- 32 Views
- Uploaded on
- Presentation posted in: General

EE 418 Project 2: Key Distribution in Wireless Sensor Networks

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

EE 418 Project 2: Key Distribution in Wireless Sensor Networks

Professor Radha Poovendran

Andrew Clark

- Groups of up to 4 are allowed
- Due December 15during the exam
- Four parts
- Key distribution problems
- Node Capture Attack Simulation
- Analysis of Node Capture Attack
- Route Capture Attack Simulation

- Groups are required to complete three of the four parts

- Sensor networks and their applications
- The key distribution problem
- The Eschenauer-Gligor scheme
- Non-cryptographic attacks:
- Node capture
- Link capture
- Route capture

- Modifications of the EG scheme
- Conclusion

Emerging technology with many potential applications

Inventory Tracking

Fire Detection

Patient Monitoring

Battlefield Surveillance

- Network of N sensor nodes, indexed {1,…,N}
- Two nodes can communicate if they are within radio range
- May lack supporting infrastructure (e.g. base station)
- Computing power, battery lifetime of nodes limit range of protocols used
- In some applications, no public key crypto!

2

2

6

6

1

1

5

5

7

7

3

3

4

4

- In order to communicate, two sensor nodes must share a key
- Moreover, if two nodes communicate via multiple hops, then each pair of nodes along the path must share a key
- How do we guarantee that the network is connected if the network topology is not known in advance?

2

2

6

6

1

1

5

5

7

7

3

3

4

4

- Every node is preloaded with a secret key for every other node
- Problems:
- Storage constraints in individual nodes and the network as a whole
- If you have 1000 nodes, each node needs to store 999 long keys, and the total number of keys is ~1000000

- Updating the network becomes difficult

- Storage constraints in individual nodes and the network as a whole
- Not practical for large networks!

- Eschenauer and Gligor (2002) proposed a novel and straightforward scheme.
- A pool of P keys is generated randomly.
- Each node is preloaded with a random collection of k keys from the pool.
- The number of keys per node is a design parameter.

P = 8

k = 3

{k1, k5, k6}

6

6

1

1

2

{k6, k7, k8}

{k1, k2, k4}

5

5

4

{k3, k6, k8}

{k3, k4, k8}

7

7

3

3

{k2, k5, k8}

{k2, k3, k5}

- How do we choose k and P?
- First, find p according to the equation:

- Pcis the probability that a network of n nodes is connected, assuming that each pair of nodes share a link with probability p.
- E.g. suppose we want a network of size n=10000 to be connected with probability 0.99. Then we have exp{-e-c} = 0.99, so c = -log(-log(0.99)) = 4.6 and p = log(10000)/10000 + 4.6/10000 = 0.0014
- Hence in this example, if two nodes share an edge with probability 0.0014, then the network is connected (assuming each node’s radio range is infinite)

- Using p, we can find d, the expected degree of each node in the network to ensure connectivity:
d = p*(n-1)

- We can use d (rather than p) to characterize the network
- One problem: so far, we have neglected to take radio range into account!

- Suppose that, due to range constraints, each node can only connect to n’ of its neighbors.
- In this case, we want the probability of connectivity to be p’ = d/(n’-1) to ensure that the whole graph is connected.

- Given p’, we can then find values of P and k using the equations on page 5 of [1]:

- In summary, we have the following approach:
- Given n (number of nodes) and Pc (design constraint), find c and p using Erdos’s formula
- Calculate d = p*(n-1)
- If the neighborhood size is n’ (due to radio range), find p’ = d/(n’-1)
- Choose P and k so that Pr(two nodes share a key) = p’

From a security standpoint, can you think of a problem with assigning keys in this way?

- The adversary may have a hard time attacking security through cryptanalysis
- However, recall that the network is unmonitored for extended periods
- We consider “node capture attacks”, in which the adversary steals the key by physically capturing a node
- The EG scheme is especially vulnerable because many different nodes may share the same key

- The first type of attack is the seed cover attack, in which the adversary attempts to recover the entire key pool (or at least a large subset of it).
- This is equivalent to the set-covering problem
- Can use efficient “greedy” heuristic
- At every iteration, capture the node with the most unknown keys

P = 8

k = 3

{k1, k5, k6}

6

6

1

1

2

{k1, k2, k4}

{k6, k7, k8}

5

5

4

{k3, k6, k8}

{k5, k7, k8}

7

7

3

3

{k2, k5, k8}

{k2, k3, k5}

P’ = {k1, k2, k4, k3, k6, k8, k5, k7}

- The second type of attack is the link cover attack.
- Note that it may not be necessary for the adversary to capture all the secret keys; he may only have to capture enough to compromise all the links
- This is another set-covering problem

- In [2], the authors proposed different methods for mitigating the node capture problem
- In the q-composite scheme, q shared keys between nodes to are needed to communicate.
- The shared key between two nodes is then K = hash(k1||…kq)
- The adversary must therefore capture all q keys to break the link

P = 8

k = 3

{k1, k5, k6}

6

6

1

1

2

{k1, k2, k3}

{k6, k7, k8}

5

5

{k6, k8}

{k7, k8}

{k2, k3}

{k5, k8}

4

{k2, k5}

{k5, k6, k8}

{k5, k7, k8}

7

7

3

3

{k2, k5, k8}

{k2, k3, k5}

- Under the q-Composite scheme, the probability that Eve can compromise the link between two nodes by capturing random nodes is the top equation, where:
- |S| is the key pool size, m is the number of keys per node
- p(i) is the probability that two nodes share exactly i keys
- p is the probability that two nodes share at least q keys
- x is the number of nodes Eve will capture

- Suppose A and B have a secure link between them (i.e., they share a key k)
- We can improve the security of the link by updating its key after the initial setup.
- If there are m disjoint routes between A and B, then A can generate random numbers v_1, …, v_m and send each number (encrypted, of course) along a different route
- The shared key will then be k’ = k xor v1 xor … xor vm

- The final kind of attack we will consider is the route capture attack [4].
- Route capture attacks take advantage of the fact that traffic in a WSN has to be routed between nodes that are far apart.
- Thus if we capture certain “bottleneck” nodes, we can observe a lot of the network traffic.

- We want to define a way to quantify how vulnerable a route is after a certain number of keys is captured.
- For a route between source node s and destination d, we define a function Vsd
- Let C be a set of nodes that we can capture. Then we want:
- Vsd(C) = 0 if C is empty
- Vsd(C) between 0 and 1 if there is still some security to the route
- Vsd(C) = 1 if the route has been compromised.

- Suppose we have such a function Vsd. Then, given a set of pairs (s,d) and a set of routes Rsd between them, define the incremental node value by
- Now, we can implement a greedy algorithm not unlike that from the previous section
- At each iteration, we capture the node with the largest incremental node value.

- The adversary can choose Vsd in order to reflect his or her goals.
- An example in [4] is

- By using random key distribution, we can develop secure communication in a sensor network with limited storage
- This distribution scheme is vulnerable to attack:
- Seed cover
- Link cover
- Route cover

- There are techniques for mitigating these vulnerabilities.