efficient distribution of key chain commitments for broadcast authentication in distributed sensor...
TRANSCRIPT
Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks
Random Key Predistribution Schemes for Sensor Networks
Presented by: Qin Chen
Outline Efficient Distribution of Key Chain
Commitments Background and Contributions Five proposed schemes Implementation and Experimental results
Random Key Predistribution Schemes Three schemes Scalability
Comparison and discussion
Background µTESLA
Based on symmetric cryptography Divide time period into n intervals, assign
different keys to different intervals, which will be disclosed after some fixed time interval
Messages during a particular interval are authenticated by the corresponding key for that time interval
Authenticate disclosed key: one-way hash key chain
Background
K1 Kn-2
Assign key
Disclose key
(delay = 2)
K2 K3 KnK1
RSender
Receiver
K0
K0
FFFFF
Security Condition: [Tc+Δ-T0 / Tint]<Ii+ d
Bootstrap a new receiver:
Tc : Local time when the packet is receivedT0 : Start time of the interval 0Tint: Duration of each time intervalΔ : Maximum clock difference
Time
Sender Receiver
request
Tc, Ki, Ti, Tint, d
Contributions Using pre-determination and broadcast instead of
unicast-based message transmission.
Introduce a multi-level key chain scheme, the higher-level key chains are used to authenticate the commitments of the lower level one.
Proposed periodic broadcast of commitment distribution message (CDM) and random selection strategies to improve the survivability and defeat some DOS attacks.
Nice properties such as low overhead, tolerance of message loss, scalability , résistance to some DOS,etc
Outline Efficient Distribution of Key Chain
Commitments Background and Contributions Five proposed schemes Implementation and Experimental results
Random Key Predistribution Schemes Three schemes Scalability
Comparison and discussion
Scheme I Predetermined Key Chain Commitment
Predetermine the following parameters along with the master key distribution during the initialization of the sensor nodes Commitments Start time Other parameters
Shortcomings Long key chain or large time interval? Difficulties in setting up start time
Scheme II Naïve Two-Level Key Chains
To overcome the shortcoming of scheme I, it puts forward Naive Two-level Key chains
One high level key chain and multiple low level key chains
High level key chain: broadcast CDM messages Low level key chain: broadcast actual data messages
K1 K2 Kn…
……
K1,1 K1,2 K1,m…
K2,1 K2,2 K2,m…
Kn,1 Kn,2 Kn,m
K1,0 K2,0 Kn,0
F0 F0
F1 F1 F1 F1 F1 F1
F1 F1 F1
Scheme II Naïve Two-Level Key Chains
To use the low-level key chain<Ki,0>during the time interval Ii, they must authenticate the commitment Ki,0
Immediate authentication for CDM messages
Ki Ki+1 Ki+2
CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1
Ki+1,0 Ki+2,0
Include hash image of Ki+2 ,0 in CDMi
In the time interval I,Ki+1 ,0 could be authenticated
Scheme II Naïve Two-Level Key Chains
CDMi-2=i-2|Ki-1,0|H(Ki ,0) |MACK’i-2(i-2|Ki-1 ,0|H(Ki,0 ))|K i-3
CDMi-1=i-1|Ki,0|H(Ki+1 ,0) |MACK’i-1(i-1|Ki-1 ,0|H(Ki+1,0 ))|K i-2
…Ki-2,1 Ki-2,2 Ki-2,m …
Ki-1,1 Ki-1,2 Ki-1,m …Ki,1 Ki,2 Ki,m
Ki-2,0 Ki-1,0 Ki,0
KiKi-2 Ki-1
F0 F0
F1 F1 F1
F1F1F1
Ii-2 Ii-1 Ii
In the time interval i-1,naïve two-level key can disclose the upper level key K i-2
and authentication the lower level key Ki,0
Scheme II Naïve Two-Level Key Chains
Shortcoming: Does not tolerate message loss as well as TESLA or uTESLA Normal messages loss CDM messages loss
Ki Ki+1 Ki+2
…Ki,1 Ki,2 Ki,m
…Ki+1,1 Ki+1,2 Ki+1,m
…Ki+2,1 Ki+2,2 Ki+2,m
Ki,0 Ki+1,0 Ki+2,0
F01
F01
F1 F1F1
F1 F1 F1
F1 F1 F1
F0F0
missing
Scheme III Fault tolerant Two-Level Key Chains
Tolerate normal message loss: Further connect the low level key chains
and the high level key chain
Tolerate CDM message loss: Rebroadcast CDM messages
Ki Ki+1 Ki+2
…Ki,1 Ki,2 Ki,m
…Ki+1,1 Ki+1,2 Ki+1,m
…Ki+2,1 Ki+2,2 Ki+2,m
Ki,0 Ki+1,0 Ki+2,0
Ki,m=F01(Ki+1), F01: one way hash function, different from F0 and F1
F01
F01
F1 F1F1
F1 F1 F1
