Forward-secure Key Evolution in Wireless Sensor Networks

Similar documents
Key establishment in sensor networks

Key establishment in sensor networks

Dynamic Key Ring Update Mechanism for Mobile Wireless Sensor Networks

Use of Symmetric And Asymmetric Cryptography in False Report Filtering in Sensor Networks

An Energy-Efficient Symmetric Cryptography Based Authentication Scheme for Wireless Sensor Networks

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks

Chord-based Key Establishment Schemes for Sensor Networks

A Key-Management Scheme for Distributed Sensor Networks

CSC 774 Advanced Network Security

Enhancing the Security in WSN using Three Tier Security Architecture Chanchal G. Agrawal *

The Best Keying Protocol for Sensor Networks

A Security Infrastructure for Trusted Devices

Key Grids: A Protocol Family for Assigning Symmetric Keys

An Efficient Key Management Scheme for Heterogeneous Sensor Networks

DISTRIBUTED HASH TABLE PROTOCOL DETECTION IN WIRELESS SENSOR NETWORKS

Key Management for Static Wireless Sensor Networks With Node Adding

ESTABLISHMENT OF SECURE COMMUNICATION IN WIRELESS SENSOR NETWORKS

Detection of Node Clone in Wireless Sensor Networks

Location-Based Pairwise Key Establishments for Static Sensor Networks

Re-examining Probabilistic Versus Deterministic Key Management

By: Wenliang Du, Jing Deng, Yunghsiang S. Han, Pramod K. Varshney, Jonathan Katz, and Aram Khalili

A Time-Based Key Management Protocol for Wireless Sensor Networks

Providing Transparent Security Services to Sensor Networks

Kleptographic Attacks on E-Voting Schemes

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Sleep/Wake Aware Local Monitoring (SLAM)

BISS: Building secure routing out of an Incomplete Set of Security associations

Wireless Network Security Spring 2011

WIRELESS sensor networks (WSNs) have been

How to Break and Repair Leighton and Micali s Key Agreement Protocol

A General Probabilistic Model for Improving Key Assignment in Wireless Networks

Weiyi Zhang AT&T Labs - Research, Middletown, NJ

A Set-Covering Approach for Modeling Attacks on Key Predistribution in Wireless Sensor Networks

Distributed ID-based Signature Using Tamper-Resistant Module

Node Clone Detection in Wireless Sensor Networks

Improving Key Pre-Distribution with Deployment Knowledge in Static Sensor Networks

Outline Key Management CS 239 Computer Security February 9, 2004

Energy-Efficient Security Threshold Determination Method for the Enhancement of Interleaved Hop-By-Hop Authentication

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

Security of Mobile Ad Hoc and Wireless Sensor Networks

Computer Networks II, advanced networking

Reliable Broadcast Message Authentication in Wireless Sensor Networks

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS

Regular Expression Constrained Sequence Alignment

On Secrecy Amplification Protocols Improving security of partially compromised network

Study on Dynamic Key Management of Clustered Sensor Networks

Network Decoupling: A Methodology for Secure

Node Clone Detection in Wireless Sensor Networks

Random Key Pre-distribution Schemes using Multi-Path in Wireless Sensor Networks

An Optimal Symmetric Secret Distribution of Star Networks 1

ENHANCED THREE TIER SECURITY ARCHITECTURE FOR WSN AGAINST MOBILE SINK REPLICATION ATTACKS USING MUTUAL AUTHENTICATION SCHEME

Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures

An Online Threshold Key Distribution Scheme for Symmetric Key Management

Key Predistribution Scheme for Clustered Hierarchical Wireless Sensor Networks based on Combinatorial Designs

Random Key Predistribution Schemes for Sensor Networks 1

Secure Routing and Transmission Protocols for Ad Hoc Networks

Establishing Pairwise Keys in Distributed Sensor Networks

RSA. Public Key CryptoSystem

A Pairwise Key Pre-Distribution Scheme for Wireless Sensor Networks

RSA Cryptography in the Textbook and in the Field. Gregory Quenell

Security Fusion: A New Security Architecture for Resource-Constrained Environments

