Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in Wireless Sensor Networks: Key Management Approaches

Similar presentations


Presentation on theme: "Security in Wireless Sensor Networks: Key Management Approaches"— Presentation transcript:

1 Security in Wireless Sensor Networks: Key Management Approaches
Vasyl A. Radzevych and Sunu Mathew

2 Overview Wireless Sensor Networks (WSN) Security issues in WSN
Key management approaches in WSN: Overview Pre-Deployed Keying Key pre-deployment Key derivation information pre-deployment Location aware pre-deployed keying Random Key Pre-deployment (P-RKP) Autonomous protocols Pairwise asymmetric (public key) Arbitrated protocols Identity based group keying Conclusions

3 Sensor Networks Sensor network is composed of a large number of sensor nodes Sensor nodes are small, low-cost, low-power devices that have following functionality: communicate on short distances sense environmental data perform limited data processing Network usually also contains “sink” node which connects it to the outside world

4 Applications WSN can be used to monitor the conditions of various objects / processes. Some examples: Military: friendly forces monitoring, battlefield surveillance, biological attack detection, targeting, battle damage assessment Ecological: fire detection, flood detection, agricultural uses Health related: human physiological data monitoring Miscellaneous: car theft detection, inventory control, habitat monitoring, home applications Sensors are densely deployed either inside or very close to the monitored object / process

5 Security issues in WSN The discussed applications require communication in WSN to be highly secure Main security threats in WSN are: Radio links are insecure – eavesdropping / injecting faulty information is possible Sensor nodes are not temper resistant – if it is compromised attacker obtains all security information Attacker types: Mote-class: attacker has access to some number of nodes with similar characteristics / laptop-class: attacker has access to more powerful devices Outside (discussed above) / inside: attacker compromised some number of nodes in the network

6 Attacks on WSN Main types of attacks on WSN are:
spoofed, altered, or replayed routing information selective forwarding sinkhole attack sybil attack wormholes HELLO flood attacks acknowledgment spoofing

7 False routing information
Injecting fake routing control packets into the network, examples: attract / repeal traffic, generate false error messages Consequences: routing loops, increased latency, decreased lifetime of the network, low reliability B A1 A3 A2 A4 Example: captured node attracts traffic by advertising shortest path to sink, high battery power, etc

8 Selective forwarding Multi hop paradigm is prevalent in WSN
It is assumed that nodes faithfully forward received messages Compromised node might refuse to forward packets, however neighbors might start using another route More dangerous: compromised node forwards selected packets

9 Sinkhole and Sybil attacks
Sinkhole attack: Idea: attacker creates metaphorical sinkhole by advertising for example high quality route to a base station Laptop class attacker can actually provide this kind of route connecting all nodes to real sink and then selectively drop packets Almost all traffic is directed to the fake sinkhole WSN are highly susceptible to this kind of attack because of the communication pattern: most of the traffic is directed towards sink – single point of failure Sybil attack: Idea: a single node pretends to be present in different parts of the network. Mostly affects geographical routing protocols

10 Wormholes Idea: tunnel packets received on one part of the network to another Well placed wormhole can completely disorder routing Wormholes may convince distant nodes that they are close to sink. This may lead to sinkhole if node on the other end advertises high-quality route to sink

11 Wormholes (cont.) Wormholes can exploit routing race conditions which happens when node takes routing decisions based on the first route advertisement Attacker may influence network topology by delivering routing information to the nodes before it would really reach them by multi hop routing Even encryption can not prevent this attack Wormholes may convince two nodes that they are neighbors when on fact they are far away from each other Wormholes may be used in conjunction with sybil attack

12 HELLO flood attack Many WSN routing protocols require nodes to broadcast HELLO packets after deployment, which is a sort of neighbor discovery based on radio range of the node Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink

13 Acknowledgment spoofing
Some routing protocols use link layer acknowledgments Attacker may spoof acks Goals: convince that weak link is strong or that dead node is alive. Consequently weak link may be selected for routing; packets send trough that link may be lost or corrupted

14 Overview of Countermeasures
Link layer encryption prevents majority of attacks: bogus routing information, Sybil attacks, acknowledgment spoofing, etc. This makes the development of an appropriate key management architecture a task of a great importance Wormhole attack, HELLO flood attacks and some others are still possible: attacker can tunnel legitimate packets to the other part of the network or broadcast large number of HELLO packets Multi path routing, bidirectional link verification can also be used to prevent particular types of attacks like selective forwarding, HELLO flood

