CSC 774 Advanced Network Security - Nc State Universitydiscovery.csc.ncsu.edu/Courses/csc774-S07/T06_RandomKPD.ppt.pdf · 1 Dr. Peng Ning CSC 774 Adv. Net. Security 1 Computer Science

1

Dr. Peng Ning CSC 774 Adv. Net. Security 1

Computer Science

CSC 774 Advanced Network Security

Topic 6. Random Key Pre-Distribution inWireless Sensor Networks

Dr. Peng NingCSC 774 Adv. Net. Security 2Computer Science

Wireless Sensor Networks

sensor

Communicationand processing

module

1. Network protocol (e.g., routing)2. Data management (e.g., aggregation)3. Localization and time synchronization4. Energy management, robustness,etc.5. Security

Node to node

Node to sink Group communication

a. Key managementb. Broadcast authentication

Location?

c. Security of fundamental servicesd. Detection of attacks, etc.

2


Wireless Sensor Networks (Cont’d)

• Composed of– Low cost, low power, and multifunctional nodes– Wireless communication in short distances

• Sensor node– Sensing– Data processing– Communication– Unattended


Security in Sensor Networks

• Sensor network security– Key management– Point-to-point authentication– Encryption– Broadcast authentication– Secure localization– Secure clock synchronization– …

3


Challenges in Sensor Network Security

• Resource constraints– Limited storage, computation, and communication

• Expensive mechanisms such as public key cryptographyis not practical

– Depletable resources (e.g. battery power)• Resource consumption attacks

• Threat of node compromises– Sensor nodes are usually deployed in an

unattended fashion– Subject to node captures


Challenges (Cont’d)

• Local computation/communication v.s. globalthreat– Sensor network applications often depend on local

computation and communication due to resourceconstraints

– A determined attacker may• Attack any node in a network, and• Use information gathered from compromised nodes to

attack non-compromised ones

4


Establishing Pairwise Keys in SensorNetworks• Traditional techniques are not practical in

sensor networks– Public cryptography: not practical– Key distribution centers (KDC): not practical


Computer Science

Probabilistic Key Pre-Distribution

5


Probabilistic Key Pre-Distribution

• Basic idea– Assign a random subset of keys of a key pool to

each node– Two nodes can establish secure communication if

they have at least one common key

A set of random keys

i

j


Probabilistic Key Pre-Distribution (Cont’d)

• Key distribution (three phases)– Key pre-distribution– Shared-key discovery– Path-key establishment

6



• Key pre-distribution– Generate a large pool of P keys and their ids– For each sensor, random draw k keys out of P

without replacement• This forms the key ring of the sensor

– Load the key ring into the memory of the sensor– Save the key ids of each key ring and the sensor id

on a trusted controller– For each node, load the i-th controller node with

the key shared with that node.



• Key pre-distribution (Cont’d)– Parameters k and P are critical

• Only a small number of keys need to be placed on eachnode’s key ring

• Any two nodes share at least a key with a chosenprobability

7



• Shared-key discovery– Each node discovers its neighbors in wireless

communication range with which it shares keys– Method 1:

• Each node broadcasts the list of key ids on its key ring• Give an adversary additional knowledge of key

distribution• No direct ways to comprise keys



• Shared-key discovery (Cont’d)– Method 2 (private shared-key discovery)

• For each key on a key ring, each node broadcasts a list– α, EKi(α), i= 1, …, k, where α is a challenge

• If a node receives this list, it tries to decrypt each cipher-text with every key it has

• The node establishes a shared key if it can successfullydecrypt a cipher-text

8



• Path-key establishment– Assign a path-key to selected pairs of nodes that

• Are in wireless communication range• Do not share a common key• But are connected by two or more links at the end of

shared-key discovery– Established through those links



• Revocation– Revoke the entire key ring of a compromised node– A controller node broadcasts a single revocation

message containing a signed list of key ids for therevoked key ring

• The controller generates a signature key Ke, and unicastsit to each node by encrypting it with the key they share.

