Distribution and Revocation of Cryptographic Keys in Sensor Networks

Amrinder SinghDept. of Computer Science

Virginia Tech

Agenda

Introduction Contributions Key Distribution Schemes Proposed Protocol Properties of Key Revocation Proof of Properties Conclusions

Introduction Complexity of secure

communication Large number of nodes No knowledge of topology before hand Limited resources Exposure of nodes to adversary

Possible key revocation schemes Centralized Distributed

Contributions

Rigorous definition of distributed revocation properties

A general active adversary model Protocol for distributed Key

revocation

Key Distribution Schemes Fully Pairwise-Shared Keys

Every node shares key with every other node

Large number of keys Use of Trusted KDC

KDC distributes keys Small number of keys Centralized point of attack

λ-Secure n x n Keys Property of λ-Security

Key Distribution Schemes

Random Key Distribution Scheme Key Ring of size m Key pool of size |Q| 2 random subsets of size m will share

at least 1 key with probability p Use of q-composite keys Tradeoff between initial resistance to

subsequent weakness

Key Distribution Schemes

Random Pairwise Keys Proposed by Chan et al Preload just m keys, where m<<n Node share a key with neighbor with

probability p Can provide node authentication

Key Distribution Schemes MultiSpace Keys

Select pools of keyspaces Common keyspace provide λ-security

Deterministic Key Predistribution Allocation to ensure key sharing Memory is O(√n) Same keys could be shared between

many nodes

Node Revocation Problem Takes place in presence of active

adversaries Adversaries can modify and monitor

messages Limited resources available Distributed Scheme is more useful

Decisions made by neighbors Decision can be made faster More complex

Attacker & Communications Model

Adversary has universal communication presence

Adversary can perform chosen node compromise

Compromised nodes collaborate Adversary cannot block or

significantly delay communications

Assumptions Deployment Atomicity

Do not occur while there are active revocation sessions in the network

Locality Restriction of Compromised Nodes Nodes cannot replicate and move to other

places in the network Node Degrees

Number of local participants, di>>t Adversary can attempt to reduce degree of

legitimate nodes

Assumptions Node Revocation Events are visible to the

neighborhood Malicious nodes providing spurious revocations

Revocation Sessions are always available Revocation attempts by legitimate nodes are

infrequent Malicious node tries to exhaust revocation

sessions against target, known by neighborhood Do not assume time synchronization

Cryptographic Primitives

Random polynomial q(x) = a0 + a1x + a2x2 +… + at-1xt-1

Cryptographic Hash 1 way function, hash of coefficients

Authenticated Encryption Detect ciphertext forgeries Detect false decryption keys

Merkle Tree

Secret Share

How to divide data D into n pieces in such a way that D is easily reconstructable from any k pieces, but even complete knowledge of k - 1 pieces reveals absolutely no information about D.

Offline Node Initialization

Stages of Revocation A is initially in pending state for session s When 1st vote is cast or received, it moves

to active state It records votes of other participants After Δs time, it moves to completed state For full dissemination of messages,

Δs>2Δc, where Δc is the time to propagate a message in the neighborhood

Voting in Revocation Session

When node A detects compromise, it votes in this session and the next

It transmits (qBs(XABs), XABs)

Also transmits (log m) Merkle tree authentication hash values

Completing Revocation Session

If A receives t votes Able to compute qBs

Transmits Hash of the polynomial Other nodes verify this hash and delete the

shared keys with the target Otherwise

Session number is updated All nodes privately notify base station of

failed revocation

Properties of Distributed Revocation

Completeness If a compromised node is detected by t or

more uncompromised neighboring nodes, then it is revoked from the entire network permanently.

Soundness If a node is revoked from the network using

this scheme, then at least t nodes must have agreed on its revocation.

Properties of Distributed Revocation Bounded Time Revocation

Completion Revocation decision and execution occur

within a bounded time period from the time of sending of the first revocation vote.

Unitary Revocation Revocations of nodes are unitary (all-or-

nothing) in the network. Specifically, if a node is revoked in one part of the network, then it will be revoked in the whole network.

Properties of Distributed Revocation

Revocation attack resistance If c nodes are compromised, then they can

only revoke at most αc other nodes where α is a constant and α<<m/t .

Comes from definition of Revocation AttackAn attack where an adversary uses the distributed node revocation protocol to selectively revoke uncompromised nodes from the network.

Session Agreement Two nodes are in session agreement with

respect to a target node at some instant in time if, for some session s, either session s is pending for both nodes, session s is active for both nodes, session s is active for one node B and session

s is completed for another node A, but session s is completing within time Δc for node B, or

session s is active for one node A and pending for the other node B, but node B is activating session s within Δc time.

Lemmas

Every node is deployed with the correct current revocation session for its participants.

At any given point in time, any two uncompromised local participants are in session agreement for any target node.

Proof of Lemma

Case1 Session s is pending for both nodes at

time T, and at time T+ε, node A activated session s.

Case2 Session s is active for both nodes at

time T. At time T+ε, node A completed session s, but node B still has the session active.

Proof of Lemma

Case3 Session s is active for node B and

session s is complete for node A at time T. At time T+ε, session s has completed for node B.

Case4 At time t, session s is active for A and

pending for B. At time T+ε, session s has completed for node A.

Proof for Completeness Node B has lowest session number Arbitrary Node A Case1

Session s is pending for B Node A has either session s pending or active

Case2 Session s-1 is active for B

Node A has session s-1 pending or s-1 active or s pending or s active

Proof for Soundness

If Node C is revoked, H(qcs) is broadcast

For this qcs must be obtained By secret share, only possible from

t shares

Proof for Bounded Time Revocation

First vote cast at time T All nodes activate session within

T+Δc Decision taken within time Δs Time to propagate decision is Δd Total time is bounded

Proof for Unitary Revocation Case 1

Node is revoked in 1 part of the network Correct value of qcs is received and

transmitted and revoked in time Δd Case 2

If a node is not revoked in some part of the network, then it was not revoked in any part of the network in the time prior to the last Δd

Proof for Attack Resistance Each compromised node can form

connections with di nodes Thus, each compromised node can

unmask at most di votes each. The total number of unmasked votes is thus

Conclusions

Overview of key distribution techniques Precise formulation of distributed

revocation problem Protocol for distributed revocation Distributed algorithms are more

complex but are faster than centralized Avoidance of single point of failure

Questions?