15 Key management: goals The protocol must establish a key between all sensor nodes that must exchange data securely Node addition / deletion should be supported It should work in undefined deployment environment Unauthorized nodes should not be allowed to establish communication with network nodes

16 Key management: constraints
Sensor node constraints: Battery power Computational energy consumption Communication energy consumption Transmission range Memory Temper protection Sleep pattern Network constraints: Ad-hoc network nature Packet size

17 Key management: evaluation/comparison metrics
Resilience against node capture: how many node are to be compromised in order to affect traffic of not compromised nodes? Addition: how complicated is dynamic node addition? Revocation: how complicated is dynamically node revocation? Supported network size: what is the maximum possible size of the network? Note: since WSN can be used in a lot of different ways it is not reasonable to look for one key management approach to suite all needs: node network deployed from the airplane over a battle field has quite different requirements from 10 node network installed to guard the perimeter of the house

18 Key management approaches classification

19 Approaches to be discussed
Pre-deployed keying: Key pre-deployment Straightforward approaches Eschenauer / Gligor random key pre-deployment Chan / Perrig q-composite approach Zhu / Xu approach DiPietro smart attacker model and PRK protocol Key derivation information pre-deployment Liu / Ning polynomial pre-deployment Self-enforcing autonomous approaches Pairwise asymmetric (public key) Arbitrated protocols Identity based hierarchical keying

20 Straight forward approaches
Single mission key is obviously unacceptable Pairwise private key sharing between every two nodes is impractical because of the following reasons: it requires pre-distribution and storage of n-1 keys in each node which is n(n-1)/2 per WSN. most of the keys would be unusable since direct communication is possible only in the nodes neighborhood addition / deletion of the node and re-keying are complex

21 Basic probabilistic approach
Due to Eschenauer and Gligor Relies on probabilistic key sharing among nodes of WSN Uses simple shared-key discovery protocol for key distribution, revocation and node re-keying Three phases are involved: key pre-distribution, shared-key discovery, path-key establishment

22 Key pre-distribution Generate a large key pool P ( keys) and corresponding key identifiers Create n key rings by randomly selecting k keys from P Load key rings into nodes memory Save key identifiers of a key ring and associated node identifier on a controller For each node load a key which it shares with a base station

23 Shared-key discovery Takes place during initialization phase after WSN deployment. Each node discovers its neighbor in communication range with which it shares at least one key Nodes can exchange ids of keys that they poses and in this way discover a common key A more secure approach would involve broadcasting a challenge for each key in the key ring such that each challenge is encrypted with some particular key. The decryption of a challenge is possible only if a shared key exists

24 Path-key establishment
During the path-key establishment phase path-keys are assigned to selected pairs of sensor nodes that are within communication range of each other, but do not share a key Node may broadcast the message with its id, id of intended node and some key that it posses but not currently uses, to all nodes with which it currently has an established link. Those nodes rebroadcast the message to their neighbors Once this message reaches the intended node (possible through a long path) this node contacts the initiator of path key establishment Analysis shows that after the shared-key discovery phase a number of keys on a key ring are left unused

25 Simulation results Path length to neighbors number of hops
1000 nodes, 40 nodes neighborhood, P=10000 number of hops Path length to neighbors

26 Key revocation Key revocation is accomplished in the following way: a controller node that has all keys and ids in its memory, broadcasts a message containing a list of k key identifiers for the key ring to be revoked This message is signed with signature key which is encrypted and unicasted to all nodes prior revocation. This encryption is done using individually shared between node and controller keys After obtaining a signature key, each node locate received identifiers in its key ring and removes the corresponding keys if they are present Since some links might disappear they should be reestablished using keys that are left in the key ring

27 Resiliency to node capture
More robust then approaches that use single mission key In case node is captured k<<n keys are obtained This means that the attacker has a probability of k/P to attack successfully any other WSN link

28 WSN connectivity Two nodes are connected if they share a key
Full connectivity of WSN is not required because of the limited communication capabilities of the sensor nodes Two important questions: What should be the expected degree of a node so that WSN is connected? Given expected degree of a node what values should the key ring size, k, and pool, P, have for a network of size n so that WSN is connected? Random-graph theory helps in answering the first question

