LAEP: Efficient Security
Mechanisms for Large-Scale
Distributed Sensor Networks
Sencun Zhu
Sanjeev Setia
Sushil Jajodia
Presented by: Harel Carmit
1
Outline
•
•
•
•
•
•
Motivation
Overview
Key Establishment
Inter-node Traffic
Performance Evaluation
Security Analysis
2
Motivation
• BackgroundDeployment of a sensor systems in unattended
and adversarial environments, requires
confidentiality and authentication.
Providing security is hard due to resource
limitations: each node consists of 4MHz
processor and 8 kb memory (hence asymmetric
cryptosystems are not practical).
Establishing a shared key is the main issue.
3
Motivation continue…
• Solution:
Pre deployed keying.
One approach – All the nodes share the same
key.
Low storage cost, but also low security.
Second approach – Every two nodes share a
different key.
Ideal security, however, how many keys will we
need? What about dynamic networks?
Moreover, effectiveness of in-network reduced
or prevented.
4
Solution – LEAP
Localized Encryption and Authentication
Protocol
• A key management protocol for sensor
networks.
• Supports in ‘in-network’ processing.
• Provide security properties similar to the
second approach.
• Support multiple keying mechanism.
Motivation- Different types of massages
require different security levels.
5
Assumptions
• Sensor networks are static.
• The base station acting as a controller and
supplied with long-lasting power.
• The sensors are similar in capabilities.
• Every node has space for storing hundreds of
bytes.
• The immediate neighboring are not known in
advance.
• Adversary can eavesdrop all traffic, inject
packets or replay older massages.
• The base station can not be compromised.
6
Design Goals
• LEAP design efficient security mechanism for
supporting communication in sensor networks.
• The sensor should be robust against security
attacks. The attacks impact should be minimal.
• The protocol support optimization mechanisms
such as in network.
• Key establish process should minimize
the computation.
7
Overview
1.
Establishments of four types of keys:
Individual key – Every node shares a unique key with
the base station for secure communication such as
reporting of a unexpected neighboring behavior.
2.
Group key – A globally shared key that is used the
base station to broadcast to the whole group, for
example to issue missions, query or instructions.
3.
Cluster key – A key shared by a node and all its
neighbors for securing locally broadcast massages in
order to save transmitions.
4.
Pairwise key - A shared key by a node and each of
its neighbors for secure communication such as for
distribution cluster key.
8
Key Establishment
Establishing Individual Node Keys:
m
• The controller has a master key
.s
• For each node u, its key generated and preloaded prior to the node deployment.
m
• Generating the key is as follows:
m (u )
k
k fk
u
Pseudo random function
s
Node unique ID
• When the controller needs to communicate with
an individual node u, it computes it on the fly.
• The storage and the computational overhead are
negligible.
9
Pseudo random function
• A function from {0,1}n to {0,1}m.
• A good PRF is acting as “almost”
random function. Meaning, given
two strings from {0,1}m , one is
completely random, and the other
is an output of a PRF, the
probability that an adversary will
be able to tell the different
between them is negligible.
10
Key Establishment
continue…
Establishing Pairwise Shared Keys:
• Assume a lower bound interval Tmin
necessary for an adversary to take
control of a sensor node.
• Assume also Ttest is the time for a newly
deployed node needs to discover its
immediate neighbors, and Ttest < Tmin (a
reasonable assumption for most sensor
networks and adversaries).
11
Key Establishment
continue…
1.
Four steps for adding a new node-
The controller generates an initial key kI and loads each
node with it.

(u )
Each node v derives a master key
u
k
2.
I
When u is deployed it broadcasts a “HELLO” massage.
u  * : u, Nonceu
Each neighbor v reply
3.
fk
A random number
Massage authenticated code
v  u : v, MAC (kv, Nonceu | v)
Each side compute k uv  f k v (u )
4. Erasing all the master keys and kI.
Special case – u and v added at the same time. Key is kvu if v < u.
12
Massage authenticated
code
• An efficient function
MACk(m): {0,1}l × {0,1}*
{0,1}l.
• To authenticate m, send
<m,MACk(m)>
• Upon receiving <m,a>, verify that
a= MACk(m).
13
Key Establishment
continue…
Establishing Cluster Keys:
k
c
• Node u generates a random key u and encrypts
it with the pairwise key of each neighbor vi.
u  v : (k ) k
c
i
u
uvi
Encryption
• Node vi decrypts the massage and keeps the key.
• If one of the neighbors is revoked, node u
generates a new cluster key.
14
Key Establishment
continue…
•
•
Establishing Multi-hops Pairwise Shared
Keys:
Extend the circle of neighbors. Not just for
immediate neighbors but also multiple hops
away nodes.
Works well only if:
1. Multiple hops pairwise shared key can be
established within Tmin.
2. A node has enough memory space.
What if not?
15
Key Establishment
continue…
Establishing Two-hops Pairwise Shared Keys:
Secure against m-1 nodes corruption.
• Node u has to find by a QUERY massage, all the
neighbors v1,…,vi that are common to it and the
target node c.
• To establish a pairwise key S with node c, node u
split S into i shares such that
• S  sk 1  sk 2,..., sk,i it then forwards each
ski to c through vi:
u  vi : {ski}kuvi, fski (0).
vi  c : {ski}kvic, fski (0).
Authentication
key of ski
16
Key Establishment
continue…
Establishing Group Keys:
• A key that is shared by all the nodes in the network.
Necessary when the controller distributing a massage
to all the nodes.
• Instead of using the hop-by-hop method, which is
too wasteful (each node has to decrypt and encrypt
the massage), the group key will be pre-load into
every node.
• An important question arises: How do we securely
update the key?
