
Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks

Random Key Predistribution Schemes for Sensor Networks

Presented by: Qin Chen

Outline

- Efficient Distribution of Key Chain Commitments
  - Background and Contributions
  - Five proposed schemes
  - Implementation and Experimental results
- Random Key Predistribution Schemes
  - Three schemes
  - Scalability
- Comparison and discussion

Background: µTESLA

- Based on symmetric cryptography
- Divide the time period into n intervals and assign different keys to different intervals; each key is disclosed after some fixed time interval
- Messages sent during a particular interval are authenticated by the key for that interval
- Disclosed keys are authenticated with a one-way hash key chain

Background

[Figure: µTESLA key chain K_0, K_1, K_2, K_3, ..., K_n linked by the one-way function F along a time axis; keys are assigned to time intervals and disclosed with delay = 2. Labels: Sender, Receiver, K_0.]

Security condition: [(T_c + Δ - T_0) / T_int] < I_i + d

- T_c: local time when the packet is received
- T_0: start time of interval 0
- T_int: duration of each time interval
- Δ: maximum clock difference

Bootstrap a new receiver:
- The receiver sends a request to the sender
- The sender replies with T_c, K_i, T_i, T_int, d

Contributions

- Use pre-determination and broadcast instead of unicast-based message transmission.
- Introduce a multi-level key chain scheme in which the higher-level key chains are used to authenticate the commitments of the lower-level ones.
- Propose periodic broadcast of commitment distribution messages (CDM) and random selection strategies to improve survivability and defeat some DOS attacks.
- Nice properties such as low overhead, tolerance of message loss, scalability, resistance to some DOS attacks, etc.


Scheme I: Predetermined Key Chain Commitment

Predetermine the following parameters along with the master key distribution during the initialization of the sensor nodes:
- Commitments
- Start time
- Other parameters

Shortcomings
- Long key chain or large time interval?
- Difficulties in setting up start time

Scheme II: Naïve Two-Level Key Chains

- To overcome the shortcomings of Scheme I, the paper puts forward naïve two-level key chains
- One high-level key chain and multiple low-level key chains
  - High-level key chain: broadcast CDM messages
  - Low-level key chain: broadcast actual data messages

[Figure: high-level key chain K_1, K_2, ..., K_n linked by F0; under each K_i, a low-level key chain K_{i,0}, K_{i,1}, K_{i,2}, ..., K_{i,m} linked by F1.]

Scheme II: Naïve Two-Level Key Chains

- To use the low-level key chain <K_{i,0}> during the time interval I_i, receivers must authenticate the commitment K_{i,0}
- Immediate authentication for CDM messages

CDM_i = i | K_{i+1,0} | H(K_{i+2,0}) | MAC_{K'_i}(i | K_{i+1,0} | H(K_{i+2,0})) | K_{i-1}

- Include the hash image of K_{i+2,0} in CDM_i
- In the time interval I, K_{i+1,0} could be authenticated

[Figure: high-level keys K_i, K_{i+1}, K_{i+2} and commitments K_{i+1,0}, K_{i+2,0}.]

Scheme II: Naïve Two-Level Key Chains

CDM_{i-2} = i-2 | K_{i-1,0} | H(K_{i,0}) | MAC_{K'_{i-2}}(i-2 | K_{i-1,0} | H(K_{i,0})) | K_{i-3}

CDM_{i-1} = i-1 | K_{i,0} | H(K_{i+1,0}) | MAC_{K'_{i-1}}(i-1 | K_{i,0} | H(K_{i+1,0})) | K_{i-2}

[Figure: high-level keys K_{i-2}, K_{i-1}, K_i linked by F0 over the time intervals I_{i-2}, I_{i-1}, I_i; under each, the low-level key chain K_{j,0}, K_{j,1}, K_{j,2}, ..., K_{j,m} linked by F1, for j = i-2, i-1, i.]

In the time interval I_{i-1}, the naïve two-level scheme can disclose the upper-level key K_{i-2} and authenticate the lower-level key K_{i,0}.

Scheme II: Naïve Two-Level Key Chains

Shortcoming: does not tolerate message loss as well as TESLA or µTESLA
- Normal message loss
- CDM message loss

[Figure: high-level keys K_i, K_{i+1}, K_{i+2} and the low-level key chains K_{i,0} ... K_{i,m}, K_{i+1,0} ... K_{i+1,m}, K_{i+2,0} ... K_{i+2,m}, with links labelled F0, F1 and F01 and one message marked "missing".]

Scheme III: Fault-Tolerant Two-Level Key Chains

- Tolerate normal message loss: further connect the low-level key chains and the high-level key chain
- Tolerate CDM message loss: rebroadcast CDM messages

K_{i,m} = F01(K_{i+1}), where F01 is a one-way hash function different from F0 and F1

[Figure: high-level keys K_i, K_{i+1}, K_{i+2} linked by F0; low-level key chains K_{i,0} ... K_{i,m}, K_{i+1,0} ... K_{i+1,m}, K_{i+2,0} ... K_{i+2,m} linked by F1; F01 connects each high-level key to the end of the preceding low-level chain.]

Scheme II: Naïve Two-Level Key Chains

- CDM messages are more attractive to attackers
- DOS attacks on CDM messages
  - Jamming
  - Smart attacks: change only the hash image, so that the receiver cannot discard the message until it gets the corresponding disclosed key

CDM_i = i | K_{i+1,0} | H(K'_{i+2,0}) | MAC_{K'_i}(i | K_{i+1,0} | H(K_{i+2,0})) | K_{i-1}

CDM_{i+1} = i+1 | K_{i+2,0} | H(K_{i+3,0}) | MAC_{K'_{i+1}}(i+1 | K_{i+2,0} | H(K_{i+3,0})) | K_i
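
Added example (not from the presentation or from the paper's implementation): a Python model of the CDM format and the receiver-side checks described on the Scheme II and Scheme III slides above. It shows immediate authentication of a commitment through the hash image, and why a CDM whose hash image was altered cannot be rejected until its MAC key is disclosed one interval later. SHA-256/HMAC as stand-ins for F0, F1, F01, H and the MAC, the derivation of K'_i from K_i, the field names, MAX_SKIP and the last-copy-wins buffer are assumptions.

```python
import hashlib, hmac

def _oneway(tag):  # assumption: SHA-256 with a domain tag stands in for each function
    return lambda k: hashlib.sha256(tag + k).digest()

F0, F1, F01, H, MACKEY = (_oneway(t) for t in (b"F0", b"F1", b"F01", b"H", b"K'"))
MAX_SKIP = 16      # assumption: cap on hash-chain steps spent on a single packet

def _chain(top, f, steps):
    out = [top]
    for _ in range(steps):
        out.append(f(out[-1]))
    return out[::-1]                     # index 0 is the commitment

def build(n, m, seed):
    """high[i] = K_i = F0(K_{i+1}); low[i][j] = K_{i,j}, with K_{i,m} = F01(K_{i+1})."""
    high = _chain(seed, F0, n)
    return high, {i: _chain(F01(high[i + 1]), F1, m) for i in range(1, n)}

def _mac(k_i, c):
    body = c["i"].to_bytes(2, "big") + c["commit"] + c["himg"]
    return hmac.new(MACKEY(k_i), body, hashlib.sha256).digest()

def make_cdm(i, high, low):
    """CDM_i = i | K_{i+1,0} | H(K_{i+2,0}) | MAC_{K'_i}(...) | K_{i-1}"""
    c = {"i": i, "commit": low[i + 1][0], "himg": H(low[i + 2][0]), "disclosed": high[i - 1]}
    c["mac"] = _mac(high[i], c)
    return c

class Receiver:
    def __init__(self, k0):
        self.idx, self.key = 0, k0       # newest authenticated high-level key
        self.buffered = {}               # i -> CDM_i waiting for K_i to be disclosed
        self.himg, self.commit = {}, {}  # authenticated H(K_{i,0}) and K_{i,0}, by i

    def on_cdm(self, c):
        i, k = c["i"], c["disclosed"]
        if not 0 <= i - 1 - self.idx <= MAX_SKIP:
            return "dropped"
        for _ in range(i - 1 - self.idx):        # walk claimed K_{i-1} back to known key
            k = F0(k)
        if not hmac.compare_digest(k, self.key):
            return "dropped"
        self.idx, self.key = i - 1, c["disclosed"]
        old = self.buffered.pop(i - 1, None)     # K_{i-1} now checks CDM_{i-1}'s MAC
        if old and hmac.compare_digest(old["mac"], _mac(self.key, old)):
            self.commit[i], self.himg[i + 1] = old["commit"], old["himg"]
        self.buffered[i] = c                     # single buffer: last copy wins
        if self.himg.get(i + 1) == H(c["commit"]):
            self.commit[i + 1] = c["commit"]     # immediate authentication
            return "immediate"
        return "buffered"

def run(forge=None, n=8, m=4):
    """Deliver constructed CDM_1..CDM_5; forge=i replaces the hash image in CDM_i."""
    high, low = build(n, m, b"constructed seed")
    rx = Receiver(high[0])
    cdms = [make_cdm(i, high, low) for i in range(1, 6)]
    return [rx.on_cdm(dict(c, himg=H(b"forged")) if c["i"] == forge else c) for c in cdms]
```

With forge=3 the altered CDM_3 is accepted into the buffer, fails its MAC check only when K_3 arrives in CDM_4, and CDM_4's commitment therefore loses immediate authentication; this is the delay that the randomized buffering of Scheme IV is meant to limit.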

Scheme IV: (Final) Two-Level Key Chains

- Randomize CDM distribution to mitigate channel jamming attacks
- Randomize CDM buffering to mitigate smart DOS attacks
  - Single buffer random selection
  - Multiple buffer random selection

Scheme V: Multi-Level Key Chain

- Multi-level key chain scheme: each higher-level key chain is used to distribute the commitments for the key chains in the level immediately below it.
- Every pair of adjacent levels works the same way as the two-level key chain scheme.


Implementation

Network model
- Simulate communication channel on IP multicast
- One base station and one attacker component
- Multiple sensor nodes; one-hop neighbors of base station and attacker

Parameters
- Channel loss rate
- Percentage of forged CDM packets
- Buffer size (data packets and CDM packets)

Implementation

Metrics
- % authenticated data packets at sensor node (#authenticated data packets / received data packets)
- Average data authentication delay (the average time between the receipt and the authentication of a data packet)

Experimental result: Buffer allocation schemes

Experimental result: % authenticated data packets

Experimental result: Average data packet authentication delay

Conclusion

Advantages
- Remove unicast-based key commitment distribution
- Resistance to message loss, DOS attacks
- Communication efficient
- Low overhead
- Scalable to large sensor networks

Limitation
- Long delay after commitments loss failure

Future work

- Seeking solutions to reduce the long delay after commitments loss failure
- Broadcast authentication with multiple base stations
- Implement this scheme in real sensor networks


Random Key Predistribution Schemes

- To establish keys in a sensor network
- Three new mechanisms for key establishment
- Enhance the security of the network and increase the cost of potential attacks

The Task

Problem
- Distribute symmetric keys in a physically insecure network with a broadcast channel

The solutions
- q-composite keys
- Multipath-reinforcement
- Random-pairwise keys

The metrics
- Resilience against node capture, resistance against node replication, revocation capability, and scalability

Basic Scheme

- n nodes, each having m keys out of the key pool S
- A common key ensures secure communication

[Figure: S has 100 keys (k1, k2, k3, ..., k100); three nodes hold the key rings {k1, k3}, {k1, k5} and {k3, k7}.]

Basic Scheme

Problems
- Easy to compromise
- Difficult to authenticate

[Figure: nodes with key rings {k1, k3}, {k1, k3} and {k3, k7}. Labels: Compromised, Compromised node, Compromised communication.]

q-composite Keys

- q: the amount of key overlap
- Requires at least q common keys to establish a secure communication channel

[Figure: nodes with key rings {k1, k3, k5}, {k1, k3, k9} and {k3, k5, k7}; m = 3, q = 2.]

q-composite Keys

Performance concerns
- Parameters: |S|, m, d, p
- We want to increase |S| and decrease m to mitigate the effect of compromised nodes
- We want to maintain d and p to ensure good connectivity

q-composite Keys

Performance concerns
- Increasing |S| and decreasing m will often decrease p, so there must be a tradeoff
- We choose the largest |S| while maintaining a suitable p

q-composite Keys

Performance concerns
- The effect of compromised nodes
- The proportion of compromised network links goes up when the number of compromised nodes increases
- This adversely affects the reasonable scale of the network
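
Added example (not from the presentation or the paper): Python that works through the tradeoff on the q-composite performance slides above. For a key ring size m and overlap q it finds the largest pool |S| that keeps the connection probability at a target p, then estimates the fraction of links exposed as nodes are captured. The overlap formula is the standard hypergeometric count; the exposure model assumes the link key is derived from all shared keys, and m = 200, p = 0.33 and the capture counts are constructed sample values.

```python
from math import comb

def overlap_pmf(S, m, i):
    """P(two key rings of m keys, drawn at random from a pool of S keys, share exactly i)."""
    return comb(m, i) * comb(S - m, m - i) / comb(S, m)

def p_connect(S, m, q):
    """Probability that two neighbours share at least q keys and can set up a link."""
    return 1.0 - sum(overlap_pmf(S, m, i) for i in range(q))

def largest_pool(m, q, p_target):
    """Largest |S| that still gives p_connect >= p_target (p falls as |S| grows)."""
    if not (0.0 < p_target <= 1.0 and 1 <= q <= m):
        raise ValueError("need 0 < p_target <= 1 and 1 <= q <= m")
    lo, hi = m, 2 * m                      # p_connect(m, m, q) == 1
    while p_connect(hi, m, q) >= p_target:
        lo, hi = hi, 2 * hi
    while hi - lo > 1:                     # invariant: p(lo) >= target > p(hi)
        mid = (lo + hi) // 2
        if p_connect(mid, m, q) >= p_target:
            lo = mid
        else:
            hi = mid
    return lo

def compromised_fraction(S, m, q, x):
    """Expected fraction of links between uncaptured nodes readable after x captures.
    Assumption: a link with i shared keys is broken only if all i keys are exposed."""
    exposed = 1.0 - (1.0 - m / S) ** x     # P(a given pool key sits in a captured ring)
    broken = sum(exposed ** i * overlap_pmf(S, m, i) for i in range(q, m + 1))
    return broken / p_connect(S, m, q)

def tradeoff(m, p_target, captured, qs=(1, 2, 3)):
    """For each q: the pool size chosen for p_target and the exposure per capture count."""
    rows = []
    for q in qs:
        S = largest_pool(m, q, p_target)
        rows.append((q, S, [round(compromised_fraction(S, m, q, x), 4) for x in captured]))
    return rows

if __name__ == "__main__":
    # Constructed sample parameters, not values taken from the slides.
    for q, S, frac in tradeoff(m=200, p_target=0.33, captured=(10, 50, 150)):
        print(f"q={q}  |S|={S}  compromised fraction at x=10, 50, 150: {frac}")
```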

Key Reinforcement

- How to make the keys stronger?
  - Increase m? It may make it weaker
- What if we make the keys much more difficult to figure out?
  - Use multiple paths to transmit multiple parts of a key to the communication partner
  - To figure out the real key used, the attacker needs to compromise all the paths

Key Reinforcement

- Usually, paths of length two are used

[Figure: reinforcement paths carrying the values v1, v2, v3.]

Key Reinforcement: Performance

- The number of connected nodes depends on the area A(x), which depends on the length of x
- Integrating over the distribution of x, the expected number of reinforcing neighbors is
- With k paths and the possibility of compromising a link as b, the possibility of an additional compromised link is
- The reinforcement can be pretty strong

[Figure: nodes B and C at distance x, with the area A(x).]

Key Reinforcement: Performance

- The distribution of links with different reinforcing neighbors and the compromised links
- The compromised links can be a pretty small fraction of the total number of links

Random-pairwise Keys

If a pair of nodes share a unique symmetric key, they can
- Establish a secure channel
- Authenticate each other
- Potentially achieve good performance in security and scalability

[Figure: nodes with key rings {k12, k13}, {k12, k29} and {k13, k37}; m = 2.]

Random-pairwise Keys

Revocation
- Since nodes can authenticate each other, a group of nodes can selectively revoke a specific (adverse) node's privilege in the network
- This is done in a distributed way

[Figure: Node 1 {k12, k13}, Node 2 {k12, k23}, Node 3 {k13, k23}; m = 2, t = 2. Nodes 2 and 3 vote to revoke node 1.]

Random-pairwise Keys

Question: how to revoke a node
- The revoked node may still jam part of the network after it knows it has been revoked
- The revoked node can impersonate another node, given that it has another compromised key ring

[Figure: Node "2" {k12, k23}, Node 2 {k12, k23}, Node 3 {k13, k23}; m = 2, t = 2. Node "2" jams the real node 2 and impersonates node 2 to communicate with node 3.]

Random-pairwise Keys

- How to detect a bad node?
  - Integrity check
  - Some methods are recommended in the paper, but there may not be a perfect solution
- How to avoid the revocation mechanism being misused?
  - Limit the nodes' revocation capability to resist revocation attacks
  - Limit the nodes' broadcast capability to resist DoS

[Figure: Node 1 {k12, k23}, Node 2 {k12, k23}, Node 3 {k23, k35}; m = 2, t = 2. Node 2 can vote to revoke node 1 but node 3 cannot.]

Random-pairwise Keys

Question: do the security measures affect other aspects of the network?
- Does it affect the connectivity?
  - This paper has a good example of applying a restricted broadcast measure without obviously reducing the connectivity
- Does it affect other protocols, like routing?
  - Based on the distribution of the keys, the security topology of the network may differ greatly from the physical topology
  - Some routing protocols may have difficulty working correctly, or have degraded performance
    - Geographic forwarding
    - Trajectory based routing
    - Direct diffusion


Scalability: Network size

- Limited global payoff requirement
- After simplifying and approximation
- q-composite keys increase the reasonable network size

Scalability: Network size

- Compare different schemes
- Multipath reinforcement greatly enhances the reasonable size of the network

Comparison and discussion

- Both protocols target sensor networks
  - Same resource limits: bandwidth, computing capacity, memory, …
  - Some common assumptions: trustworthy base stations, insecure communication channel, inexpensive hardware that can be compromised
- Both take advantage of existing cryptographic techniques

Comparison and discussion

- The two papers focus on different aspects of security
  - E-paper focuses on 1-to-many broadcast
  - R-paper focuses on key distribution, which can be used to construct more general semantics and more varied traffic patterns

Comparison and discussion

- Are the assumptions in the papers reasonable?
  - Are base stations really secure?
  - Does the network have the density to maintain a reasonable p in the key predistribution schemes?


Thank you!