29 Random graphs A random graph G(n,p) is a graph of n nodes for which the probability that a link between any two nodes exists is p Question: what value should p have so that it is “almost certainly true” that graph G(p,n) is connected? Pc is a desired probability for the graph connectivity Based on the formulas above p and d=p(n-1) can be found (d-expected degree of a node) Erdos-Renyi formula: (1) (2)

30 Random-graphs (cont.) Expected degree of node vs. number of nodes, where Pc=Pr[G(n,p) is connected]

31 Key ring and key pool sizes
Due to the limited communication capabilities a number of nodes with which a particular node can communicate is n’<<n This means that the probability of two nodes sharing at least one key in their key rings of size k is p’=d/(n’-1)>>p Key pool size P can be derived as a function of k: p – probability of sharing a key among any pair of nodes, p’ probability of sharing a key among nodes, given communication constraints (node neighborhood). p’>>p because n’ << n (less nodes, higher probability)

32 Key ring and key pool sizes (cont.)
Since keys are drawn out of a pool P without replacement, the number of key rings can be expressed as follows: Let’s pick the first key ring, the total number of possible key rings that do not share a key with this key ring is the number of key-rings that can be drawn out of remaining P-k unused keys in pool, which is: Drawn without replacement – for a single experiment

33 Key ring and key pool sizes (cont.)
Consequently, the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings. Since P is very large Stirling’s approximation can be used to derive the final expression for p’: (3)

34 Key ring and key pool size (cont.)
Probability of sharing at least one key when two nodes choose k keys from a pool of size P

35 Key ring and key pool size: example
WSN contains n=10000 nodes, desired probability of network connectivity is Pc= , communication range supports 40 nodes neighborhoods According to the formula (1) c=11.5, therefore p=2*10-3 d=2*10-3*9999=20 This means that if each node can communicate with on average 20 other nodes the network will be connected p’=20/(40-1)=0.5 According to formula (3) k can be set to 250 and P can be set to

36 q-composite approach Enhancement of the basic probabilistic approach
Idea: nodes should share q keys instead of only one Approach: Key pool P is an ordered set During initialization phase nodes broadcast ids of keys that they have After discovery each nodes identifies the neighbor with which it share at least q keys Communication key is computed as a hash of all shared keys Keys appear in hash in the same order as in key pool

37 Benefits of q-composite approach
q-composite approach has greater resiliency to node capture than the basic approach if small number of nodes were captured Simulations show that for q=2, the amount of additional communications compromised when 50 nodes (out of 10000) have been compromised is 4.74%, as opposed to 9.52% in the basic scheme However if large number of nodes have been compromised q-composite scheme exposes larger portion of network than the basic approach The larger q is the harder it is to obtain initial information Parameter q can be customized to achieve required balance for a particular network

38 Zhu / Xu approach Another modification of the basic probabilistic approach Major enhancement: Pseudorandom number generator is used to improve security of key discovery algorithm Also uses secret sharing which jointly with logical paths allows nodes to establish a pairwise key that is exclusively known to the two nodes (in contrast to basic probabilistic approach, where other nodes might also know some particular key)

39 Zhu / Xu approach: key pre-distribution
Background: a pseudo-random number generator, or PRNG, is a random number generator that produces a sequence of values based on a seed and a current state. Given the same seed, a PRNG will always output the same sequence of values. Key pool P of size l is generated For each node u, pseudorandom number generator is used to generate the set of m distinct integers between 1 and l (key ids). Nodes unique id u is used as a seed for the generator Each node is loaded with key ring of size m Keys for the key rings are selected from key pool P in correspondence with integers (key ids) generated for a particular node by pseudorandom number generator This allows any node u that knows another nodes v id to determine the set of ids of keys that v poses

40 Zhu / Xu approach: Logical path establishment
The established on previous step keys are not exclusive and consequently not secure enough, however they can be used to establish exclusive key During the network initialization phase, nodes discover so called logical paths Nodes can establish a direct path in case they share a common key on their key rings This can easily be accomplished as was described in the previous slide by discovering common key id In case nodes do not share a key authors propose a path-key establishment algorithm similar to one in basic probabilistic approach, the difference is that nodes try to establish several logical paths, which later should help in establishing a pairwise key

41 Zhu / Xu: pairwise key establishment
The next step of network initialization is pairwise key establishment A sender node randomly generates a secret key ks Then derives n-1 random strings sk1, sk2,…, skn-1 skn is computed as follows: skn = ks XOR sk1XOR sk2 XOR,…, XOR skn-1 This way a recipient has to receive all n shares in order to derive a secret key ks After secret shares are computed, each of them is send to the recipient using different logical path Once all shares are received the recipient can confirm the establishment of pairwise key by sending a HELLO message encoded with a new key Authors provide a framework according to which number of shares and the way they are send is decided