Enhancing Energy Efficiency in Wireless Sensor Networks via Improving Elliptic Curve Digital Signature Algorithm

CPSC 467: Cryptography and Computer Security

Abstract. 1. Introduction

Trust-Propagation Based Authentication Protocol in Multihop Wireless Home Networks

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

LIGHTWEIGHT KEY MANAGEMENT SCHEME FOR HIERARCHICAL WIRELESS SENSOR NETWORKS

CS 161 Computer Security

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Duplicate Node Detection Using Distributed Protocols (3D-NUP) in WSN

Simulation on Agent-based Onion Routing Network *

Security Issues In Mobile Ad hoc Network Routing Protocols

Specification-based Intrusion Detection. Michael May CIS-700 Fall 2004

Armor-LEACH for Wireless Sensor Network

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

A Joint Performance-Vulnerability Metric Framework for Designing Ad Hoc Routing Protocols

Key Predistribution Schemes Using Block Designs in Wireless Sensor Networks

A Smart Card Based Authentication Protocol for Strong Passwords

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Cryptanalysis. Ed Crowley

Wireless Security Security problems in Wireless Networks

A Review on Various Routing Attacks on Wireless. Sensor Network

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Computer Based Image Algorithm For Wireless Sensor Networks To Prevent Hotspot Locating Attack

An Analytical study on Key Pre-distribution in Wireless Sensor Networks.

Ultra-Lightweight Key Predistribution in Wireless Sensor Networks for Monitoring Linear Infrastructure

Kun Sun, Peng Ning Cliff Wang An Liu, Yuzheng Zhou

Cryptography ThreeB. Ed Crowley. Fall 08

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Wireless Sensor Networks: Security Issues, Challenges and Solutions

Efficient RFID Authentication protocol for Ubiquitous Computing Environment

Code Verification Work of Sybil Attack in Wireless Sensor Network

A Performance Comparison of Multi-Hop Wireless Ad Hoc Network Routing Protocols. Broch et al Presented by Brian Card

Wireless KRACK attack client side workaround and detection

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Detecting Denial of Service Attacks in Tor

Information Security

Security in ECE Systems

Ranking Clustered Data with Pairwise Comparisons

Transcription:

Forward-secure Key Evolution in Wireless Sensor Networks Marek Klonowski 1 Mirosław Kutyłowski 1 Michał Ren 2 Katarzyna Rybarczyk 2 1 Wrocław University of Technology Wrocław, Poland 2 Adam Mickiewicz University Poznań, Poland CANS 2007, Singapore

Outline Introduction Motivation Existing solutions KEP without forward security Forward-secure KEP Problem statement Strong connectivity Diameter Key probability

Motivation Existing solutions What are sensor networks? Node capabilities: sensing equipment RF communication processor battery Network topology: distances usually up to 30m apart neighbors unknown in advance 100 10000 nodes in a network

Motivation Existing solutions Dangers in sensor networks Nodes are not tamperproof, nor even tamper-resistant. Easy to steal node s keys with physical access. Vital to ensure that a single node compromise does not compromise the network by eavesdropping by inserting forged messages, including control messages by making copies of a compromised node etc.

Motivation Existing solutions Node capabilities Target price in cents per unit. Limited memory too little to remember every key in the network. Limited CPU power 8-bit processors, too slow for most public-key schemes. Symmetric encryption/decryption coprocessor. Limited energy. How to distribute keys to the nodes?

Motivation Existing solutions Random key predistribution A key-management scheme for distributed sensor networks (2002), L. Eschenauer, V. D. Gligor[1] A large pool of keys is generated, and a random subset is loaded into each node. After deployment, nodes discover which keys they share with every neighbor. This establishes network topology a link means that nodes share a common key. Nodes that are within RF range but do not share a key, must establish a path-key in order to communicate. Node compromise affects only a part of the network.