F1 F1 F1
F0F0
Scheme II Naïve Two-Level Key Chains
CDM messages are more attractive to attackers
DOS attacks on CDM messages Jamming Smart attacks: only change hash
image so that the receiver can not discard it until get the corresponding disclosed key
CDMi=i|Ki+1,0|H(K’i+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1
CDMi+1=i+1|Ki+2,0|H(Ki+3 ,0) |MACK’i+1(i+1|Ki+2 ,0|H(Ki+3 ,0 ))|K i
Scheme IV: (Final) Two–Level Key Chains
Randomize CDM distribution to mitigate channel jamming attacks
Randomize CDM buffering to mitigate smart DOS attacks Single buffer random selection Multiple buffer random selection
Scheme V: Multi-Level Key Chain
Multi-level key chain scheme: each higher level key chain is used to distribute the commitments for its immediate low level key chain.
Every adjacent level works the same way as the two level key chain scheme works.
Outline Efficient Distribution of Key Chain
Commitments Background and Contributions Five proposed schemes Implementation and Experimental results
Random Key Predistribution Schemes Three schemes Scalability
Comparison and discussion
Implementation Network model
Simulate communication channel on IP multicast
One base station and one attacker component
Multiple sensor nodes; one-hop neighbors of base station and attacker
Parameters Channel loss rate Percentage of forged CDM packets Buffer size (data packets and CDM packets)
Implementation
Metrics %authenticated data packets at
sensor node (#authenticated data packets/received data packets)
Average data authentication delay (the average time between the receipt and the authentication of a data packet).
Experimental result Buffer allocation schemes
Experimental result %authenticated data packets
Experimental result Average data packet authentication delay
Conclusion Advantages
Remove uni-cast based key commitments distribution
Resistance to message loss, DOS attacks Communication efficient Low overhead Scalable to large sensor networks
Limitation Long delay after commitments loss failure
Future work
Seeking solutions to reduce the long delay after commitments loss failure
Broadcast authentication with multiple base stations
Implement this scheme in real sensor networks
Outline Efficient Distribution of Key Chain
Commitments Background and Contributions Five proposed schemes Implementation and Experimental results
Random Key Predistribution Schemes Three schemes Scalability
Comparison and discussion
Random Key Predistribution Schemes
To establish keys in a sensor network
Three new mechanisms for key establishment
Enhance the security of the network and increase the cost of potential attacks
The Task Problem
Distribute symmetric keys in a physically insecure network with a broadcast channel
The solutions q-composite keys Multipath-reinforcement Random-pairwise keys
The metrics Resilience against node capture, resistance
against node replication, revocation capability, and scalability
Basic Scheme n nodes, each having m keys out of the
key pool S A common key ensures secure
communication
K1, k2, k3, …, k100
S has 100 keys
K1, k3
K1, k5
K3, k7
Basic Scheme Problems
Easy to compromise Difficult to authenticate
K1, k3
K1, k3
K3, k7
Compromised
Compromised node
Compromised
communication
q-composite Keys q: the amount of key overlap Requires a least q common keys to
establish a secure communication channel
K1, k3, k5
K1, k3, k9
K3, k5, k7m = 3q = 2
q-composite Keys Performance concerns
Parameters |S|, m, d, p
We want to increase |S| and decrease m to mitigate the effect of compromised nodes
We want to maintain d and p to ensure good connectivity
q-composite keys Performance concerns
To increase |S| and decrease |m| will often decrease p, so there must be a tradeoff
We choose the largest |S| while maintain a suitable p
q-composite Keys Performance concerns
The effect of compromised nodes
The proportion of compromised network links goes up when the number of compromised nodes increases
This adversely affect the reasonable scale of the network
Key Reinforcement How to make the keys stronger?
