240 likes | 498 Views
SPINS: Security Protocols for Sensor Networks. Authors: Adrian Perrig, Robert Szewczyk, Victor Wen,David Culler and J.D.Tygar. Outline. Security for sensor networks - Research Problem Proposed Techniques - SPINS building blocks Applications Related Work Discussion Conclusion.
E N D
SPINS: Security Protocols for Sensor Networks Authors: Adrian Perrig, Robert Szewczyk, Victor Wen,David Culler and J.D.Tygar
Outline • Security for sensor networks - Research Problem • Proposed Techniques - SPINS building blocks • Applications • Related Work • Discussion • Conclusion
Security for Sensor Networks • Data Authentication • Data Confidentiality • Data Integrity • Data Freshness - Weak Freshness - Partial message ordering, no delay information - Useful for sensor measurements - Strong Freshness - Total ordering on req-res pair, delay estimation - Useful for time synchronization
Challenge: Resource Constraints • Limited energy • Limited computation(4MHz 8-bit) • Limited memory(512 bytes) • Limited code size(8 Kbytes) • Limited communication(30 byte packets) • Energy consuming communication
Contributions • SNEP -Sensor Network Encryption Protocol -Secures point-to-point communication • µTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication -Provides broadcast authentication
Base Station G E F C D B A System Assumptions • Communication patterns -Node to base station (e.g. sensor readings) -Base station to node (e.g. specific requests) -Base station to all nodes • Base Station -Sufficient memory, power -Shares secret key with each node • Node -Limited resources, limited trust
SNEP • Data Confidentiality (Semantic Security ) • Data Authentication • Replay Protection • Weak Freshness • Low Communication Overhead
Key Generation /Setup Counter KeyEncryption RC5 Block Cipher KeyMAC Key Master Keyrandom • Nodes and base station share a master key pre-deployment • Other keys are bootstrapped from the master key: • Encryption key • Message Authentication code key • Random number generator key
Authentication, Confidentiality Node B Node A M, MAC(Kmac, M) {M}<Kencr, CA>, MAC(Kmac, CA|| {M}<Kencr, CA>) • Without encryption can have only authentication • For encrypted messages, the counter is included in the MAC • Base station keeps current counter for every node
Strong Freshness Node B Node A Request, NA {Response}<Kencr, CB), MAC(Kmac, NA || CB|| {Response}<encr, CB>) • Nonce generated randomly • Sender includes Nonce with request • Responder include nonce in MAC, but not in reply
Counter Exchange Protocol • Bootstrapping counter values Node B Node A CA CB, MAC(Kmac, CA||CB) • To synchronize: • A →B : CA • B →A : CB, MAC(Kmac,CA|| CB).
TESLA: Authenticated Broadcast • Uses purely symmetric primitives • Asymmetry from delayed key disclosure • Self-authenticating keys • Requires loose time synchronization • Use SNEP with strong freshness
Key Setup • Main idea: One-way key chains • K0 is initial commitment to chain • Base station gives K0 to all nodes F(Kn) F(K2) F(K1) Kn Kn-1 K1 K0 ……. X
Broadcast • Divide time into intervals • Associate Ki with interval i • Messages sent in interval i use Ki in MAC • Ki is revealed at time i + • Nodes authenticate Ki and messages using Ki K0 K1 K2 K3 … 0 1 2 3 4 time
Msg, MAC(Kj, Msg) Broadcasting Authenticated Packets • In interval j, base station broadcasts Msg • Node verifies that key Kj has not been disclosed yet • Node stores Msg Node A Base Station Nonce Tnow, Ki, Ti, Tint, , MAC(Kmaster, Nonce | Tnow | …)
Kj Node authenticating packets • After disclosure interval , base station broadcasts Kj • Node verifies that F(Kj) = Kj-1, or F(F(Kj)) = Kj-2, etc. • Node verifies MAC of Msg • Node delivers Msg Node A Base Station Nonce Tnow, Ki, Ti, Tint, , MAC(Kmaster, Nonce | Tnow | …) Msg, MAC(Kj, Msg)
Authenticate K3 F F P1 P2 P3 P4 P5 K0 K0 K1 K2 K3 Verify MACs Perfect robustness to packet loss K1 K2 K3 K4 K5 t Time 2 Time 3 Time 4 Time 5
TESLA Properties • Asymmetry from delayed key disclosure • Self-authenticating keys • Requires loose time synchronization • Low overhead (1 MAC) - Communication (same as SNEP) - Computation (~ 2 MAC computations) • Independent of number of receivers
Applications • Authenticated Routing • Node to Node Agreement A B: NA, A B S: NA,NB, A, B, MAC(K’BS, NA || NB || A || B) S A: {SKAB}KSA , MAC(K’SA,NA || A || {SKAB}KSA ) S B: {SKAB}KSB , MAC(K’SB,NB || B || {SKAB}KSB )
Related Work in Broadcast Authentication • Symmetric schemes - Link-state routing updates - Multi-MAC • Asymmetric schemes - Merkle hash tree • Chained hashes - EMSS • Hybrid schemes -Stream signature -K-times signature
Discussion: Drawbacks • The TESLA protocol lacks scalability - require initial key commitment with each nodes, which is very communication intensive • SPINS uses source routing, so vulnerable to traffic analysis
Discussion: Risks Un-addressed • Information leakage through covert channels • No mechanism to determine and deal with compromised nodes. • Denial of service attacks • No Non-repudiation
Conclusion • Strong security protocols affordable - First broadcast authentication • Low security overhead - Computation, memory, communication • Apply to future sensor networks -Energy limitations persist -Tendency to use minimal hardware • Base protocol for more sophisticated security services