Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig Carnegie Mellon University Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment.

Similar presentations


Presentation on theme: "Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig Carnegie Mellon University Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment."— Presentation transcript:

1 Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig Carnegie Mellon University Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment in Sensor Networks 1

2 How do nodes receive cryptographic keys? “Distribution is simple; nodes are loaded with the shared key before deployment.” TinySec …send the key in the clear “thus resulting in a brief moment of vulnerability.” ZigBee SPINS Eschenauer and Gligor TinySec ZigBee MiniSecINSENS 2

3 Potential approach – Factory installation 3

4 Potential approach – Physical interface  Properties achieved Secrecy Ease of use  But… Batch deployment remains a tedious task USB interface will not exist on many commodity nodes Sensors deployed in harsh environments USB interface are expensive 4

5 An ideal practical solution  No physical interface No USB connectors, screens, or keypads  Deploy keys wirelessly Resistant to eavesdropping and injection attacks  Key deployment by end users End users are not security experts  Batch deployment for multiple nodes Scales for large deployments 5

6 Agenda  Motivation  Problem definition  Single node key deployment  User study  Batch deployment 6

7 Agenda  Motivation  Problem definition  Single node key deployment  User study  Batch deployment 7

8 Problem definition (1/2)  Securely setup a shared secret between a base station and a new node Key secrecy Attacker cannot compromise shared secret Key authenticity New node receives the key that base station intended it to receive Demonstrative identification Users are certain which devices are communicating 8

9 Problem definition (2/2) Robust to user error Fail safe - human error result in failure to setup a key, not key compromise Cost effective Does not require additional hardware on each node No asymmetric cryptography Even asymmetric crypto schemes need one authenticated value 9

10 Assumptions  Installer Trusted Not expert  Base station Trusted Generates keys  Sensor node Unmodified hardware Loose time synchronization Unmodified software 10

11 Strong attacker model  Dolev-Yao Overhear, intercept, modify, reorder, and send arbitrary messages Before, during, and after key deployment  More powerful malicious device deployed around vicinity of nodes Higher antenna gain Faster processor 11

12 Agenda  Motivation  Problem definition  Single node key deployment  User study  Batch deployment 12

13 Keying Device How to send key wirelessly to new node? Base station KMKM New Node KMKM KMKM Attacker eavesdrops on key! Attacker 13

14 Keying Device Need some type of isolation KMKM New Node KMKM Shielded messages Faraday cage approach proposed by Castelluccia and Mutaf,

15 Why isn’t a Faraday cage sufficient?  How does installer know when to open cage?  How does installer know cage is closed?  What happens if Faraday cage is imperfect?  How does installer know if node has correct key? 15

16 How does installer know when to open cage? Faraday Cage Keying Device New Node 16

17 How does installer know when to open cage? Faraday Cage Keying Device New Node Keying Beacon 17

18 ‘ Keying beacon interacts with user Faraday Cage Keying Device New Node Keying Beacon  Solid blue - performing key deployment  Blinking blue - done 18

19 Keying beacon interacts with user Faraday Cage Keying Device New Node Keying Beacon  Solid blue - performing key deployment  Blinking blue - done 19

20 Why isn’t a Faraday cage sufficient?  How does installer know when to open cage?  How does installer know cage is closed?  What happens if Faraday cage is imperfect?  How does installer know if node has correct key? 20

21 How do nodes know when cage is closed? Faraday Cage Keying Device New Node Keying Beacon Authenticated heartbeats 21

22 ‘ Authenticated heartbeats determine whether cage is closed Faraday Cage Keying Device New Node Keying Beacon Authenticated heartbeats 22

23 Why isn’t a Faraday cage sufficient?  How does installer know when to open cage?  How does installer know cage is closed?  What happens if Faraday cage is imperfect?  How does installer know if node has correct key? 23

24 What if cage leaks? Faraday Cage Keying Device New Node Keying Beacon 24

25 What if cage leaks? Faraday Cage Keying Device New Node Keying Beacon  Solution 1: Keying beacon eavesdrops I hear shielded messages! 25