42 Further enhancements So far all the discussed approaches have used one of the following algorithms for shared-key discovery: Key id notification Challenge response Pseudorandom key id generation Those algorithms work well against so called “oblivious” attacker, the one that randomly selects next sensor to compromise What if attacker selects nodes that will allow him to compromise the network faster, based on already obtained information (key ids)? This is the case of so called “smart” attacker

43 Smart attacker More precisely smart attacker can be defined as follows: at each step of the attack sequence, the next sensor to tamper is sensor s, where s maximizes E[G(s)| I(s)], the expectation of the key information gain G(s) given the information I(s) the attacker knows on sensor s key-ring Simulations show that Key id notification and pseudorandom key id generation can be easily beaten by the smart attacker Challenge response performs better

44 Simulation results Experimental results on id notification and pseudorandom key id generation: Number of sensors to corrupt in order to compromise an arbitrary channel.

45 Simulation results Experimental results on challenge response:
Number of sensors to corrupt in order to compromise an arbitrary channel.

46 PRK algorithm Why not using challenge response? Inefficient
The goal is to define a key pre-deployment scheme that supports an efficient and secure key discovery phase, as efficient as pseudorandom key id generation (no message exchange) and as secure as challenge response DiPietro et al. suggested a new algorithm that achieves the above described requirements

47 PRK algorithm Key pre-distribution Key discovery For each sensor sa
For all keys vPi of the pool P, compute z=fy(a || vPi) Iff z≡0 mod (P/K), then put vPi into the key ring Va of sensor sa Assumption P/K divides by 2h, where h is the size of the input Key discovery In case sensor sb wants to establish a secure channel with sensor sa it has to perform the following calculations: For each key vbj in its key ring sensor sb computes z=fy(a||vbj) If z≡0 mod (P/K), sensor sa also has key sb

48 PRK algorithm analysis
Benefits: Complexity is comparable to pseudo-random index transformation: no message exchange and K applications of the pseudo-random function. Only who already knows key vPi can know whether sensor sa has that key or not by computing z=fy(a||vbj) and checking out if z≡0 mod( P/K ). All other entities gets no information from z. This is exactly the same information revealed by challenge response Drawbacks: Not enough control of key ring size: it is possible that applying the formula to sensor id and key in a key pool will yield key ring that is too large - larger than sensor memory too small – not enough for the network to be connected In either case node id a should be regenerated Authors prove that it is feasible to regenerate sensor ids to achieve required properties

49 PRK algorithm: simulations
Experimental results on PRK algorithm: number of sensors to corrupt in order to compromise an arbitrary channel. The PRK algorithm is as secure as challenge response and in the same time as efficient as pseudorandom key id generation

50 Background: polynomial based key pre-distribution
Polynomial based key pre-distribution scheme reduces the amount of pre-distributed information still allowing each pair of nodes to compute a shared key Polynomial based key pre-distribution is λ-collusion resistant, meaning that as long as λ or less nodes are compromised the rest of the network is secure Utilizes polynomial shares

51 Polynomial based key pre-distribution : initialization
Special case: λ=1 Each node has an id rU which is unique and is a member of finite field Zp Three elements a, b, c are chosen from Zp Polynomial f(x,y) = (a + b(x + y) + cxy) mod p is generated For each node polynomial share gu(x) = (an+ bnx) mod p where an= (a + brU) mod p and bn= (b + crU) mod p is formed and pre-distributed A ring consists of a set R with two binary operations arbitrarily denoted + (addition) and * (multiplication) on R, satisfying set of axioms. A field is a commutative ring in which all non-zero elements have multiplicative inverses. A finite field is a field with a finite field order (i.e., number of elements), also called a Galois field.

