Path key establishment using multiple secured paths in wireless sensor networks CoNEXT’05 Guanfeng Li  University of Pittsburgh, Pittsburgh, PA Hui Ling.

Presentation transcript:

Path key establishment using multiple secured paths in wireless sensor networks (CoNEXT’05)
Guanfeng Li, University of Pittsburgh, Pittsburgh, PA
Hui Ling, University of Pittsburgh, Pittsburgh, PA
Taieb Znati, University of Pittsburgh, Pittsburgh, PA
Sep. 28th 2006, KAIST Dependable Software LAB., Jun Sup Lee 이준섭 (20063449)

Agenda
- Motivation
- Related Work
- Contents
  - Multi-path key establishment with Proxy
  - Experiment Result
  - Security Analysis
- Conclusion
- Q&A

Motivation
- Why security?
  - Protecting confidentiality, integrity, and availability of the communications and computations
  - Sensor networks are vulnerable to security attacks due to the broadcast nature of transmission
  - Sensor nodes can be physically captured or destroyed
- Why not use existing security mechanisms? WSN features that affect security:
  - Sensor node constraints: battery, CPU power, memory
  - Networking constraints and features: wireless, ad hoc, unattended
- This paper's work: improved key establishment and maintenance schemes within WSNs
  - A Path Key Establishment scheme which leverages multiple secure paths with only one proxy for key negotiation and establishment

Related Work | Security support in WSNs
- Existing schemes:
  - Asymmetric cryptography: slow (2~4 times slower than symmetric encryption), hardware is complicated, energy consumption is high
  - Trusted server schemes (e.g. Kerberos): lack of infrastructure
  - Key pre-distribution schemes, proposed by L. Eschenauer and V. Gligor (2002)
- Battery power constraints
  - Computational energy consumption: crypto algorithms, public key vs. symmetric key
  - Communications energy consumption: exchange of keys, certificates, etc.; per-message additions (padding, signatures, authentication tags)
- Memory constraints
  - Program storage and working memory: embedded OS and security functions (Flash), working memory (RAM)

Related Work | Key pre-distribution in WSNs
- Loading keys into sensor nodes prior to deployment
- Two nodes find a common key between them after deployment
- Challenges
  - Memory/energy efficiency
  - Security: nodes can be compromised
  - Scalability: new nodes might be added later
- Each node randomly selects R keys (its key ring) from the key pool P
- When |P| = 1000 and R = 20 / 30, p (two nodes have a common key) = 0.335 / 0.605
[Figure: nodes N1, N2, N3, N4, ... each drawing a key ring from key pool P]

Related Work | Key pre-distribution in WSNs

Node   Keys
N1     K1, K3, K5, K7
N2     K2, K4, K13, K18
N3     K5, K11, K13, K20
N4     K6, K9, K12, K16
N5     K3, K11, K12, K19
N6     K7, K8, K13, K19
N7     K1, K8, K12, K14

Key pool: K1..K20
[Figure: nodes N1..N7 joined by physical links and secure links; the secure links are labelled K12, K1, K7, K5, K13, K11]

Related Work | Path-key establishment
- Nodes not directly sharing a key will establish one through a secure path.
- The path key of node 4 and node 6 (K4,6) is transmitted through node 7 and node 1: Node 4 -- Node 7 -- Node 1 -- Node 6
- K4,6 is revealed to node 7 and node 1 during the transmission.
- Generally, a path key is revealed to all intermediate nodes in the secure link path. This is the path-key establishment problem.
[Figure: nodes N1..N7 with secure links labelled K12, K1, K7, K5, K13, K11; K46 is carried along the secure path]

Contents | Multi-path key establishment
- Use multiple node-disjoint secure paths to send the path key.
- The path key is divided into k pieces (nuggets) and one piece is sent through each path.
- Therefore, the attacker has to capture at least one node from each of these k node-disjoint paths in order to capture the path key.
- Finding node-disjoint paths involves a high level of overhead.
- Increasing the number of node-disjoint paths does not necessarily improve the level of security.
[Figure: nodes N1..N6; K16 is split as K16 = k1 + k2, the nuggets k1 and k2 travel over separate paths and are recombined as k1 + k2 = K16]

Contents | Multi-path key establishment with Proxy
- Goal: reduce the exposure of the key nugget along the path.
- The proxy ensures that no more than one node (the proxy) along a path knows the key nugget.
- The proxy shares a key with each end node respectively.
- It becomes feasible to relax the node-disjoint requirement of the k paths without increasing the vulnerability of the path key.
[Figure: the N1..N7 network with the same key rings as the table on the key pre-distribution slide, one node marked as Proxy; physical links and secure links labelled K12, K1, K7, K5, K13, K11]

Contents | End-to-End Key Establishment Scheme
1. u sends out its key ID list to invite v to set up a path key.
2. v randomly constructs a key and breaks it down into k nuggets, K1, K2, ..., Kk.
3. v then selects k proxies.
4. Upon receiving all k nuggets, node u reconstructs the key K based on the sequence number carried by each nugget.
[Figure: end nodes u and v and two nodes marked Proxy in the N1..N7 network; physical links and secure links labelled K12, K1, K7, K5, K13, K11]
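The proxy-based scheme on the last two slides, as an added example that is not part of the original presentation or the paper's code: it takes the key rings from the slide's table, finds the nodes eligible as proxies for N4 and N6, splits a path key into numbered nuggets and rebuilds it. XOR as the combining operation (the slides write "+"), picking the lowest shared key ID per leg, and all function names are assumptions; nugget encryption is omitted.

```python
import secrets
from functools import reduce

# Key rings (key IDs only) copied from the slide's table.
RINGS = {
    "N1": {1, 3, 5, 7},   "N2": {2, 4, 13, 18},  "N3": {5, 11, 13, 20},
    "N4": {6, 9, 12, 16}, "N5": {3, 11, 12, 19}, "N6": {7, 8, 13, 19},
    "N7": {1, 8, 12, 14},
}

def find_proxies(u, v, rings=RINGS):
    """Map each eligible proxy to (key ID shared with u, key ID shared with v)."""
    found = {}
    for node, ring in rings.items():
        with_u, with_v = ring & rings[u], ring & rings[v]
        if node not in (u, v) and with_u and with_v:
            # Assumption: the lowest shared key ID is used on each leg.
            found[node] = (min(with_u), min(with_v))
    return found

def leg_keys_distinct(proxies):
    """True if the 2k leg keys are all different, as the analysis assumes."""
    ids = [kid for pair in proxies.values() for kid in pair]
    return len(ids) == len(set(ids))

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key, k):
    """Split key into k numbered nuggets; all k are needed to rebuild it."""
    nuggets = [secrets.token_bytes(len(key)) for _ in range(k - 1)]
    nuggets.append(reduce(xor_bytes, nuggets, key))
    return list(enumerate(nuggets, start=1))

def reconstruct(received):
    """u orders the nuggets by sequence number and combines them."""
    return reduce(xor_bytes, (n for _, n in sorted(received)))

def establish(u, v, key_len=16):
    """v picks a path key and hands exactly one nugget to each proxy."""
    proxies = find_proxies(u, v)
    if not proxies:
        raise ValueError(f"no node shares a key with both {u} and {v}")
    key = secrets.token_bytes(key_len)
    # Each proxy decrypts its nugget with the v-side key and re-encrypts it
    # with the u-side key (the encryption step is omitted in this sketch).
    return key, dict(zip(proxies, split_key(key, len(proxies))))

if __name__ == "__main__":
    key, seen = establish("N4", "N6")
    print(find_proxies("N4", "N6"), reconstruct(seen.values()) == key)
```

For N4 and N6 the eligible proxies are N5 and N7, and both reach N4 under K12, so the 2k-distinct-keys assumption used in the security analysis does not hold for this pair.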

Contents | Finding Proxy Algorithm #1
- v randomly selects k neighbors and sends out request-for-proxy packets containing key IDs from both u and v.
- Each recipient examines the ID list to see if it shares keys with both u and v.
  - If it does, it responds to v with the key ID that is chosen to communicate with v.
  - If it does not, or it has received the same request from v, it forwards this request to a random neighbor other than the sender.
[Figure: end nodes u and v in the N1..N7 network; physical links and secure links labelled K12, K1, K7, K5, K13, K11]

Contents | Finding Proxy Algorithm #2
- v creates a request packet and sets its Time-To-Live (TTL) field to t before locally flooding it into the network.
- Nodes which receive a request packet respond with a positive acknowledgment only if they share a key with u and a key with v respectively.
- Upon receiving k positive acknowledgments, v selects the senders of these acknowledgments as the k proxies.
[Figure: end nodes u and v in the N1..N7 network; physical links and secure links labelled K12, K1, K7, K5, K13, K11]

Contents | Experiment Results of Algorithm #1 & #2
- Algorithm #2 discovers proxies faster than Algorithm #1. This is especially true in dense WSNs.
- Algorithm #2 requires more nodes than Algorithm #1 for local flooding.
- The results show that if p is large, Algorithm #1 is preferred, while the second approach should be used if the network is dense.

Contents | Security Analysis
- The vulnerability of the system to node capture is measured by computing the likelihood that an attacker who captures x nodes may obtain all k key nuggets.
- Assume that there are 2k distinct keys used to secure key nuggets by k proxies.
- Consider a set of x colluding nodes. The probability that the x colluding nodes cover all 2k keys is:

Contents | Security Analysis
- If either u or v is captured, the path key is revealed.
- The probability of x nodes containing no end nodes but covering all k proxies is:
- The probability Pc of all shared keys being revealed after the capture of x nodes is:

Contents | Security Analysis
- A satisfactory security level (0.00051%) can be achieved even when a large percentage of nodes (5%) are captured and k is small (k = 4).

Conclusion
- The path-key establishment exposure problem is commonly encountered in key pre-distribution schemes in WSNs.
- A Path Key Establishment scheme, which uses multiple secured paths for the negotiation and exchange of symmetric keys between end nodes.
- Strength
  - This scheme assumes no specific routing protocol, thus it is not dependent on the physical topology of the network.
  - It will be able to greatly improve the security of key establishment.
- Weakness
  - Currently, the proposed scheme cannot defend against Denial of Service attacks, such as the case when an attacker lies on one or multiple paths from the proxies to the end nodes and drops packets.

Thank you. Questions? For more discussion: Rm4428, Jslee@dependable.kaist.ac.kr