IHP Im Technologiepark Frankfurt (Oder) Germany IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved On Concealed Data Aggregation for Wireless Sensor Networks Steffen Peter Peter Langendörfer, Krzysztof Piotrowski
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Outline Concealed Data Aggregation? What does it mean? What is it for? Privacy homomorphism Example for an efficient CDA scheme CaMyTs-Algorithm Discussion of security properties Awareness to passive and active attacks Solution to overcome security problems Cascaded privacy homomorphism Conclusions
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Scenario: WSN as movement/intruder detection Q: Sensed something since last request?
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved In-Network-Aggregation (INA) ,0 0,0 1,0 1,0,1,0 1,0,0,0 1,0,0,0,1,0,1,0 3 Without INA: ,2 3 With INA: Reduced packet traffic
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Security Issues of in-network aggregation Without cryptography No security Classic End-to-End security (DES, AES, ECC) Encryption on sensor – decryption on sink + Very secure - No possibility of in-network aggregation Hop-by-Hop encryption Packets are encrypted and decrypted on every routing node + In-network aggregation possible - No End-to-End security every routing node knows and can change every plaintext
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Concealed (In-netwok) Data Aggregation We need: End-to-End security that allows aggregation on routing nodes = Routing nodes do not know what they aggregate = Ability to compute with encrypted values Only sink node can decrypt the aggregated value Solution: Privacy Homomorphism Encryption Value1 Encryption Value2 Encryption Value1 + Value2
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved CaMyTs (Castelluccia, Mykletun, Tsudik) Random Stream: Random Stream: Random Stream: Value: 1 Value: 0 Value: 1 Encryption: 1+15=16 (mod 32) Aggregation: =74 =10 (mod 32) 10 Decryption: – = -62 =2 (mod 32) = Random Stream 1: Random Stream 2: Random Stream 3: =30 (mod 32) 1+27=28 (mod 32) Decryption: 16 – 15 = 1
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Attack Scenarios Passive Attacks Eavesdropping Ciphertext analysis Chosen/known plaintext attacks Active Attacks Unauthorized aggregation Forged packets Replay attacks Malleability
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved 23 Active Attack - Replay Value: 1 Value: 0 Key: 9 Value: 0 Key: 2 (Previous: 0+15=15) 1+22= =9 0+2=2 Key Stream: Decr: 3-34 1 Attack 1: 24 no plausible value Attack 2: 18 no plausible value
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Active Attack - Malleability Value: 1 Key: 15 Value: 0 Key: 30 Value: 0 Key: 27 Encryption: 1+15=16 Aggregation: =73 =9 (mod 32) 9 Decryption: – = -62 = 1 (mod 32) = Alert Key1: 15 Key2: 30 Key3: 27 Encryption: 0+30=30 Encryption: 0+27= NO ALERT 0 -63
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Evaluation Domingo-Ferrer (DF) CaMyTsElliptic Curve ElGamal (ECEG) Ciphertext size-+o Encryptiono+- Decryptiono-- Aggregationo+- Security/Resistance Ciphertext only attack+++ Chosen plaintext attack-++ Replay attack-+- Malleability+-- Malicious aggregation-+- Forged packets++- Captured Sensors-++
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Increase Security – Combination of two PHs Encryption 2 Encryption 1 Value1 Encryption 2 Encryption 1 Value2 Encryption 2 Encryption 1 Value1 + Value2 Domingo-Ferrer CaMyTs Value1 Domingo-Ferrer CaMyTs Value2 Domingo-Ferrer CaMyTs Value1 + Value2
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved CMT/DF combination - o - o - o - o CaMyTs + DF combination Domingo-Ferrer (DF) CaMyTs Ciphertext size-+ Encryptiono+ Decryptiono- Aggregationo+ Security/Resistance Ciphertext only attack++ Chosen plaintext attack-+ Replay attack-+ Malleability+- Malicious aggregation-+ Forged packets++ Captured Sensors-+
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Conclusions Concealed Data Aggregation in WSNs is required Reduced network traffic End-to-End security Concealed Data Aggregation in WSNs is possible Computation overhead is reasonable (e.g. with CaMyTs, DF) There is not one perfect CDA scheme There are still some security issues (e.g. integrity) Trade-off security/computation effort Evaluation helps selecting application-fitted scheme Combined (cascaded) privacy homomorphism increases security with very low additional costs (e.g. CaMyTs/DF)