Key Infection: Smart Trust for Smart Dust

Presented by Sree P. Kollipara

By Ross Anderson, Haowen Chan, Adrian Perrig


Post on 02-Jan-2016



Overview

- Introduction
- Sensor Network
- Previous Work
- Real World Attacker Model
- Key Infection
- Secrecy Amplification
- Conclusion

Introduction

- Sensor network
  - Widely used, e.g., factory instrumentation, climate control, building safety
  - Large number of sensors
  - Small and low cost
  - Self-organized network, peer-to-peer
  - Limited battery power, resources
  - Not tamper-proof hardware

Introduction

- Security
  - Opponent [attacker, adversary]
  - Passive, just monitoring, or
  - Active, jamming or network flooding
- Key Distribution
  - Problem: Shared keys between sensor nodes
  - Asymmetric vs. Symmetric Cryptography
  - Enough computing & electronic power, & memory
  - Limited processor, memory & battery
  - Preloaded keys: memory, infrastructure to load
  - Setup of a key by touch: large scale deployment

Contributions

- Identify realistic attacker model
- Key infection, an efficient lightweight key-distribution mechanism
- Analyze the security of key infection & design Secrecy Amplification
- In real-world applications, the major cost is maintenance more than initial deployment

Sensor Network

- A sensor network consists of multiple detection stations called sensor nodes, each of which is small, lightweight and portable.
- Every sensor node is equipped with
  - transducer
  - microcomputer
  - transceiver
  - power source

Sensor Network

- The development of wireless sensor networks (WSN) was originally driven by military applications
- These WSNs are also used by other applications such as civilian application areas, health care applications, home automation and traffic control

Sensor Network

- The nodes of a single sensor network can vary in size from shoebox-sized to the size of a grain of dust.
- Here, size & cost constraints result in constraints on resources such as
  - energy
  - memory
  - speed
  - bandwidth

Sensor Network

- Sensors:
  - Sensors are hardware devices which produce responses to a change in a physical condition like temperature and pressure
  - Sensors are classified into 3 categories:
    - Passive, Omni Directional Sensors
    - Passive, Narrow-beam Sensors
    - Active Sensors

Sensor Network

- There are two kinds of sensor nodes used in a sensor network
  - One is the normal sensor node, which is deployed to sense phenomena
  - The other is the gateway node, which interfaces the sensor network to the external world
- Some commonly used commercial motes/sensor nodes are Bean, Btnode, Cots, Dot, Eyes, I Mote, etc.

Sensor Network

- Various routing protocols used in sensor networks are
  - Classic flooding
  - Gossiping
  - Ideal dissemination
  - SPIN (Sensor Protocols for Information Negotiation)

Previous Work

- Sensor network with a source-based routing protocol
- Routing architecture executes the software with which they were loaded before deployment
- Security architecture:
  - Authenticated broadcast with initial keys diversified from master keys
  - Using normal nodes as base stations
  - Generation of base stations to possess master keys

Previous Work

- Alternative method
  - Symmetric keys are pre-loaded on each node
  - Shared keys are generated based on total # of nodes and expected density of deployment
- Cost issues
  - Uses a lot of memory to store keys

Related Work

- Non-Public Key Distribution, Rolf Blom
- Investigates schemes which have greater theoretical security with small demands on storage space
- The straightforward approach of distributing N-1 different keys to each user is the strongest possibility for security but has the largest requirement on user storage
- There are 2 different key generation schemes that require the same secret storage, with simple functions for calculation of legal keys

Related Work

- The first scheme, based on MDS codes, is good when there is no need to protect the key scheme against large groups of cooperating users trying to generate extra keys.
- In the second scheme, when enough users cooperate and succeed in generating one extra key in the polynomial-based system, they can generate all keys in the system.
- It would be nice to have systems that degrade more gracefully, but here more research is needed.

Real World Attacker Model

- From the experience of World War 2 and the world of international telephony in the post-war years, researchers assumed a highly capable & motivated attacker
  - Global passive adversary, that can monitor & store all communications
  - Global active adversary, that can modify and inject communications

Real World Attacker Model

- More realistic attacker model
- Non-critical commodity sensor network
  - extreme limitations on sensor hardware
  - requires minimal pre-deployment setup
  - less valuable as targets
  - little damage is done to user
- So, it is dubious to apply the stronger attack model

Real World Attacker Model

- Slightly relaxed attacker, attacker should use realistic protection requirements
  - Low cost commodity sensor network
  - Extremely expensive to deploy surveillance devices
  - Main obstacle is availability of power
- So, it is unlikely to be economical to attack a commodity sensor network

Real World Attacker Model

- During the deployment phase, the attacker
  - doesn't have physical access to the deployment site
  - can monitor only a small proportion of the network
  - cannot execute active attacks
- After key exchange, both are possible

Real World Attacker Model

- Contravening the attacker model: an adversary
  - has to have the foresight to deploy surveillance equipment
  - its eavesdropping devices must be operational & undetected
  - must be able to identify, retrieve & process the eavesdropped product to extract key exchange messages

Key Infection

- Each node chooses a key & broadcasts it in plain text to its neighbors
- Short range transmission will have about half a dozen nodes within a range of 10 meters
- Nodes detect each other's presence & organize themselves into a network
- Packets are transmitted with minimum power
- Gives significant protection when opponents are present
- Improvement with a slight change in the protocol: key whispering

Key Whispering

- A node transmits a key very quietly & steadily increases the power until the response is heard
- A link is established with the responder & broadcast with a new initial key
- Two nodes within range will exchange a secure key
- The number of links an opponent can eavesdrop falls to 0.8% as opposed to 2.4% in key infection

Analysis

- Key infection is secure if the attacker arrives after the key infection phase
- Considering the case when black dust nodes are installed before white dust nodes, then if black nodes collude, the probability that a black node can eavesdrop is $R^2 N_b / S$, where
  - $R$ is the max range of the radio
  - $N_b$ is the number of black dust nodes
  - $S$ is the size of distribution of smart nodes over an area

Analysis

- Using Key Whispering, the probability that a black node can eavesdrop is $1.2 r^2 N_b / s$, where
  - $1.2 r^2$ is the effective eavesdropping area
  - $r$ is the length of a link
  - $N_b$ is the number of black dust nodes
  - $s$ is the size of distribution of smart nodes over an area
- Whisper mode extension results in approximately fewer compromised links
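An added simulation (not from the slides or the paper) comparing basic key infection with key whispering on the same node layout. It assumes a black node compromises a link only when it lies inside the transmit radius of both endpoints, which is consistent with the 1.2r² eavesdropping area above (the overlap of two circles of radius r whose centres are r apart); node counts, field size and seed are constructed.

```python
import math
import random

def lens_area(radius, d):
    """Area in which a listener is within `radius` of both ends of a link of length d."""
    if d >= 2 * radius:
        return 0.0
    return (2 * radius ** 2 * math.acos(d / (2 * radius))
            - (d / 2) * math.sqrt(4 * radius ** 2 - d ** 2))

def hears_link(black, a, b, tx_radius):
    """Assumed eavesdropping rule: the black node must hear both endpoints."""
    return math.dist(black, a) <= tx_radius and math.dist(black, b) <= tx_radius

def compromised_fraction(whites, blacks, max_range, whisper):
    """Fraction of white-white links overheard by at least one black node.

    Basic key infection: both ends transmit at full power (radius max_range).
    Key whispering: power is raised only until the neighbour answers, so the
    transmit radius equals the link length.
    """
    links = hit = 0
    for i, a in enumerate(whites):
        for b in whites[i + 1:]:
            d = math.dist(a, b)
            if d > max_range:
                continue  # not neighbours, no link
            links += 1
            tx = d if whisper else max_range
            if any(hears_link(k, a, b, tx) for k in blacks):
                hit += 1
    return hit / links if links else 0.0

def simulate(n_white=400, n_black=4, side=100.0, max_range=10.0, seed=1):
    """Constructed scenario: uniform random placement, 1% black dust."""
    rng = random.Random(seed)
    whites = [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(n_white)]
    blacks = [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(n_black)]
    return (compromised_fraction(whites, blacks, max_range, whisper=False),
            compromised_fraction(whites, blacks, max_range, whisper=True))

if __name__ == "__main__":
    print("overlap area for r = 1, link length 1: %.3f" % lens_area(1.0, 1.0))
    ki, kw = simulate()
    print("key infection : %.2f%% of links overheard" % (100 * ki))
    print("key whispering: %.2f%% of links overheard" % (100 * kw))
```

Because the whisper radius never exceeds the full-power radius, every link overheard under whispering is also overheard under basic key infection, so the second figure can never be larger than the first.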

Analysis

- We assume that black nodes have the same receiver sensitivity as white nodes, which appears reasonable given the single-chip receiver technology.
- This would have
  - larger batteries, or
  - wired network
- so as to transmit further.

Secrecy Amplification

- Uses multipath key establishment to make the job harder
- Simulate different strategies for key establishment
- Here, we combine keys along different paths
- We suppose the nodes W1, W2 & W3 are neighbors
  - W1, W2 set up the key k12
  - W1, W3 set up the key k13
  - W2, W3 set up the key k23
- To amplify the secrecy of key k12, W1 asks W3 to exchange an additional key with W2.

Secrecy Amplification

[Figure: nodes W1, W2 and W3]

- W1 → W3 : {W1, W2, N1}k13
- W3 → W2 : {W1, W2, N1}k23
- W2 computes : k′12 = H(k12 || N1)
- W2 → W1 : {N1, N2}k′12
- W1 → W2 : {N2}k′12
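The five-step exchange above, written out as an added Python example (not code from the slides or the paper), together with a check of which leaked keys let a black node derive k′12. The {…}k encryption is a stand-in built from HMAC-SHA256 because the slides name no cipher; H is taken to be SHA-256, and the function names, 2-byte node names and 16-byte nonces are assumptions.

```python
import hashlib
import hmac
import os

ID_LEN, NONCE_LEN = 2, 16  # constructed sizes: 2-byte node names, 16-byte nonces

def keystream(key, iv, n):
    """HMAC-SHA256 in counter mode; stand-in cipher, the slides name none."""
    blocks = (hmac.new(key, b"enc" + iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """{plaintext}key as encrypt-then-MAC: returns iv || ciphertext || tag."""
    iv = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(key, iv, len(plaintext))))
    return iv + ct + hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag, then decrypt; raises ValueError on a wrong key."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified message")
    return bytes(c ^ s for c, s in zip(ct, keystream(key, iv, len(ct))))

def H(data):
    return hashlib.sha256(data).digest()  # assumed hash function

def amplify(k12, k13, k23):
    """Run the five steps; return (k'12 at W1, k'12 at W2, messages on the air)."""
    air = []
    # 1. W1 -> W3 : {W1, W2, N1}k13
    n1 = os.urandom(NONCE_LEN)
    air.append(seal(k13, b"W1" + b"W2" + n1))
    # 2. W3 -> W2 : {W1, W2, N1}k23  (W3 re-encrypts under its key with W2)
    air.append(seal(k23, unseal(k13, air[0])))
    # 3. W2 computes k'12 = H(k12 || N1)
    n1_at_w2 = unseal(k23, air[1])[2 * ID_LEN:]
    k12p_w2 = H(k12 + n1_at_w2)
    # 4. W2 -> W1 : {N1, N2}k'12
    n2 = os.urandom(NONCE_LEN)
    air.append(seal(k12p_w2, n1_at_w2 + n2))
    k12p_w1 = H(k12 + n1)
    reply = unseal(k12p_w1, air[2])
    if reply[:NONCE_LEN] != n1:
        raise ValueError("W2 did not echo N1")
    # 5. W1 -> W2 : {N2}k'12
    air.append(seal(k12p_w1, reply[NONCE_LEN:]))
    if unseal(k12p_w2, air[3]) != n2:
        raise ValueError("W1 did not echo N2")
    return k12p_w1, k12p_w2, air

def black_node_derives(air, leaked):
    """Black node recorded `air`; `leaked` maps the names of keys it overheard
    during key infection to their bytes. Returns k'12, or None if it cannot."""
    if "k12" not in leaked:
        return None
    for name, msg in (("k13", air[0]), ("k23", air[1])):
        if name in leaked:
            n1 = unseal(leaked[name], msg)[2 * ID_LEN:]
            return H(leaked["k12"] + n1)
    return None  # N1 only travelled under k13 and k23

if __name__ == "__main__":
    k12, k13, k23 = (os.urandom(16) for _ in range(3))
    at_w1, at_w2, air = amplify(k12, k13, k23)
    print("W1 and W2 agree:", at_w1 == at_w2)
    print("k12 alone suffices:", black_node_derives(air, {"k12": k12}) is not None)
    print("k12 + k13 suffice:", black_node_derives(air, {"k12": k12, "k13": k13}) == at_w1)
```

A black node that overheard only k12 gains nothing from recording the exchange; it needs k12 and at least one of the two keys along the W3 path.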

Key Establishment

- Uniformly distributed, 1000 white dust equals transmission range
- Key infection vs. Key whispering
  - d, average number of neighbors of a node
  - other columns show the ratio of the links

Key Establishment

- Key infection vs. Secrecy Amplification
  - d, average number of neighbors of a node
  - other columns show the ratio of the links
- Here, the secrecy amplification is improved

Secrecy Amplification

- The tables list the ratio of links for a density α of black dust nodes: 1%, 2% & 3%
- SA is not limited to two path hops
- Source routing algorithms in sensor networks give limited information
- SA is significantly better because of its complexity.

Multihop Keys

- When we link W1 & W2 with W3, then we can invoke W2 to set up a key with the help of W1 & W3
- This has 2 purposes
  - Supports end-to-end cryptography
  - Energy efficient for base-to-node communications
- When memory is not restricted, multihop keying may seem like a natural mechanism to use.

Multihop Keys

- In Smart Dust, memory size & cost of messages are limited, and there are limited types of traffic:
  - Messages between base stations & nodes
  - local routing messages
  - time beacons, i.e., broadcast of signals
- Here, base-to-node traffic should be end-to-end encrypted

Interaction with Routing Algorithms

- Existing prototypes use strategies that are based on dynamic source routing mechanisms.
- Multipath key infection automatically discovers multipaths that are used
- Here, the analogy with biological infection begins to break down
- Multihop keying enables keying to try different logical paths along the same physical path

Interaction with Routing Algorithms

- Identify & isolate faulty or subverted node
- If pairs of motes can no longer route to each other, then a recovery phase may be initiated.
- This involves back-up nodes, re-run of the network discovery algorithm, sticky random routing.
- Most sensor networks do not need to do mobile routing

Interaction with Routing Algorithms

- Topology can be changed
  - when the battery is exhausted, and
  - a node is destroyed
- In future, we need routing strategies that work for mobile principals.

Key Establishment

- Key whispering vs. Secrecy Amplification
  - Here, the basic key infection uses key whispering
  - d, average number of neighbors of a node
  - Other columns show the ratio of the links
- Table shows the improvement of secrecy amplification over key infection

Key Establishment

- Basic two-hop key infection, with multipath extension
  - d, average number of neighbors of a node
  - basic column, return path of the key infection is the same as the forward path
  - m-path column, return path of the key infection is different from the forward path

Experiment Results

KI, KW, SA over KW

<table1> <table2> <table3>

Other Applications

- Peer-to-peer systems typically start out optimistically with a large number of hopefully trustworthy nodes
- ‘Black’ nodes join once the network starts to operate, and ‘white’ nodes may be subverted (e.g., by court order)
- Here too the issue isn’t the initial key bootstrapping, but resilience in the face of what happens later

Other Applications

- Subversive networks are similar. Law enforcement can only monitor so many people, and so many phones…
- Once subversive activity manifests, the task is to penetrate a network that may have been fairly open at the start, but has now closed up
- Again, the important aspect is not the initial bootstrapping, but the subsequent lockdown, and any associated resilience

Security Economic Issues

- Economics provide the big showstopper for security in general
- Here, the game depends on both initial and marginal costs of attack and defense
- Initial keying increases initial cost to both
- Equilibrium depends on marginal costs - defender efforts vs. attacker resilience

Security Economy Issues

- Logically, the defender will give up, or the attacker will have to go all out to maintain the network
- Attacker will logically make marginal investment in resilience, not bootstrapping

Research Problems

- What are the relative costs of key establishment vs. maintenance in different types of network?
- What are the best attack and defense strategies at equilibrium?
- What’s the interaction with routing algorithms?
- Can you deal with new motes joining?

Research Problems

- Can you have multiple virtual networks (‘United Nations Dust’)?
- Can multiple users interact locally (‘Neighborhood Watch Dust’)?

Conclusion

- Sensor networks present interesting and novel protection problems
- They provide a tractable model for bigger problems, from P2P network design to some real-world policing problems
- Challenge the conventional wisdom that authentication is about trust bootstrapping

Conclusion

- In many real social networks, trust is more about group reinforcement / bonding
- Will future pervasive computing systems be command-and-control, or societal?

Questions???

References

- R. Blom. Non-public key distribution. In Advances in Cryptology: Proceedings of Crypto ’82, pages 231–236, 1982.
- C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung. Perfectly-secure key distribution for dynamic conferences. In Advances in Cryptology - Crypto ’92, pages 471–486, 1992.
- D. Liu and P. Ning. Location-based pairwise key establishments for static sensor networks. In ACM Workshop on Security in Ad Hoc and Sensor Networks (SASN ’03), Oct. 2003.
- K. Sirois and S. Kent. Securing the nimrod routing architecture. In Proceedings of the Symposium on Network and Distributed Systems Security (NDSS ’97). Internet Society, Feb 1997.