IC-29 Security and Cooperation in Wireless Networks 1 Secure and Robust Aggregation in Sensor Networks Parisa Haghani Supervised by: Panos Papadimitratos Marcin Poturalski Prof. Jean-Pierre Hubaux

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani2 Outline  Problem context  Related work  System model  SHIA  Proposed schemes Scheme 1 : Approximate Attacker Localization Scheme 2 : Attacker Localization  Conclusion  Future Work

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani3 Problem Context  Wireless Sensor Networks Often deployed in security-critical applications Sensors have limited resources → Efficient aggregation techniques Hostile environment → Secure aggregation

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani4 Related work  [Yang06] “SDAP: a secure hop-by-Hop data aggregation protocol for sensor networks”, Yi Yang, Xinran Wang, Sencun Zhu. 7th ACM Interational Symposium on Mobile Ad Hoc Networking and Computing, May  [Chan06] “Secure Hierarchical In-Network Aggregation in Sensor Networks”, Haowen Chan, Adrian Perrig and Dawn Song.13 ACM conf. on computer and communications security, November  [Wu07] “Secure data aggregation without persistent cryptographic operations in wireless sensor networks”, K. Wu, D. Dreef, B. Sun, and Y. Xiao, Ad Hoc Networks, vol. 5, no. 1, pp. 100–111, 2007.

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani5 System Model Network Assumptions  Wireless sensor network of n sensors  A single base station (querier) Security Associations  Each sensor shares a unique symmetric key with the querier Attacker model  Attacker is in complete control of t<n nodes lie about its measurement modify aggregation messages and relay

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani6 Secure In-Network Aggregation (SHIA) [Chan06] 0. Aggregation Tree Formation 1. Query Dissemination - Query Message contains a nonce N

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani7 Secure In-Network Aggregation (SHIA) [Chan06] (cont’d) 2. Aggregation-Commit Goal : Constructing a commitment structure (hash tree) Leaf nodes: send up their values Internal nodes: perform aggregation, create a commitment to the set of inputs used to calculate the aggregation

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani8 Secure In-Network Aggregation (SHIA) [Chan06] (cont’d) 3. Result check 3a. Dissemination of off-path values 3b. Collection of Confirmation -Value Inclusion Possible based on off-path values -Ack only if inclusion verified 3c. Verification of Confirmation

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani9 Secure In-Network Aggregation (SHIA) [Chan06] (cont’d)  Main Pros Optimally Secure Low Edge Congestion Complexity  Naïve approach : O(h)  Delayed aggregation : O(log 2 n)  Main Cons Even a single node not acknowledging = querier drops the aggregation result Required Info : Exact number of alive nodes and their corresponding keys.

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani10 Lets not Forget….  The querier’s goal is to acquire some knowledge out of the network.  The querier should query the network again SHIA proposes : No Aggregation  Therefore, If attacker exists SHIA-No Aggregation …  As a result : Even higher complexity than when using no aggregation!!

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani11 Proposed Schemes  Approach Localize the attacker Eventually omit it from the network  We Propose 2 schemes for attacker localization  Extra Assumption in both schemes: The BS knows the topology of the aggregation tree

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani12 Scheme 1: Approximate Attacker Localization If inclusion verified -A leaf node a: -- Send up ACK a and level info -An intermediate node b: -- XOR ACKs of all received messages with the same level info -- Add its own ACK b and level info Otherwise -Send nothing  Replacing the result-check phase of SHIA

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani13 Scheme 1 (cont’d)  BS receives one message per level  BS knows the topology Can verify messages in each level Can go down until it encounters dicrepency!  Complexity O(h)

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani14 Scheme 1 (cont’d)  Example : maximum one node failure in each level, no attackers Maximum number of checks in level l is : n l +1

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani15 Scheme 1 (cont’d)  Attacker can act in three possible ways Follow the protocol in the check-phase  For BS: Similar to having several dead nodes’ in a level Inject garbage: send random messages pretending it has received from its children  For BS: Disables BS from proceeding to the next layers Pretend to be dead by sending nothing  For BS: Similar to dead node case  Worst case: BS stops at the level in which the attacker lies

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani16 Scheme 1 (cont’d)  An important constraint Assuming BS can at most check if at least k nodes out of n l nodes in level l have confirmed num of legitimate messages: MAC of size M Probability of an attacker success:

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani17 Scheme 2: Attacker Localization  Goal: Localize the attacker more precisely Have an estimate of the aggregation value’s closeness to the true value  Apply IF the result-check phase of SHIA fails  Complexity O(n)

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani18 Scheme 2 (cont’d) 1. Hierarchical Collection of Confirmation If value inclusion verified -Leaf node s --M s = Enc Ks (N) --Send M s to parent -Intermediate node u, with children {u1,u2,…uk} --Wait a certain time --If did not receive from uj ---M nr : “no message received” flag ---M uj = M nr --N s : Separation flag --M u = Enc Ku (N||M u1 ||N s ||M u2 …N s ||M uk ) --send M u Otherwise -Send nothing

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani19 Scheme 2 (cont’d) 2. Hierarchical Decryption of Confirmations at BS, using the topology of the aggregation tree  Three Possible cases: Enc Ku (N||M u1 ||Ns||M u2 …Ns||M uk ) Enc Ku (N||M u1 ||Ns…||M nr ||…Ns||M uk )  BS Marks u and u d Enc Ku (N||M u1 ||Ns…|| nonsense ||…Ns||M uk )  BS Marks u and u d

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani20 Scheme 2 (cont’d)  Theorem 1 The attacker localizer scheme enables the BS to mark all attackers, for which another attacker does not exist in their path to BS.  Theorem 2 The BS is able to estimate the aggregation value’s closeness to the true value.

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani21 Conclusion  Existing schemes have significant limitations  We proposed two schemes Scheme 1  More robust against node failure and single attackers  O(h) complexity Scheme 2:  Localize the attacker more precisely  Give an estimate of the aggregation value  O(n) complexity

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani22 Future Work  Proposing methods for local recovery of the aggregation tree Schemes for omitting attackers !  Investigating iterative methods Lower communication load?

8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani23  Thank you !  Questions ?