– Each node verifies the signed list of key ids, andremoves those keys from its key ring

9



• Re-keying– Restart shared-key discovery and path-key

discovery


Analysis

• Model a sensor network as a random graph– All the sensor nodes are the vertices in the graph– There is an edge between two vertices if the corresponding

nodes share a common key• Analysis questions

– What should be the expected degree (d) of a node so that asensor network with n nodes is connected?

– Given d and the size of a neighborhood (n’), what should bethe key ring size (k) and key pool size (P) for a networkwith n nodes?

10


Analysis (Cont’d)

• What should be the expected degree (d) of a node so that asensor network with n nodes is connected?– Answered by random graph theory– G(n, p): a graph of n nodes for which the probability that a link exists

between two nodes is p.– d = p * (n-1): expected degree of a node (i.e. the average number of

edges connecting that node with its neighbors).• Erdös and Rényi’s Equation:

– Given a desired probability Pc for graph connectivity and number ofnodes, n, the threshold function p is defined by:

– where

!

Pc = limn"#

Pr[G(n, p) is connect] = e$e

$ c

!

p =ln(n)

n+c

n and c is any real constant.


Analysis (Cont’d)

11


Analysis (Cont’d)

• Given d and the size of a neighborhood (n’), what should bethe key ring size (k) and key pool size (P) for a network with nnodes?– p’: probability of sharing a key between any two nodes in a

neighborhood (p’=d/(n’-1))– p’ = 1 − Pr[two nodes do not share any key]

• Simplify with Stirling’s approximation

!

p'=1"((P " k)!)

2

(P " 2k)!P!

!

n!" 2# nn+1

2e$n

!

p'=1"(1" k

P)2(P"k+

1

2)

(1" 2kP)(P"2k+

1

2)


Analysis (Cont’d)

12


Improvements for the Probabilistic KeyPre-Distribution• q-composite key pre-distribution

– Two nodes have to have at least q shared keys toderive a valid pairwise key

– Better resilience when the number of compromisednodes is small

• Multi-path enforcement– Derive each path key through multiple node-

disjoint paths, each of which derives one sub-key– Path key is the XOR of all sub keys– Better resilience to compromised nodes in key

paths


Random Pairwise Keys Scheme

• Approach– Calculate the smallest probability p of two nodes

being connected so that the entire network isconnected with a high probability.

– Consider a network of n nodes– Each node needs to store np pairwise keys

• Limitation– The network size is limited by n=m/p, where m is

the available memory on each node for keys

13


Computer Science

Polynomial Pool Based KeyPre-Distribution


Outline

• Background– Polynomial based key predistribution

• A framework for key predistribution in sensornetworks– Polynomial pool based key predistribution

• Two efficient key predistribution schemes– Random subset assignment– Grid based key predistribution

• Efficient implementation in sensor networks• Conclusion and future work

14


Polynomial Based Key Predistribution

• By Blundo et al. [CRYPTO ‘92]– Developed for group key predistribution– We consider the special case of pairwise key predistribution

• Predistribution:– The setup server randomly generates

where f (x,y) = f (y, x)– Each sensor i is given a polynomial share f(i, y)

• Key establishment:– Node i computes f (i, y = j) = f (i, j)– Node j computes f (j, y =i) = f (j, i) = f (i, j)

!

f (x,y) = aij xiyj

i, j= 0

t

" ,


Polynomial Based Key Predistribution(Cont’d)• Security properties (by Blundo et al.)