52 Polynomial based key pre-distribution : key discovery
In order for node U to be able to communicate with node V the following computations have to be performed: Ku,v= Kv,u= f(ru,rv) = (a + b(ru+rv) + crurv )mod p U computes Ku,v= gu(rv) V computes Kv,u= gv(ru)

53 Polynomial based key pre-distribution : example
3 nodes: U, V, W, with the following id’s 12, 7, 1 respectively p=17 (chosen parameter) a=8, b=7, c=2 (chosen parameters) Polynomial f(x,y) = 8+7(x+y)+2xy g polynomials are gu(x) = x, gv(x) = 6 + 4x, gw(x) = 15+9x Keys are Ku,v=3, Ku,v=4, Ku,v=10 U computes Ku,v= gu(rv) = 7+14*7mod17 = 3 V computes Kv,u= gv(ru) = 6+4*12mod17 = 3

54 Polynomial based key pre-distribution : generalization
Polynomial based key pre-distribution scheme can be generalized to any λ by changing polynomials in the following way: is a randomly generated, bivariate λ-degree, symmetric polynomial over finite field Zp, p≥n is prime

55 Liu-Ning approach Combination of polynomial-based key pre-distribution and the key pool idea discussed above Increases network resilience to node capture Can tolerate no more than λ compromised nodes, where λ is constrained by the size of memory of a node Idea: use a pool of randomly generated polynomials When pool contains only one polynomial the approach degenerates to basic polynomial based key pre-distribution scheme When all polynomials are of degree 0 the approach degenerates to key pool approach Three phases are involved: setup, direct key establishment, path key establishment

56 Setup phase Set F of bivariate λ-degree polynomials over finite field Fq is generated Each polynomial is assigned a unique id For each sensor node a subset of s’ polynomial is randomly chosen from F For each polynomial in the chosen subset a polynomial share is loaded into nodes memory

57 Direct key establishment phase
During this phase all possible direct links are established A node can establish a direct link with another node if they both share a polynomial share of a particular polynomial How to find common polynomial? Use above discussed approaches

58 Path key establishment phase
If direct connection establishment fails nodes have to start path key establishment phase Nodes need to find a path such that each intermediate nodes share a common key Node may broadcast the message with polynomials ids that it posses to all nodes with which it currently has an established link Once this message reaches the intended node (possible through a long path) this node computes a key and contacts the initiator of path key establishment Drawback: may introduce considerable communication overhead

59 Simulation results The probability p that 2 sensors share a polynomial vs size s of the polynomial pool (s’ – number of polynomial shares in each sensor)

60 Simulation results: comparison with already discussed approaches
t – degree of polynomial Fraction of compromised links between non compromised nodes vs number of compromised nodes (20000 nodes, nodes can store equivalent of 200 keys)

61 Grid-based key pre-distribution
Instance of general framework discussed above Benefits: Guarantees that any two nodes can establish a pairwise key, if no nodes were compromised Allows sensors to directly determine whether it can establish a pairwise key with another node and which polynomial to use in case of positive answer

62 Subset assignment 2m λ-degree polynomials are generated , where
and N is the size of the network Each row of the grid is associated with polynomial and each column is associated with polynomial For each sensor an unoccupied intersection (i, j) of the grid is selected and assigned to the node

63 Subset assignment (cont.)
The id of the node is created by concatenation of binary representations of i and j. ID=< ib:: jb > Intersections should be densely selected within a rectangle area of the grid Polynomial shares of corresponding (row / column) polynomials together with id are pre-distributed to each node

64 Node assignment in the grid

65 Polynomial share discovery
To establish a pairwise key with node j, node i checks whether ci=cj or ri=rj If either of conditions hold, nodes have a polynomial share of the same polynomial, consequently they can compute a common key directly Otherwise nodes have to go through path discovery

66 Path discovery Idea: nodes can use intermediate nodes to help in establishing a common key The intermediate node should be located in either the same row / column as first node or same column / row as a second node This way intermediate node definitely share a polynomial with both nodes Note: there are only two of such intermediate nodes for each pair of nodes What if both if them are compromised / unreachable? The path through the grid should be established Authors developed an efficient protocol to accomplish this The main idea of the protocol is that intermediate nodes try to forward the request to the node that is located in the same row / column as a destination

67 Path discovery: example
Establishing a path through the grid

68 Public key infrastructure
The limited computation and power resources of sensor nodes often makes it undesirable to use existing public-key algorithms, such as Diffie-Hellman key agreement or RSA signatures

69 Symmetric vs. asymmetric algorithms

70 Public key scheme for WSN
Is it possible to develop a public key infrastructure suitable for wireless sensor networks? Recent studies show that it is still possible to utilize public key ideas for the purposes of securing WSN Gaubatz et al. developed an ultra low power implementation of Rabin's Scheme and NtruEncrypt Algorithm Authors have demonstrated that it is possible to design public key encryption architectures with power consumption of less than 20 mW using the right selection of algorithms and associated parameters, optimization and low power techniques The details of solutions will not be discussed, since it mainly involves VLSI / circuit design

