1 / 21

Secure Aggregation for Wireless Networks

Secure Aggregation for Wireless Networks. Lingxuan Hu David Evans [lingxuan, evans]@cs.virginia.edu http://swarm.cs.virginia.edu Department of Computer Science University of Virginia Charlottesville, VA. Scenario. High-power base station.

nami
Download Presentation

Secure Aggregation for Wireless Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Aggregation for Wireless Networks Lingxuan Hu David Evans [lingxuan, evans]@cs.virginia.edu http://swarm.cs.virginia.edu Department of Computer Science University of Virginia Charlottesville, VA

  2. Scenario High-power base station Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly Hu & Evans

  3. Scenario High-power base station Transmitting each message all the way to the base station wastes resources. Hu & Evans

  4. Data Aggregation If you only care about average, max, etc., aggregate data inside the network instead of sending it to the base station. Hu & Evans

  5. Integrity of Data Compromised Node With data aggregation, authentication becomes harder. Hu & Evans

  6. Problem Can we provide the power-saving benefits of in-network data aggregation but limit the amount of damage a single compromised node can do? Rest of Talk: • Background: Inexpensive Authentication without Aggregation • Secure Aggregation • Security and Cost Analysis • Scalable Solution Hu & Evans

  7. Cryptographic Hash Chains f f f x f (x) f (f (f (x))) f (f (x)) f is a one-way function: easy to calculate f(x), but difficult to invert f. time Initially store: K0 = f4(x) K1 = f3(x) verify f (K1) = K0 K2 = f2(x) verify f (K1) = K0 Hu & Evans

  8. µTesla [Perrig, et. al., 2002] • Initially: sensor nodes know K0 = fn(x) base station knows x • Base station messages encrypted using K1 = fn-1(x) • Nodes store and time stamp messages, but cannot decrypt them (yet) • At time t1, base station broadcasts K1 • Nodes verify f (K1) = K0 • Nodes use K1 decrypt earlier messages • Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed Hu & Evans

  9. Node Authentication • Before deployment, establish a shared symmetric secret key between each node and base station: KNS • Send readings with a MAC: RA | MAC (KAS, RA) Assumes confidentiality of transmitted readings is not important. We are only concerned with integrity. Hu & Evans

  10. Authenticated Sensor Net Each node transmits: N |RN | MAC (KNS, RN) Base station verifies MAC before accepting RN. Hu & Evans

  11. Authenticated Data Aggregation A |RA | MAC (KAS, RA) C A B C |Aggr (RA, RB) | MAC (KCS, Aggr (RA, RB)) B |RB | MAC (KBS, RB) Hu & Evans

  12. Secure Aggregation • Delayed Aggregation: Only aggregate messages after they have traveled one hop • Delayed Authentication: Use µTesla variation to reveal children’s keys to parents to provide delayed authentication Hu & Evans

  13. Protocol Example IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD) | MAC (KGi, Aggr (RA, RB, RC, RD)) G IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB)) IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD)) F E D IDB | RB | MAC (KBi, RB) IDA | RA | MAC (KAi, RA) C KAi is the ith key in a µTesla key chain starting from KAS A B Hu & Evans

  14. IDG | Aggr (Aggr (RA, RB), Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD) | … (same from right side) | MAC (KHi, Aggr (RA, RB, RC, RD, . . . readings from right side)) H IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD) | MAC (KGi, Aggr (RA, RB, RC, RD)) IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD)) G IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB)) F E D IDA | RA | MAC (KAi, RA) IDB | RB | MAC (KBi, RB) C A B Hu & Evans

  15. Data Transmission Summary • Children send their data reading and MAC (using KNi) to their parents. • Parents forward the data and MACs they receive to grandparents, along with a calculated MAC of the aggregation • Grandparents forward MACs and aggregate values from parents and a calculated MAC of aggregation Hu & Evans

  16. Data Validation • At some later time, the Base Station reveals KNi for each node N that transmitted data, along with MAC (Ki, KNi) • The parent of N uses KNi to verify MAC (KNi, RN) • Nodes increment i to use the next µTesla key • The Base Station broadcasts Ki (which nodes verify) and advances to the new µTesla key Hu & Evans

  17. Abridged Attack Analysis • Intruder Node (no key material) • Cannot forge sensor readings: they will be detected when the base station reveals the node MAC keys • Replay attacks ineffective: keys change, can only replay readings within this time period • Denial-of-service attack can succeed (but alerts operator) • Compromised Node (all keys on one node) • Can lie about its own reading • But, cannot alter other nodes readings without getting caught: aggregate will not match calculated aggregate at next level Hu & Evans

  18. Successful Attacks • Compromised node selectively drops child readings • Nothing to prevent this (but unlikely to change much without base station noticing) • Can use child snooping to catch it earlier • Compromise two consecutive (parent and grandparent) nodes • Can forge readings for entire subtree Hu & Evans

  19. Communication Cost • Total Kilobytes Transmitted Sensor reading: 22 bytes MAC of message: 8 bytes Ideal binary network • Sensor Nodes Secure Aggregation requires about 3 times the amount of data transmission as Insecure Aggregation, but provides integrity with < ½ the cost of no aggregation. Hu & Evans

  20. Scalability • Base station must broadcast next node key for every node • To scale to larger sensor networks, use local µTesla between parent-child • Need base station to validate start of hash chain • Two µTESLA keys are used each time, one for immediate authentication, and another for later authentication: AParentIDA | RA | KA1| MAC (KA2, RA) Authenticate reading later Authenticate the origin of message (node A) immediately Hu & Evans

  21. Summary / Moral (?) • With our protocol, you can get authenticated results without trusting your children at all, and trusting your parents and grandparents not to conspire together against you. • Not trusting your children is reasonable (inexpensive) • Not trusting your parents is expensive: requires over twice the resources of the insecure aggregation protocol http://swarm.cs.virginia.edu Hu & Evans

More Related