random key predistribution schemes for sensor networks authors: haowen chan, adrian perrig, dawn...
Post on 20-Dec-2015
218 views
TRANSCRIPT
![Page 1: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/1.jpg)
Random Key Predistribution Schemes for Sensor Networks
Authors: Haowen Chan, Adrian Perrig, Dawn SongCarnegie Mellon University
Presented by: Johnny FlowersFebruary 28, 2008
![Page 2: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/2.jpg)
The Big Idea
Three key bootstrapping protocols for large sensor networks
Alternatives to public key cryptosystems
Each protocol trades a different drawback in exchange for the security it provides
![Page 3: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/3.jpg)
Outline
Background The problem with sensor networks Related work Three schemes
q-composite keys scheme Multipath-reinforcement scheme Random pairwise keys scheme
Future directions
![Page 4: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/4.jpg)
The Bootstrapping Problem
Initialization process Creating something
from nothing
![Page 5: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/5.jpg)
Bootstrapping Security in Sensor Networks Especially challenging because of the
limitations of sensor networks:Constrained resourcesPhysical vulnerabilityUnpredictability of future configurationsTemptation to rely on base stations
![Page 6: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/6.jpg)
Related Work
Previously proposed solutions often depend on: Asymmetric cryptographyArbitration by base stations (e.g., SPINS)
Some even require physical contact with a master device or assume that attackers do not arrive until after key exchange
![Page 7: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/7.jpg)
Finding a Solution
Authors’ proposed schemes are based on the basic random key predistribution scheme
Basic scheme is modified to meet the appropriate design goals
![Page 8: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/8.jpg)
What Makes a Key Predistribution Scheme Good?
![Page 9: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/9.jpg)
Key Predistribution Scheme Design Goals Secure node-to-node communication Must not rely on base stations for
decision-making Adaptable to addition of nodes after initial
network setup
![Page 10: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/10.jpg)
Key Predistribution Scheme Design Goals, Cont. Prevent unauthorized access No assumptions about which nodes will be
within communication range of each other Resource-efficient and robust to DoS
attacks
![Page 11: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/11.jpg)
Evaluation Metrics
Resilience against node capture Resistance against node replication Revocation of misbehaving nodes Scalability
![Page 12: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/12.jpg)
The Basic Scheme
![Page 13: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/13.jpg)
The Basic Scheme
Three phases of operation: Initialization Key setup Graph connection
![Page 14: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/14.jpg)
The Basic Scheme – Initialization
Pick a random key pool, S For each node, randomly
select m keys from S (this is the node’s key ring)
The size of S is chosen so that two key rings will share at least one key with probability p
![Page 15: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/15.jpg)
The Basic Scheme – Key Setup
Nodes search for neighbors that share a key
Broadcast short IDs assigned to each key prior to deployment
Keys verified through challenge-response
![Page 16: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/16.jpg)
The Basic Scheme – Graph Connection Nodes then set up path keys
with any unconnected neighbors through existing secure paths
# of secure links a node must establish during key setup (degree, d) to form a connected graph of size n with probability c is:
d = [(n-1)/n][ln(n) – ln(-ln(c))]
![Page 17: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/17.jpg)
The Basic Scheme – Graph Connection The probability, p, that two
nodes successfully connect is
p = d/n′
where n′ is the expected number of neighbor nodes within communication range of A
½
![Page 18: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/18.jpg)
Extensions of the Basic Scheme
q-composite Random Key Predistribution
Multipath Key Reinforcement
Random Pairwise Keys
![Page 19: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/19.jpg)
q-composite Random Key Predistribution Scheme
![Page 20: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/20.jpg)
q-composite Scheme
Instead of one key, a pair of nodes must share q keys to establish a secure link
Key pool must be shrunk in order to maintain probability p of two nodes sharing enough keys
![Page 21: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/21.jpg)
Initialization and Key Setup
Similar to basic schemeEach node has m keys on key ring
Two nodes must discover at least q common keys in order to connectBefore connecting, a new key is created as a
hash of the q shared keys Broadcasting IDs is dangerous, however
![Page 22: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/22.jpg)
Evaluation
Much harder for an attacker with a given key set to eavesdrop on a link
Necessary reduction in key pool size makes large-scale attacks even more powerful
![Page 23: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/23.jpg)
