Sensor Network Security through Identity-Based Encryption

advertisement
Sensor Network Security through
Identity-Based Encryption
Nigel Boston
Department of Mathematics,
University of South Carolina
Departments of Mathematics and
ECE, University of Wisconsin
Overview of Talk
•
•
•
•
•
Challenges faced
Existing approaches
Identity-based encryption
Benefits of IBE for sensor networks
Conclusions and future work
UW Sensor Networks
• UW WiSeNet Consortium
(wisenet.engr.wisc.edu)
• Eric Bach (Computer Sciences)
• Akbar Sayeed (ECE)
• Several students (Matt Darnall, Kamal
Srinivasan, Harris Nover, …)
• Affiliated faculty from ECE, CS, CE, …
Challenges of Sensor Networks
• Limited memory, storage, and power
• Unreliable communication, conflicts, and
latency
• Exposure to physical attacks, remote,
decentralized management
Security Requirements
•
•
•
•
•
•
•
•
Data confidentiality
Data integrity
Data freshness
Availability
Self-organization
Time synchronization
Secure localization
Authentication
Attacks
•
•
•
•
•
•
Denial of service attacks
Sybil attack
Traffic analysis attacks
Node replication attacks
Attacks against privacy
Physical attacks
Key Distribution Attacks
Want shared secret keys between nodes which
may have been pre-initialized without prior
contact.
Want nodes able to communicate without
involving base station.
Want additional nodes able to join existing
network, unauthorized nodes prevented.
Encryption Techniques
Symmetric key (stream ciphers or block
ciphers)
• SPINS
• TinySec
• Random graph theory (Eschenauer-Gligor)
• Impractical for large scale sensor networks
TinySec
• Message authentication, integrity,
confidentiality are provided.
• Based on Skipjack, 80-bit symmetric cipher.
• Secure, reasonably efficient (time,
transmission overhead, memory)
• If no rekeying, then compromising one node
compromises the whole network.
Limitations of Secret Key
• Key distribution
• Protection of key material - resilience
• Rekeying, if possible, incurs additional
energy consumption
• Public-key cryptography improves on these
Public-Key Cryptography
• Encryption key public, decryption key private broken by solving a hard math problem.
• Originally regarded as too slow and consuming
too much power.
• RSA with exponent 3 (idea - cheap encryption,
more powerful receiver does more expensive
decryption). Hard problem - factoring integers.
• Rabin-Williams (RSA with exponent 2).
RSA-200 Factored
May, 2005 - RSA-200 factored, using number
field sieve by Jens Franke et al
2799783391 1221327870 8294676387 2260162107 0446786955 4285375600 0992932612
8400107609 3456710529 5536085606 1822351910 9513657886 3710595448 2006576775
0985805576 1357909873 4950144178 8631789462 9518723786 9221823983
equals
3532461934 4027701212 7260497819 8464368671 1974001976 2502364930 3468776121
2536794232 0005854795 6528088349
x
7925869954 4783330333 4708584148 0059687737 9758573642 1996073433 0341455767
8728181521 3538140930 4740185467
Problems with RSA
1. A polynomial-time factoring algorithm
would render RSA probably useless.
2. A quantum computer can factor in
polynomial-time (record so far - 15).
3. In constrained environments (smart cards,
PDAs, …), long keys are impractical.
Companies want comparable security with
much shorter key lengths.
Elliptic Curves
• The solutions of
in a field naturally form a group (can add pts)
Hard problem: given points P, Q, find integer
n such that Q = P+…+P (n terms).
Elliptic Curve Addition
Elliptic Curve Cryptography
• ECC ever more popular for mobile devices
• 160-bit ECC same security as 80-bit
symmetric, as 1024-bit RSA
• Hyperelliptic curve cryptography (HCC)
apparently offers no advantage
• Malan (2004) implemented sensor net ECC
• Sun Microsystems (2005) announced Sizzle
World’s Smallest Secure Server
Authentication
As sensor devices improve, ECC ever better.
Problem - in public-key crypto, A writes to B
using B’s public key. Trusted authority signs
B’s public key so A, by checking this
signature, can verify B’s identity.
Recursive checking expensive if low-power.
Identity-Based Encryption
1984 - Shamir asked if arbitrary bit strings
(B’s name) can be used as public keys. After
B receives A’s message, B computes (with
trusted authority) a private key
Note - burden of checking is on the receiver in sensor networks weak sends to strong!
Identity-Based Encryption II
2001 - Boneh and Franklin give solution using
the Weil pairing on elliptic curves.
Can also use other pairings (Tate, eta, Ate, …)
- Ate is up to 6 times faster than the others.
Cocks’s IBE scheme based on quadratic
residues suffers from ciphertext expansion.
Pairings
• E is an elliptic curve defined over GF(
),
• The points on E form an abelian group and
we consider a bilinear non-degenerate
pairing (computed by Miller’s algorithm)
IBE Details
Identity-based systems allow any party to generate a public key
from a known identity value such as an ASCII string.
A trusted third party, called the Private Key Generator (PKG),
generates the corresponding private keys.
To operate, the PKG first publishes a "master" public key, and
retains the corresponding master private key.
Given the master public key, any party can compute a public key
corresponding to the identity i by combining the master public
key with the identity value.
To obtain a corresponding private key, the party authorized to use
identity i contacts the PKG, which uses the master private key to
generate the private key for identity i.
Other Advantages of IBE
Advantages in sensor network (1) Physically secured master device is trusted
authority
(2) Each node given private key in advance private key generator can then be destroyed
Simultaneous Research
• Several groups have apparently come up
with this idea simultaneously.
• The group (Doyle et al.) at DCU, Dublin
has gone furthest in implementation - found
the energy performance of key negotiation
using an IBE scheme based on Tate pairing
on the ARM platform was 0.44J (cf. nodes
limited to 1000J battery capacity).
Some Questions
• IBE uses hashing - what features desirable
for sensor networks?
• Efficient Weil pairing computation uses
randomization - possible to eliminate?
Conclusions
• Sensor networks face novel security
problems due to constraints and method of
deployment
• The key distribution problem can be
addressed by using IBE to negotiate a
shared secret key
• Calculation of pairs of keys demands
reasonable power consumption
Download