71 Arbitrated keying protocols: system model
According to the model, network consists of three types of nodes: command node, gateways and regular sensor nodes Gateways partition the network into distinct clusters as follows

72 Arbitrated keying protocols: node requirements
Sensor nodes Are equipped with GPS modules and can determine its location during bootstrapping Remain stationary Gateways Can unicast / broadcast information to other gateways on the network Can establish the group key using a group key agreement protocols Command node is assumed to be secure and is trusted by all of the nodes in the sensor network

73 Identity based hierarchical keying: initialization phase (description)
Description of the initialization phase: Prior deployment each gateway is assigned |S|/|G| keys, where |S| is the number of sensors on the network and |G| is the number of gateways Each sensor is preloaded with id if the gateway with which it share a key After deployment each gateway forms a cluster using cluster formation algorithm and acquires the keys of the sensors in its cluster from the other gateways After key exchange is performed gateways erases key of sensors that do not belong to its cluster

74 Identity based hierarchical keying: initialization phase (protocol)
Each sensor Si broadcasts its id (idSi ) and id (idGj) of the gateway with which it shares a key Clustering process is performed After clustering gateways identify set of sensors that belong to its cluster {id}i and broadcasts it to other gateways Each gateway Gj replies to Gi with the set of keys and corresponding sensor ids {(KSk,Gj, idSk)}i On the last step, each sensor receives a message that assigns it to the gateway

75 Identity based hierarchical keying: node addition
Each new sensor is preloaded with two keys as other sensors Command node transmits the list of (identifier, key) pairs to a randomly selected gateway Gh, which becomes the gateway that shares the keys of the new sensors: Each added node broadcasts a hello message (same as on initialization phase) Clustering mechanisms adjusts itself Each gateway broadcasts the sensors in its range to the gateways in G, requesting the keys for those sensors

76 Identity based hierarchical keying: node addition (cont.)
Gh responds to those requests Each new sensor Si is assigned to the gateway Gi

77 Identity based hierarchical keying: node revocation
If a group of sensors are compromised, they can be trivially evicted from the command node’s sensor list by the command node, as well as from their cluster by the gateway. Gateway revocation is slightly more complicated Command node evicts gateway G from the list of gateways and chooses a head gateway Gh randomly Command node sends the identifiers of each sensor and their new gateway Gi to Gh Also the new keys that sensors share with Gi are sent

78 Identity based hierarchical keying: node revocation (cont)
Clustering process takes place Second and third parts of the message is sent to Gi Gi notifies each sensor on its cluster about new shared key

79 Identity based hierarchical keying: simulations
Distribution of sensor energy consumption with our approach.

80 Identity based hierarchical keying: analysis
Benefits: Low energy consumption Low communication overhead for key establishment Low memory requirements for sensor nodes Good resilience against sensor capture Drawbacks: Specific network model requirements Sensors have to be equipped with GPS modules Efficient clustering algorithm is required

81 Location Aware Key Management for WSN
Problem: How to pick a large key pool while still maintaining high connectivity? (i.e maintain resilience while ensuring connectivity) (e.g. 100,000 vs 200) Solution: Exploit Location information (Deployment Knowledge) Du et. al. Infocom Exploit Location Knowledge for P-RKP Huang et. Al. SASN Exploit Location Knowledge for SK-RKP

82 Location Aware Purely Random Key Predistribution (P-RKP)
Du et. al (IEEE Infocom 2004) Improves Random Key Predistribution (Eschenauer and Gligor) by exploiting Location Information. Studies a Gaussian distribution for deployment of Sensor nodes to improve security and memory usage.

83 Location Aware Purely Random Key Predistribution (P-RKP)
Rectangular Deployment area (X x Y) General Deployment Model (Individual) Current predeployment schemes assume pdf for location f(x,y) as 1/XY. Group based Deployment Model. Group based Deployment Model: N sensor nodes divided into t x n equal size groups. Group G(i,j) has deployment point x(i,j). Deployment points arranged in a grid Resident points of node k follow pdf

84 Location Aware Purely Random Key Predistribution (P-RKP)
Groups select from key group S (i,j) Probability node is in a certain group is (1 / tn).

