Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks Random Key Predistribution Schemes for Sensor.


1 Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks; Random Key Predistribution Schemes for Sensor Networks. Presented by: Qin Chen

2 Outline Efficient Distribution of Key Chain Commitments Background and Contributions Five proposed schemes Implementation and Experimental results Random Key Predistribution Schemes Three schemes Scalability Comparison and discussion

3 Background: µTESLA. Based on symmetric cryptography. Divides the time period into n intervals and assigns a different key to each interval; each key is disclosed after a fixed delay. Messages sent during a particular interval are authenticated with the key for that interval. Disclosed keys are authenticated with a one-way hash key chain.

4 Background. [Figure: one-way key chain $K_0, K_1, K_2, K_3, \ldots, K_{n-2}, \ldots, K_n$ built with $F$; rows "Assign key" and "Disclose key (delay = 2)"; sender and receiver.] Security condition: $\lfloor (T_c + \Delta - T_0) / T_{int} \rfloor < I_i + d$, where $T_c$ is the local time when the packet is received, $T_0$ the start time of interval 0, $T_{int}$ the duration of each time interval, and $\Delta$ the maximum clock difference. Bootstrap a new receiver [figure: sender/receiver timeline with the messages]: request; $T_c, K_i, T_i, T_{int}, d$.

5 Contributions. Uses pre-determination and broadcast instead of unicast-based message transmission. Introduces a multi-level key chain scheme in which the higher-level key chains are used to authenticate the commitments of the lower-level ones. Proposes periodic broadcast of commitment distribution messages (CDM) and random selection strategies to improve survivability and defeat some DoS attacks. Nice properties such as low overhead, tolerance of message loss, scalability, resistance to some DoS attacks, etc.

6 Outline Efficient Distribution of Key Chain Commitments Background and Contributions Five proposed schemes Implementation and Experimental results Random Key Predistribution Schemes Three schemes Scalability Comparison and discussion

7 Scheme I: Predetermined Key Chain Commitment. Predetermine the following parameters along with the master key distribution during the initialization of the sensor nodes: commitments, start time, other parameters. Shortcomings: long key chain or large time interval? Difficulties in setting up the start time.

8 Scheme II: Naïve Two-Level Key Chains. To overcome the shortcomings of Scheme I, it puts forward naïve two-level key chains: one high-level key chain and multiple low-level key chains. High-level key chain: broadcast CDM messages. Low-level key chains: broadcast actual data messages. [Figure: high-level chain $K_1, K_2, \ldots, K_n$ generated with $F_0$; for each $K_i$, a low-level chain $K_{i,0}, K_{i,1}, K_{i,2}, \ldots, K_{i,m}$ generated with $F_1$.]

9 Scheme II: Naïve Two-Level Key Chains. To use the low-level key chain during the time interval $I_i$, they must authenticate the commitment $K_{i,0}$. Immediate authentication for CDM messages: $CDM_i = i \,|\, K_{i+1,0} \,|\, H(K_{i+2,0}) \,|\, MAC_{K'_i}(i \,|\, K_{i+1,0} \,|\, H(K_{i+2,0})) \,|\, K_{i-1}$. Include the hash image of $K_{i+2,0}$ in $CDM_i$. In the time interval I, $K_{i+1,0}$ could be authenticated. [Figure: high-level keys $K_i, K_{i+1}, K_{i+2}$ and commitments $K_{i+1,0}, K_{i+2,0}$.]

10 Scheme II: Naïve Two-Level Key Chains. $CDM_{i-2} = i-2 \,|\, K_{i-1,0} \,|\, H(K_{i,0}) \,|\, MAC_{K'_{i-2}}(i-2 \,|\, K_{i-1,0} \,|\, H(K_{i,0})) \,|\, K_{i-3}$. $CDM_{i-1} = i-1 \,|\, K_{i,0} \,|\, H(K_{i+1,0}) \,|\, MAC_{K'_{i-1}}(i-1 \,|\, K_{i,0} \,|\, H(K_{i+1,0})) \,|\, K_{i-2}$. [Figure: high-level keys $K_{i-2}, K_{i-1}, K_i$ (chained with $F_0$) over intervals $I_{i-2}, I_{i-1}, I_i$, each with a low-level chain $K_{j,0}, K_{j,1}, K_{j,2}, \ldots, K_{j,m}$ (chained with $F_1$).] In time interval $I_{i-1}$, the naïve two-level scheme can disclose the upper-level key $K_{i-2}$ and authenticate the lower-level key $K_{i,0}$.

11 Scheme II: Naïve Two-Level Key Chains. Shortcoming: does not tolerate message loss as well as TESLA or µTESLA. Normal message loss; CDM message loss. [Figure: two-level key chains for $K_i, K_{i+1}, K_{i+2}$ with their low-level chains, one element marked "missing".]

12 Scheme III: Fault-Tolerant Two-Level Key Chains. Tolerate normal message loss: further connect the low-level key chains and the high-level key chain. Tolerate CDM message loss: rebroadcast CDM messages. $K_{i,m} = F_{01}(K_{i+1})$, where $F_{01}$ is a one-way hash function different from $F_0$ and $F_1$. [Figure: two-level key chains for $K_i, K_{i+1}, K_{i+2}$, with each low-level chain linked to the next high-level key through $F_{01}$.]

13 Scheme II: Naïve Two-Level Key Chains. CDM messages are more attractive to attackers. DoS attacks on CDM messages: jamming; smart attacks that change only the hash image, so that the receiver cannot discard the message until it gets the corresponding disclosed key. $CDM_i = i \,|\, K_{i+1,0} \,|\, H(K'_{i+2,0}) \,|\, MAC_{K'_i}(i \,|\, K_{i+1,0} \,|\, H(K_{i+2,0})) \,|\, K_{i-1}$. $CDM_{i+1} = i+1 \,|\, K_{i+2,0} \,|\, H(K_{i+3,0}) \,|\, MAC_{K'_{i+1}}(i+1 \,|\, K_{i+2,0} \,|\, H(K_{i+3,0})) \,|\, K_i$.
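Receiver-side handling of the CDM format from slides 9 and 13, together with the security condition from slide 4, as an added Python example that is not from the presentation or the underlying paper. SHA-256 and HMAC stand in for F_0, H, F' and the MAC; deriving K'_i as F'(K_i), the dictionary layout, keeping only the first CDM copy per interval, and the limit of 8 chain steps are assumptions.

```python
import hashlib, hmac

def prf(tag, data):                      # domain-separated SHA-256 stands in for F0, H, F'
    return hashlib.sha256(tag + data).digest()
def F0(k): return prf(b"F0", k)          # high-level chain step: K_{i-1} = F0(K_i)
def H(k): return prf(b"H", k)            # hash image carried in a CDM
def mac(k, i, commit, himg):             # MAC_{K'_i}(i | K_{i+1,0} | H(K_{i+2,0})), K'_i = F'(K_i)
    return hmac.new(prf(b"F'", k), i.to_bytes(4, "big") + commit + himg, hashlib.sha256).digest()

def chain(seed, n):
    """Return [K_0, ..., K_n] with K_n = seed and K_{i-1} = F0(K_i)."""
    ks = [seed]
    for _ in range(n):
        ks.append(F0(ks[-1]))
    return ks[::-1]

def make_cdm(i, K, C):
    """CDM_i = i | K_{i+1,0} | H(K_{i+2,0}) | MAC_{K'_i}(...) | K_{i-1}; C[j] is K_{j,0}."""
    commit, himg = C[i + 1], H(C[i + 2])
    return {"i": i, "commit": commit, "himg": himg,
            "mac": mac(K[i], i, commit, himg), "key": K[i - 1]}

def security_condition(t_c, delta, t_0, t_int, i, d):
    """floor((T_c + delta - T_0) / T_int) < I_i + d: the key cannot have been disclosed yet."""
    return (t_c + delta - t_0) // t_int < i + d

class Receiver:
    def __init__(self, k, idx):
        self.k, self.idx = k, idx        # last authenticated high-level key K_idx
        self.buffered = None             # CDM waiting for its MAC key to be disclosed
        self.himg = None                 # authenticated hash image taken from CDM_{i-1}

    def on_cdm(self, cdm):
        """Process CDM_i; return K_{i+1,0} if it is authenticated immediately, else None."""
        steps = cdm["i"] - 1 - self.idx  # chain distance from disclosed K_{i-1} to K_idx
        if not 1 <= steps <= 8:
            return None                  # later copy for this interval or implausible index
        k = cdm["key"]
        for _ in range(steps):
            k = F0(k)
        if not hmac.compare_digest(k, self.k):
            return None                  # disclosed key is not on the key chain
        self.k, self.idx = cdm["key"], cdm["i"] - 1
        prev, self.buffered, self.himg = self.buffered, cdm, None
        if prev and prev["i"] == self.idx and hmac.compare_digest(
                prev["mac"], mac(self.k, prev["i"], prev["commit"], prev["himg"])):
            self.himg = prev["himg"]     # CDM_{i-1} verified, so its hash image is trusted
        if self.himg and hmac.compare_digest(H(cdm["commit"]), self.himg):
            return cdm["commit"]
        return None
```

A CDM whose hash image was altered is buffered like any other and is rejected only when the next CDM discloses its MAC key, which is the delay the smart DoS attack on slide 13 relies on.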

14 Scheme IV: (Final) Two–Level Key Chains Randomize CDM distribution to mitigate channel jamming attacks Randomize CDM buffering to mitigate smart DOS attacks Single buffer random selection Multiple buffer random selection

15 Scheme V: Multi-Level Key Chain Multi-level key chain scheme: each higher level key chain is used to distribute the commitments for its immediate low level key chain. Every adjacent level works the same way as the two level key chain scheme works.

16 Outline Efficient Distribution of Key Chain Commitments Background and Contributions Five proposed schemes Implementation and Experimental results Random Key Predistribution Schemes Three schemes Scalability Comparison and discussion

17 Implementation. Network model: simulate the communication channel on IP multicast; one base station and one attacker component; multiple sensor nodes, which are one-hop neighbors of the base station and the attacker. Parameters: channel loss rate; percentage of forged CDM packets; buffer size (data packets and CDM packets).

18 Implementation Metrics %authenticated data packets at sensor node (#authenticated data packets/received data packets) Average data authentication delay (the average time between the receipt and the authentication of a data packet).

19 Experimental result Buffer allocation schemes

20 Experimental result %authenticated data packets

21 Experimental result Average data packet authentication delay

22 Conclusion. Advantages: removes unicast-based key commitment distribution; resistance to message loss and DoS attacks; communication efficient; low overhead; scalable to large sensor networks. Limitation: long delay after commitments loss failure.

23 Future work Seeking solutions to reduce the long delay after commitments loss failure Broadcast authentication with multiple base stations Implement this scheme in real sensor networks

24 Outline Efficient Distribution of Key Chain Commitments Background and Contributions Five proposed schemes Implementation and Experimental results Random Key Predistribution Schemes Three schemes Scalability Comparison and discussion

25 Random Key Predistribution Schemes To establish keys in a sensor network Three new mechanisms for key establishment Enhance the security of the network and increase the cost of potential attacks

26 The Task Problem Distribute symmetric keys in a physically insecure network with a broadcast channel The solutions q-composite keys Multipath-reinforcement Random-pairwise keys The metrics Resilience against node capture, resistance against node replication, revocation capability, and scalability

27 Basic Scheme. n nodes, each having m keys out of the key pool S. A common key ensures secure communication. [Figure: S has 100 keys (k1, k2, k3, …, k100); three nodes hold the key rings {k1, k3}, {k1, k5} and {k3, k7}.]

28 Basic Scheme: Problems. Easy to compromise. Difficult to authenticate. [Figure: key rings {k1, k3} and {k3, k7}; labels: compromised node, compromised communication.]

29 q-composite Keys. q: the amount of key overlap. Requires at least q common keys to establish a secure communication channel. [Figure: key rings {k1, k3, k5}, {k1, k3, k9} and {k3, k5, k7}; m = 3, q = 2.]

30 q-composite Keys Performance concerns Parameters |S|, m, d, p We want to increase |S| and decrease m to mitigate the effect of compromised nodes We want to maintain d and p to ensure good connectivity

31 q-composite Keys: Performance concerns. Increasing |S| and decreasing |m| will often decrease p, so there must be a tradeoff. We choose the largest |S| while maintaining a suitable p.

32 q-composite Keys: Performance concerns. The effect of compromised nodes: the proportion of compromised network links goes up when the number of compromised nodes increases. This adversely affects the reasonable scale of the network.
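The |S| versus p tradeoff from slides 30 to 32, as an added Python example that is not from the presentation or the paper. The overlap probability is the hypergeometric count of keys shared by two random m-key rings; the compromised-link estimate approximates captured key rings as independent, the search assumes p falls as |S| grows, and all function names are hypothetical.

```python
from math import comb

def p_share(S, m, i):
    """P(two random m-key rings drawn from a pool of S keys share exactly i keys)."""
    return comb(m, i) * comb(S - m, m - i) / comb(S, m)

def p_connect(S, m, q):
    """p: probability that two neighbours share at least q keys and can set up a link."""
    return 1.0 - sum(p_share(S, m, i) for i in range(q))

def largest_pool(m, q, p_min, s_max=1_000_000):
    """Largest |S| <= s_max with p_connect >= p_min (binary search, p falls as |S| grows)."""
    lo, hi = m, s_max                    # at |S| = m every ring is the whole pool, p = 1
    if p_connect(hi, m, q) >= p_min:
        return hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if p_connect(mid, m, q) >= p_min:
            lo = mid
        else:
            hi = mid
    return lo

def frac_links_compromised(S, m, q, x):
    """Estimated fraction of links between uncaptured nodes readable after x node captures.

    A link built from i shared keys falls only if all i keys were captured; each key is
    in at least one of x captured rings with probability 1 - (1 - m/S)**x (approximation).
    """
    hit = 1.0 - (1.0 - m / S) ** x
    p = p_connect(S, m, q)
    return sum(hit ** i * p_share(S, m, i) for i in range(q, m + 1)) / p

if __name__ == "__main__":
    # Constructed parameters: m = 3 and q = 2 as on slide 29, pool of 100 keys as on slide 27.
    print("p for |S|=100:", p_connect(100, 3, 2))
    print("largest |S| with p >= 0.4:", largest_pool(3, 2, 0.4))
    for x in (5, 20, 50):
        print(x, "captured ->", round(frac_links_compromised(100, 3, 2, x), 4))
```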

33 Key Reinforcement How to make the keys stronger? Increase m? It may make it weaker What if we make the keys much more difficult to figure out? Use multiple paths to transmit multiple parts of a key to the communication partner To figure out the real key used, the attacker needs to compromise all the paths

34 Key Reinforcement. Usually, paths of length two are used. [Figure: nodes v1, v2, v3.]

35 Performance The number of connected nodes depends on the area A(x), which depends on the length of x Integrating over the distribution of x, the expected number of reinforcing neighbors are With k paths and the possibility of compromising a link as b, the possibility of an additional compromised link is The reinforcement can be pretty strong Key Reinforcement A(x) BC x

36 Performance The distribution of links with different reinforcing neighbors and the compromised links The compromised links can be pretty small fraction in the total number of links Key Reinforcement

37 Random-pairwise Keys. If a pair of nodes share a unique symmetric key, they can: establish a secure channel; authenticate each other; potentially achieve good performance in security and scalability. [Figure: key rings {k12, k13}, {k12, k29} and {k13, k37}; m = 2.]

38 Random-pairwise Keys: Revocation. Since nodes can authenticate each other, a group of nodes can selectively revoke a specific (adverse) node's privilege in the network. This is done in a distributed way. [Figure: Node 1, Node 2 and Node 3 with key rings {k12, k13}, {k12, k23} and {k13, k23}; m = 2, t = 2; nodes 2 and 3 vote to revoke node 1.]

39 Random-pairwise Keys. Question: how to revoke a node? The revoked node may still jam part of the network after it knows it has been revoked. The revoked node can impersonate another node, given that it has another compromised key ring. [Figure: Node "2", Node 2 and Node 3 with key rings {k12, k23} and {k13, k23}; m = 2, t = 2; node "2" jams the real node 2 and impersonates node 2 to communicate with node 3.]

40 Random-pairwise Keys. How to detect a bad node? Integrity check. Some methods are recommended in the paper, but there may not be a perfect solution. How to avoid the revocation mechanism being misused? Limit the nodes' revocation capability to resist revocation attacks. Limit the nodes' broadcast capability to resist DoS. [Figure: Node 1, Node 2 and Node 3 with key rings {k12, k23} and {k23, k35}; m = 2, t = 2; node 2 can vote to revoke node 1 but node 3 cannot.]

41 Random-pairwise Keys Question: do the security measures affect other aspects of the network? Does it affect the connectivity? This paper has a good example of applying restricted broadcast measure without obviously reducing the connectivity Does it affect other protocols, like routing? Based on the distribution of the keys, the security topology of the network may differ greatly from the physical topology Some routing protocols may have difficulty working correctly, or have degraded performance Geographic forwarding Trajectory based routing Direct diffusion

42 Outline Efficient Distribution of Key Chain Commitments Background and Contributions Five proposed schemes Implementation and Experimental results Random Key Predistribution Schemes Three schemes Scalability Comparison and discussion

43 Scalability Network size Limited global payoff requirement After simplifying and approximation q-composite keys increase the reasonable network size

44 Scalability: Network size. Compare different schemes. Multipath reinforcement greatly enhances the reasonable size of the network.

45 Comparison and discussion Both protocols target sensor networks Same resource limit: bandwidth, computing capacity, memory, … Some common assumptions: trustworthy base stations, insecure communication channel, inexpensive hardware that can be compromised Both take the advantage of existing cryptographic techniques

46 Comparison and discussion The two papers focus on different aspects of security E-paper focuses on 1-to-many broadcast R-paper focuses on key distribution, which can be used to construct more general semantics and more varied traffic patterns

47 Comparison and discussion. Are the assumptions in the papers reasonable? Are base stations really secure? Does the network have the density to maintain a reasonable p in the key predistribution schemes?

48 Thank you!

