spin-ppt
TRANSCRIPT
SPINS: Security Protocols for SPINS: Security Protocols for Sensor NetworksSensor Networks
Presented By Presented By Kiran ShindeKiran Shinde
What are Sensor Networks?What are Sensor Networks?
Wireless networks consisting of Wireless networks consisting of a large number of small, low-a large number of small, low-cost and low-power nodes cost and low-power nodes ((motesmotes))
Sensor nodes can be densely Sensor nodes can be densely deployed very close to the deployed very close to the phenomenon to be observedphenomenon to be observed
Can also be deployed in hostile Can also be deployed in hostile environments where physical environments where physical access to nodes not possibleaccess to nodes not possible
Possess Possess self-organizingself-organizing capabilities – nodes can get capabilities – nodes can get added and deleted dynamicallyadded and deleted dynamically
Sensor Network nodesSensor Network nodes
Core of a mote is a small, low-cost, low-power Core of a mote is a small, low-cost, low-power computercomputer
Computer monitors one or more sensors and Computer monitors one or more sensors and connects to outside world with a radio linkconnects to outside world with a radio link
Radio communication range is typically a few Radio communication range is typically a few tens of meterstens of meters
Typical power consumption is 10 mA while Typical power consumption is 10 mA while running, and 10 μA in sleep moderunning, and 10 μA in sleep mode
Computer, sensors, antenna and batteries Computer, sensors, antenna and batteries packaged in small containers a few mm thickpackaged in small containers a few mm thick
Security GoalsSecurity Goals ConfidentialityConfidentiality
Data in transit to be kept secret Data in transit to be kept secret from eavesdroppersfrom eavesdroppers
Symmetric key ciphers preferred for Symmetric key ciphers preferred for their low power consumptiontheir low power consumption
Adversary
Node1Base StationMsg
Node2
Security Goals…Security Goals… AuthenticationAuthentication
Nodes need to verify each others' identitiesNodes need to verify each others' identities Public key digital signatures too expensivePublic key digital signatures too expensive Symmetric key MACs commonly usedSymmetric key MACs commonly used
Base StationAdversary
Node 1
Node 2
Node 3
Node 4
I am the Base Station,Change these parameters
Security GoalsSecurity Goals
IntegrityIntegrity Wireless networks inherently unreliableWireless networks inherently unreliable Adversary can tamper with messagesAdversary can tamper with messages Message integrity codes for data integrityMessage integrity codes for data integrity
Adversary
Node1Base StationMsg1
Msg1’
Security GoalsSecurity Goals FreshnessFreshness
Prevent adversaries from replaying old Prevent adversaries from replaying old protocol instances and stale data protocol instances and stale data readingsreadings
Session keys from past associations Session keys from past associations should not be reused in later ones.should not be reused in later ones.
System AssumptionsSystem Assumptions Communication patternsCommunication patterns
-Node to base station (e.g. sensor readings)-Node to base station (e.g. sensor readings)
--Base station to node (e.g. specific requests)Base station to node (e.g. specific requests)
--Base station to all nodesBase station to all nodes Base StationBase Station
--Sufficient memory, powerSufficient memory, power
--Shares secret key with each nodeShares secret key with each node NodeNode
-Limited resources, limited trust-Limited resources, limited trust A
B
D
EF
G
C
Base Station
SPINS: Building BlocksSPINS: Building Blocks
SNEPSNEP Sensor-Network Encryption ProtocolSensor-Network Encryption Protocol Secures point-to-point communicationSecures point-to-point communication
TESLATESLA Micro Timed Efficient Stream Loss-Micro Timed Efficient Stream Loss-
tolerant Authenticationtolerant Authentication Provides broadcast authenticationProvides broadcast authentication
First Protocol: SNEPFirst Protocol: SNEP
Use simple symmetric Use simple symmetric encryption function (RC5) encryption function (RC5) provides:provides: Encryption & DecryptionEncryption & Decryption Message Authentication Message Authentication
CodeCode Pseudorandom number Pseudorandom number
generationgeneration Hash FunctionHash Function
Secrecy and ConfidentialitySecrecy and Confidentiality Semantic security against Semantic security against
chosen ciphertext attack chosen ciphertext attack (strongest security notion (strongest security notion for encryption)for encryption)
AuthenticationAuthentication Replay protectionReplay protection
Block Cipher: RC5Block Cipher: RC5
Main Feature: Data dependent RotationMain Feature: Data dependent Rotation Parameterized for word size, number of rounds, length of the keyParameterized for word size, number of rounds, length of the key Low memory requirementsLow memory requirements Subset of RC5 with 40% reduction in code sizeSubset of RC5 with 40% reduction in code size Reused to save memoryReused to save memory
Plaintext
RC5 block cipherKey Ciphertext
1100 1100
11010010 10001101
Key Generation/SetupKey Generation/Setup
Nodes and base station share a master key pre-deploymentNodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key:Other keys are bootstrapped from the master key:
Encryption key Encryption key Message Authentication code keyMessage Authentication code key Random number generator keyRandom number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
SNEP Encryption (CTR Mode)SNEP Encryption (CTR Mode)
E = {D}<KeyE = {D}<Keyencryptionencryption, counter>, counter> Counter is shared stateCounter is shared state RC5 generates “random” data to XOR with messageRC5 generates “random” data to XOR with message Weak freshness guaranteedWeak freshness guaranteed Try different counter if messages are lostTry different counter if messages are lost
Last resort: explicit resynchronization of counterLast resort: explicit resynchronization of counter Decryption is identicalDecryption is identical
Counter+1
RC5 Block CipherKeyEncryption
+Pj+1 Cj+1
Counter+1
RC5 Block CipherKeydecryption
+ Pj+1
SNEP MAC (CBC Mode)SNEP MAC (CBC Mode)
Message Authentication Code = MAC(KMessage Authentication Code = MAC(KMACMAC, X), X) MAC uses Cipher Block Chaining (CBC)MAC uses Cipher Block Chaining (CBC) Every block of input affects outputEvery block of input affects output
KMAC RC5
X1
KMAC RC5
X2
KMAC RC5
XN
MAC
+ +
Authentication, ConfidentialityAuthentication, Confidentiality
Without encryption, can have authentication onlyWithout encryption, can have authentication only For encrypted messages, the counter is included in the MACFor encrypted messages, the counter is included in the MAC Base station keeps current counter for every nodeBase station keeps current counter for every node
Node A
Msg, MAC(KMAC, Msg)
{Msg}<Kencryption, Counter), MAC(KMAC, Counter|| {Msg}<Kencryption, Counter>)
Node B
Strong FreshnessStrong Freshness
Nonce generated randomlyNonce generated randomly Sender includes Nonce with requestSender includes Nonce with request Responder include nonce in MAC, but not in replyResponder include nonce in MAC, but not in reply
Node A
Request, Nonce
{Response}<Kencryption, Counter), MAC(KMAC, Nonce || Counter|| {Response}<Kencryption, Counter>)
Node B
TESLA (micro TESLA)TESLA (micro TESLA)
TESLA : efficient source authentication in TESLA : efficient source authentication in multicast for wired networks. multicast for wired networks.