85 Location Aware Purely Random Key Predistribution (P-RKP)
Key sharing graphs used to enable connectivity Use flooding to find secure path (Limit to 3 hops) Setting up the key pools Two horizontally or vertically neighboring pools share a|Sc| keys where 0<= a <= 0.25 Two diagonally neighboring key pools share b|Sc| keys, where 0<=b<=0.25 Two non-neighboring key pools share no keys. Overlapping factors - a,b

86 Location Aware Purely Random Key Predistribution (P-RKP)

87 Location Aware Purely Random Key Predistribution (P-RKP)
Key Assignment for Key Pools For group , select keys from the global key pool S, then remove these keys from S. For group , select a keys from pool , then select keys from global pool S For group select a from each of the key pools , and if they exist; select b Keys from each of the key pools and if they exist; then select w keys from the global key pool S, and remove these w keys from S.

88 Location Aware Purely Random Key Predistribution (P-RKP)
Detemining |Sc| When |S| = 100,000, t = n = 10, a = 0.167, b = 0.083 |Sc| = 1770

89 Location Aware Purely Random Key Predistribution (P-RKP)
Performance Evaluation Evaluation Metrics Connectivity (Local and Global) Communication overhead Resilience against node capture System configuration |S| = 100,000. N = 10,000. Deployment area = 1000m x 1000m T =n =10m. Each grid is 100m x 100m. Center of grid is deployment point. Wireless communication range is 40m.

90 Location Aware Purely Random Key Predistribution (P-RKP)

91 Location Aware Purely Random Key Predistribution (P-RKP)
Local Connectivity Plocal = Pr((B(n1,n2)|A(n1,n2)) Probability node is in a certain group is (1 / tn) Probability that nodes i and j have local connectivity) is 1)Probability that and share a key (p-lambda) * 2)Probability that resides around the point Z(x,y) * 3)Probability that is a neighbor of Plocal is the average of this value across the whole region

92 Location Aware Purely Random Key Predistribution (P-RKP)
Performance – Local connectivity With 100 keys, location management improves local connectivity from to 0.687

93 Location Aware Purely Random Key Predistribution (P-RKP)
Global connectivity Only simulation results are available

94 Location Aware Purely Random Key Predistribution (P-RKP)
Effects of the Overlapping Factors (a,b)

95 Location Aware Purely Random Key Predistribution (P-RKP)
Communication overhead Path needed when two neighbours cannot find a common key. ph(i) is the probability that the smallest number of hops needed to connect two neighbouring nodes is i. i is at most 3.

96 Location Aware Purely Random Key Predistribution (P-RKP)
Resilience against node capture Fraction of additional communication (among uncaptured nodes) that can be compromised based on capture of x nodes. Location of the x captured nodes affects results. Assume random location of x nodes (unrealistic) Location knowledge significantly improves network resilience 1 – (1 – m/|S|)^x

97 Location Aware Purely Random Key Predistribution (P-RKP)

98 Location Aware Structured Key Random Key Predistribution (SK-RKP)
Huang et. al. (SASN 2004) Claims random node capture assumption too weak (selective capture possible) Grid–group deployment scheme. Introduces the node fabrication attack Uses location based information and a structured key pool Claims fewer number of keys and resilience to selective node capture and node fabrication attacks

99 Location Aware SK-RKP P-RKP vs SK-RKP
Robustness of both weakened by selective node capture attack

100 Location Aware SK-RKP Both are also weakened by node fabrication attack P-RKP – By capturing two nodes, attacker can fabricate and deploy (2m new nodes. SK-RKP is harder to compromise (still possible) Grid-Group Deployment Scheme Partition N sensors into i.j groups with sensors in each group Assign the identifier [(i,j),b] to each sensor in the G(i,j) where b= 1,….N Assign m keys to each sensor in group G(i,j) Uniformly distribute the sensors for the group G(i,j) in zone Z(i,j)

101 Key Predistribution (I –Scheme) within a given zone
Divide key poll P into L x M sub-key pools (P(i,j), i = 1….L,j = 1…M)). Each sub-key pool is divided into w sub-key spaces. A sub-key space is a N x ( ) key matrix A, where each element of A is a unique key) Divide the N sensors into L x M groups (a group is represented by G(i,j) where i = 1,….L, j = 1,…M) Assign unique identifiers to the sensors. For each sensor, assign id = [(i,j),b], where (i,j) is the group id and b = 1,….N For sensor [(i,j),b], randomly select T sub-key spaces in P(i,j) making sure the selected sub-key space is not already selected times. Load sensor with the bth row of matrix A for each sub key space selected

