Random Key Predistribution Schemes For Sensor Networks

Download Presentation

Random Key Predistribution Schemes For Sensor Networks

Loading in 2 Seconds...

- 81 Views
- Uploaded on
- Presentation posted in: General

Random Key Predistribution Schemes For Sensor Networks

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Random Key Predistribution Schemes For Sensor Networks

Haowan Chen, Adrian Perigg, Dawn Song

- Introduction
- Basic Scheme
- Q-composite Scheme
- Multi path Key Reinforcement Scheme
- Random Pair wise Scheme
- Conclusion

- What are Sensors ?
- A device that responds to physical stimulus (as heat, light, motion etc) and transmits a resulting measurement impulse

- Revolutionizes information gathering and processing
- Networking sensors: ability to coordinate among themselves on a larger sensing task

- Real time traffic monitoring
- Real time pollution and temperature monitoring
- Building safety monitoring systems
- Wild Life Monitoring and Tracking
- Military sensing and tracking
- Monitoring complex machinery and processes
- Video surveillance

- Impracticality of public key cryptosystems
- Vulnerability of nodes to physical capture
- Nodes not tamper resistant (neighbor distrust)
- Lack of a-priori knowledge of post deployment configuration
- Limited memory resources
- Limited bandwidth and transmission power
- Over-reliance on base stations exposes vulnerabilities

- Deployed nodes must be able to establish secure node to node communication
- Scheme should be functional without involving the base station as arbiter or verifier
- Additional legitimate nodes deployed at a later time can form secure connections with already-deployed nodes
- Unauthorized nodes should not be able to establish communications with network nodes and thus gain entry into the network
- The scheme must work without prior knowledge of which nodes will come into communication range of each other after deployment.
- The computational and storage requirement of the scheme must be low, and the scheme should be robust to DoS attacks from out-of-network sources.

- Resilience against node capture
- Resistance against node replication
- Revocation
- Scale

- Proposed by Eschenauer and Gligor
- 4 phases
- Initialization

- Node Deployment

- Key Setup

- Path Key Generation

- Pick a random set of keys S out of the total possible key space
- “Key Ring” : for each node, randomly select m keys from S and store in node memory
Criteria : two random subsets of size m in S will share at least one key with probability P

- Sensor nodes are deployed
- Key Setup Phase
- key discovery:
- a short identifier is assigned to each key before deployment
- each node broadcasts its set of identifiers

- verification: nodes containing shared keys in their “key rings” verify that neighbor actually holds key by challenge response protocol

- key discovery:

- A connected graph of secure links is formed
- Nodes setup path keys with nodes in their vicinity whose share keys are not present in their key rings
- Path can be found from source node to its neighbor from connected graph
- Source node generates path key and sends it securely via the path to target node

- For high graph connectivity during key-setup phase right parameters need to be picked
- D -> degree for the vertices in graph such that graph is connected with a high probability c =0.999
- D = ((n-1)/n) (ln(n) – ln(-ln(c))) where n is network size
- Probability of successful key setup with some neighbor, p = (d/n’) where n’ is expected no. of neighbors

- Initialization same as Basic Scheme but with different size of selected key pool S
- In Key Setup Phase, key discovery is more secure, using Merkle Puzzles
- In Key Discovery every node identifies every neighbor node with which it shares at least ‘q’ keys
- Link Key K is generated as a hash of all shared q’ keys, where q’ >= q
eg : K = hash( k1 ll k2 ll k3 ll….ll kq’ )

- Key Setup is not performed between nodes that share fewer than q keys

- amount of key overlap required for key setup is q (increased from 1 in Basic)
- Hence exponentially harder for adversary with a given key set to break a link
- But to preserve probability of two nodes sharing sufficient keys to establish a secure link, size of key pool S to be reduced
- Reduced pool size allows attacker to gain larger sample of S by breaking fewer nodes
- Optimum overlap – best security !!

Evaluation: Pool Size Computation

M = 200 keys

P = 0.5

Observation : For Optimal Choice of key overlap, expected no. of nodes to be captured for eavesdropping (0.1 probability) is high

- P(i) -> no. of ways to choose two key ring with i common keys
- Pconnect -> probability of any two nodes sharing sufficient keys to form a secure connection
- Then p(i) is given as :

Pconnect = 1 – (p(0) + p(1) +…..+p(q-1))

For minimum key overlap q and min. connection probability p,

choose largest ISI such that pconnect >= p

Metric : resilience against node capture by calculating the fraction of links in the network that an attacker is able to eavesdrop on indirectly as a result of recovering keys from captured nodes