Increase m? It may make it weaker
What if we make the keys much more difficult to figure out?
Use multiple paths to transmit multiple parts of a key to the communication partner To figure out the real key used, the
attacker needs to compromise all the paths
Key Reinforcement Usually, the paths of length two are
used
v1v1
v2v2
v3v3
Performance The number of connected nodes
depends on the area A(x), which depends on the length of x
Integrating over the distribution of x, the expected number of reinforcing neighbors are
With k paths and the possibility of compromising a link as b, the possibility of an additional compromised link is
The reinforcement can be pretty strong
Key Reinforcement
A(x)
B Cx
Performance The distribution of
links with different reinforcing neighbors and the compromised links
The compromised links can be pretty small fraction in the total number of links
Key Reinforcement
Random-pairwise keys If a pair of nodes share a unique symmetric key, they
can Establish a secure channel Authenticate each other Potentially achieve good performance in security and
scalability
K12, k13
K12, k29
k13, k37m = 2
Random-pairwise Keys Revocation
Since nodes can authenticate each other, a group of nodes can selectively revoke a specific (adverse) node’s privilege in the network
This is done in a distributed way
K12, k13
K12, k23
k13, k23m = 2t = 2
Node 1
Node 2
Node 3
Node 2 and 3 vote to revoke node 1
Random-pairwise Keys Question: How to revoke a node
The revoked node may still jam the part of network after it knows it has been revoked
The revoked node can impersonate another node, given that it has another compromised key ring
K12, k23
K12, k23
k13, k23m = 2t = 2
Node “2”
Node 2
Node 3
Node “2” jams the real node 2 and impersonate node 2 to communicate with node 3
Random-pairwise Keys How to detect a bad node?
Integrity check Some methods are recommended in the paper but there may not be a
perfect solution How to avoid the revocation mechanism’s being misused?
Limit the nodes’ revocation capability to resist revocation attack Limit the nodes’ broadcast capability to resist DoS
K12, k23
K12, k23
k23, k35m = 2t = 2
Node 1
Node 2
Node 3
Node 2 can vote to revoke node 1 but node 3 cannot
Random-pairwise Keys Question: do the security measures affect
other aspects of the network? Does it affect the connectivity?
This paper has a good example of applying restricted broadcast measure without obviously reducing the connectivity
Does it affect other protocols, like routing? Based on the distribution of the keys, the security
topology of the network may differ greatly from the physical topology
Some routing protocols may have difficulty working correctly, or have degraded performance
Geographic forwarding Trajectory based routing Direct diffusion
Outline Efficient Distribution of Key Chain
Commitments Background and Contributions Five proposed schemes Implementation and Experimental results
Random Key Predistribution Schemes Three schemes Scalability
Comparison and discussion
Scalability Network size
Limited global payoff requirement
After simplifying and approximation
q-composite keys increase the reasonable network size
Scalability Network size
Compare different schemes
Multipath reinforcement greatly enhance the reasonable size of the network
Comparison and discussion Both protocols target sensor networks
Same resource limit: bandwidth, computing capacity, memory, …
Some common assumptions: trustworthy base stations, insecure communication channel, inexpensive hardware that can be compromised
Both take the advantage of existing cryptographic techniques
Comparison and discussion The two papers focus on different
aspects of security E-paper focuses on 1-to-many
broadcast R-paper focuses on key distribution,
which can be used to construct more general semantics and more varied traffic patterns
Comparison and discussion Are the assumptions in the papers
reasonable? Are base stations really secure? Does the network has a density to
maintain a reasonable p in the key predistribution schemes?
Thank you!