1 / 109

Security in Wireless Sensor Networks: Key Management Approaches

Security in Wireless Sensor Networks: Key Management Approaches. Vasyl A. Radzevych and Sunu Mathew. Overview. Wireless Sensor Networks (WSN) Security issues in WSN Key management approaches in WSN: Overview Pre-Deployed Keying Key pre-deployment Key derivation information pre-deployment

Jims
Download Presentation

Security in Wireless Sensor Networks: Key Management Approaches

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security in Wireless Sensor Networks:Key Management Approaches Vasyl A. Radzevych and Sunu Mathew

  2. Overview • Wireless Sensor Networks (WSN) • Security issues in WSN • Key management approaches in WSN: • Overview • Pre-Deployed Keying • Key pre-deployment • Key derivation information pre-deployment • Location aware pre-deployed keying • Random Key Pre-deployment (P-RKP) • Key derivation information pre-deployment • Autonomous protocols • Pairwise asymmetric (public key) • Arbitrated protocols • Identity based group keying • Conclusions

  3. Sensor Networks • Sensor network is composed of a large number of sensor nodes • Sensor nodes are small, low-cost, low-power devices that have following functionality: • communicate on short distances • sense environmental data • perform limited data processing • Network usually also contains “sink” node which connects it to the outside world

  4. Applications • WSN can be used to monitor the conditions of various objects / processes. Some examples: • Military: friendly forces monitoring, battlefield surveillance, biological attack detection, targeting, battle damage assessment • Ecological: fire detection, flood detection, agricultural uses • Health related: human physiological data monitoring • Miscellaneous: car theft detection, inventory control, habitat monitoring, home applications • Sensors are densely deployed either inside or very close to the monitored object / process

  5. Security issues in WSN • The discussed applications require communication in WSN to be highly secure • Main security threats in WSN are: • Radio links are insecure – eavesdropping / injecting faulty information is possible • Sensor nodes are not temper resistant – if it is compromised attacker obtains all security information • Attacker types: • Mote-class: attacker has access to some number of nodes with similar characteristics / laptop-class: attacker has access to more powerful devices • Outside (discussed above) / inside: attacker compromised some number of nodes in the network

  6. Attacks on WSN • Main types of attacks on WSN are: • spoofed, altered, or replayed routing information • selective forwarding • sinkhole attack • sybil attack • wormholes • HELLO flood attacks • acknowledgment spoofing

  7. B A1 A2 A3 A4 False routing information • Injecting fake routing control packets into the network, examples: attract / repeal traffic, generate false error messages • Consequences: routing loops, increased latency, decreased lifetime of the network, low reliability Example: captured node attracts traffic by advertising shortest path to sink, high battery power, etc

  8. Selective forwarding • Multi hop paradigm is prevalent in WSN • It is assumed that nodes faithfully forward received messages • Compromised node might refuse to forward packets, however neighbors might start using another route • More dangerous: compromised node forwards selected packets

  9. Sinkhole and Sybil attacks • Sinkhole attack: • Idea: attacker creates metaphorical sinkhole by advertising for example high quality route to a base station • Laptop class attacker can actually provide this kind of route connecting all nodes to real sink and then selectively drop packets • Almost all traffic is directed to the fake sinkhole • WSN are highly susceptible to this kind of attack because of the communication pattern: most of the traffic is directed towards sink – single point of failure • Sybil attack: • Idea: a single node pretends to be present in different parts of the network. • Mostly affects geographical routing protocols

  10. Wormholes • Idea: tunnel packets received on one part of the network to another • Well placed wormhole can completely disorder routing • Wormholes may convince distant nodes that they are close to sink. This may lead to sinkhole if node on the other end advertises high-quality route to sink

  11. Wormholes (cont.) • Wormholes can exploit routing race conditions which happens when node takes routing decisions based on the first route advertisement • Attacker may influence network topology by delivering routing information to the nodes before it would really reach them by multi hop routing • Even encryption can not prevent this attack • Wormholes may convince two nodes that they are neighbors when on fact they are far away from each other • Wormholes may be used in conjunction with sybil attack

  12. HELLO flood attack • Many WSN routing protocols require nodes to broadcast HELLO packets after deployment, which is a sort of neighbor discovery based on radio range of the node • Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink

  13. Acknowledgment spoofing • Some routing protocols use link layer acknowledgments • Attacker may spoof acks • Goals: convince that weak link is strong or that dead node is alive. • Consequently weak link may be selected for routing; packets send trough that link may be lost or corrupted

  14. Overview of Countermeasures • Link layer encryption prevents majority of attacks: bogus routing information, Sybil attacks, acknowledgment spoofing, etc. • This makes the development of an appropriate key management architecture a task of a great importance • Wormhole attack, HELLO flood attacks and some others are still possible: attacker can tunnel legitimate packets to the other part of the network or broadcast large number of HELLO packets • Multi path routing, bidirectional link verification can also be used to prevent particular types of attacks like selective forwarding, HELLO flood

  15. Key management: goals • The protocol must establish a key between all sensor nodes that must exchange data securely • Node addition / deletion should be supported • It should work in undefined deployment environment • Unauthorized nodes should not be allowed to establish communication with network nodes

  16. Key management: constraints • Sensor node constraints: • Battery power • Computational energy consumption • Communication energy consumption • Transmission range • Memory • Temper protection • Sleep pattern • Network constraints: • Ad-hoc network nature • Packet size

  17. Key management: evaluation/comparison metrics • Resilience against node capture: how many node are to be compromised in order to affect traffic of not compromised nodes? • Addition: how complicated is dynamic node addition? • Revocation: how complicated is dynamically node revocation? • Supported network size: what is the maximum possible size of the network? • Note: since WSN can be used in a lot of different ways it is not reasonable to look for one key management approach to suite all needs: 20 000 node network deployed from the airplane over a battle field has quite different requirements from 10 node network installed to guard the perimeter of the house

  18. Key management approaches classification

  19. Approaches to be discussed • Pre-deployed keying: • Key pre-deployment • Straightforward approaches • Eschenauer / Gligor random key pre-deployment • Chan / Perrig q-composite approach • Zhu / Xu approach • DiPietro smart attacker model and PRK protocol • Key derivation information pre-deployment • Liu / Ning polynomial pre-deployment • Self-enforcing autonomous approaches • Pairwise asymmetric (public key) • Arbitrated protocols • Identity based hierarchical keying

  20. Straight forward approaches • Single mission key is obviously unacceptable • Pairwise private key sharing between every two nodes is impractical because of the following reasons: • it requires pre-distribution and storage of n-1 keys in each node which is n(n-1)/2 per WSN. • most of the keys would be unusable since direct communication is possible only in the nodes neighborhood • addition / deletion of the node and re-keying are complex

  21. Basic probabilistic approach • Due to Eschenauer and Gligor • Relies on probabilistic key sharing among nodes of WSN • Uses simple shared-key discovery protocol for key distribution, revocation and node re-keying • Three phases are involved: key pre-distribution, shared-key discovery, path-key establishment

  22. Key pre-distribution • Generate a large key pool P (217-220 keys) and corresponding key identifiers • Create n key rings by randomly selecting k keys from P • Load key rings into nodes memory • Save key identifiers of a key ring and associated node identifier on a controller • For each node load a key which it shares with a base station

  23. Shared-key discovery • Takes place during initialization phase after WSN deployment. Each node discovers its neighbor in communication range with which it shares at least one key • Nodes can exchange ids of keys that they poses and in this way discover a common key • A more secure approach would involve broadcasting a challenge for each key in the key ring such that each challenge is encrypted with some particular key. The decryption of a challenge is possible only if a shared key exists

  24. Path-key establishment • During the path-key establishment phase path-keys are assigned to selected pairs of sensor nodes that are within communication range of each other, but do not share a key • Node may broadcast the message with its id, id of intended node and some key that it posses but not currently uses, to all nodes with which it currently has an established link. Those nodes rebroadcast the message to their neighbors • Once this message reaches the intended node (possible through a long path) this node contacts the initiator of path key establishment • Analysis shows that after the shared-key discovery phase a number of keys on a key ring are left unused

  25. Simulation results 1000 nodes, 40 nodes neighborhood, P=10000 number of hops Path length to neighbors

  26. Key revocation • Key revocation is accomplished in the following way: a controller node that has all keys and ids in its memory, broadcasts a message containing a list of k key identifiers for the key ring to be revoked • This message is signed with signature key which is encrypted and unicasted to all nodes prior revocation. This encryption is done using individually shared between node and controller keys • After obtaining a signature key, each node locate received identifiers in its key ring and removes the corresponding keys if they are present • Since some links might disappear they should be reestablished using keys that are left in the key ring