26 How leaky is cage? Faraday Cage  L cage : Attenuation of cage (dBm) Strong attenuation (large negative number) Attacker cannot overhear shielded messages Weak attenuation (small negative number) Attacker can overhear shielded messages Keying beacon can also detect leaked messages  In order for leaking to go undetected… Attacker needs a sweet spot Based on our setup: -66 dBm 26

27 How far away does attacker have to be?  RS e : Eavesdroppers required radio sensitivity  Attacker antenna gain of 10dBm  P t : Transit power of keying device, at minimum power  L cage : Attenuation of cage  d min : Distance of eavesdropper 27 If cage leaks, attacker needs to be within 19cm

28 What if cage leaks? Faraday Cage Keying Device New node Keying Beacon  Solution 2: Keying beacon jams at full power Leaked messages overpowered by jamming signal 28

29 How do nodes know jammed at correct time? Faraday Cage Keying Device New node Keying Beacon 29  Requires loose time synchronization

30 Summary: Protecting shielded messages  Faraday cage attenuates shielded messages  Shielded messages sent at minimum power  Keying beacon jams at full power 30

31 Why isn’t a Faraday cage sufficient?  How does installer know when to open cage?  How does installer know cage is closed?  What happens if Faraday cage is imperfect?  How does installer know if node has correct key? 31

32 Rsp Chal How does installer know if node has correct key? Faraday Cage Keying Device New Node Keying Beacon KMKM KMKM MAC KMKM 32

33 How does installer know if node has correct key? Faraday Cage Keying Device New node Keying Beacon KMKM KMKM KMKM 33

34 Key verification Faraday Cage Keying Device New node Keying Beacon KMKM KMKM KMKM Rsp Chal Rsp’ = KMKM MAC 34

35 What if there was an error? Faraday Cage Keying Device New node Keying Beacon KMKM KMKM K M’  Easy for user to detect  Fail-safe 35 Rsp’ Rsp !=

36 Summary: Single node key deployment  Installer places… New Node and Keying Device inside Faraday cage Keying Beacon outside Faraday cage  Keying Device and Beacon exchange authenticated heartbeats to determine whether cage is closed  Installer closes cage… Key exchange inside cage (Shielded messages) Beacon jams at full power  Beacon notifies installer to open cage  Key verification Compares jamming schedule Challenge response protocol  Beacon signals to installer whether keying was successful 36

37 Agenda  Motivation  Problem definition  Single node key deployment  User study  Batch deployment 37

38 User study 38

39 Agenda  Motivation  Problem definition  Single node key deployment  User study  Batch deployment 39

40 Batch deployment New Nodes Faraday Cage Keying Beacon Keying Device 40 K1K1 K2K2 K3K3

41 Same questions apply for batch deployment  How does installer know when to open cage? Keying might take variable time! Need to determine number of nodes in batch  How does installer know cage is closed? Authenticated heartbeats  What happens if Faraday cage leaks signal? Beacon jams at full power  How does installer know if node has correct key? Key verification 41

42 Batch deployment New Nodes Faraday Cage Keying Beacon Keying Device 42 Weight Scale

43 Batch deployment New Nodes Faraday Cage Keying Beacon Keying Device  Same protocol from user’s perspective 43 Weight Scale # nodes = Weight / Unit weight Heartbeat: Weight

44 Related Work 44  Physical interface  Resurrecting Duckling [Stajano 01]  Seeing is Believing [McCune 04]  Other side channel as sensors  Talking to Strangers [Balfanz 03]  Shake Them Up [Castelluccia 05]  Requires pre-existing information  Integrity code [Cagalj 06]  Insecure  Key Infection [Chan 03]

45 Conclusion  Key deployment Hard problem Not currently addressed for highly secure environments Needed by all secure sensor network protocols  Message-in-a-Bottle Secure Robust to user error 45


Download ppt "Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig Carnegie Mellon University Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment."

Similar presentations


Ads by Google