Sensor Network Security through Identity-Based Encryption Nigel Boston Department of Mathematics, University of South Carolina Departments of Mathematics and ECE, University of Wisconsin Overview of Talk • • • • • Challenges faced Existing approaches Identity-based encryption Benefits of IBE for sensor networks Conclusions and future work UW Sensor Networks • UW WiSeNet Consortium (wisenet.engr.wisc.edu) • Eric Bach (Computer Sciences) • Akbar Sayeed (ECE) • Several students (Matt Darnall, Kamal Srinivasan, Harris Nover, …) • Affiliated faculty from ECE, CS, CE, … Challenges of Sensor Networks • Limited memory, storage, and power • Unreliable communication, conflicts, and latency • Exposure to physical attacks, remote, decentralized management Security Requirements • • • • • • • • Data confidentiality Data integrity Data freshness Availability Self-organization Time synchronization Secure localization Authentication Attacks • • • • • • Denial of service attacks Sybil attack Traffic analysis attacks Node replication attacks Attacks against privacy Physical attacks Key Distribution Attacks Want shared secret keys between nodes which may have been pre-initialized without prior contact. Want nodes able to communicate without involving base station. Want additional nodes able to join existing network, unauthorized nodes prevented. Encryption Techniques Symmetric key (stream ciphers or block ciphers) • SPINS • TinySec • Random graph theory (Eschenauer-Gligor) • Impractical for large scale sensor networks TinySec • Message authentication, integrity, confidentiality are provided. • Based on Skipjack, 80-bit symmetric cipher. • Secure, reasonably efficient (time, transmission overhead, memory) • If no rekeying, then compromising one node compromises the whole network. Limitations of Secret Key • Key distribution • Protection of key material - resilience • Rekeying, if possible, incurs additional energy consumption • Public-key cryptography improves on these Public-Key Cryptography • Encryption key public, decryption key private broken by solving a hard math problem. • Originally regarded as too slow and consuming too much power. • RSA with exponent 3 (idea - cheap encryption, more powerful receiver does more expensive decryption). Hard problem - factoring integers. • Rabin-Williams (RSA with exponent 2). RSA-200 Factored May, 2005 - RSA-200 factored, using number field sieve by Jens Franke et al 2799783391 1221327870 8294676387 2260162107 0446786955 4285375600 0992932612 8400107609 3456710529 5536085606 1822351910 9513657886 3710595448 2006576775 0985805576 1357909873 4950144178 8631789462 9518723786 9221823983 equals 3532461934 4027701212 7260497819 8464368671 1974001976 2502364930 3468776121 2536794232 0005854795 6528088349 x 7925869954 4783330333 4708584148 0059687737 9758573642 1996073433 0341455767 8728181521 3538140930 4740185467 Problems with RSA 1. A polynomial-time factoring algorithm would render RSA probably useless. 2. A quantum computer can factor in polynomial-time (record so far - 15). 3. In constrained environments (smart cards, PDAs, …), long keys are impractical. Companies want comparable security with much shorter key lengths. Elliptic Curves • The solutions of in a field naturally form a group (can add pts) Hard problem: given points P, Q, find integer n such that Q = P+…+P (n terms). Elliptic Curve Addition Elliptic Curve Cryptography • ECC ever more popular for mobile devices • 160-bit ECC same security as 80-bit symmetric, as 1024-bit RSA • Hyperelliptic curve cryptography (HCC) apparently offers no advantage • Malan (2004) implemented sensor net ECC • Sun Microsystems (2005) announced Sizzle World’s Smallest Secure Server Authentication As sensor devices improve, ECC ever better. Problem - in public-key crypto, A writes to B using B’s public key. Trusted authority signs B’s public key so A, by checking this signature, can verify B’s identity. Recursive checking expensive if low-power. Identity-Based Encryption 1984 - Shamir asked if arbitrary bit strings (B’s name) can be used as public keys. After B receives A’s message, B computes (with trusted authority) a private key Note - burden of checking is on the receiver in sensor networks weak sends to strong! Identity-Based Encryption II 2001 - Boneh and Franklin give solution using the Weil pairing on elliptic curves. Can also use other pairings (Tate, eta, Ate, …) - Ate is up to 6 times faster than the others. Cocks’s IBE scheme based on quadratic residues suffers from ciphertext expansion. Pairings • E is an elliptic curve defined over GF( ), • The points on E form an abelian group and we consider a bilinear non-degenerate pairing (computed by Miller’s algorithm) IBE Details Identity-based systems allow any party to generate a public key from a known identity value such as an ASCII string. A trusted third party, called the Private Key Generator (PKG), generates the corresponding private keys. To operate, the PKG first publishes a "master" public key, and retains the corresponding master private key. Given the master public key, any party can compute a public key corresponding to the identity i by combining the master public key with the identity value. To obtain a corresponding private key, the party authorized to use identity i contacts the PKG, which uses the master private key to generate the private key for identity i. Other Advantages of IBE Advantages in sensor network (1) Physically secured master device is trusted authority (2) Each node given private key in advance private key generator can then be destroyed Simultaneous Research • Several groups have apparently come up with this idea simultaneously. • The group (Doyle et al.) at DCU, Dublin has gone furthest in implementation - found the energy performance of key negotiation using an IBE scheme based on Tate pairing on the ARM platform was 0.44J (cf. nodes limited to 1000J battery capacity). Some Questions • IBE uses hashing - what features desirable for sensor networks? • Efficient Weil pairing computation uses randomization - possible to eliminate? Conclusions • Sensor networks face novel security problems due to constraints and method of deployment • The key distribution problem can be addressed by using IBE to negotiate a shared secret key • Calculation of pairs of keys demands reasonable power consumption