1. IC-29 Security and Cooperation in Wireless Networks 1 Secure and Robust Aggregation in Sensor Networks Parisa Haghani Supervised by: Panos Papadimitratos Marcin Poturalski Prof. Jean-Pierre Hubaux

2. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani2 Outline  Problem context  Related work  System model  SHIA  Proposed schemes Scheme 1 : Approximate Attacker Localization Scheme 2 : Attacker Localization  Conclusion  Future Work

3. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani3 Problem Context  Wireless Sensor Networks Often deployed in security-critical applications Sensors have limited resources → Efficient aggregation techniques Hostile environment → Secure aggregation

4. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani4 Related work  [Yang06] “SDAP: a secure hop-by-Hop data aggregation protocol for sensor networks”, Yi Yang, Xinran Wang, Sencun Zhu. 7th ACM Interational Symposium on Mobile Ad Hoc Networking and Computing, May  [Chan06] “Secure Hierarchical In-Network Aggregation in Sensor Networks”, Haowen Chan, Adrian Perrig and Dawn Song.13 ACM conf. on computer and communications security, November 2006.  [Wu07] “Secure data aggregation without persistent cryptographic operations in wireless sensor networks”, K. Wu, D. Dreef, B. Sun, and Y. Xiao, Ad Hoc Networks, vol. 5, no. 1, pp. 100–111, 2007.

5. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani5 System Model Network Assumptions  Wireless sensor network of n sensors  A single base station (querier) Security Associations  Each sensor shares a unique symmetric key with the querier Attacker model  Attacker is in complete control of t<n nodes lie about its measurement modify aggregation messages and relay

6. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani6 Secure In-Network Aggregation (SHIA) [Chan06] 0. Aggregation Tree Formation 1. Query Dissemination - Query Message contains a nonce N

7. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani7 Secure In-Network Aggregation (SHIA) [Chan06] (cont’d) 2. Aggregation-Commit Goal : Constructing a commitment structure (hash tree) Leaf nodes: send up their values Internal nodes: perform aggregation, create a commitment to the set of inputs used to calculate the aggregation

8. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani8 Secure In-Network Aggregation (SHIA) [Chan06] (cont’d) 3. Result check 3a. Dissemination of off-path values 3b. Collection of Confirmation -Value Inclusion Possible based on off-path values -Ack only if inclusion verified 3c. Verification of Confirmation

9. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani9 Secure In-Network Aggregation (SHIA) [Chan06] (cont’d)  Main Pros Optimally Secure Low Edge Congestion Complexity  Naïve approach : O(h)  Delayed aggregation : O(log 2 n)  Main Cons Even a single node not acknowledging = querier drops the aggregation result Required Info : Exact number of alive nodes and their corresponding keys.

10. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani10 Lets not Forget….  The querier’s goal is to acquire some knowledge out of the network.  The querier should query the network again SHIA proposes : No Aggregation  Therefore, If attacker exists SHIA-No Aggregation …  As a result : Even higher complexity than when using no aggregation!!

11. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani11 Proposed Schemes  Approach Localize the attacker Eventually omit it from the network  We Propose 2 schemes for attacker localization  Extra Assumption in both schemes: The BS knows the topology of the aggregation tree

12. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani12 Scheme 1: Approximate Attacker Localization If inclusion verified -A leaf node a: -- Send up ACK a and level info -An intermediate node b: -- XOR ACKs of all received messages with the same level info -- Add its own ACK b and level info Otherwise -Send nothing  Replacing the result-check phase of SHIA

13. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani13 Scheme 1 (cont’d)  BS receives one message per level  BS knows the topology Can verify messages in each level Can go down until it encounters dicrepency!  Complexity O(h)

14. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani14 Scheme 1 (cont’d)  Example : maximum one node failure in each level, no attackers Maximum number of checks in level l is : n l +1

15. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani15 Scheme 1 (cont’d)  Attacker can act in three possible ways Follow the protocol in the check-phase  For BS: Similar to having several dead nodes’ in a level Inject garbage: send random messages pretending it has received from its children  For BS: Disables BS from proceeding to the next layers Pretend to be dead by sending nothing  For BS: Similar to dead node case  Worst case: BS stops at the level in which the attacker lies

16. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani16 Scheme 1 (cont’d)  An important constraint Assuming BS can at most check if at least k nodes out of n l nodes in level l have confirmed num of legitimate messages: MAC of size M Probability of an attacker success:

17. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani17 Scheme 2: Attacker Localization  Goal: Localize the attacker more precisely Have an estimate of the aggregation value’s closeness to the true value  Apply IF the result-check phase of SHIA fails  Complexity O(n)

18. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani18 Scheme 2 (cont’d) 1. Hierarchical Collection of Confirmation If value inclusion verified -Leaf node s --M s = Enc Ks (N) --Send M s to parent -Intermediate node u, with children {u1,u2,…uk} --Wait a certain time --If did not receive from uj ---M nr : “no message received” flag ---M uj = M nr --N s : Separation flag --M u = Enc Ku (N||M u1 ||N s ||M u2 …N s ||M uk ) --send M u Otherwise -Send nothing

19. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani19 Scheme 2 (cont’d) 2. Hierarchical Decryption of Confirmations at BS, using the topology of the aggregation tree  Three Possible cases: Enc Ku (N||M u1 ||Ns||M u2 …Ns||M uk ) Enc Ku (N||M u1 ||Ns…||M nr ||…Ns||M uk )  BS Marks u and u d Enc Ku (N||M u1 ||Ns…|| nonsense ||…Ns||M uk )  BS Marks u and u d

20. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani20 Scheme 2 (cont’d)  Theorem 1 The attacker localizer scheme enables the BS to mark all attackers, for which another attacker does not exist in their path to BS.  Theorem 2 The BS is able to estimate the aggregation value’s closeness to the true value.

21. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani21 Conclusion  Existing schemes have significant limitations  We proposed two schemes Scheme 1  More robust against node failure and single attackers  O(h) complexity Scheme 2:  Localize the attacker more precisely  Give an estimate of the aggregation value  O(n) complexity

22. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani22 Future Work  Proposing methods for local recovery of the aggregation tree Schemes for omitting attackers !  Investigating iterative methods Lower communication load?

23. 8 March 07 IC-29 Security and Cooperation in Wireless Networks Parisa Haghani23  Thank you !  Questions ?