  27. Resiliency to node capture • More robust then approaches that use single mission key • In case node is captured k<<n keys are obtained • This means that the attacker has a probability of k/P to attack successfully any other WSN link

  28. WSN connectivity • Two nodes are connected if they share a key • Full connectivity of WSN is not required because of the limited communication capabilities of the sensor nodes • Two important questions: • What should be the expected degree of a node so that WSN is connected? • Given expected degree of a node what values should the key ring size, k, and pool, P, have for a network of size n so that WSN is connected? • Random-graph theory helps in answering the first question

  29. Random graphs • A random graph G(n,p) is a graph of n nodes for which the probability that a link between any two nodes exists is p • Question: what value should p have so that it is “almost certainly true” that graph G(p,n) is connected? • Pc is a desired probability for the graph connectivity • Based on the formulas above p and d=p(n-1) can be found (d-expected degree of a node) Erdos-Renyi formula: (1) (2)

  30. Random-graphs (cont.) Expected degree of node vs. number of nodes, where Pc=Pr[G(n,p) is connected]

  31. Key ring and key pool sizes • Due to the limited communication capabilities a number of nodes with which a particular node can communicate is n’<<n • This means that the probability of two nodes sharing at least one key in their key rings of size k is p’=d/(n’-1)>>p • Key pool size P can be derived as a function of k:

  32. Key ring and key pool size (cont.) Probability of sharing at least one key when two nodes choose k keys from a pool of size P

  33. Key ring and key pool size: example • WSN contains n=10000 nodes, desired probability of network connectivity is Pc=0.99999, communication range supports 40 nodes neighborhoods • According to the formula (1) c=11.5, therefore p=2*10-3 d=2*10-3*9999=20 • This means that if each node can communicate with on average 20 other nodes the network will be connected • p’=20/(40-1)=0.5 • According to formula (3) k can be set to 250 and P can be set to 100000

  34. q-composite approach • Enhancement of the basic probabilistic approach • Idea: nodes should share q keys instead of only one • Approach: • Key pool P is an ordered set • During initialization phase nodes broadcast ids of keys that they have • After discovery each nodes identifies the neighbor with which it share at least q keys • Communication key is computed as a hash of all shared keys • Keys appear in hash in the same order as in key pool

  35. Benefits of q-composite approach • q-composite approach has greater resiliency to node capture than the basic approach if small number of nodes were captured • Simulations show that for q=2, the amount of additional communications compromised when 50 nodes (out of 10000) have been compromised is 4.74%, as opposed to 9.52% in the basic scheme • However if large number of nodes have been compromised q-composite scheme exposes larger portion of network than the basic approach • The larger q is the harder it is to obtain initial information • Parameter q can be customized to achieve required balance for a particular network

  36. Zhu / Xu approach • Another modification of the basic probabilistic approach • Major enhancement: • Pseudorandom number generator is used to improve security of key discovery algorithm • Also uses secret sharing which jointly with logical paths allows nodes toestablish a pairwise key that is exclusively known to the two nodes (in contrast to basic probabilistic approach, where other nodes might also know some particular key)

  37. Zhu / Xu approach: key pre-distribution • Background: a pseudo-random number generator, or PRNG, is a random number generator that produces a sequence of values based on a seed and a current state. Given the same seed, a PRNG will always output the same sequence of values. • Key pool P of size l is generated • For each node u, pseudorandom number generator is used to generate the set of m distinct integers between 1 and l (key ids). Nodes unique id u is used as a seed for the generator • Each node is loaded with key ring of size m • Keys for the key rings are selected from key pool P in correspondence with integers (key ids) generated for a particular node by pseudorandom number generator • This allows any node u that knows another nodes v id to determine the set of ids of keys that v poses

  38. Zhu / Xu approach: Logical path establishment • The established on previous step keys are not exclusive and consequently not secure enough, however they can be used to establish exclusive key • During the network initialization phase, nodes discover so called logical paths • Nodes can establish a direct path in case they share a common key on their key rings • This can easily be accomplished as was described in the previous slide by discovering common key id • In case nodes do not share a key authors propose a path-key establishment algorithm similar to one in basic probabilistic approach, the difference is that nodes try to establish several logical paths, which later should help in establishing a pairwise key

