Key Infection
(smart trust for smart dust)
Ross Anderson (Cambridge)
Haowen Chan (CMU)
Adrian Perrig (CMU)
Sensor Networks
 100s to 1000s of cheap
sensor nodes
 Communicate peer-to-peer
and route information to
base stations
 Example: Sensors could be
scattered by air to monitor
pollution - or track people
Typical Sensor Node
Characteristics
 Wireless communication
 Battery powered
 Immobile
 Not tamper-resistant
 Limited processing hardware and memory
 Communicate peer-to-peer and route data to one
or more base stations
Platform Technologies: UCB Mote
 UCB Mote Evolution
Approaches to Key Distribution
 Attempt #1: Use a PKI
• Problem: Too computationally intensive
 Attempt #2: Use a single symmetric master key
• Problem: Single node capture exposes entire network
 Attempt #3: Load each node with key for each
neighbour
• Problem: Don’t know neighbours a priori
 Attempt #4: Load each node with many keys (n-1
keys/node, or fancier randomised scheme)
• Problem: Memory cost too high
Threat Model
 Attacker deploys white dust to monitor an area
 Defender has a few black dust motes already,



rapidly deploys more, and sends in ‘insects’ that
reverse-engineer some white motes
Passive defense: see what movements yield
sensor traffic
Active defense: transmit jamming / deceptive
messages
Example: corrupt routing to partition network
Defender Model
 During the deployment phase, we have a
partial, passive defender - some links
monitored but no jamming / flooding /
physical attack
 After deployment, the gloves come off!
The defender is pervasive and active
 Often reasonable because of economics:
white can deploy dust anywhere while
black must defend everywhere
Basic Idea
 Suppose all nodes share an initial master
key, and use this to bootstrap link keys
 Once the reverse-engineering insect
arrives, the enemy gets the master key
 The enemy can now eavesdrop all the
links it monitored
 But it could only monitor a small fraction
of them! We may still be OK
 This is equivalent to broadcasting initial
keys locally, and in the clear
Key Infection
 Assume that mote i, when it comes to rest,

transmits a key ki
When mote j hears it, it responds with a pairwise
key, using only just enough power for the link:
j -> i : { j, kji } ki
The key is compromised
if a hostile mote lies in
the intersection of the
i j
two circles
E.g, 1 black mote for 100 white - 97.62% of links secure
Key Whispering
 First improvement - instead of
broadcasting ki at full power, whisper it increase volume until response heard
d
1% basic
1% whisper
3% basic
3% whisper
2
1.13%
0.40%
3.48%
1.19%
3
1.75%
0.61%
5.06%
1.81%
4
2.38%
0.83%
6.75%
2.44%
5
2.92%
1.01%
8.40%
3.02%
 In other words, whispering already
reduces compromised links by 2/3
Key Capture
Enemy / subverted nodes
Keys of node A
Keys of node B
 Neither node A or node B was captured,
but their shared key has been exposed
Multipath Privacy Amplification
 If i talks via j to k, and link jk compromised, find any

other paths, e.g., i -> l -> k, set up keys kik along all
available paths, and hash them together
This gets a further significant reduction in compromised
links:
d
1% basic
1%
multipath
3% basic
3%
multipath
2
0.61%
0.38%
2.23%
1.11%
3
0.55%
0.26%
1.76%
0.91%
4
0.40%
0.16%
1.57%
0.80%
5
0.35%
0.04%
1.29%
0.40%
Interaction with Routing
 Even with no mobility, the network
topology will change as a result of battery
exhaustion / attacks
 White may invest in preparing for failover multipath key establishment helps
 Many interesting questions, e.g. energy
efficiency, clubbing, different logical paths
on same physical path…
Other Applications (1)
 Peer-to-peer systems typically start out
optimistically with a large number of
hopefully trustworthy nodes
 ‘Black’ nodes join once the network starts
to operate, and ‘white’ nodes may be
subverted (e.g., by court order)
 Here too the issue isn’t the initial key
bootstrapping, but resilience in the face of
what happens later
Other Applications (2)
 Subversive networks are similar. Law
enforcement can only monitor so many
people, and so many phones…
 Once subversive activity manifests, the
task is to penetrate a network that may
have been fairly open at the start, but has
now closed up
 Again, the important aspect is not the
initial bootstrapping, but the subsequent
lockdown, and any associated resilience
Security Economics
 Economics provide the big showstopper
for security in general
 Here, the game depends on both initial and
marginal costs of attack and defence
 Initial keying increases initial cost to both
 Equilibrium depends on marginal costs defender efforts vs attacker resilience
 Logically, defender will give up, or attacker
have to go all out to maintain network
 Attacker will logically make marginal
investment in resilience, not bootstrapping
Research Problems
 What are the relative costs of key establishment





vs. maintenance in different types of network?
What are the best attack and defence strategies
at equilibrium?
What’s the interaction with routing algorithms?
Can you deal with new motes joining?
Can you have multiple virtual networks (‘United
Nations Dust’)?
Can multiple users interact locally
(‘Neighbourhood Watch Dust’)?
Conclusions
 Sensor networks present interesting and
novel protection problems
 They provide a tractable model for bigger
problems, from P2P network design to
some real-world policing problems
 Challenge the conventional wisdom that
authentication is about trust bootstrapping
 In many real social networks, trust is more
about group reinforcement / bonding
 Will future pervasive computing systems
be command-and-control, or societal?