distribution and revocation of cryptographic keys in sensor networks amrinder singh dept. of...
TRANSCRIPT
![Page 1: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/1.jpg)
Distribution and Revocation of Cryptographic Keys in Sensor Networks
Amrinder SinghDept. of Computer Science
Virginia Tech
![Page 2: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/2.jpg)
Agenda
Introduction Contributions Key Distribution Schemes Proposed Protocol Properties of Key Revocation Proof of Properties Conclusions
![Page 3: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/3.jpg)
Introduction Complexity of secure
communication Large number of nodes No knowledge of topology before hand Limited resources Exposure of nodes to adversary
Possible key revocation schemes Centralized Distributed
![Page 4: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/4.jpg)
Contributions
Rigorous definition of distributed revocation properties
A general active adversary model Protocol for distributed Key
revocation
![Page 5: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/5.jpg)
Key Distribution Schemes Fully Pairwise-Shared Keys
Every node shares key with every other node
Large number of keys Use of Trusted KDC
KDC distributes keys Small number of keys Centralized point of attack
λ-Secure n x n Keys Property of λ-Security
![Page 6: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/6.jpg)
Key Distribution Schemes
Random Key Distribution Scheme Key Ring of size m Key pool of size |Q| 2 random subsets of size m will share
at least 1 key with probability p Use of q-composite keys Tradeoff between initial resistance to
subsequent weakness
![Page 7: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/7.jpg)
Key Distribution Schemes
Random Pairwise Keys Proposed by Chan et al Preload just m keys, where m<<n Node share a key with neighbor with
probability p Can provide node authentication
![Page 8: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/8.jpg)
Key Distribution Schemes MultiSpace Keys
Select pools of keyspaces Common keyspace provide λ-security
Deterministic Key Predistribution Allocation to ensure key sharing Memory is O(√n) Same keys could be shared between
many nodes
![Page 9: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/9.jpg)
Node Revocation Problem Takes place in presence of active
adversaries Adversaries can modify and monitor
messages Limited resources available Distributed Scheme is more useful
Decisions made by neighbors Decision can be made faster More complex
![Page 10: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/10.jpg)
Attacker & Communications Model
Adversary has universal communication presence
Adversary can perform chosen node compromise
Compromised nodes collaborate Adversary cannot block or
significantly delay communications
![Page 11: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/11.jpg)
Assumptions Deployment Atomicity
Do not occur while there are active revocation sessions in the network
Locality Restriction of Compromised Nodes Nodes cannot replicate and move to other
places in the network Node Degrees
Number of local participants, di>>t Adversary can attempt to reduce degree of
legitimate nodes
![Page 12: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/12.jpg)
Assumptions Node Revocation Events are visible to the
neighborhood Malicious nodes providing spurious revocations
Revocation Sessions are always available Revocation attempts by legitimate nodes are
infrequent Malicious node tries to exhaust revocation
sessions against target, known by neighborhood Do not assume time synchronization
![Page 13: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/13.jpg)
Cryptographic Primitives
Random polynomial q(x) = a0 + a1x + a2x2 +… + at-1xt-1
Cryptographic Hash 1 way function, hash of coefficients
Authenticated Encryption Detect ciphertext forgeries Detect false decryption keys
![Page 14: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/14.jpg)
Merkle Tree
![Page 15: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/15.jpg)
Secret Share
How to divide data D into n pieces in such a way that D is easily reconstructable from any k pieces, but even complete knowledge of k - 1 pieces reveals absolutely no information about D.
