
Key Infection: Smart Trust for Smart Dust


Ross Anderson (University of Cambridge), Haowen Chan (Carnegie Mellon University), Adrian Perrig (Carnegie Mellon University)

Presented by EMRAH ATILGAN

Outline
  • Introduction
  • Previous Works
  • Contribution
  • Analysis
  • Multihop and Multipath Key Establishment
  • Economic Issues
  • Questions

Sensors
  • A sensor is a device that measures a physical quantity and converts it into a signal which can be read by an observer or by an instrument.
  • Example: Mercury thermometer. Converts the measured temperature into expansion and contraction of a liquid which can be read on a calibrated glass tube.
  • Cars, machines, aerospace, medicine, manufacturing and robotics.

Constraints of Sensors
  • Should be small, lightweight, inexpensive and low-power
  • Energy efficiency of network communications
  • Computational energy consumption
  • Communications energy consumption
  • Rechargeability
  • Sleep patterns
  • Transmission range
  • Memory
  • Location sensing
  • Tamper protection

Sensor Networks
  • A sensor network is a wireless network consisting of spatially distributed autonomous devices using sensors to cooperatively monitor physical or environmental conditions.

Sensor Networks
  • Security for sensor networks is important
  • Managing cryptographic keys
  • Low-cost nodes are neither tamper-proof nor capable of performing public key cryptography efficiently.

Sensor Networks
Typical sensor networks:
  • consist of a large number of small, low-cost nodes that use peer-to-peer communication to form a self-organized network.
  • use multi-hop routing algorithms based on dynamic network and resource discovery protocols.
  • do not have tamper-proof hardware.
PROBLEM!!!
  • A small fraction of nodes in the network may be compromised by an adversary over time.

Security Issues of Sensor Networks
  • Physical destruction
  • Barrage jamming
  • Network flooding
  • Byzantine attack: an arbitrary fault during the execution of an algorithm by a distributed system. When it occurs, the system may respond in any unpredictable way.
The results of such attacks:
  • Loss of personal privacy
  • Loss of service of critical sensor systems
  • Etc.

Smart dust
  • Smart dust: a network of tiny wireless microelectromechanical systems sensors, robots, or devices, installed with wireless communications
  • Can detect: light, temperature, vibration, heat, pressure, sound, etc.
The goal:
  • Make sensors so small and cheap
  • Distribute them in large numbers over an area by random scattering

Ex.1: scattering a hundred of these sensors around a building or around a hospital to monitor temperature or humidity, track patient movements, or inform of disasters, such as earthquakes. In the military, they can perform as a remote sensor chip to track enemy movements, detect poisonous gas or radioactivity.

Previous Work
  • In a typical sensor network, when a node (i) broadcasts its identity, if j hears it, it replies. Then these two nodes set RF power at just the level needed for communication.
  • To save power: the nodes turn off their communications, only waking up and listening for radio signals intermittently.
The routing architecture:
  • Relies on a shared symmetric key
  • Initial keys are diversified from master keys: still vulnerable
  • An opponent can use direction finding to locate them, then either destroy them or subvert them

A source-based routing protocol, based on the periodic broadcast of beacons by base stations, organizes the nodes into forests, with a base station at the root of each tree.

Possible countermeasures
  • Use normal nodes as base stations and have other nodes replace them after random periods of time.
  • For the first generation of base stations to possess master keys that are destroyed once a network has been established and link keys have been set up between neighboring nodes.
  • Enough symmetric keys are pre-loaded on each node that any two nodes will probably share a key after deployment.
  • Requires a pre-computation phase
  • And a lot of memory to store keys

2) However, deletion of all master keys effectively closes the network and makes the addition of new nodes impossible. This makes it difficult to expand a sensor network or to add new nodes to replace failed or battery-exhausted nodes.
3) Requires a significant pre-computation phase based on the total number of nodes in the network and the expected density of deployment.

A Real World Attacker Model
  • Previous works have assumed a highly capable and motivated attacker
  • World War II
  • Consider a tactical deployment of 10,000 smart dust motes air-dropped into enemy territory.

  • Use KM to generate a session key. However:
  • Some motes are broken on impact
  • The enemy can probe out KM

[Diagram: nodes i and j, master key KM]

1) A global passive adversary, who monitors and stores all communications. It is also commonly assumed that the attacker can subvert a small chosen subset of the sensor nodes, deploy hostile nodes of her own, and modify or inject communications at will at any time.
1.1) Both strategic and tactical communications were mostly carried by radio and were routinely intercepted; and the world of international telephony in the post-war years, where the traffic volumes were such that widespread interception by signals intelligence agencies was feasible and was indeed carried out.
2) In the initialisation process, a master key KM is generated and transmitted to all motes.
4) The enemy thus has access to all the initialisation traffic it recorded. If this amount of communication information was too little to be of significant use to her, then we could have got the same result at lower cost by not using a master key at all, but simply exchanging session keys in the clear.

Non-critical commodity sensor networks
  • The required pre-deployment step must be minimal
  • Less valuable as targets, and little damage if the security shell is broken
  • House or bank??

Contributions
  • Design a lightweight security protocol suitable for non-critical commodity sensor networks.
Key Infection
  • The attacker can monitor only a fixed percentage of the communication channels.
  • Relaxed attacker model
  • Low computation overhead
  • No memory overhead
  • No prior key setup
  • It is suitable for implementation in low-cost commodity sensor nodes.

Relaxed attacker model means it is possible to perform sufficiently secure distribution with low computation overhead (a few symmetric cryptographic operations), no memory overhead (only storage for the actual keys used in node-to-node communications,

Contributions
  • Identify a more realistic attacker model that is applicable to non-critical commodity sensor networks.
  • Key Infection: a light-weight key-distribution mechanism that is so efficient that it is applicable even to smart dust sensor nodes.
  • Analyze the security of key infection, and design Secrecy Amplification: an additional mechanism to strengthen the security of key infection in the presence of an active attacker.
  • COST and USABILITY

Assume the attacker:
  • Does not have physical access to the deployment site during the deployment phase.
  • Is able to monitor only a small proportion of the communications of the sensor network during the deployment phase. After key exchange is complete, the attacker is able to monitor all communications at will.
  • Is unable to execute active attacks (such as jamming or flooding) during the deployment phase. After key exchange is complete, the attacker is free to launch any kind of attack.

The attacker is assumed to be fully capable at all times except during the deployment phase, where the attacker is assumed to have at most a partial, passive presence. This is realistic because deployment represents a very small window of opportunity for an adversary. This is an acceptable risk since the window is extremely small (several seconds) compared to the overall lifetime of the network (up to several years).

Requirements for adversary
  • He has to have the foresight to deploy surveillance equipment or adversarial nodes at the target site before the sensor network is deployed there.
  • His eavesdropping devices must remain in place, operational and undetected, until the sensors perform key exchange.
  • He needs to be able to identify, retrieve and process the relevant eavesdropped product in order to extract the key exchange messages.
  • Too expensive to maintain in anticipation.

Key Infection
  • Each node simply chooses a key and broadcasts it in plaintext to its neighbors.

  • Short-range transmission
  • Maximum range is 10 meters
  • Half a dozen within range

Key Infection (cont.)
  • Assume that is signal heard by node j.
  • j generates a pairwise key and sends it to i.
  • Use the minimum power necessary for the link.
  • The key can be used to protect traffic between i and j.

[Diagram: nodes i and j]

Key Infection (cont.)
  • Even if there are opponents already present at the time of deployment, it will still give significant protection.
  • For example: if there is 1 black (hostile) dust sensor node for every 100 white nodes, and each node has an average of 4 neighbors within range, only 2.4% of links will be compromised.
  • Key whispering protocol: the probability falls to 0.8%

Instead of each white node broadcasting a single initial key as loudly as it can, it starts off transmitting very quietly and steadily increases the power until a response is heard. A link key is established with the responder, and then the broadcast resumes with a new initial key. The KEY WHISPERING protocol ensures that two white nodes W1 and W2 within range of each other and of a black node is further away from either W1 or W2 than the distance between W1 and W2.

Analysis
  • We are OK if the attacker arrives after the key infection phase.
  • Let's see what happens if the attacker already has some black dust nodes installed before we install the white nodes.
  • We compute the upper bound on the ratio of communication links that the black dust nodes may compromise.
  • Assume the maximum range of the radio is R
  • Smart dust nodes distributed in the area of size s
  • is the number of black nodes
  • is the number of white nodes

Compute upper bound
  • The effective eavesdropping area is at most:
  • If the link is bad, i.e. can be eavesdropped by at least a black node, the area at most:

In the non-colluding case, we do not consider the sharing of information among black nodes, so the outcome is always more favorable for white.

Whispering case
  • If a link has length r, then both nodes will transmit their signals at a strength that exactly reaches distance r.
  • The effective eavesdropping area is thus at most the area of this intersection, which is:
  • The probability that the link is compromised is at most:

A black node has to lie in the intersection of the two circles of radius r where the distance between the two centers of the circles is r.

Evaluation
  • This table compares the standard key infection with the whisper-mode key infection.
  • d, the average number of neighbors of a node.

Remaining columns list the ratio of compromised links
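
The two cases analysed above can be evaluated numerically. The following is an added example, not code or data from the paper or the presentation. It assumes a unit-disc radio of range R = 1, uniformly scattered nodes, and, for the basic mode, that a black node must lie within range R of both endpoints to overhear the link; the function names are hypothetical.

```python
import math

def lens_area(radius, dist):
    """Overlap area of two equal circles whose centres are `dist` apart."""
    if dist >= 2 * radius:
        return 0.0
    return (2 * radius ** 2 * math.acos(dist / (2 * radius))
            - (dist / 2) * math.sqrt(4 * radius ** 2 - dist ** 2))

def compromised_ratio(d, black_per_white, whisper, steps=20000):
    """Expected fraction of links overheard by at least one black node.

    Assumed model: radio range R = 1, white and black nodes scattered
    uniformly at random, black nodes passive and non-colluding.
    """
    rho_black = black_per_white * d / math.pi        # black nodes per unit area
    total = 0.0
    for k in range(steps):                           # midpoint rule over link length r
        r = (k + 0.5) / steps
        tx_range = r if whisper else 1.0             # whispering: power just reaches r
        area = lens_area(tx_range, r)                # region that hears both endpoints
        p_heard = 1.0 - math.exp(-rho_black * area)  # at least one black node inside
        total += p_heard * 2.0 * r / steps           # neighbour distance density is 2r
    return total

def evaluation_table(black_per_white=0.01, degrees=(2, 3, 4, 5, 6)):
    """Rows of (d, basic ratio, whisper ratio) for a given black-node density."""
    return [(d, compromised_ratio(d, black_per_white, False),
             compromised_ratio(d, black_per_white, True)) for d in degrees]

if __name__ == "__main__":
    print(" d   basic  whisper")
    for d, basic, quiet in evaluation_table():
        print(f"{d:2d}  {basic:6.2%}  {quiet:6.2%}")
```

With 1 black node per 100 white nodes and d = 4, this model gives values close to the 2.4% and 0.8% figures quoted on the Key Infection slide.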

Multihop and Multipath Key Establishment
Secrecy Amplification
  • A technique that utilizes multipath key establishment to make the attacker's job significantly harder.
  • Combine keys propagated along different paths.

Secrecy Amplification (cont.)
  • To amplify the secrecy of key , can ask to change additional key with .
  • Here, is an unpredictable nonce generated by is a unique nonce generated by (used for confirmation of key ).

After this protocol terminates, W1 and W2 update their key k12 by hashing it with the received N1: k12 = H(k12||N1). If k12 was secure before the protocol, the new k12 will also be secure afterwards. But if the initial link key k12 was compromised, the new k12 will not be, so long as neither k13 nor k23 is. The last two messages of the protocol are needed for key confirmation, to assure W1 and W2 that the other party correctly received the key.

SA over the basic key infection
  • The table lists the ratio of compromised links for a varying density of black dust.

So, three party secrecy amplification gives an improvement of about 20%.
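
The key update k12 = H(k12||N1) and its security condition can be exercised directly. This is an added example, not code from the paper or the presentation: the message layouts, the confirmation nonce name n2, the relay role of the third node and the toy SHA-256 link cipher are all assumptions made so the sketch runs with the standard library only.

```python
import hashlib
import hmac
import secrets

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def seal(key, msg):
    """Toy link cipher (stand-in, msg <= 32 bytes): SHA-256 keystream XOR + HMAC tag."""
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, H(key, iv)))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None when the tag does not verify under `key`."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, H(key, iv)))

def amplify(k12, k13, k23):
    """Three-party exchange; returns (W1's new key, W2's new key, wire transcript)."""
    n1 = secrets.token_bytes(16)              # W1's unpredictable nonce N1
    m1 = seal(k13, n1)                        # W1 -> third node, under k13
    m2 = seal(k23, unseal(k13, m1))           # third node -> W2, re-encrypted under k23
    new_w1 = H(k12, n1)                       # k12 = H(k12 || N1) at W1
    new_w2 = H(k12, unseal(k23, m2))          # same update at W2
    n2 = secrets.token_bytes(16)              # W2's confirmation nonce (name assumed)
    m3 = seal(new_w2, n1 + n2)                # W2 -> W1: shows W2 holds the new key
    echoed = unseal(new_w1, m3)
    if echoed is None or echoed[:16] != n1:
        raise ValueError("key confirmation failed at W1")
    m4 = seal(new_w1, echoed[16:])            # W1 -> W2: returns n2
    if unseal(new_w2, m4) != n2:
        raise ValueError("key confirmation failed at W2")
    return new_w1, new_w2, [m1, m2, m3, m4]

def eavesdropper_key(known_link_keys, k12, transcript):
    """Passive attacker who recorded every message and already knows the old k12."""
    for blob in transcript[:2]:               # only the relayed messages carry N1
        for key in known_link_keys:
            n1 = unseal(key, blob)
            if n1 is not None:
                return H(k12, n1)
    return None
```

An eavesdropper holding only the old k12 gets None back, while one that also holds k13 or k23 recovers the amplified key, which is the condition stated above.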

SA over the basic key infection
  • In this case, the basic key infection uses whispering

with the multipath extension
  • Secrecy amplification undertaken using a multihop return path.

This is significantly better where complexity and other constraints permit it.

We simulate nodes that perform key infection with neighbors that are two hops away. In the columns marked basic, we assume that the return path of the key infection is the same as the forward path.

Multihop keys
  • It supports end-to-end cryptography
  • Multihop keying also protects multihop secrecy amplification against node compromise.

Interaction with routing algorithms
  • Some work on secure ad-hoc routing assumes a particular routing strategy. This work does not.
  • This key infection protocol can also support other mechanisms.
  • Automatically discovers paths that may be used for this as needed
  • Example: in biology, the immune response normally stops you catching the same disease twice. If you are a smart dust mote, the more keys you catch from a colleague, the better.

These other mechanisms may have to be used to recover from attacks. For example, if sufficient nodes are subverted for the network to be partitioned (that is, there are pairs of motes that can no longer route to each other despite being physically connected by a multihop path), then a recovery phase may be initialized.

Conclusion
  • The authors proposed a novel and quite counterintuitive way of managing keys in sensor networks.
  • Each node bootstraps itself by broadcasting an initial key in the clear.
  • Nodes exchange keys and build up trust structures as they do network and resource discovery.
  • This is almost as secure as using pre-loaded initial keys.
  • This paper shows how the benefits of initial keying can be analyzed separately from the benefits of later-stage key management activities: key updating, the use of alternative trust routes, and the invocation of backups.

Questions