Wireless Network Security
14-814, Spring 2011
Patrick Tague
Jan 20, 2011
Class #4: Broadcast information security

Agenda
- Broadcast information security
- Broadcast authentication and encryption
- Key management
- Key establishment
- A few attacks

Broadcast Communication
- Broadcast communication takes advantage of the shared medium for one-to-many transmissions
- Can be much more efficient than one-to-one unicast communication

Topology and Scale
- Gains from broadcast advantage depend on network topology and scale
  - In a star topology, O(1) transmissions cover N nodes (compared to O(N) in unicast)
  - In general, O(N/d) transmissions cover N nodes with density d (compared to O(N^2) in unicast)
  - Ex: d ~ log N
- Additional considerations with network scale:
  - Key management overhead for broadcast authentication and encryption

Broadcast Authentication
- Allows nodes to verify the source of packet transmissions
- First idea: use symmetric key cryptography and MACs
  - Any group member with the authentication key can forge packets on behalf of any other group member
- Second idea: use public-key signatures
  - Provably correct, but very expensive (signature per packet, public key overhead [time + BW], etc.)
- Third idea: packet-block signatures
  - Sign a collection of packets, partition signature over packet block
  - Packet loss -> packet-block can't be validated, denial-of-service opportunity, still expensive

TESLA / µTESLA [Perrig et al., 2002]
- TESLA (Timed Efficient Stream Loss-tolerant Authentication), µTESLA for WSN
- Uses time-released symmetric keys to get efficiency of symmetric approaches without forgery problems
- One-way hash-chains are used to release/update keys periodically, introduces small delay and buffering
- Requires that all nodes are loosely time synchronized
- Paper posted on class website

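
The receiver side of the time-released key idea, as an added example that is not from the lecture or from the TESLA paper: a packet is buffered only if its key cannot have been disclosed yet, and a disclosed key is trusted only if it hashes back to the last authenticated chain value. The two-interval disclosure lag, SHA-256/HMAC and the use of K_i directly as the MAC key are assumptions made for the sketch.

```python
import hashlib, hmac

DELAY = 2  # assumed disclosure lag: K_i is released in interval i + DELAY

def H(b): return hashlib.sha256(b).digest()
def mac(k, m): return hmac.new(k, m, hashlib.sha256).digest()

def make_chain(seed, n):
    """[K_0..K_n] with K_{i-1} = H(K_i); K_0 is the commitment given to receivers."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain[::-1]

class Receiver:
    def __init__(self, commitment):
        self.i, self.key = 0, commitment   # newest authenticated chain key
        self.buffer = []                   # (interval, msg, tag) awaiting a key

    def on_packet(self, now, interval, msg, tag):
        # Safety condition: by the receiver's (loosely synced) clock the sender
        # cannot have disclosed K_interval yet, so nobody else could have MACed this.
        if now >= interval + DELAY:
            return False
        self.buffer.append((interval, msg, tag))
        return True

    def on_key(self, i, key):
        # Hash the disclosed key back to the last trusted one; the intermediate
        # values recover keys whose disclosure packets were lost.
        keys, k = {}, key
        for j in range(i, self.i, -1):
            keys[j], k = k, H(k)
        if not keys or not hmac.compare_digest(k, self.key):
            return []
        self.i, self.key = i, key
        ok = [m for j, m, t in self.buffer
              if j in keys and hmac.compare_digest(mac(keys[j], m), t)]
        self.buffer = [p for p in self.buffer if p[0] not in keys]
        return ok
```

Disclosing K_2 alone authenticates buffered packets from intervals 1 and 2, which is the loss tolerance; a packet for interval 1 that arrives at interval 3 is refused because any group member could already hold K_1.
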
Broadcast Encryption
- Encryption has similar challenges in symmetric and public-key approaches
- No symmetric key solutions are secure against malicious/curious group members, and timing solutions like TESLA don't work for secrecy
- Must rely on public-key approaches
  - For large broadcast groups (n-k of n, k<<n), O(k) ciphertexts per message with O(log n) private key length [Goodrich et al., 2004]
  - For small broadcast groups (k of n, k<<n), k ciphertexts with O(1) private key length [unicast]
- Inefficient!

Efficient Broadcast Encryption [Boneh et al., 2005]
- Approach uses Bilinear Maps for collusion-resistant encryption
  - Secure against any number of colluding nodes
- Two constructions
  - First has O(1) length ciphertexts and private keys, O(k) length public keys
  - Second has tunable tradeoffs between ciphertext size and public key length, e.g. O(k^{1/2}) each
- Still too expensive for many systems, may have to rely on attack detection and revocation instead
- Paper posted on class website

(Group) Key Management
- Group formation, joining, and leaving can be controlled entirely by distribution and revocation of symmetric keys
  - A session encryption key (SEK) is given to all group members (used to distribute/collect data)
  - A unique key encryption key (KEK) is given to each group member and used to periodically update SEKs
- Revocation = not getting an SEK update
- Updating SEKs must be very efficient so it can occur with sufficient frequency to minimize effects of misbehavior

Key Trees [Sherman & McGrew, 2003]
- m-ary key trees can be used for efficient SEK rekeying (m=2 below)
- Group leader assigns 4 quantities to each node so everyone can compute SEK X_0, e.g. M_1 stores X_{3,1}, f(x_{3,2}), f(x_{2,2}), and f(x_{1,2})

Key Tree Update
- Dis-enrollment as re-keying:
  - If e.g. M_1 leaves the group, X_{3,1}, f(x_{3,2}), f(x_{2,2}), and f(x_{1,2}) must be revoked
  - Leader broadcasts E_{K_{3,2}}(f(x'_{3,1})), E_{K_{2,2}}(f(x'_{2,1})), E_{K_{1,2}}(f(x'_{1,1}))

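
The two key-tree slides above, worked through for a depth-3 binary tree as an added example (not the lecture's or the authors' code): each member derives the SEK from its leaf key and three blinded sibling keys, and a departure is handled with one encrypted blinded key per tree level. Assumptions: a parent key is the XOR of its children's blinded keys, K_{l,j} is the node key x_{l,j}, f is SHA-256 with a prefix, and E is a keyed-hash XOR standing in for a real cipher.

```python
import hashlib, os

DEPTH = 3                                   # binary tree, 8 members M_1..M_8

def f(x): return hashlib.sha256(b"blind" + x).digest()    # one-way blinding
def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))
def E(key, m):                              # stand-in for a real authenticated cipher
    return xor(hashlib.sha256(b"enc" + key).digest(), m)  # demo only; E is its own inverse
def sibling(l, j): return (l, j + 1 if j % 2 else j - 1)

def build(leaf_keys):
    """x[(l, j)] for every node; leaves at level DEPTH, x[(0, 1)] is the SEK."""
    x = {(DEPTH, j + 1): k for j, k in enumerate(leaf_keys)}
    for l in range(DEPTH - 1, -1, -1):
        for j in range(1, 2 ** l + 1):
            x[(l, j)] = xor(f(x[(l + 1, 2 * j - 1)]), f(x[(l + 1, 2 * j)]))
    return x

def member_state(x, i):
    """M_i stores its leaf key plus the blinded key of each sibling on its path."""
    path = [(l, (i - 1) // 2 ** (DEPTH - l) + 1) for l in range(DEPTH, 0, -1)]
    return x[(DEPTH, i)], [(n, f(x[sibling(*n)])) for n in path]

def walk(leaf_key, blinded, bcast=None):
    """Member side: climb to the root, first applying any rekey broadcast."""
    k, state = leaf_key, []
    for n, fs in blinded:                   # k is the key of path node n
        if bcast and n in bcast:            # message encrypted under our subtree key
            fs = E(k, bcast[n])
        state.append((n, fs))
        k = xor(f(k), fs)
    return state, k                         # updated blinded keys, SEK

def rekey_on_leave(x, i):
    """Leader side: refresh leaf (DEPTH, i); one encrypted blinded key per level."""
    leaves = [x[(DEPTH, j)] for j in range(1, 2 ** DEPTH + 1)]
    leaves[i - 1] = os.urandom(32)
    new = build(leaves)
    path = [n for n, _ in member_state(new, i)[1]]
    return new, {sibling(*n): E(x[sibling(*n)], f(new[n])) for n in path}
```

For M_1 leaving, `rekey_on_leave` returns messages keyed by nodes (3,2), (2,2) and (1,2), matching the three broadcasts on the slide; M_1 holds only blinded versions of those keys, so it can decrypt none of them and stays on the old SEK.
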
Power-Efficient Key Trees [Lazos & Poovendran, 2005]
- Re-keying trees in large distributed networks (WSNs, MANETs, etc.) requires numerous transmissions over multi-hop routes
- Tree can be constructed to group nodes according to power proximity (network and physical layer info)

Group-Less Key Establishment
- In fully distributed systems with no support for group key management (WSN), keying has other challenges
- Public-key not possible, Diffie-Hellman establishment is too costly, so it has to be symmetric key
- An authority/owner of the system can load keys onto nodes before deployment (see e.g. [Eschenauer & Gligor, 2002])
- Re-keying is an issue, so the keys must be long-term
- But, if the system is unattended, an attacker can physically compromise nodes and extract keys
- So...

Key Predistribution -or- Pre-deployment Keying
- Authority assigns symmetric keys prior to deployment, used long term
  - Single key per network -> single attacked node compromises everything
  - Single key per node pair -> O(N^2) storage overhead, most of which is wasted
  - Meet somewhere in the middle - single key per group
- What is known about topology before deployment?
  - If nothing, groups can be random
- Approach: assign a set of keys from a large pool to each node [Eschenauer & Gligor, 2002] or use a randomized matching algorithm [Tague & Poovendran, 2007]

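
A sizing aid for the random key-pool approach, added here as an example and not taken from the lecture or the cited papers: for each candidate ring size it reports how likely two nodes are to share a key and what fraction of the pool is exposed once some nodes are lost, analytically and by simulation. The pool size, node count, ring sizes and the uniformly random loss model are assumed values for illustration.

```python
import random
from math import comb

def assign_rings(n_nodes, pool, k, rng):
    """Each node draws k distinct key IDs at random from a pool of `pool` keys."""
    return [frozenset(rng.sample(range(pool), k)) for _ in range(n_nodes)]

def p_share(pool, k):
    """P[two rings share at least one key] = 1 - C(P-k, k) / C(P, k)."""
    return 1 - comb(pool - k, k) / comb(pool, k)

def p_exposed(pool, k, captured):
    """Expected fraction of the pool exposed once `captured` random nodes are lost."""
    return 1 - (1 - k / pool) ** captured

def measure(rings, pool, captured, rng):
    """Empirical (share probability, exposed pool fraction) for one deployment."""
    pairs = [(a, b) for i, a in enumerate(rings) for b in rings[i + 1:]]
    share = sum(1 for a, b in pairs if a & b) / len(pairs)
    exposed = len(frozenset().union(*rng.sample(rings, captured))) / pool
    return share, exposed

def tradeoff(pool=1000, n_nodes=200, captured=20, ring_sizes=(10, 30, 60), seed=1):
    """Rows of (k, analytic share, analytic exposure, simulated share, simulated exposure)."""
    rng = random.Random(seed)
    rows = []
    for k in ring_sizes:
        rings = assign_rings(n_nodes, pool, k, rng)
        rows.append((k, p_share(pool, k), p_exposed(pool, k, captured),
                     *measure(rings, pool, captured, rng)))
    return rows

if __name__ == "__main__":
    for k, ps, pe, ms, me in tradeoff():
        print(f"k={k:3d}  share {ps:.3f} (sim {ms:.3f})  exposed {pe:.3f} (sim {me:.3f})")
```

Larger rings raise connectivity and exposure together, which is the middle ground between one key per network and one key per node pair that the slide describes.
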
WSN Node Capture Attacks
- Physically attacking nodes leads to key recovery
- Depending on the attacker's goal, can capture nodes randomly until sufficient keys are recovered or can target nodes with specific keys
  - If the goal is getting all the keys, try to find a key covering set of nodes
  - If the goal is getting all keys that are actually used, find a link covering set of nodes
  - If the goal is compromising traffic secrecy, also need to know some network layer topology information, then need a path membership link covering set
- Goals are many, but everything fits into an attack framework [Tague & Poovendran, 2007]

Node Capture Defenses
- Can't prevent attacks on unattended devices
- Tamper-proof hardware would help, but it's very expensive
- So, the answer isn't defense, it's mitigation
  - Make the attacker's job more expensive
  - Make the attacks less effective
  - Make the attacks detectable
- This is a mostly-open problem

Next time...
- Physical layer & communication security
- Physical layer vulnerabilities and threats
- Communication availability
- Multi-channel diversity
- Leveraging physical layer properties for secrecy and authentication
- Key establishment from channel randomness
- Authentication using wireless signatures