Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig Carnegie Mellon University Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment.

Published byShelby Blakeman Modified over 9 years ago

Similar presentations

Presentation on theme: "Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig Carnegie Mellon University Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment."— Presentation transcript:

1 Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig Carnegie Mellon University Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment in Sensor Networks 1

2 How do nodes receive cryptographic keys? “Distribution is simple; nodes are loaded with the shared key before deployment.” TinySec …send the key in the clear “thus resulting in a brief moment of vulnerability.” ZigBee 20032004 2005 20062002 SPINS Eschenauer and Gligor TinySec ZigBee MiniSecINSENS 2

3 Potential approach – Factory installation 3

4 Potential approach – Physical interface  Properties achieved Secrecy Ease of use  But… Batch deployment remains a tedious task USB interface will not exist on many commodity nodes Sensors deployed in harsh environments USB interface are expensive 4

5 An ideal practical solution  No physical interface No USB connectors, screens, or keypads  Deploy keys wirelessly Resistant to eavesdropping and injection attacks  Key deployment by end users End users are not security experts  Batch deployment for multiple nodes Scales for large deployments 5

6 Agenda  Motivation  Problem definition  Single node key deployment  User study  Batch deployment 6

7 Agenda  Motivation  Problem definition  Single node key deployment  User study  Batch deployment 7

8 Problem definition (1/2)  Securely setup a shared secret between a base station and a new node Key secrecy Attacker cannot compromise shared secret Key authenticity New node receives the key that base station intended it to receive Demonstrative identification Users are certain which devices are communicating 8

9 Problem definition (2/2) Robust to user error Fail safe - human error result in failure to setup a key, not key compromise Cost effective Does not require additional hardware on each node No asymmetric cryptography Even asymmetric crypto schemes need one authenticated value 9

10 Assumptions  Installer Trusted Not expert  Base station Trusted Generates keys  Sensor node Unmodified hardware Loose time synchronization Unmodified software 10

11 Strong attacker model  Dolev-Yao Overhear, intercept, modify, reorder, and send arbitrary messages Before, during, and after key deployment  More powerful malicious device deployed around vicinity of nodes Higher antenna gain Faster processor 11

12 Agenda  Motivation  Problem definition  Single node key deployment  User study  Batch deployment 12

13 Keying Device How to send key wirelessly to new node? Base station KMKM New Node KMKM KMKM Attacker eavesdrops on key! Attacker 13

14 Keying Device Need some type of isolation KMKM New Node KMKM Shielded messages Faraday cage approach proposed by Castelluccia and Mutaf, 2005 14

15 Why isn’t a Faraday cage sufficient?  How does installer know when to open cage?  How does installer know cage is closed?  What happens if Faraday cage is imperfect?  How does installer know if node has correct key? 15

16 How does installer know when to open cage? Faraday Cage Keying Device New Node 16

17 How does installer know when to open cage? Faraday Cage Keying Device New Node Keying Beacon 17

18 ‘ Keying beacon interacts with user Faraday Cage Keying Device New Node Keying Beacon  Solid blue - performing key deployment  Blinking blue - done 18

19 Keying beacon interacts with user Faraday Cage Keying Device New Node Keying Beacon  Solid blue - performing key deployment  Blinking blue - done 19

20 Why isn’t a Faraday cage sufficient?  How does installer know when to open cage?  How does installer know cage is closed?  What happens if Faraday cage is imperfect?  How does installer know if node has correct key? 20

21 How do nodes know when cage is closed? Faraday Cage Keying Device New Node Keying Beacon Authenticated heartbeats 21

22 ‘ Authenticated heartbeats determine whether cage is closed Faraday Cage Keying Device New Node Keying Beacon Authenticated heartbeats 22

23 Why isn’t a Faraday cage sufficient?  How does installer know when to open cage?  How does installer know cage is closed?  What happens if Faraday cage is imperfect?  How does installer know if node has correct key? 23

24 What if cage leaks? Faraday Cage Keying Device New Node Keying Beacon 24

25 What if cage leaks? Faraday Cage Keying Device New Node Keying Beacon  Solution 1: Keying beacon eavesdrops I hear shielded messages! 25

26 How leaky is cage? Faraday Cage  L cage : Attenuation of cage (dBm) Strong attenuation (large negative number) Attacker cannot overhear shielded messages Weak attenuation (small negative number) Attacker can overhear shielded messages Keying beacon can also detect leaked messages  In order for leaking to go undetected… Attacker needs a sweet spot Based on our setup: -66 dBm 26

27 How far away does attacker have to be?  RS e : Eavesdroppers required radio sensitivity  Attacker antenna gain of 10dBm  P t : Transit power of keying device, at minimum power  L cage : Attenuation of cage  d min : Distance of eavesdropper 27 If cage leaks, attacker needs to be within 19cm

28 What if cage leaks? Faraday Cage Keying Device New node Keying Beacon  Solution 2: Keying beacon jams at full power Leaked messages overpowered by jamming signal 28

29 How do nodes know jammed at correct time? Faraday Cage Keying Device New node Keying Beacon 29  Requires loose time synchronization

30 Summary: Protecting shielded messages  Faraday cage attenuates shielded messages  Shielded messages sent at minimum power  Keying beacon jams at full power 30

31 Why isn’t a Faraday cage sufficient?  How does installer know when to open cage?  How does installer know cage is closed?  What happens if Faraday cage is imperfect?  How does installer know if node has correct key? 31