Motivation Existing solutions Key infection protocol Key Infection: Smart Trust for Smart Dust (2004), R. Anderson, H. Chan, A. Perrig[2] Every node creates its symmetric key randomly. Every node broadcasts its key in the clear. Assumption: the attacker is not omnipresent. Reasonable security if the attacker does not have his own sensor network already in place.

KEP without forward security Forward-secure KEP Key divergence scheme in a nutshell Diverging Keys in Wireless Sensor Networks (2006), M. Ren, K. D. Tanmoy, J. Zhou[3]: Let s assume that nodes already share pairwise keys. When a node wants to communicate with another node, it transmits a message encrypted with a key that differs by one bit from the pairwise key. The other node has to crack the new key by brute-force only a few tries are needed. When the other node succeeds and replies using the new key, the pairwise key is permanently changed. The procedure is repeated for as long as nodes communicate.

KEP without forward security Forward-secure KEP Energy savings One change of a bit in the divergence scheme adds 0.5µJ on average (for 128-bit keys). Transmitting 128 bits costs about 2500µJ. Assuming that message structure does not make it necessary to make any extra transmissions (ECC, node identifiers and message counters are included in messages, and in replies), it is cheaper to change a key by divergence than by transmitting a new one. The energy gap between transmission and encryption will only widen in the future.

KEP without forward security Forward-secure KEP Attack scenario against KEP An adversary records wireless communication of a node. At a later time, the adversary captures the node, and extracts the key. Recorded communication together with the key allow the adversary to reverse KEP reversing transitions requires finding only one flipped bit every time! All past communication becomes decrypted.

KEP without forward security Forward-secure KEP Forward-secure KEP This paper: Forward security is desirable subverting a node would not help in decrypting its past communication. Simple modification instead of bit-flipping, let s use a one-way function. AES coprocessor can be used.

KEP without forward security Forward-secure KEP Forward-secure KEP in detail Nodes A and B share a pairwise key: k AB. Node A sends a message to B. A encrypts the message with k := F (k AB, i), i (1,..., l), l is a small constant, l 2. From then on, A sends messages to B using k until it receives a message from B.

KEP without forward security Forward-secure KEP Forward-secure KEP in detail cont. Node B receives a message from A. Message is encrypted with k := F(k AB, i), i (1,..., l), i is not known to B. B discovers k by trying all possible i (1,..., l). Next message sent by B to A will be encrypted with k.

KEP without forward security Forward-secure KEP Forward-secure KEP in detail cont. Node A receives the message from B. Message is encrypted with k which A chose, and B discovered. If the message is not fresh, indicating a replay attack, or if it is encrypted to a different key than k, then: A rejects the message A reverts to previous key k AB A remembers k in case there was a communication error. Otherwise, A accepts k as the new key.

KEP without forward security Forward-secure KEP Forward-secure KEP in detail cont. From B s point of view, the exchange is as follows: B receives a message from A encrypted with an unknown key k. B checks if k = k AB. If not, B checks every key of the form F (k AB, i), i (1,..., l). In no key works, and B has unsuccessfully tried to change the key to k earlier, it also checks all keys of the form F (k, i), i (1,..., l). If B succeeded in decrypting the message, and the message was fresh, B accepts k as the new key. If the message could not be decrypted or was not fresh, it is rejected.

Problem statement Strong connectivity Diameter Key probability Potential problem Are all the keys reachable in the forward-secure KEP? Are the keys reachable quickly? Are all keys equally likely in the forward-secure KEP? Perhaps some keys are attractors, and the adversary could confine keyspace search to them? The previous case where keys changed by one bit was easy to analyze, the case with a one-way function is more difficult

Problem statement Strong connectivity Diameter Key probability Keyspace in Forward-secure Key Evolution K set of possible keys K = {0, 1} n, N = K = 2 n E set of directed edges, such that for k, k K, kk E it is possible to change k into k in one step of the protocol G = (K, E) graph representing the keyspace with transitions, in the key evolution protocol

Problem statement Strong connectivity Diameter Key probability Keyspace in Forward-secure Key Evolution cont. One-way function F changes a key into one of l keys, picked independently, uniformly at random Due to probability of a collision, the actual number of keys is in every step is a random variable X concentrated around l We consider the random digraph G(X) = (K, E), constructed by having each vertex v independently: choose its out-degree l v according to the distribution of X v = X choose the set of l v out neighbors uniformly from all l v -element subsets of K.