Evaluation
Compromising a given # of nodes is more damaging
Harder to compromise nodes, however
![Page 24: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/24.jpg)
Evaluation
Dangerous under large-scale attack
Absolute # of compromised nodes vs. fraction of compromised communications
![Page 25: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/25.jpg)
Multipath Key Reinforcement Scheme
![Page 26: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/26.jpg)
Multipath Key Reinforcement Scheme Initialization and key setup as in basic
scheme Key update over multiple independent
paths between nodes Key update is damage control in the event
that other nodes are captured
![Page 27: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/27.jpg)
Evaluation
Better resistance against node capture Significantly higher maximum network size Comes at cost of greater communication
overhead
![Page 28: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/28.jpg)
Random Pairwise Keys Scheme
![Page 29: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/29.jpg)
Random Pairwise Keys Scheme
Key feature is node-to-node identity authentication
Ability to verify node identities opens up several security features
![Page 30: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/30.jpg)
The Basics
Sensor network of n nodesPairwise scheme:
Each node holds n-1 keys Each key is shared with exactly one other node
Random pairwise scheme: Not all n-1 keys are needed for a connected graph Only np keys are needed to connect with
probability p
![Page 31: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/31.jpg)
Initialization
n# of unique node IDs
mkeys on each node’s key ring
pProbability of two nodes connecting
n = m/p
![Page 32: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/32.jpg)
Initialization
Each node ID pairs with m other random & distinct node IDs
Each pair is assigned a key Nodes store key-ID pairs on key rings
![Page 33: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/33.jpg)
Key Setup
Node IDs are broadcast to neighbors Verified through cryptographic handshake
![Page 34: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/34.jpg)
Multi-hop Range Extension
Node IDs are small Can be re-broadcast
at low cost Neighbors forward
IDs during key setup Increases
communication radius Increases max.
network size
![Page 35: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/35.jpg)
Distributed Node Revocation
Faster than relying on base stations
Public votes are broadcast against compromised nodes
Offending node is cut off when votes reach threshold
![Page 36: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/36.jpg)
Scheme Requirements
Compromised nodes can’t revoke arbitrary nodes
No vote spoofing Verifiable vote validity Votes have no replay value Not vulnerable to DoS
![Page 37: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/37.jpg)
The Voting Process
A node’s voting members are those that share a pairwise key with it
All voting members are assigned a voting key
Votes are verified through a Merkle tree Voting members keep track of votes
received up to a threshold, t
![Page 38: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/38.jpg)
Voting Threshold
If too high A node may not have
enough voting members to be revoked
If too low Easy for a group of
compromised nodes to revoke many legitimate nodes
![Page 39: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/39.jpg)
Resisting Revocation Attacks
Node B’s revocation key for node A must be activated before useHashed with secret value known only by A
A gives B its secret value only after the two establish communication
Other DoS attacks are more practical
![Page 40: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/40.jpg)
Resistance to Node Replication and Node Generation Place a cap, dmax , on the degree of a node
dmax is some small multiple of d Nodes keep track of degree and node IDs using
same method as vote counting
![Page 41: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/41.jpg)
Evaluation
Perfect resilience against node capture All pairwise keys are unique, so capturing one node
reveals no information about communications outside of the compromised node’s
![Page 42: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/42.jpg)
Evaluation, Cont.
Maximum network size suffers slightly
![Page 43: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/43.jpg)
Evaluation, Cont.
Resistance to revocation attackSmall number of compromised nodes only
compromises a small portion of communications
Compromising large number of nodes is not economical
![Page 44: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/44.jpg)
Summary
Three efficient schemes for secure key bootstrapping
Each scheme has trade-offs q-composite: good for small attacks, bad for large Multipath-reinforcement: improved security, more
communication overhead Random pairwise: max. network size is smaller
![Page 45: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/45.jpg)
Future Work
How does the random pairwise scheme perform in small networks?
Can the random pairwise scheme be modified to handle larger networks?
![Page 46: Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers](https://reader035.vdocument.in/reader035/viewer/2022062714/56649d475503460f94a22b37/html5/thumbnails/46.jpg)