µTESLA: authentication in broadcast for µTESLA: authentication in broadcast for WSNs.WSNs. µTESLA removes or adapts the expensive µTESLA removes or adapts the expensive
features of TESLAfeatures of TESLA Asymmetric digital signature is replaced by Asymmetric digital signature is replaced by
symmetric keysymmetric key Frequency of key disclosure is greatly lessened.Frequency of key disclosure is greatly lessened. Only the Base Station stores the key chain. Only the Base Station stores the key chain. Inter-node communication is made possible by Inter-node communication is made possible by
the Base Stationthe Base Station
Simple MAC Insecure for Simple MAC Insecure for BroadcastBroadcast
Sender
R1
M, MAC(K,M)
R4
M, MAC(K,M)
M’, MAC(K,M’)
K
K K
TESLA: Authenticated TESLA: Authenticated BroadcastBroadcast
Uses purely symmetric primitivesUses purely symmetric primitives
Asymmetry from delayed key disclosureAsymmetry from delayed key disclosure
Self-authenticating keysSelf-authenticating keys
Requires loose time synchronizationRequires loose time synchronization
Use SNEP with strong freshnessUse SNEP with strong freshness
Key SetupKey Setup
Main idea: One-way key chainsMain idea: One-way key chains KK00 is initial commitment to chain is initial commitment to chain Base station gives KBase station gives K00 to all nodes to all nodes
Kn Kn-1 K1 K0
X
…….F(Kn) F(K1)F(K2)
BroadcastBroadcast
Divide time into intervalsDivide time into intervals Associate KAssociate Kii with interval with interval ii Messages sent in interval Messages sent in interval ii use K use Kii in MAC in MAC KKii is revealed at time is revealed at time i + i + Nodes authenticate KNodes authenticate Kii and messages using K and messages using Kii
K0 K1 K2 K3 …
0 1 2 3 4 time
TESLA IssuesTESLA Issues
Important parameters: time interval, disclosure delayImportant parameters: time interval, disclosure delay Delay must be greater than RTT to ensure integrityDelay must be greater than RTT to ensure integrity Parameters define maximum delay until messages Parameters define maximum delay until messages
can be processedcan be processed Nodes must buffer broadcasts until key is disclosedNodes must buffer broadcasts until key is disclosed Requires loose time synchronization in networkRequires loose time synchronization in network Base station commits to maximum number of Base station commits to maximum number of
broadcasts when forming chainbroadcasts when forming chain When current chain is exhausted, all nodes must be When current chain is exhausted, all nodes must be
bootstrapped with a new onebootstrapped with a new one
Node to Node Key AgreementNode to Node Key Agreement
Node A Base Station
NA, NB, A, B, MAC(KmacB, NA | NB | A | B)
A,NA
Node B
{KAB}KencryB, MAC(KmacB, {KAB}KencryB)
{KAB}KencryA, MAC(KmacA, {KAB}KencryA)
Make random KAB
{Msg}Kab, MAC(KAB, {Msg}Kab)
Secure “channel”
Random Nonce
Lots of Communication
Applications of Sensor NetworksApplications of Sensor Networks
Military applications (battlefield surveillance, Military applications (battlefield surveillance, NBC attack detection and reconnaissance)NBC attack detection and reconnaissance)
Environmental applications (forest fire Environmental applications (forest fire detection, flood detection, tracking movement detection, flood detection, tracking movement of birds)of birds)
Health applications (telemonitoring of Health applications (telemonitoring of physiological data, hospital drug administration)physiological data, hospital drug administration)
Home applications (home automation such as Home applications (home automation such as vacuum cleaners, microwave, fridge, DVRs)vacuum cleaners, microwave, fridge, DVRs)
Commercial applications (fault detection in Commercial applications (fault detection in bridges, automatic meter reading, traffic bridges, automatic meter reading, traffic analysis)analysis)
Discussion: DrawbacksDiscussion: Drawbacks
The The TESLA protocol lacks scalabilityTESLA protocol lacks scalability
- - require initial key commitment with each nodes, require initial key commitment with each nodes, which is very communication intensivewhich is very communication intensive
SPINS uses source routing, so vulnerable to SPINS uses source routing, so vulnerable to traffic analysistraffic analysis
ConclusionConclusion
Strong security protocols affordableStrong security protocols affordable- First broadcast authentication- First broadcast authentication
Low security overheadLow security overhead- Computation, memory, communication- Computation, memory, communication
Apply to future sensor networksApply to future sensor networks-Energy limitations persist-Energy limitations persist
-Tendency to use minimal hardware-Tendency to use minimal hardware
Base protocol for more sophisticated security servicesBase protocol for more sophisticated security services
THANK YOU..THANK YOU..
Questions ???Questions ???