– Unconditionally secure for up to t compromised nodes• Performance

– Storage overhead at sensors: (t +1)log q bits– Computational overhead at sensors: t modular

multiplications and t modular additions– No communication overhead

• Limitation – Insecure when more than t sensors are compromised– An invitation for node compromise attacks

15


Polynomial Pool Based Key Predistribution

• A general framework for key predistributionbased on bivariate polynomials– Let us use multiple polynomials

• A pool of randomly generated bivariatepolynomials

• Two special cases– One polynomial in the polynomial pool

• Polynomial based key predistribution– All polynomials are 0-degree ones

• Key pool by Eschenauer and Gligor


f1(x,y), f2(x,y), …, fn(x,y)

Random polynomial poolF

A subset: {fj(i, y), …, fk(i, y)}

i

Polynomial Pool Based Key Predistribution(Cont’d)• Phase 1: Setup

– Randomly generates a set F of bivariate t-degreepolynomials

– Subset assignment: Assign a subset of polynomials in F toeach sensor

16


Polynomial Pool Based Key Predistribution(Cont’d)• Phase 2: Direct Key Establishment

– Polynomial share discovery: Communicating sensorsdiscover if they share a common polynomial

• Pairwise keys can be derived if they share a commonpolynomial.

– Two approaches:• Predistribution:

– Given predistributed information, a sensor candecide if it can establish a direct pairwise key withanother sensor.

• Real-time discovery:– Sensors discover on the fly if they can establish a

direct pairwise key.


Polynomial Pool Based Key Predistribution(Cont’d)• Phase 3: Path Key Establishment

– Establish pairwise keys through other sensors if twosensors cannot establish a common key directly

– Path discovery• Node i finds a sequence of nodes between itself and node j such

that two adjacent nodes can establish a key directly• Key path: the above sequence of nodes between i and j

– Two approaches• Predistribution

– Node i can find a key path to node j based on predistributedinformation

• Real-time discovery– Node i discover a key path to node j on the fly

17


Random Subset Assignment Scheme

• An instantiation of the polynomial pool-basedkey predistribution.

• Subset assignment: random

f1(x,y), f2(x,y), …, fn(x,y)

Random polynomial poolF

A random subset: {fj(i, y), …, fk(i, y)}

i


Random Subset Assignment (Cont’d)

• Polynomial share discovery– Real-time discovery

i

fj, …, fk

Broadcast IDs in clear text. Broadcast a list of challenges.

i

α, Ekv(α), v = 1, …, m.

18


Random Subset Assignment (Cont’d)

• Path discovery– i and j use k as a KDC– Alternatively, i contacts nodes with which it shares a key;

any node that also shares a key with j replies.– Each key path has 2 hops

i j

k


0

0.2

0.4

0.6

0.8

1

1.2

0 10 20 30 40 50 60 70 80 90

s

p

s'=2 s'=3 s'=4 s'=5

Probability of Sharing Direct Keys betweenSensors

• s: polynomial pool size• s’: number of polynomial shares for each sensor• p: probability of sharing a polynomial between two sensors

19


Probability of Sharing Keys betweenSensors

0

0.2

0.4

0.6

0.8

1

1.2

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

p

Ps

d=20 d=40 d=60 d=80 d=100

• d: number of neighbors• p: probability that two sensors share a polynomial• ps: probability of sharing a common keyNote: each key path is at most two hops


Dealing with Compromised Sensors

0

0.2

0.4

0.6

0.8

1

1.2

0 100 200 300 400 500 600 700 800 900 1000

Number of compromised nodes

Fra

cti

on

of

co

mp

rom

ised

lin

ks b

etw

een

no

n-

co

mp

rom

ised

sen

so

rs

RS(s'=2,s=11,t=99) RS(s'=3,s=25,t=66) RS(s'=4,s=43,t=49)

q-composite(q=1) q composite(q=2) q composite(q=3)

Basic probabilistic

• Comparison with basic probability and q-composite schemes– Probability to establish direct keys p = 0.33– Each sensor has storage equivalent to 200 keys

20


Dealing with Compromised Sensors(Cont’d)