102 Key Predistribution (E-Scheme) for adjacent zones
For each sensor in group G(i,j), randomly select one sensor, say j, from a neighbouring group, say G(i2,j2). Install duple < , > in i and duple < , > in j, where key is unique and , are the node ids. Once a peer node is selected, it cannot select another node in the same group If all sensors have selected a node in each of its neighboring groups, stop, otherwise go to the first step

103 Location Aware SK-RKP

104 Key establishment within the same zone
Each sensor, say [(i,j),b], broadcasts identifier [(i,j),b] and key space identifiers [ , ] For each neighbor, sensor adds a link in key-graph if they share a key . Sensor broadcasts list of neighbors who share key-space with it. Uses similar messages from others to expand key-graph. Source routing to to request and establish pairwise keys with all its neighbors.

105 Key establishment within adjacent zones
Each sensor, broadcasts desired node list (of nodes in the adjacent zone) A neighbor of the requestor within the same zone who already shares a key with the nodes For each neighbor, sensor adds a link in key-graph if they share a key Sensor broadcasts list of neighbors who share key-space with it. Uses similar messages from others to expand key-graph. Source routing to request and establish pairwise keys with all its neighbors.

106 Performance Analysis Memory overhead Security Analysis
For p = , m = 68 (similar to Du et. Al.) Security Analysis Secure against Random Node capture, Selective Node capture and Node Fabrication attacks

107 Performance Analysis (Security)

108 Summary Robust security mechanisms are vital to the wide acceptance and use of sensor networks for many applications Key management in turns is one the most important aspects in any security architecture Various peculiarities of Wireless Sensor Networks make the development of good key management scheme a challenging task We have discussed several approaches to key management in WSN All of them have strong and weak points The diverse nature of WSN usage makes it not reasonable to look for some particular approach that would be suitable for all cases

109 Bibliography I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, E. Cyirci. Wireless Sensor Networks: A Survey. Computer Networks, 38(4): , 2002. C. Karlof and D. Wagner, Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures. First IEEE International Workshop on Sensor Network Protocols and Applications, May 2003 D. Carman, P. Kruus, and B. Matt. Constraints and approaches for distributed sensor network security. NAI Labs Technical Report #00-010, September 2000 L. Eschenauer and V. Gligor. A Key-Management Scheme for Distributed Sensor Networks. In Proc. of ACM CCS’02, November 2002 H. Chan, A. Perrig, D. Song Random Key Predistribution Schemes for Sensor Networks. In 2003 IEEE Symposium on Research in Security and Privacy S. Zhu, S. Xu, S. Setia, S. Jajodia Establishing Pair-wise Keys For Secure Communication in Ad Hoc Networks: A Probabilistic Approach. In Proc. of the 11th IEEE International Conference on Network Protocols R. Di Pietro, L. Mancini, A. Mei. Efficient and Resilient Key Discovery Based on Pseudo-Random Key Pre-Deployment. 18th International Parallel and Distributed Processing Symposium

110 Bibliography D. Liu, P. Ning, Establishing Pairwise Keys in Distributed Sensor Networks, 10th ACM CCS '03, Washington D.C., October, 2003 G. Jolly, M. Kusçu, P. Kokate, M. Younis. A Low-Energy Key Management Protocol for Wireless Sensor Networks. Eighth IEEE International Symposium on Computers and Communications G. Gaubatz, J.Kaps, B. Sunar Public Key Cryptography in Sensor Networks – Revisited. 1st European Workshop on Security in Ad-Hoc and Sensor Networks C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung. Perfectly secure key distribution for dynamic conferences. In Information and Computation, 146 (1), 1998, pp 1-23. “Introduction to Modern Cryptography” by M. Bellare, P. Rogaway November 3, 2003 “Handbook of Applied Cryptography”, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. “The Strange Logic of Random Graphs”, Joel H. Spencer Nanotechnology website

111 Bibliography W. Du, J. Deng, Y. Han, S. Chen, P. Varshney. A Key Management Scheme for Wireless Sensor Networks Using Deployment Knowledge. IEEE Infocom 2004. D. Huang, M. Mehta, D. Medhi, L. Harn. Location-aware Key Management for Wireless Sensor Networks ACM Workshop on Security of Ad Hoc and Sensor Networks. (SASN 04)


Download ppt "Security in Wireless Sensor Networks: Key Management Approaches"

Similar presentations


Ads by Google