32 Rsp Chal How does installer know if node has correct key? Faraday Cage Keying Device New Node Keying Beacon KMKM KMKM MAC KMKM 32

33 How does installer know if node has correct key? Faraday Cage Keying Device New node Keying Beacon KMKM KMKM KMKM 33

34 Key verification Faraday Cage Keying Device New node Keying Beacon KMKM KMKM KMKM Rsp Chal Rsp’ = KMKM MAC 34

35 What if there was an error? Faraday Cage Keying Device New node Keying Beacon KMKM KMKM K M’  Easy for user to detect  Fail-safe 35 Rsp’ Rsp !=

36 Summary: Single node key deployment  Installer places… New Node and Keying Device inside Faraday cage Keying Beacon outside Faraday cage  Keying Device and Beacon exchange authenticated heartbeats to determine whether cage is closed  Installer closes cage… Key exchange inside cage (Shielded messages) Beacon jams at full power  Beacon notifies installer to open cage  Key verification Compares jamming schedule Challenge response protocol  Beacon signals to installer whether keying was successful 36

37 Agenda  Motivation  Problem definition  Single node key deployment  User study  Batch deployment 37

38 User study 38

39 Agenda  Motivation  Problem definition  Single node key deployment  User study  Batch deployment 39

40 Batch deployment New Nodes Faraday Cage Keying Beacon Keying Device 40 K1K1 K2K2 K3K3

41 Same questions apply for batch deployment  How does installer know when to open cage? Keying might take variable time! Need to determine number of nodes in batch  How does installer know cage is closed? Authenticated heartbeats  What happens if Faraday cage leaks signal? Beacon jams at full power  How does installer know if node has correct key? Key verification 41

42 Batch deployment New Nodes Faraday Cage Keying Beacon Keying Device 42 Weight Scale

43 Batch deployment New Nodes Faraday Cage Keying Beacon Keying Device  Same protocol from user’s perspective 43 Weight Scale # nodes = Weight / Unit weight Heartbeat: Weight

44 Related Work 44  Physical interface  Resurrecting Duckling [Stajano 01]  Seeing is Believing [McCune 04]  Other side channel as sensors  Talking to Strangers [Balfanz 03]  Shake Them Up [Castelluccia 05]  Requires pre-existing information  Integrity code [Cagalj 06]  Insecure  Key Infection [Chan 03]

45 Conclusion  Key deployment Hard problem Not currently addressed for highly secure environments Needed by all secure sensor network protocols  Message-in-a-Bottle Secure Robust to user error 45

Download ppt "Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig Carnegie Mellon University Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment."

Similar presentations

Chris Karlof and David Wagner

Chris Karlof and David Wagner
Message Integrity in Wireless Senor Networks CSCI 5235 Instructor: Dr. T. Andrew Yang Presented by: Steven Turner Abstract.

Message Integrity in Wireless Senor Networks CSCI 5235 Instructor: Dr. T. Andrew Yang Presented by: Steven Turner Abstract.
Network security Dr.Andrew Yang.  A wireless sensor network is network a consisting of spatially distributed autonomous devices using sensors to cooperatively.

Network security Dr.Andrew Yang.  A wireless sensor network is network a consisting of spatially distributed autonomous devices using sensors to cooperatively.
Secure Location Verification with Hidden and Mobile Base Stations -TMC Apr, 2008 Srdjan Capkun, Kasper Bonne Rasmussen, Mario Cagalj, Mani Srivastava.

Secure Location Verification with Hidden and Mobile Base Stations -TMC Apr, 2008 Srdjan Capkun, Kasper Bonne Rasmussen, Mario Cagalj, Mani Srivastava.
Trust relationships in sensor networks Ruben Torres October 2004.

Trust relationships in sensor networks Ruben Torres October 2004.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
KAIS T Message-In-a-Bottle: User-Friendly and Secure Key Deployment for Sensor Nodes Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig(CMU), Sensys07 2007.

KAIS T Message-In-a-Bottle: User-Friendly and Secure Key Deployment for Sensor Nodes Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig(CMU), Sensys
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
Raphael Frank 20 October 2007 Authentication & Intrusion Prevention for Multi-Link Wireless Networks.

Raphael Frank 20 October 2007 Authentication & Intrusion Prevention for Multi-Link Wireless Networks.
TinySec: Security for TinyOS Chris Karlof Naveen Sastry David Wagner January 15, 2003

TinySec: Security for TinyOS Chris Karlof Naveen Sastry David Wagner January 15, 2003
1 Security in Wireless Sensor Networks Group Meeting Fall 2004 Presented by Edith Ngai.

1 Security in Wireless Sensor Networks Group Meeting Fall 2004 Presented by Edith Ngai.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 Security Characteristics of Cryptographic.

Dr. Sarbari Gupta Electrosoft Services Tel: (703) Security Characteristics of Cryptographic.
Adaptive Security for Wireless Sensor Networks Master Thesis – June 2006.

Adaptive Security for Wireless Sensor Networks Master Thesis – June 2006.
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.

Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
CS 239: Advanced Security Spring 04 Security in Pervasive and Ubiquitous Environments Sam Irvine

CS 239: Advanced Security Spring 04 Security in Pervasive and Ubiquitous Environments Sam Irvine
Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.

Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

Similar presentations

Ads by Google