Distribution and Revocation of Cryptographic Keys in Sensor Networks
Amrinder Singh
Dept. of Computer Science
Virginia Tech
Agenda
Introduction
Contributions
Key Distribution Schemes
Proposed Protocol
Properties of Key Revocation
Proof of Properties
Conclusions
Introduction
Complexity of secure communication
  Large number of nodes
  No knowledge of topology beforehand
  Limited resources
  Exposure of nodes to adversary
Possible key revocation schemes
  Centralized
  Distributed
Contributions
Rigorous definition of distributed revocation properties
A general active adversary model
Protocol for distributed key revocation
Key Distribution Schemes
Fully Pairwise-Shared Keys
  Every node shares key with every other node
  Large number of keys
Use of Trusted KDC
  KDC distributes keys
  Small number of keys
  Centralized point of attack
λ-Secure n x n Keys
  Property of λ-Security
Key Distribution Schemes
Random Key Distribution Scheme
  Key ring of size m
  Key pool of size |Q|
  2 random subsets of size m will share at least 1 key with probability p
  Use of q-composite keys
  Tradeoff between initial resistance and subsequent weakness
Key Distribution Schemes
Random Pairwise Keys
  Proposed by Chan et al.
  Preload just m keys, where m << n
  Node shares a key with neighbor with probability p
  Can provide node authentication
Key Distribution Schemes
MultiSpace Keys
  Select pools of keyspaces
  Common keyspace provides λ-security
Deterministic Key Predistribution
  Allocation to ensure key sharing
  Memory is O(√n)
  Same keys could be shared between many nodes
Node Revocation Problem
Takes place in presence of active adversaries
Adversaries can modify and monitor messages
Limited resources available
Distributed scheme is more useful
  Decisions made by neighbors
  Decision can be made faster
  More complex
Attacker & Communications Model
Adversary has universal communication presence
Adversary can perform chosen node compromise
Compromised nodes collaborate
Adversary cannot block or significantly delay communications
Assumptions
Deployment Atomicity
  Deployments do not occur while there are active revocation sessions in the network
Locality Restriction of Compromised Nodes
  Nodes cannot replicate and move to other places in the network
Node Degrees
  Number of local participants, $d_i \gg t$
  Adversary can attempt to reduce degree of legitimate nodes
Assumptions
Node Revocation Events are visible to the neighborhood
  Malicious nodes providing spurious revocations
Revocation Sessions are always available
  Revocation attempts by legitimate nodes are infrequent
  Malicious node tries to exhaust revocation sessions against target, known by neighborhood
Do not assume time synchronization
Cryptographic Primitives
Random polynomial $q(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1}$
Cryptographic Hash
  One-way function, hash of coefficients
Authenticated Encryption
  Detect ciphertext forgeries
  Detect false decryption keys
Merkle Tree
Secret Share
How to divide data D into n pieces in such a way that D is easily reconstructable from any k pieces, but even complete knowledge of k - 1 pieces reveals absolutely no information about D.
Offline Node Initialization
Stages of Revocation
A is initially in pending state for session s
When 1st vote is cast or received, it moves to active state
  It records votes of other participants
After Δs time, it moves to completed state
For full dissemination of messages, Δs > 2Δc, where Δc is the time to propagate a message in the neighborhood
Voting in Revocation Session
When node A detects compromise, it votes in this session and the next
It transmits $(q_{Bs}(X_{ABs}),\ X_{ABs})$
Also transmits (log m) Merkle tree authentication hash values
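
An added Python example (not from the presentation) of how a receiver could check a vote against the log m Merkle authentication values sent with it. The leaf encoding, the 0x00/0x01 domain-separation bytes, the preloaded root, the voter index and all function names are assumptions; m is taken to be a power of two.

```python
import hashlib

def h(data):
    return hashlib.sha256(data).digest()

def leaf_hash(vote):
    """Leaf = hash of one vote (q(x), x); 0x00 prefix separates leaves from nodes."""
    y, x = vote
    return h(b"\x00" + y.to_bytes(16, "big") + x.to_bytes(16, "big"))

def build_tree(votes):
    """Offline: all tree levels, leaves first. Receivers keep only the root."""
    if len(votes) & (len(votes) - 1) or not votes:
        raise ValueError("this example needs m to be a power of two")
    levels = [[leaf_hash(v) for v in votes]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(b"\x01" + prev[i] + prev[i + 1])
                       for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels, index):
    """The log2(m) sibling hashes the voter sends along with its vote."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def verify_vote(vote, index, path, root):
    """Recompute the root from the vote and its path; reject on mismatch."""
    node = leaf_hash(vote)
    for sibling in path:
        pair = node + sibling if index % 2 == 0 else sibling + node
        node = h(b"\x01" + pair)
        index //= 2
    return node == root

if __name__ == "__main__":
    votes = [(1000 + i, i + 1) for i in range(8)]  # constructed votes, m = 8
    levels = build_tree(votes)
    print(verify_vote(votes[5], 5, auth_path(levels, 5), levels[-1][0]))
```

A vote whose value was altered in transit, or one presented under another voter's index, recomputes to a different root and is dropped before it is counted.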
Completing Revocation Session
If A receives t votes
  Able to compute $q_{Bs}$
  Transmits hash of the polynomial
  Other nodes verify this hash and delete the shared keys with the target
Otherwise
  Session number is updated
  All nodes privately notify base station of failed revocation
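
The threshold mechanics from the Secret Share and Completing Revocation Session slides, as an added Python example that is not code from the presentation: votes are points (q(x), x) on a polynomial of degree t-1, and only t distinct votes rebuild coefficients whose hash matches. The prime field P, the SHA-256 coefficient digest held by verifiers, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

P = 2**127 - 1  # prime modulus; an assumption, the slides do not fix a field

def coeff_hash(coeffs):
    """Hash of the polynomial's coefficients (SHA-256 is an assumed choice)."""
    return hashlib.sha256(b"".join(c.to_bytes(16, "big") for c in coeffs)).hexdigest()

def make_session(t):
    """Offline setup: random q(x) of degree t-1 plus the digest verifiers hold."""
    coeffs = [secrets.randbelow(P) for _ in range(t)]
    return coeffs, coeff_hash(coeffs)

def evaluate(coeffs, x):
    """q(x) mod P by Horner's rule; a vote is the pair (q(x), x)."""
    y = 0
    for a in reversed(coeffs):
        y = (y * x + a) % P
    return y

def interpolate(votes):
    """Lagrange interpolation: coefficients of q from votes with distinct x."""
    coeffs = [0] * len(votes)
    for i, (yi, xi) in enumerate(votes):
        basis, denom = [1], 1  # basis = product over j != i of (X - xj)
        for j, (_, xj) in enumerate(votes):
            if j == i:
                continue
            shifted = [0] + basis                    # basis * X
            scaled = [b * xj for b in basis] + [0]   # basis * xj
            basis = [(a - b) % P for a, b in zip(shifted, scaled)]
            denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        for k, b in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * b) % P
    return coeffs

def try_revoke(votes, t, expected_hash):
    """True only if t distinct votes rebuild a q matching the held digest."""
    distinct = {x: y for y, x in votes}  # a replayed vote counts once
    chosen = [(y, x) for x, y in distinct.items()][:t]
    return len(chosen) == t and coeff_hash(interpolate(chosen)) == expected_hash

if __name__ == "__main__":
    q, digest = make_session(3)  # constructed session, threshold t = 3
    votes = [(evaluate(q, x), x) for x in (11, 22, 33)]  # constructed votes
    print(try_revoke(votes[:2], 3, digest), try_revoke(votes, 3, digest))
```

With t-1 votes, or with t votes where one is replayed or altered, the reconstruction does not match the digest, which is the behaviour the soundness property relies on.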
Properties of Distributed Revocation
Completeness
  If a compromised node is detected by t or more uncompromised neighboring nodes, then it is revoked from the entire network permanently.
Soundness
  If a node is revoked from the network using this scheme, then at least t nodes must have agreed on its revocation.
Properties of Distributed Revocation
Bounded Time Revocation Completion
  Revocation decision and execution occur within a bounded time period from the time of sending of the first revocation vote.
Unitary Revocation
  Revocations of nodes are unitary (all-or-nothing) in the network. Specifically, if a node is revoked in one part of the network, then it will be revoked in the whole network.
Properties of Distributed Revocation
Revocation attack resistance If c nodes are compromised, then they can
only revoke at most αc other nodes where α is a constant and α<<m/t .
Comes from definition of Revocation AttackAn attack where an adversary uses the distributed node revocation protocol to selectively revoke uncompromised nodes from the network.
Session Agreement
Two nodes are in session agreement with respect to a target node at some instant in time if, for some session s, either
  session s is pending for both nodes,
  session s is active for both nodes,
  session s is active for one node B and session s is completed for another node A, but session s is completing within time Δc for node B, or
  session s is active for one node A and pending for the other node B, but node B is activating session s within Δc time.
Lemmas
Every node is deployed with the correct current revocation session for its participants.
At any given point in time, any two uncompromised local participants are in session agreement for any target node.
Proof of Lemma
Case 1
  Session s is pending for both nodes at time T, and at time T+ε, node A activated session s.
Case 2
  Session s is active for both nodes at time T. At time T+ε, node A completed session s, but node B still has the session active.
Proof of Lemma
Case 3
  Session s is active for node B and session s is complete for node A at time T. At time T+ε, session s has completed for node B.
Case 4
  At time T, session s is active for A and pending for B. At time T+ε, session s has completed for node A.
Proof for Completeness
Node B has lowest session number
Arbitrary Node A
Case 1
  Session s is pending for B
  Node A has either session s pending or active
Case 2
  Session s-1 is active for B
  Node A has session s-1 pending or s-1 active or s pending or s active
Proof for Soundness
If Node C is revoked, $H(q_{Cs})$ is broadcast
For this, $q_{Cs}$ must be obtained
By secret share, only possible from t shares
Proof for Bounded Time Revocation
First vote cast at time T
All nodes activate session within T+Δc
Decision taken within time Δs
Time to propagate decision is Δd
Total time is bounded
Proof for Unitary Revocation
Case 1
  Node is revoked in 1 part of the network
  Correct value of $q_{Cs}$ is received and transmitted and revoked in time Δd
Case 2
  If a node is not revoked in some part of the network, then it was not revoked in any part of the network in the time prior to the last Δd
Proof for Attack Resistance
Each compromised node can form connections with $d_i$ nodes
Thus, each compromised node can unmask at most $d_i$ votes each.
The total number of unmasked votes is thus
Conclusions
Overview of key distribution techniques
Precise formulation of distributed revocation problem
Protocol for distributed revocation
Distributed algorithms are more complex but are faster than centralized
Avoidance of single point of failure
Questions?