Metric : estimation of max. supported size of network given certain security properties hold

- Initial Key Setup using Basic Scheme
- Now, consider the secure link between nodes A and B after key-setup
- This link is secured using a single key k from pool S

- Problem - k may be present in key ring memory of some other nodes
- If any of these nodes are captured, security of A->B is in jeopardy
- Solution : update communication key to a random value after key – setup
- Coordinate key update over multiple independent paths

- Assumption : j be the no. of disjoint paths between A and B created during key setup
- Node A generates j random values v1,v2…vj of same length as shared key
- Each value is routed along a different path to B and when B receives all j keys, new link key is computed as:
k’ = k + v1 + v2 + ….+ vj

- Long paths are not suitable
- 2-hop multipath key reinforcement is optimal
- Discovery overhead is minimized

Metric : Resistance against node capture

Observation : reinforced basic scheme works best

Metric : Maximum Supportable Network Sizes

Observation : Multipath Key Reinforcement gives boost when implemented with basic scheme

Random-pairwise keys scheme

- In all schemes so far, no node can authenticate the identity of a neighbor it is communicating with
- Ex. A shares some set of keys with B
- It is possible that C could also posses this key
- Hence, A does not know if is communicating with B for sure

- Possible if a node can ascertain the identity of the nodes that it is communicating with
- Useful in many cases:
- Detecting node misbehavior
- Resisting node replication attack
- Shift security functions away from the base station

- Perfect resilience against node capture
- Node to node identity authentication
- Distributed node revocation
- Resistance to node replication
- Comparable scalability

- To achieve the probability p described by ER formula, in a network of n nodes:
- Each node need only store a random set of nppairwise keys (instead of n-1)
- Thus, if node can store m keys, network size n=m/p
- “n should increase with increasing m and decreasing p”

- n=m/punique node identities generated
- Each node identity matched with m other randomly selected distinct node IDs
- Pairwise key generated for each pair of nodes
- Along with ID of other node that also knows the key, key is stored at both nodes

- Each node broadcasts node ID to immediate neighbors
- By searching in each others key rings, neighboring nodes can tell if they share a common pairwise key
- Cryptographic handshake performed between neighbors to accept the fact that they both have knowledge of key

- Key discovery involves much less traffic than random key predistribution
- Hence can have nodes rebroadcast node ID for certain number of hops

- Has impact on maximum supportable network size n
- n=mn’/d (as seen earlier,p=d/n’, n=m/p)
- Since n’ increases, maximum network size n also increases

- Should be used with caution: since message rebroadcast is performed without authentication/verification: can lead to potential DoS attacks
- To prevent, can remove multihop range extension, as is not required for random pairwise scheme

- Node revocation in random pairwise possible via base stations (but is slow)
- Assumption: mechanism present in each sensor to detect if neighboring nodes have been compromised
- Nodes broadcast public votes against a detected misbehaving node.
- If any B observes more than threshold number t of public votes against A, then B breaks off all communication with A
- Voting scheme, voting members

- Scheme 1: Consider any node A in the network; there are m nodes matched with it
- These are voting members for A
- Each assigned a random voting key Ki
- Each also knows hashes of other nodes’ keys
- Nodes compute hash of Ki to verify vote
- Increases memory requirement to O(m2)

- Scheme 2: Merkle tree mechanism: O(log m) computation per output (fractal traversal)
- Only a single verifying hash value (root) needs to be stored
- Drawback: necessary to remember which nodes already traversed, to avoid replay votes

- t should be
- Low enough that unlikely that any node has degree < t
- High enough that compromised nodes cannot revoke legitimate nodes

- Voting scheme uses naïve broadcast, vulnerable to DoS attack
- Network of voting members form random graph with almost same (high) probability of being connected as original network (mn’/n)

- To prevent widespread release of revocation keys by compromised nodes, only nodes that have established direct communication with a node B have ability to revoke B
- Done by distributing revocation keys to voting members in deactivated form, source node knows secret SBi, which voting members request during key discovery and setup

- To be resistant to addition of infiltrator nodes derived form captured nodes, in case of capture being undetected by the network
- Degree of a node limited to counter replication
- Method for degree counting implemented with public vote counting, thus a node able to track nodes which share pairwise keys with it

- Efficient bootstrapping of secure keys important for secure sensor networks
- Tradeoffs exist in each scheme, choice depends on which tradeoff is most appealing (scenario dependent)
- q-composite scheme: good security for small scale attacks/vulnerable to large scale
- 2-hop multipath: improved security/network traffic overhead
- Random pairwise: resilient, good security/does not support as large networks as other schemes