![Page 16: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/16.jpg)
Offline Node Initialization
![Page 17: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/17.jpg)
Stages of Revocation A is initially in pending state for session s When 1st vote is cast or received, it moves
to active state It records votes of other participants After Δs time, it moves to completed state For full dissemination of messages,
Δs>2Δc, where Δc is the time to propagate a message in the neighborhood
![Page 18: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/18.jpg)
Voting in Revocation Session
When node A detects compromise, it votes in this session and the next
It transmits (qBs(XABs), XABs)
Also transmits (log m) Merkle tree authentication hash values
![Page 19: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/19.jpg)
Completing Revocation Session
If A receives t votes Able to compute qBs
Transmits Hash of the polynomial Other nodes verify this hash and delete the
shared keys with the target Otherwise
Session number is updated All nodes privately notify base station of
failed revocation
![Page 20: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/20.jpg)
Properties of Distributed Revocation
Completeness If a compromised node is detected by t or
more uncompromised neighboring nodes, then it is revoked from the entire network permanently.
Soundness If a node is revoked from the network using
this scheme, then at least t nodes must have agreed on its revocation.
![Page 21: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/21.jpg)
Properties of Distributed Revocation Bounded Time Revocation
Completion Revocation decision and execution occur
within a bounded time period from the time of sending of the first revocation vote.
Unitary Revocation Revocations of nodes are unitary (all-or-
nothing) in the network. Specifically, if a node is revoked in one part of the network, then it will be revoked in the whole network.
![Page 22: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/22.jpg)
Properties of Distributed Revocation
Revocation attack resistance If c nodes are compromised, then they can
only revoke at most αc other nodes where α is a constant and α<<m/t .
Comes from definition of Revocation AttackAn attack where an adversary uses the distributed node revocation protocol to selectively revoke uncompromised nodes from the network.
![Page 23: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/23.jpg)
Session Agreement Two nodes are in session agreement with
respect to a target node at some instant in time if, for some session s, either session s is pending for both nodes, session s is active for both nodes, session s is active for one node B and session
s is completed for another node A, but session s is completing within time Δc for node B, or
session s is active for one node A and pending for the other node B, but node B is activating session s within Δc time.
![Page 24: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/24.jpg)
Lemmas
Every node is deployed with the correct current revocation session for its participants.
At any given point in time, any two uncompromised local participants are in session agreement for any target node.
![Page 25: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/25.jpg)
Proof of Lemma
Case1 Session s is pending for both nodes at
time T, and at time T+ε, node A activated session s.
Case2 Session s is active for both nodes at
time T. At time T+ε, node A completed session s, but node B still has the session active.
![Page 26: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/26.jpg)
Proof of Lemma
Case3 Session s is active for node B and
session s is complete for node A at time T. At time T+ε, session s has completed for node B.
Case4 At time t, session s is active for A and
pending for B. At time T+ε, session s has completed for node A.
![Page 27: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/27.jpg)
Proof for Completeness Node B has lowest session number Arbitrary Node A Case1
Session s is pending for B Node A has either session s pending or active
Case2 Session s-1 is active for B
Node A has session s-1 pending or s-1 active or s pending or s active
![Page 28: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/28.jpg)
Proof for Soundness
If Node C is revoked, H(qcs) is broadcast
For this qcs must be obtained By secret share, only possible from
t shares
![Page 29: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/29.jpg)
Proof for Bounded Time Revocation
First vote cast at time T All nodes activate session within
T+Δc Decision taken within time Δs Time to propagate decision is Δd Total time is bounded
![Page 30: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/30.jpg)
Proof for Unitary Revocation Case 1
Node is revoked in 1 part of the network Correct value of qcs is received and
transmitted and revoked in time Δd Case 2
If a node is not revoked in some part of the network, then it was not revoked in any part of the network in the time prior to the last Δd
![Page 31: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/31.jpg)
Proof for Attack Resistance Each compromised node can form
connections with di nodes Thus, each compromised node can
unmask at most di votes each. The total number of unmasked votes is thus
![Page 32: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/32.jpg)
Conclusions
Overview of key distribution techniques Precise formulation of distributed
revocation problem Protocol for distributed revocation Distributed algorithms are more
complex but are faster than centralized Avoidance of single point of failure
![Page 33: Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech](https://reader035.vdocument.in/reader035/viewer/2022062518/56649ca15503460f949604b3/html5/thumbnails/33.jpg)
Questions?