0

0.2

0.4

0.6

0.8

1

1.2

0 500 1000 1500 2000 2500 3000 3500 4000

Maximum supported network size

Pro

bab

ilit

y o

f sh

ari

ng

a c

om

mo

n

key

RS(s'=2,t=99) RS(s'=6,t=32) RS(s'=10,t=19) Random pairwise keys

• Comparison with random pairwise keys scheme– Assume perfect security against node compromises

• Each polynomial is used at most t times in our scheme– Each sensor has storage equivalent to 200 keys


Grid Based Key Predistribution• Create a m×m grid• Each row or column is

assigned a polynomial• Assign each sensor to an

interaction• Assign each sensor the

polynomials for the rowand the column of itsintersection– Sensor ID: coordinate

• There are multiple waysfor any two sensors toestablish a pairwise key

21


Grid Based Key Predistribution (Cont’d)

• Order of node assignment


Grid Based Key Predistribution (Cont’d)

• Polynomial share discovery– No communication overhead

Same row

Same column

22


Grid Key Predistribution (Cont’d)

• Path discovery– Real-time discovery– Paths with one

intermediate node– Paths with two

intermediate nodes– They know who to

contact!


Properties

1. Any two sensors can establish a pairwise key whenthere is no compromised node;

2. Even if some sensors are compromised, there is stilla high probability to establish a pairwise keybetween non-compromised sensors;

3. A sensor can directly determine whether it canestablish a pairwise key with another node.

23


Dealing with Compromised Sensors

0

0.2

0.4

0.6

0.8

1

1.2

0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000

Number of compromised nodes

Fra

cti

on

of

co

mp

rom

ise

d l

ink

s

be

twe

en

no

n-c

om

pro

mis

ed

se

ns

ors

Basic probabilistic(p=0.014) Basic probabilistic(p=0.33)

q-composite(q=1,p=0.014) q-composite(q=1,p=0.33)

RS(s'=2,s=287,t=99,p=0.014) RS(s'=2,s=11,t=99,p=0.33)

Grid-based(N=20000,p=0.014)

• Comparison with basic probabilistic scheme, q-compositescheme, and random subset assignment scheme– Assume each sensor has storage equivalent to 200 keys


Dealing with Compromised Sensors (Cont’d)

0

0.2

0.4

0.6

0.8

1

1.2

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

Fraction of compromised nodes

Pro

bab

ilit

y t

o e

sta

blish

pair

wis

e

keys

d=1 d=3 d=5

d=7 d=9

• Probability to establish pairwise keys when there arecompromised sensors– d: number of non-compromised sensors to contact– Assume each sensor has storage equivalent to 200 keys

24


Implementation

• Observations– Sensor IDs are chosen from a field much smaller than cryptographic

keys• Field for cryptographic keys: Fq• Field for sensor IDs: Fq’

– Special fields: q’=216+1, q’ = 28+1• No division operation is needed for modular multiplications

l bits each

f1(i,y) f2(i,y) fr(i,y)

Sensor ID j

Key: n bits

Polynomials over Fq’ Same storage as 1 polynomial over Fq


Implementation (Cont’d)

• Lemma 1. In this implementation, the entropy of thekey for a coalition of no more than t other sensors is

where and .• Examples

– 64 bit keys– When q’=216+1, the above entropy is 63.9997 bits– When q’ = 28+1, the above entropy is 63.983 bits

!

r " [log2 q'#(2 #2l+1

q')]

!

l = log2 q'" #

!

r =n

l

"

# # $

% %

25


TinyKeyMan

• Polynomial pool based key pre-distribution onTinyOS– http://discovery.csc.ncsu.edu/software/TinyKeyMan/

Documents

CSC 774 Advanced Network Security - Nc State Universitydiscovery.csc.ncsu.edu/Courses/csc774-S07/T06_RandomKPD.ppt.pdf · 1 Dr. Peng Ning CSC 774 Adv. Net. Security 1 Computer Science