
1 Secure Aggregation for Wireless Networks
Lingxuan Hu, David Evans
[lingxuan, evans]@cs.virginia.edu
http://swarm.cs.virginia.edu
Department of Computer Science, University of Virginia, Charlottesville, VA

2 Scenario
WSAAN 28 Jan 2003, Hu & Evans
Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly
Figure label: High-power base station

3 Scenario
Transmitting each message all the way to the base station wastes resources.
Figure label: High-power base station

4 Data Aggregation
If you only care about average, max, etc., aggregate data inside the network instead of sending it to the base station.

5 Integrity of Data
With data aggregation, authentication becomes harder.
Figure label: Compromised Node

6 Problem
Can we provide the power-saving benefits of in-network data aggregation but limit the amount of damage a single compromised node can do?
Rest of Talk:
1. Background: Inexpensive Authentication without Aggregation
2. Secure Aggregation
3. Security and Cost Analysis
4. Scalable Solution

7 Cryptographic Hash Chains
x → f(x) → f(f(x)) → f(f(f(x))) (each arrow applies f)
Initially store: K_0 = f^4(x)
time:
K_1 = f^3(x), verify f(K_1) = K_0
K_2 = f^2(x), verify f(K_2) = K_1
f is a one-way function: easy to calculate f(x), but difficult to invert f.

8 µTesla [Perrig et al., 2002]
Initially: sensor nodes know K_0 = f^n(x); base station knows x
Base station messages encrypted using K_1 = f^(n-1)(x)
Nodes store and time stamp messages, but cannot decrypt them (yet)
At time t_1, base station broadcasts K_1
Nodes verify f(K_1) = K_0
Nodes use K_1 to decrypt earlier messages
Nodes and base station must have loosely synchronized clocks: nodes cannot accept messages encrypted with K_1 after K_1 was revealed
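The key chain and delayed disclosure from the two slides above, as an added example that is not code from the talk. It assumes SHA-256 as the one-way function f and protects buffered messages with a truncated HMAC tag instead of encryption; `Node`, `make_chain` and `demo` are hypothetical names, and the messages are constructed.

```python
import hashlib, hmac

def f(key: bytes) -> bytes:
    """One-way function f; SHA-256 is this example's choice."""
    return hashlib.sha256(key).digest()

def make_chain(x: bytes, n: int) -> list:
    """Return [K_0, ..., K_n] with K_j = f^(n-j)(x), so f(K_j) = K_(j-1)."""
    chain = [x]
    for _ in range(n):
        chain.append(f(chain[-1]))
    return chain[::-1]

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Node:
    def __init__(self, k0: bytes):
        self.trusted = k0      # last authenticated chain key (K_0 at start)
        self.buffer = []       # (arrival_time, msg, tag) waiting for a key

    def receive(self, t, msg, tag):
        self.buffer.append((t, msg, tag))

    def disclose(self, key: bytes, t_reveal) -> list:
        """Handle a disclosed key; t_reveal is its scheduled reveal time."""
        if not hmac.compare_digest(f(key), self.trusted):
            return []          # not the next chain key: ignore, keep buffer
        self.trusted = key
        accepted = [m for (t, m, tag) in self.buffer
                    if t < t_reveal and hmac.compare_digest(mac(key, m), tag)]
        self.buffer = []
        return accepted

def demo():
    chain = make_chain(b"constructed base-station secret x", 4)
    node, k1 = Node(chain[0]), chain[1]
    node.receive(1, b"set-period=30", mac(k1, b"set-period=30"))
    node.receive(2, b"forged", mac(b"guess", b"forged"))   # wrong key
    bogus = node.disclose(b"not a chain key", 3)            # fails f(K) check
    node.receive(5, b"late", mac(k1, b"late"))              # arrives after reveal
    return bogus, node.disclose(k1, 3)
```

The message that arrives after the reveal time carries a valid tag under K_1 and is still dropped, which is why the slide requires loosely synchronized clocks.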

9 Node Authentication
Before deployment, establish a shared symmetric secret key between each node and base station: K_NS
Send readings with a MAC: R_A | MAC(K_AS, R_A)
Assumes confidentiality of transmitted readings is not important. We are only concerned with integrity.

10 Authenticated Sensor Net
Each node transmits: N | R_N | MAC(K_NS, R_N)
Base station verifies MAC before accepting R_N.

11 Authenticated Data Aggregation
Nodes in figure: A, B, C
Messages:
A | R_A | MAC(K_AS, R_A)
B | R_B | MAC(K_BS, R_B)
C | Aggr(R_A, R_B) | MAC(K_CS, Aggr(R_A, R_B))

12 Secure Aggregation
Delayed Aggregation: Only aggregate messages after they have traveled one hop
Delayed Authentication: Use µTesla variation to reveal children’s keys to parents to provide delayed authentication

13 Protocol Example
Nodes in figure: A, B, C, D, E, F, G
Messages:
ID_A | R_A | MAC(K_Ai, R_A)
ID_B | R_B | MAC(K_Bi, R_B)
ID_A | R_A | MAC(K_Ai, R_A) | ID_B | R_B | MAC(K_Bi, R_B) | MAC(K_Ei, Aggr(R_A, R_B))
ID_C | R_C | MAC(K_Ci, R_C) | ID_D | R_D | MAC(K_Di, R_D) | MAC(K_Fi, Aggr(R_C, R_D))
ID_E | Aggr(R_A, R_B) | MAC(K_Ei, Aggr(R_A, R_B)) | ID_F | Aggr(R_C, R_D) | MAC(K_Fi, Aggr(R_C, R_D)) | MAC(K_Gi, Aggr(R_A, R_B, R_C, R_D))
K_Ai is the i-th key in a µTesla key chain starting from K_AS

14 Nodes in figure: A, B, C, D, E, F, G, H
Messages:
ID_A | R_A | MAC(K_Ai, R_A)
ID_B | R_B | MAC(K_Bi, R_B)
ID_A | R_A | MAC(K_Ai, R_A) | ID_B | R_B | MAC(K_Bi, R_B) | MAC(K_Ei, Aggr(R_A, R_B))
ID_C | R_C | MAC(K_Ci, R_C) | ID_D | R_D | MAC(K_Di, R_D) | MAC(K_Fi, Aggr(R_C, R_D))
ID_E | Aggr(R_A, R_B) | MAC(K_Ei, Aggr(R_A, R_B)) | ID_F | Aggr(R_C, R_D) | MAC(K_Fi, Aggr(R_C, R_D)) | MAC(K_Gi, Aggr(R_A, R_B, R_C, R_D))
ID_G | Aggr(Aggr(R_A, R_B), Aggr(R_C, R_D)) | MAC(K_Gi, Aggr(R_A, R_B, R_C, R_D)) | … (same from right side) | MAC(K_Hi, Aggr(R_A, R_B, R_C, R_D, ... readings from right side))

15 Data Transmission Summary
Children send their data reading and MAC (using K_Ni) to their parents.
Parents forward the data and MACs they receive to grandparents, along with a calculated MAC of the aggregation.
Grandparents forward MACs and aggregate values from parents and a calculated MAC of aggregation.

16 Data Validation
At some later time, the Base Station reveals K_Ni for each node N that transmitted data, along with MAC(K_i, K_Ni)
The parent of N uses K_Ni to verify MAC(K_Ni, R_N)
Nodes increment i to use the next µTesla key
The Base Station broadcasts K_i (which nodes verify) and advances to the new µTesla key
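The transmission and validation steps above for one subtree (children A and B, parent E, grandparent G), as an added example that is not code from the talk. It assumes Aggr is a sum, that the revealed interval keys have already been authenticated, and that G checks the forwarded child MACs as well as E's aggregate MAC; the function names, the `tamper`/`claimed` knobs, keys and readings are all constructed for illustration.

```python
import hashlib, hmac

def mac(key: bytes, value: int) -> bytes:
    """8-byte MAC over a reading or aggregate (truncated HMAC-SHA256)."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).digest()[:8]

def aggr(readings):
    return sum(readings)                 # Aggr is a sum in this example

def child_msg(node_id, reading, key):
    """ID_N | R_N | MAC(K_Ni, R_N)"""
    return (node_id, reading, mac(key, reading))

def parent_msg(children, parent_key, tamper=None, claimed=None):
    """Forward child triples plus MAC(K_Pi, Aggr(...)).
    tamper/claimed model a compromised parent (hypothetical knobs)."""
    fwd = [(i, tamper.get(i, r) if tamper else r, t) for i, r, t in children]
    total = aggr(r for _, r, _ in fwd) if claimed is None else claimed
    return fwd, mac(parent_key, total)

def grandparent_validate(msg, revealed, parent_id):
    """Run once the interval keys are revealed; return the faults found."""
    fwd, parent_tag = msg
    faults = [f"bad MAC for {i}" for i, r, t in fwd
              if not hmac.compare_digest(mac(revealed[i], r), t)]
    mine = aggr(r for _, r, _ in fwd)    # delayed aggregation: computed here
    if not hmac.compare_digest(mac(revealed[parent_id], mine), parent_tag):
        faults.append(f"aggregate MAC from {parent_id} does not match {mine}")
    return faults

# Constructed interval keys K_Ai, K_Bi, K_Ei and constructed readings.
KEYS = {n: hashlib.sha256(b"constructed key " + n.encode()).digest() for n in "ABE"}
kids = [child_msg("A", 21, KEYS["A"]), child_msg("B", 23, KEYS["B"])]

def run(**compromise):
    """Validate E's message at G, optionally with E compromised."""
    return grandparent_validate(parent_msg(kids, KEYS["E"], **compromise), KEYS, "E")
```

`run()` returns no faults, `run(tamper={"A": 90})` flags A's MAC, and `run(claimed=100)` flags E's aggregate MAC; a child that reports a false reading of its own under its own key passes, matching the slides' statement that a compromised node can lie about its own reading.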

17 Abridged Attack Analysis
Intruder Node (no key material)
– Cannot forge sensor readings: they will be detected when the base station reveals the node MAC keys
– Replay attacks ineffective: keys change, can only replay readings within this time period
– Denial-of-service attack can succeed (but alerts operator)
Compromised Node (all keys on one node)
– Can lie about its own reading
– But cannot alter other nodes' readings without getting caught: aggregate will not match calculated aggregate at next level

18 Successful Attacks
Compromised node selectively drops child readings
– Nothing to prevent this (but unlikely to change much without base station noticing)
– Can use child snooping to catch it earlier
Compromise two consecutive (parent and grandparent) nodes
– Can forge readings for entire subtree

19 Communication Cost
[Figure: Total Kilobytes Transmitted vs. Sensor Nodes]
Sensor reading: 22 bytes
MAC of message: 8 bytes
Ideal binary network
Secure Aggregation requires about 3 times the amount of data transmission as Insecure Aggregation, but provides integrity with < ½ the cost of no aggregation.

20 Scalability
Base station must broadcast next node key for every node
To scale to larger sensor networks, use local µTesla between parent-child
– Need base station to validate start of hash chain
Two µTESLA keys are used each time, one for immediate authentication, and another for later authentication:
A → Parent: ID_A | R_A | K_A1 | MAC(K_A2, R_A)
Authenticate the origin of message (node A) immediately
Authenticate reading later

21 Summary / Moral (?)
With our protocol, you can get authenticated results without trusting your children at all, and trusting your parents and grandparents not to conspire together against you.
Not trusting your children is reasonable (inexpensive)
Not trusting your parents is expensive: requires over twice the resources of the insecure aggregation protocol
http://swarm.cs.virginia.edu

