Key Infection (smart trust for smart dust) Ross Anderson (Cambridge) Haowen Chan (CMU) Adrian Perrig (CMU)

Sensor Networks  100s to 1000s of cheap sensor nodes  Communicate peer-to-peer and route information to base stations  Example: Sensors could be scattered by air to monitor pollution - or track people

Typical Sensor Node Characteristics  Wireless communication  Battery powered  Immobile  Not tamper-resistant  Limited processing hardware and memory  Communicate peer-to-peer and route data to one or more base stations

Platform Technologies: UCB Mote  UCB Mote Evolution

Approaches to Key Distribution  Attempt #1: Use a PKI Problem: Too computationally intensive  Attempt #2: Use a single symmetric master key Problem: Single node capture exposes entire network  Attempt #3: Load each node with key for each neighbour Problem: Don’t know neighbours a priori  Attempt #4: Load each node with many keys (n-1 keys/node, or fancier randomised scheme) Problem: Memory cost too high

Threat Model  Attacker deploys white dust to monitor an area  Defender has a few black dust motes already, rapidly deploys more, and sends in ‘insects’ that reverse-engineer some white motes  Passive defense: see what movements yield sensor traffic  Active defense: transmit jamming / deceptive messages  Example: corrupt routing to partition network

Defender Model  During the deployment phase, we have a partial, passive defender - some links monitored but no jamming / flooding / physical attack  After deployment, the gloves come off! The defender is pervasive and active  Often reasonable because of economics: white can deploy dust anywhere while black must defend everywhere

Basic Idea  Suppose all nodes share an initial master key, and use this to bootstrap link keys  Once the reverse-engineering insect arrives, the enemy gets the master key  The enemy can now eavesdrop all the links it monitored  But it could only monitor a small fraction of them! We may still be OK  This is equivalent to broadcasting initial keys locally, and in the clear

Key Infection  Assume that mote i, when it comes to rest, transmits a key ki  When mote j hears it, it responds with a pairwise key, using only just enough power for the link: j -> i : { j, k ji } ki i j The key is compromised if a hostile mote lies in the intersection of the two circles i E.g, 1 black mote for 100 white % of links secure

Key Whispering  First improvement - instead of broadcasting ki at full power, whisper it - increase volume until response heard  In other words, whispering already reduces compromised links by 2/3 d1% basic1% whisper3% basic3% whisper 21.13%0.40%3.48%1.19% 31.75%0.61%5.06%1.81% 42.38%0.83%6.75%2.44% 52.92%1.01%8.40%3.02%

Key Capture Enemy / subverted nodes  Neither node A or node B was captured, but their shared key has been exposed Keys of node A Keys of node B

Multipath Privacy Amplification  If i talks via j to k, and link jk compromised, find any other paths, e.g., i -> l -> k, set up keys k ik along all available paths, and hash them together  This gets a further significant reduction in compromised links: d1% basic1% multipath 3% basic3% multipath 20.61%0.38%2.23%1.11% 30.55%0.26%1.76%0.91% 40.40%0.16%1.57%0.80% 50.35%0.04%1.29%0.40%

Interaction with Routing  Even with no mobility, the network topology will change as a result of battery exhaustion / attacks  White may invest in preparing for failover - multipath key establishment helps  Many interesting questions, e.g. energy efficiency, clubbing, different logical paths on same physical path…

Other Applications (1)  Peer-to-peer systems typically start out optimistically with a large number of hopefully trustworthy nodes  ‘Black’ nodes join once the network starts to operate, and ‘white’ nodes may be subverted (e.g., by court order)  Here too the issue isn’t the initial key bootstrapping, but resilience in the face of what happens later

Other Applications (2)  Subversive networks are similar. Law enforcement can only monitor so many people, and so many phones…  Once subversive activity manifests, the task is to penetrate a network that may have been fairly open at the start, but has now closed up  Again, the important aspect is not the initial bootstrapping, but the subsequent lockdown, and any associated resilience

Security Economics  Economics provide the big showstopper for security in general  Here, the game depends on both initial and marginal costs of attack and defence  Initial keying increases initial cost to both  Equilibrium depends on marginal costs - defender efforts vs attacker resilience  Logically, defender will give up, or attacker have to go all out to maintain network  Attacker will logically make marginal investment in resilience, not bootstrapping

Research Problems  What are the relative costs of key establishment vs. maintenance in different types of network?  What are the best attack and defence strategies at equilibrium?  What’s the interaction with routing algorithms?  Can you deal with new motes joining?  Can you have multiple virtual networks (‘United Nations Dust’)?  Can multiple users interact locally (‘Neighbourhood Watch Dust’)?

Conclusions  Sensor networks present interesting and novel protection problems  They provide a tractable model for bigger problems, from P2P network design to some real-world policing problems  Challenge the conventional wisdom that authentication is about trust bootstrapping  In many real social networks, trust is more about group reinforcement / bonding  Will future pervasive computing systems be command-and-control, or societal?