• Naïve approach – Use individual key. Not scalable.
• Solution – Secure Key Distribution using TESLA.
17
Key Establishment
continue…
Authentic Node Revocation:
• TESLA - broadcast authentication
protocol. Based on the use of a one-way
key chain and delayed key discloser.
The node to be revoked
M : Controller  * : u,
To be disclosed TESLA key
f k ' (0), MAC (k
g
New group key
T
i
,u |
f k ' (0))
g
Verification key
18
Key Establishment
continue…
Secure Key Distribution:
• Organize the nodes in BFS. Each node keep
tracks with its immediate neighbors.
• The new group key is distributed via recursive
process.
• Each node transmit it down the tree using its
own cluster key. Hop-by-hop is not too
wasteful due to the small massage – key, and
the event infrequency.
• The key should update even if no revocation
event occurs.
19
Inter-node Traffic
Authentication:
• A mandatory requirement is that every massage
must be authenticated before it is forwarded
or processed.
• Authenticated scheme must be easy to
compute.
• TESLA is not suitable – due to latency and
storage.
• Pairwise key authentication preclude passive
participation.
• Hop-by-hop authentication is possible,
overhead is small because a MAC is easy to
compute, but does not protect against inner
adversaries which compromise a node.
20
Inter-node Traffic
Authentication:
One–way Key Chain Based Authentication:
protects against impersonation attack.
• Every key generates a one way hash key chain, then
transmit the first key to each neighbor encrypted with
the pairwise key. Each massage authenticate with the
next key chain. The keys are disclosed reversely.
Triangular inequality:
|uv|<|ux|+|xv|.
Adversary x can not
reuse node’s u auth’
keys to impersonate u.
u  vi : (hn ( x))kuvi
u  vi : MAC(hn 1( x), M ), hn 1( x)
v
x
u
21
Inter-node Traffic
Authentication:
Probabilistic Challenge Scheme:
• The following attack can not be prevented still: an
insider adversary can shield node v by letting two node
transmit at the same time, and then using the key
which was not received to authenticate its own
message.
• Solution: challenge the authenticity of a received
packet with a certain probability.
Challenge probability
pc=pr/d
Pc
v  u : C,Nv,MAC(Kuv,C|Nv)
pr, probabilityu  v : Nu,MAC(Kuv,C|Nv|Nu)
that a node get
challenged.
The adversary does no know it
22
Performance Evaluation
(key establishment, key updating)
Computational cost:
• Only consider the cost of group and cluster
keys.
• Updating cluster key require to encrypt the
new one with the pairwise keys,
computational depends on the neighbors
number.
Se  i 1 di
d0
Number of nodes being revoked.
Number of legitimate
neighbors of each d0.
23
Performance Evaluation
(key establishment, key updating)
Computational cost:
For an network size N, the average number of
symmetric key operations is 2se/N.
Distributing group key require 2N operations.
The average cost is two operations per node.
The average number of symmetric key
operations for each node is where each node’s
degree is 2(d-1)2/(N-1)+2.
24
Performance Evaluation
(key establishment, key updating)
Communication Cost:
• Same as computational. Group rekeying based on
logical key tree requires O(logN) communication
cost.
Storage Requirement:
• Each node has to keep four types of keys. For d
neighbors, it has one individual key, d pairwise
keys, d cluster keys and one group key.
• In addition, it keeps each neighbor commitment
and its own chain key.
25
Performance Evaluation
(key establishment, key updating)
• To avoid storing the entire key chain,
deploy the optimization algorithm of
Coppersmith and Jakobsson to trade
storage and computation cost which
performs O(log 2 n) hashes per output
element using O (log 2 n) memory cells.
• Total number of stored keys is:
3d+2+L.
The number of keys a node stores for its key
chain.
L=20, d=20, a node stores 82 keys, totally 656 bytes when a
key size is 8 bytes.
26
Security Analysis
(keying mechanisms)
• Upon compromise detection, an efficient
revocation takes place: update the group and
cluster keys, and delete its pairwise keys from
each node.
Survivability• Obtaining Individual key does not help the
adversary to launch attacks.
• Spoofing and altering massages are difficult.
27
Security Analysis
(keying mechanisms)
• Possessing the pairwise and cluster keys, allows
the adversary establish false massages. The
possible damage can be localized, since a node
can establish trust relationships only with its
neighbors.
• Possessing the group key allows the adversary
reading the massages from the base station,
but not to impersonating to it because of the
authentication mechanism.
28
Security Analysis
Defending against various attacks on
secure routing-
• Adversary tries to convince all or part of the
nodes that it is their neighbor.
• Adversary replicates the compromised node and
add multiple replicates into the network and try
to establish pairwise keys with his so called
neighbors.
• Adversary convince other nodes that they are
localized in a different
distance from the base station.
29
Related Work
•
•
•
•
•
Stajano and Anderson proposed that bootstrap trust
relationship through physical contact.
Perrig et al present security protocols for sensor networks like
SNEP for data confidentiality and two parties data
authentication and TESLA. There scheme uses base station to
establish individual key.
Zhu et al propose bootstrapping trust among mobile nodes
based on TESLA and one-way hash.
Eschenauer and Gilgor present a key management scheme for
sensor networks based on probabilistic key predyployment,
which was extended by Chan et al to three mechanisms for key
establishment.
Basagni et al discuss rekeying scheme for periodicity updating
encryption key in a sensor network. Nodes temper free and
trust each other.
30
Summery
• LEAP, key management protocol for
sensor networks, provides authentication
and confidentiality.
• Support in ‘in network’ processing and
passive participation.
• Different types of massages require
different security levels, hence four
types of keys are established.
31