, with multipath extension • d, average no of neighbors in a node • basic column, return path of the key infection is the same as the forward path • m-path column, return path of the key infection is different from forward path
Experiment Results KI KW SA over KW <table1> <table2> <table3>
Other Applications • Peer-to-peer systems typically start out optimistically with a large number of hopefully trustworthy nodes • ‘Black’ nodes join once the network starts to operate, and ‘white’ nodes may be subverted (e.g., by court order) • Here too the issue isn’t the initial key bootstrapping, but resilience in the face of what happens later
Other Applications • Subversive networks are similar. Law enforcement can only monitor so many people, and so many phones… • Once subversive activity manifests, the task is to penetrate a network that may have been fairly open at the start, but has now closed up • Again, the important aspect is not the initial bootstrapping, but the subsequent lockdown, and any associated resilience
Security Economic Issues • Economics provide the big showstopper for security in general • Here, the game depends on both initial and marginal costs of attack and defense • Initial keying increases initial cost to both • Equilibrium depends on marginal costs - defender efforts vs. attacker resilience
Security Economy Issues • Logically, defender will give up, or attacker have to go all out to maintain network • Attacker will logically make marginal investment in resilience, not bootstrapping
Research Problems • What are the relative costs of key establishment vs. maintenance in different types of network? • What are the best attack and defense strategies at equilibrium? • What’s the interaction with routing algorithms? • Can you deal with new motes joining?
Research Problems • Can you have multiple virtual networks (‘United Nations Dust’)? • Can multiple users interact locally (‘Neighborhood Watch Dust’)?
Conclusion • Sensor networks present interesting and novel protection problems • They provide a tractable model for bigger problems, from P2P network design to some real-world policing problems • Challenge the conventional wisdom that authentication is about trust bootstrapping
Conclusion • In many real social networks, trust is more about group reinforcement / bonding • Will future pervasive computing systems be command-and-control, or societal?
R. Blom. Non-public key distribution. In Advances in Cryptology: Proceedings of Crypto ’82, pages 231–236, 1982. C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro,and M. Yung. Perfectly-secure key distribution for dynamic conferences. In Advances in Cryptology - Crypto ’92, pages 471–486, 1992. D. Liu and P. Ning. Location-based pairwise key establishments for static sensor networks. In ACMWorkshop on Security in Ad Hoc and Sensor Networks (SASN ’03), Oct. 2003. K. Sirois and S. Kent. Securing the nimrod routing architecture. In Proceedings of the Symposium on Network and Distributed Systems Security (NDSS ’97). Internet Society, Feb1997. References