spins: security protocols for sensor networks
DESCRIPTION
SPINS: Security Protocols for Sensor Networks. Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley. Sensor Networks are Emerging. Many applications Real-time traffic monitoring Seismic safety Energy efficiency Need secure communication protocols. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/1.jpg)
SPINS:Security Protocols for
Sensor Networks
Adrian PerrigRobert SzewczykVictor WenDavid CullerDoug Tygar UC Berkeley
![Page 2: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/2.jpg)
Sensor Networks are Emerging
Many applications• Real-time traffic monitoring• Seismic safety• Energy efficiency
Need secure communication protocols
![Page 3: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/3.jpg)
Sensors in Cory Hall
![Page 4: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/4.jpg)
Sample Sensor DataLightintensity
Temperature
HackerAttack!
![Page 5: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/5.jpg)
Security for Sensor Networks Authentication• Ensures data integrity & origin• Prevents injecting bogus messages
Confidentiality• Ensures secrecy of data• Prevents eavesdropping
![Page 6: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/6.jpg)
Challenge: Resource Constraints Limited energy Limited computation (4 MHz 8-bit) Limited memory (512 bytes) Limited code size (8 Kbytes)• ~3.5 K base code (“TinyOS” + radio encoder)• Only 4.5 K for application & security
Limited communication (30 byte packets) Energy-consuming communication• 1 byte transmission = 11000 instructions
![Page 7: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/7.jpg)
SPINS: Our Solution
SNEP• Sensor-Network Encryption Protocol• Secures point-to-point communication
TESLA• Micro Timed Efficient Stream Loss-
tolerant Authentication• Provides broadcast authentication
![Page 8: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/8.jpg)
System Assumptions Communication patterns• Frequent node-base station exchanges• Frequent network flooding from base• Node-node interactions infrequent
Base station• Sufficient memory, power• Shares secret key with each node
Node• Limited resources, limited trust
![Page 9: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/9.jpg)
SNEP Security Goals
Secure point-to-point communication• Confidentiality, secrecy• Authenticity and integrity • Message freshness to prevent replay
Why not use existing protocols?• E.g. SSL/TLS, IPSEC
![Page 10: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/10.jpg)
Asymmetric Cryptography is Unsuitable
Overhead of digital signatures• High generation cost O(minutes)• High verification cost O(seconds)• High memory requirement • High communication cost ~128 bytes
SNEP only uses symmetric crypto
![Page 11: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/11.jpg)
Basic Crypto Primitives
Code size constraints code reuse Only use block cipher encrypt function• Counter mode encryption• Cipher-block-chaining message
authentication code (MAC)• Pseudo-Random Generator
![Page 12: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/12.jpg)
SNEP Protocol Details A and B share• Encryption keys: KAB KBA
• MAC keys: K'AB K'BA
• Counters: CA CB
To send data D, A sends to B:
A B: {D}<KAB, CA>
MAC( K'AB , [CA || {D}<KAB, CA>] )
![Page 13: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/13.jpg)
SNEP Properties Secrecy & confidentiality• Semantic security against chosen ciphertext
attack (strongest security notion for encryption) Authentication Replay protection Code size: 1.5 Kbytes Strong freshness protocol in paper
![Page 14: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/14.jpg)
Broadcast Authentication Broadcast is basic communication mechanism Sender broadcasts data Each receiver verifies data origin
Sender
Bob
M
Carol
M
DaveAlice MM
![Page 15: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/15.jpg)
Simple MAC Insecure for Broadcast
Sender
Alice
K
K
M, MAC(K,M)
Bob
K
M, MAC(K,M)
M', MAC(K,M')
![Page 16: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/16.jpg)
TESLA: Authenticated Broadcast
Uses purely symmetric primitives
Asymmetry from delayed key disclosure
Self-authenticating keys
Requires loose time synchronization
• Use SNEP with strong freshness
![Page 17: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/17.jpg)
TESLA Quick Overview I Keys disclosed 2 time intervals after use Receiver knows authentic K3
K4 K5 K6 K7
tTime 4 Time 5 Time 6 Time 7
K3
P2
K5
P1
K3
Authentication of P1: MAC(K5, P1 )
FFAuthenticate K5
Verify MAC
FK6FK5
![Page 18: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/18.jpg)
TESLA Quick Overview II Perfect robustness to packet loss
K4 K5 K6 K7
tTime 4 Time 5 Time 6 Time 7
K3
P5
K5
P3
K3
P2
K2
P1
K2
Verify MACs
P4
K4
FFAuthenticate K5
![Page 19: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/19.jpg)
TESLA Properties
Low overhead (1 MAC)• Communication (same as SNEP)• Computation (~ 2 MAC computations)
Perfect robustness to packet loss Independent of number of receivers
![Page 20: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/20.jpg)
Energy Cost for Sending a Message
Security Computation 2%
MAC transmission21%
Datatransmission
77%
Typical packet size: 28 bytes
![Page 21: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/21.jpg)
Related Work in Broadcast Authentication Symmetric schemes• Link-state routing updates [Cheung ’97]• Multi-MAC [Canetti et al. ’99]
Asymmetric schemes• Merkle hash tree [Wong & Lam ’98]
Chained hashes• EMSS [Perrig, Canetti, Tygar, Song ’00]• [Golle & Modadugu ’01]• [Miner & Staddon ’01]
Hybrid schemes• Stream signature [Gennaro & Rohatgi ’97]• K-times signature [Rohatgi ’99]
![Page 22: SPINS: Security Protocols for Sensor Networks](https://reader036.vdocument.in/reader036/viewer/2022062521/56816861550346895ddeb145/html5/thumbnails/22.jpg)
Conclusion Strong security protocols affordable• First broadcast authentication
Low security overhead• Computation, memory, communication
Apply to future sensor networks• Energy limitations persist• Tendency to use minimal hardware
Base protocol for more sophisticated security services