  39. Zhu / Xu: pairwise key establishment • The next step of network initialization is pairwise key establishment • A sender node randomly generates a secret key ks • Then derives n-1 random strings sk1, sk2,…, skn-1 • skn is computed as follows: skn = ks XOR sk1XOR sk2 XOR,…, XOR skn-1 • This way a recipient has to receive all n shares in order to derive a secret key ks • After secret shares are computed, each of them is send to the recipient using different logical path • Once all shares are received the recipient can confirm the establishment of pairwise key by sending a HELLO message encoded with a new key • Authors provide a framework according to which number of shares and the way they are send is decided

  40. Further enhancements • So far all the discussed approaches have used one of the following algorithms for shared-key discovery: • Key id notification • Challenge response • Pseudorandom key id generation • Those algorithms work well against so called “oblivious” attacker, the one that randomly selects next sensor to compromise • What if attacker selects nodes that will allow him to compromise the network faster, based on already obtained information (key ids)? • This is the case of so called “smart” attacker

  41. Smart attacker • More precisely smart attacker can be defined as follows: • at each step of the attack sequence, the next sensor to tamper is sensor s, where s maximizes E[G(s)| I(s)], the expectation of the key information gain G(s) given the information I(s) the attacker knows on sensor s key-ring • Simulations show that Key id notification and pseudorandom key id generationcan be easily beaten by the smart attacker • Challenge response performs better

  42. Simulation results Experimental results on id notification and pseudorandom key id generation: Number of sensors to corrupt in order to compromise an arbitrary channel.

  43. Simulation results Experimental results on challenge response: Number of sensors to corrupt in order to compromise an arbitrary channel.

  44. PRK algorithm • Why not using challenge response? Inefficient • The goal is to define a key pre-deployment scheme that supports an efficient and secure key discovery phase, as efficient as pseudorandom key id generation (no message exchange) and as secure as challenge response • DiPietro et al. suggested a new algorithm that achieves the above described requirements

  45. PRK algorithm • Key pre-distribution • For each sensor sa • For all keys vPi of the pool P, compute z=fy(a || vPi) • Iff z≡0 mod (P/K), then put vPi into the key ring Va of sensor sa • Assumption P/K divides by 2h, where h is the size of the input • Key discovery • In case sensor sb wants to establish a secure channel with sensor sa it has to perform the following calculations: • For each key vbj in its key ring sensor sb computes z=fy(a||vbj) • If z≡0 mod (P/K), sensor sa also has key sb

  46. PRK algorithm analysis • Benefits: • Complexity is comparable to pseudo-random index transformation: no message exchange and K applications of the pseudo-random function. • Only who already knows key vPi can know whether sensor sa has that key or not by computing z=fy(a||vbj) and checking out if z≡0 mod( P/K ). All other entities gets no information from z. This is exactly the same information revealed by challenge response • Drawbacks: • Not enough control of key ring size: it is possible that applying the formula to sensor id and key in a key pool will yield key ring that is • too large - larger than sensor memory • too small – not enough for the network to be connected • In either case node id a should be regenerated • Authors prove that it is feasible to regenerate sensor ids to achieve required properties

  47. PRK algorithm: simulations Experimental results on PRK algorithm: number of sensors to corrupt in order to compromise an arbitrary channel. The PRK algorithm is as secure as challenge response and in the same time as efficient as pseudorandom key id generation

  48. Background: polynomial based key pre-distribution • Polynomial based key pre-distribution scheme reduces the amount of pre-distributed information still allowing each pair of nodes to compute a shared key • Polynomial based key pre-distribution is λ-collusion resistant, meaning that as long as λ or less nodes are compromised the rest of the network is secure • Utilizes polynomial shares

  49. Polynomial based key pre-distribution : initialization • Special case: λ=1 • Each node has an id rU which is unique and is a member of finite field Zp • Three elements a, b, c are chosen from Zp • Polynomial f(x,y) = (a + b(x + y) + cxy) mod p is generated • For each node polynomial share gu(x) = (an+ bnx) mod p where an= (a + brU) mod p and bn= (b + crU) mod p is formed and pre-distributed

  50. Polynomial based key pre-distribution : key discovery • In order for node U to be able to communicate with node V the following computations have to be performed: • Ku,v= Kv,u= f(ru,rv) = (a + b(ru+rv) + crurv )mod p • U computes Ku,v= gu(rv) • V computes Kv,u= gv(ru)

More Related