Problem statement Strong connectivity Diameter Key probability Strong connectivity Our earlier question, rephrased: is G(X) strongly connected? If E(X) = l ln N, Pr( l 2 X) = 1, N 2 32 and ln N l N/90 1, then Theorem (Strong connectivity) With probability at least 1 p (N, l) G(X) is strongly connected, where: p (N, l) = l N N l 1 Ne ( l N ) + 0.1(ln N) 6 N + N l (N 2l) e 2l(2l+1) N + 0.0017(ln N)15 N 1.99 + 1 N 0.59 + 1 N 0.16l 1 + 1 N 0.5

Problem statement Strong connectivity Diameter Key probability Diameter Our earlier question, rephrased: what is the diameter of G(X)? If E(X) = l ln N, Pr( l 2 X) = 1, N 2 32 and ln N l N/90 1, then Theorem (Diameter) With probability at least 1 p(n): ln N ln N ln N diamg(x) ln 2l 2 ln l 2 + 2 ln( l 2 4) +4, where: p(n) = 0.1(ln N)6 0.0017(ln N)15 N + + 1 1 + N 1.99 N 0.59 N 0.16l 1 + 1 N 0.5

Problem statement Strong connectivity Diameter Key probability Results for typical keyspace sizes N l diameter probability 2 32 32 5 13 0, 98 2 64 64 9 19 1 10 8 2 128 128 16 26 1 10 17 2 256 256 28 42 1 10 34

Problem statement Strong connectivity Diameter Key probability Let s denote the state of the keys after t steps as P t = (P1 t, Pt 2... Pt N ), and assume that the transition function in every step of the KEP is randomly chosen. Our earlier question, rephrased: does any Pi t deviate significantly from 1/N? Theorem (Deviation) For step t, with parameters N > l 2, for ε > 0, and δ = 1 l 1 N we have: Pr ( max i P t i 1 N ε ) ( δ t + δ(1 δt 1 ) N(1 δ) ) ε 2.

Problem statement Strong connectivity Diameter Key probability Results for typical keyspace sizes N l t probability ε 2 32 32 32 0.001 10 4 2 64 64 64 0.001 10 9 2 128 128 128 0.001 10 19 2 256 256 256 0.001 10 39

Conclusion Forward security in the is feasible for keyspace sizes typical in sensor networks The KEP is able to provide several advantages for sensor network key distribution and management: Compatibility with other key distribution schemes can be added on top. Scalability every node needs to remember only keys of neighbors. Automatic increase in security (keys change faster) in high-traffic areas of the network. Resistance to key compromise pairwise keys are unique and change, so if a key is ever compromised, the attacker is forced to keep monitoring the connection, or lose the advantage.

Further reading L. Eschenauer and V. D. Gligor, A key-management scheme for distributed sensor networks, in CCS 02: Proceedings of the 9th ACM conference on Computer and communications security, (New York, NY, USA), pp. 41 47, ACM Press, 2002. R. Anderson, H. Chan, and A. Perrig, Key infection: Smart trust for smart dust, in Proceedings of IEEE International Conference on Network Protocols (ICNP 2004), Oct. 2004. M. Ren, K. D. Tanmoy, and J. Zhou, Diverging keys in wireless sensor networks, in Information Security (S. K. Katsikas, J. Lopez, M. Backes, S. Gritzalis, and B. Preenel, eds.), vol. 4176 of LNCS, pp. 257 269, Springer Verlag, 2006. M. Klonowski, M. Kutyłowski, M. Ren, and K. Rybarczyk, Forward-secure key evolution protocol in wireless sensor networks, CANS 2007, 2007.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback