Secure Aggregation for Wireless Networks

Lingxuan Hu
David Evans
[lingxuan, evans]@cs.virginia.edu
http://swarm.cs.virginia.edu
Department of Computer Science
University of Virginia
Charlottesville, VA
Scenario
High-power base station
Thousands of small, low-powered devices with
sensors and actuators, communicating wirelessly
WSAAN 28 Jan 2003
Hu & Evans
2
Scenario
High-power base station
Transmitting each message all the way to the
base station wastes resources.
Data Aggregation
If you only care about average, max, etc., aggregate data
inside the network instead of sending it to the base station.
Integrity of Data
Compromised Node
With data aggregation, authentication becomes harder.
Problem
Can we provide the power-saving
benefits of in-network data aggregation
but limit the amount of damage a
single compromised node can do?
Rest of Talk:
1. Background: Inexpensive Authentication
without Aggregation
2. Secure Aggregation
3. Security and Cost Analysis
4. Scalable Solution
Cryptographic Hash Chains
x → f (x) → f (f (x)) → f (f (f (x)))  (the chain is computed in this direction; keys are revealed over time in the opposite direction)
Initially store: K0 = f^4(x)
K1 = f^3(x): verify f (K1) = K0
K2 = f^2(x): verify f (K2) = K1
f is a one-way function: easy to calculate f(x), but difficult to invert f.
µTesla [Perrig et al., 2002]
• Initially: sensor nodes know K0 = f^n(x); base station knows x
• Base station messages encrypted using K1 = f^(n-1)(x)
• Nodes store and time stamp messages, but cannot decrypt them (yet)
• At time t1, base station broadcasts K1
• Nodes verify f (K1) = K0
• Nodes use K1 to decrypt earlier messages
• Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed
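The hash-chain and µTesla steps above, as an added Python example (not code from the slides or from the µTesla authors). It assumes SHA-256 for the one-way function f and uses the not-yet-disclosed key as an HMAC key (the slides say "encrypted"; authenticating the broadcast with the key is the form the µTesla paper uses and it is what the verification step needs). The loosely synchronized clock is an integer interval counter with a one-interval disclosure delay, and the secret x and messages are constructed. The disclosure check generalizes the slide's single step f(K1) = K0 to f^d(Ki) so that a disclosure arriving after a lost one still verifies.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def f(data: bytes) -> bytes:
    """One-way function for the chain; SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).digest()


def build_chain(x: bytes, n: int) -> list[bytes]:
    """Return [K0, ..., Kn] with Ki = f^(n-i)(x): K0 = f^n(x) is stored on nodes, Kn = x stays secret."""
    keys = [x]
    for _ in range(n):
        keys.append(f(keys[-1]))
    keys.reverse()
    return keys


def verify_next_key(known: bytes, revealed: bytes) -> bool:
    """The check a node runs on a disclosed key: f(K_i) must equal the last trusted key K_(i-1)."""
    return f(revealed) == known


def tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class BaseStation:
    chain: list[bytes]          # chain[i] = K_i; only the base station holds the whole chain

    def send(self, i: int, msg: bytes) -> tuple[int, bytes, bytes]:
        """Broadcast during interval i, authenticated with the not-yet-disclosed K_i."""
        return (i, msg, tag(self.chain[i], msg))

    def disclose(self, i: int) -> tuple[int, bytes]:
        """Once interval i's disclosure delay has passed, reveal K_i to everyone."""
        return (i, self.chain[i])


@dataclass
class Node:
    k_known: bytes               # last verified key, initially K0 = f^n(x)
    i_known: int = 0
    delay: int = 1               # K_i becomes public at interval i + delay
    pending: dict = field(default_factory=dict)    # interval -> [(msg, mac)]
    accepted: list = field(default_factory=list)

    def receive(self, now: int, pkt: tuple[int, bytes, bytes]) -> bool:
        """Buffer a packet only if its key cannot have been disclosed yet (needs loose clock sync)."""
        i, msg, mac = pkt
        if i <= self.i_known or now >= i + self.delay:
            return False
        self.pending.setdefault(i, []).append((msg, mac))
        return True

    def receive_key(self, i: int, key: bytes) -> bool:
        """Verify a disclosed key against the chain, then release every buffered packet it covers."""
        if i <= self.i_known:
            return False
        k = key
        for _ in range(i - self.i_known):     # f^(i - i_known)(K_i) must reach the last trusted key
            k = f(k)
        if k != self.k_known:
            return False
        for j in sorted(self.pending):
            if j > i:
                continue
            kj = key
            for _ in range(i - j):            # keys of skipped intervals follow from K_i
                kj = f(kj)
            for msg, mac in self.pending.pop(j):
                if hmac.compare_digest(mac, tag(kj, msg)):
                    self.accepted.append(msg)
        self.k_known, self.i_known = key, i
        return True


def demo() -> dict:
    chain = build_chain(b"constructed-secret-x", n=4)        # K0..K4, constructed secret
    bs, node = BaseStation(chain), Node(k_known=chain[0])
    out = {}
    p1 = bs.send(1, b"report temperature")
    out["buffered"] = node.receive(now=1, pkt=p1)
    node.receive(now=1, pkt=(1, b"disable alarms", b"\x00" * 32))   # intruder: no key, forged tag
    out["key1_ok"] = node.receive_key(*bs.disclose(1))               # f(K1) == K0 releases p1
    out["late_rejected"] = not node.receive(now=2, pkt=p1)           # replay after K1 is public
    node.receive(now=3, pkt=bs.send(3, b"sleep"))
    out["gap_ok"] = node.receive_key(*bs.disclose(3))                # K2 lost: f(f(K3)) == K1
    out["accepted"] = list(node.accepted)
    return out
```

The forged "disable alarms" packet is buffered like any other (the node cannot tell yet) and is dropped only when K1 is disclosed and its tag fails; the replayed copy of p1 is refused on arrival because its interval's key is already public, which is the clock-synchronization requirement on the slide.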
Node Authentication
• Before deployment, establish a shared
symmetric secret key between each
node and base station: KNS
• Send readings with a MAC:
RA | MAC (KAS, RA)
Assumes confidentiality of transmitted
readings is not important. We are only
concerned with integrity.
Authenticated Sensor Net
Each node transmits: N | RN | MAC (KNS, RN)
Base station verifies MAC before accepting RN.
Authenticated Data Aggregation
A sends: A | RA | MAC (KAS, RA)
B sends: B | RB | MAC (KBS, RB)
C (parent of A and B) sends: C | Aggr (RA, RB) | MAC (KCS, Aggr (RA, RB))
The base station can verify C's MAC, but has no way to check that C's aggregate was computed from A's and B's authentic readings.
Secure Aggregation
• Delayed Aggregation: Only aggregate
messages after they have traveled one
hop
• Delayed Authentication: Use µTesla
variation to reveal children’s keys to
parents to provide delayed
authentication
Protocol Example
Tree: A and B are children of E; C and D are children of F; E and F are children of G; G is a child of H.
KAi is the ith key in a µTesla key chain starting from KAS.
Children to parents:
  A → E: IDA | RA | MAC (KAi, RA)
  B → E: IDB | RB | MAC (KBi, RB)
  C → F: IDC | RC | MAC (KCi, RC)
  D → F: IDD | RD | MAC (KDi, RD)
Parents to grandparent (children's messages forwarded unchanged, plus a MAC of the aggregate):
  E → G: IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB))
  F → G: IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD))
Grandparent upward:
  G → H: IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB)) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD))
  H → its parent: IDG | Aggr (Aggr (RA, RB), Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD)) | … (same from right side) | MAC (KHi, Aggr (RA, RB, RC, RD, . . . readings from right side))
Data Transmission Summary
• Children send their data reading and
MAC (using KNi) to their parents.
• Parents forward the data and MACs
they receive to grandparents, along with
a calculated MAC of the aggregation
• Grandparents forward MACs and
aggregate values from parents and a
calculated MAC of aggregation
Data Validation
• At some later time, the Base Station
reveals KNi for each node N that
transmitted data, along with MAC (Ki, KNi)
• The parent of N uses KNi to verify MAC
(KNi, RN)
• Nodes increment i to use the next µTesla
key
• The Base Station broadcasts Ki (which
nodes verify) and advances to the new
µTesla key
Abridged Attack Analysis
• Intruder Node (no key material)
– Cannot forge sensor readings: they will be detected
when the base station reveals the node MAC keys
– Replay attacks ineffective: keys change, can only
replay readings within this time period
– Denial-of-service attack can succeed (but alerts
operator)
• Compromised Node (all keys on one node)
– Can lie about its own reading
– But, cannot alter other nodes' readings without getting
caught: the aggregate will not match the calculated aggregate
at the next level
Successful Attacks
• Compromised node selectively drops
child readings
– Nothing to prevent this (but unlikely to
change much without base station noticing)
– Can use child snooping to catch it earlier
• Compromise two consecutive (parent
and grandparent) nodes
– Can forge readings for entire subtree
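The protocol example and data validation steps above, together with the attack analysis, as one added Python example (my code, not the authors'). It assumes Aggr is a sum, MACs are 8-byte truncated HMAC-SHA256, the per-node keys KNi are the constructed KEYS table (standing in for keys the base station has already revealed and whose MAC (Ki, KNi) has already been checked), and the readings are constructed. The demo runs the honest tree A, B → E; C, D → F; E, F → G, then the cases from the attack slides: a compromised parent altering a child's reading, a compromised parent MACing a false aggregate, and a compromised parent-and-grandparent pair.

```python
import hashlib
import hmac


def mac(key: bytes, data: bytes) -> bytes:
    """8-byte MAC, truncated HMAC-SHA256 (8 bytes is the MAC size on the cost slide)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def enc(value: int) -> bytes:
    return value.to_bytes(4, "big", signed=True)


def aggr(readings: list[int]) -> int:
    """Aggregation function; sum is an assumption, any deterministic aggregate works."""
    return sum(readings)


# Constructed stand-ins for K_Ni, the i-th µTesla key of each node's chain. In the protocol the
# base station reveals these (with MAC(Ki, KNi)) only after the readings have been forwarded.
KEYS = {n: hashlib.sha256(b"constructed-key-" + n.encode()).digest() for n in "ABCDEFG"}


def leaf_msg(node: str, reading: int) -> dict:
    """Child -> parent: ID_N | R_N | MAC(K_Ni, R_N)."""
    return {"id": node, "r": reading, "mac": mac(KEYS[node], enc(reading))}


def parent_msg(node: str, children: list[dict]) -> dict:
    """Parent -> grandparent: children's messages forwarded as received, plus MAC(K_Pi, Aggr)."""
    a = aggr([c["r"] for c in children])
    return {"id": node, "children": children, "mac": mac(KEYS[node], enc(a))}


def grandparent_msg(node: str, parents: list[dict]) -> dict:
    """Grandparent -> next level: per parent ID_P | Aggr | MAC_P, plus its own MAC over the total.
    Each aggregate is recomputed from the forwarded readings, never copied from the parent."""
    summaries = [{"id": p["id"], "aggr": aggr([c["r"] for c in p["children"]]), "mac": p["mac"]}
                 for p in parents]
    total = aggr([s["aggr"] for s in summaries])
    return {"id": node, "parents": summaries, "aggr": total, "mac": mac(KEYS[node], enc(total))}


def verify_grandchildren(parents: list[dict]) -> list[str]:
    """Run by the grandparent once the K_Ni are revealed: every forwarded reading must carry a
    valid MAC under its originator's key. A parent that alters a child's reading is caught here."""
    return [c["id"] for p in parents for c in p["children"]
            if not hmac.compare_digest(c["mac"], mac(KEYS[c["id"]], enc(c["r"])))]


def verify_parent_aggregates(msg: dict) -> list[str]:
    """Run one level higher: each parent's MAC must match the aggregate the grandparent recomputed.
    A single parent or grandparent that reports a different aggregate is caught here."""
    return [s["id"] for s in msg["parents"]
            if not hmac.compare_digest(s["mac"], mac(KEYS[s["id"]], enc(s["aggr"])))]


def demo() -> dict:
    A, B, C, D = (leaf_msg(n, r) for n, r in zip("ABCD", (20, 22, 19, 25)))   # constructed readings
    out = {}
    # 1. every node honest: total 86, nothing flagged at either level
    E, F = parent_msg("E", [A, B]), parent_msg("F", [C, D])
    G = grandparent_msg("G", [E, F])
    out["honest"] = (G["aggr"], verify_grandchildren([E, F]), verify_parent_aggregates(G))
    # 2. compromised E rewrites A's reading before forwarding; A's MAC no longer matches at G
    E_bad = parent_msg("E", [dict(A, r=50), B])
    out["tampered_reading"] = verify_grandchildren([E_bad, F])
    # 3. compromised E forwards honest readings but MACs a false aggregate; G recomputes 42
    #    from the readings, so H sees E's MAC fail
    E_lie = dict(parent_msg("E", [A, B]), mac=mac(KEYS["E"], enc(999)))
    out["false_aggregate"] = verify_parent_aggregates(grandparent_msg("G", [E_lie, F]))
    # 4. the slide's stated limit: E and G compromised together. G's summary repeats E's false
    #    aggregate and MACs a consistent total, so the next level has nothing to compare against
    fake = [{"id": "E", "aggr": 999, "mac": mac(KEYS["E"], enc(999))}, G["parents"][1]]
    G_bad = {"id": "G", "parents": fake, "aggr": 999 + 44, "mac": mac(KEYS["G"], enc(999 + 44))}
    out["colluding_pair"] = verify_parent_aggregates(G_bad)
    return out
```

The two verification functions are the "delayed authentication" of the summary slide: nothing is checked when a message arrives, only after the keys are revealed, and each level checks the level two hops below it. Case 4 returning an empty list is exactly the "two consecutive nodes" weakness the Successful Attacks slide lists.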
Communication Cost
[Chart: Total Kilobytes Transmitted (0 to 800) against number of Sensor Nodes (340, 1364, 5460), for No Aggregation, Insecure Aggregation and Secure Aggregation.]
Assumptions: sensor reading: 22 bytes; MAC of message: 8 bytes; ideal binary network.
Secure Aggregation requires about 3 times the amount of data transmission as Insecure Aggregation, but provides integrity with < ½ the cost of no aggregation.
Scalability
• Base station must broadcast the next node key for every node
• To scale to larger sensor networks, use local µTesla between parent and child
– Need base station to validate start of hash chain
• Two µTesla keys are used each time, one for immediate authentication, and another for later authentication:
A → Parent: IDA | RA | KA1 | MAC (KA2, RA)
KA1 authenticates the origin of the message (node A) immediately; KA2 authenticates the reading later.
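The local two-key variant, as an added Python example (not the authors' code). It assumes, beyond what the slide states, that the MAC key KA2 is never sent explicitly: the next message discloses KA3, the parent derives KA2 = f (KA3), and that one derivation both extends the chain (immediate origin check of the new message) and unlocks the previous reading's MAC (delayed check). It further assumes the parent already holds KA0 validated through the base station, one message per two chain steps with no recovery of lost messages, SHA-256 for f and HMAC-SHA256 for the MAC; the readings and the intruder packet are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def f(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()     # one-way function, an assumption of the example


def build_chain(x: bytes, n: int) -> list[bytes]:
    """[K0, ..., Kn] with K0 = f^n(x); K0 is what the base station validates for the parent."""
    keys = [x]
    for _ in range(n):
        keys.append(f(keys[-1]))
    keys.reverse()
    return keys


def tag(key: bytes, reading: int) -> bytes:
    return hmac.new(key, reading.to_bytes(4, "big"), hashlib.sha256).digest()


@dataclass
class Child:
    node_id: str
    chain: list[bytes]
    j: int = 0

    def send(self, reading: int) -> dict:
        """Message j: ID | R_j | K_(2j-1) | MAC(K_2j, R_j). K_2j is only implied by message j+1."""
        self.j += 1
        k_now, k_later = self.chain[2 * self.j - 1], self.chain[2 * self.j]
        return {"id": self.node_id, "r": reading, "k": k_now, "mac": tag(k_later, reading)}


@dataclass
class Parent:
    k_known: bytes                      # child's K0, obtained via the base station (assumed validated)
    pending: Optional[dict] = None      # last message whose reading is not yet authenticated
    authenticated: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def receive(self, m: dict) -> str:
        # Immediate check: the disclosed key must continue the chain, one step for the first
        # message and two afterwards (K_2j was never sent). A packet from a node without the
        # chain fails here and is never buffered.
        k = m["k"]
        for _ in range(1 if self.pending is None else 2):
            k = f(k)
        if k != self.k_known:
            return "origin-failed"
        # Delayed check: f(K_(2j+1)) = K_2j is the MAC key of the previous message
        if self.pending is not None:
            k_prev = f(m["k"])
            if hmac.compare_digest(self.pending["mac"], tag(k_prev, self.pending["r"])):
                self.authenticated.append(self.pending["r"])
            else:
                self.rejected.append(self.pending["r"])
        self.k_known, self.pending = m["k"], m
        return "origin-ok"


def demo() -> dict:
    chain = build_chain(b"constructed-secret-of-A", n=10)     # constructed secret, K0..K10
    child, parent = Child("A", chain), Parent(k_known=chain[0])
    out = {}
    out["m1"] = parent.receive(child.send(21))
    intruder = {"id": "A", "r": 0, "k": hashlib.sha256(b"guess").digest(), "mac": b"\x00" * 32}
    out["intruder"] = parent.receive(intruder)          # rejected at once: key does not extend chain
    m2 = child.send(22)
    out["m2"] = parent.receive(dict(m2, r=99))          # reading altered in flight; key is genuine
    out["m3"] = parent.receive(child.send(23))          # K5 -> K4 exposes the altered reading of m2
    out["m4"] = parent.receive(child.send(24))          # K7 -> K6 authenticates reading 23
    out["authenticated"] = list(parent.authenticated)
    out["rejected"] = list(parent.rejected)
    return out
```

The altered message m2 passes the origin check because its disclosed key is real; the forgery surfaces one message later, which is the "authenticate reading later" half of the slide. The intruder packet never reaches the buffer, which is the "authenticate the origin immediately" half, and it is why this variant needs no per-node broadcast from the base station once KA0 has been validated.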
Summary / Moral (?)
• With our protocol, you can get
authenticated results without trusting your
children at all, and trusting your parents
and grandparents not to conspire together
against you.
• Not trusting your children is reasonable
(inexpensive)
• Not trusting your parents is expensive:
requires over twice the resources of the
insecure aggregation protocol
http://swarm.cs.virginia.edu