1 / 31

Security requirements addressed and solutions proposed in the paper

SPINS: security protocols for sensor networks Adrian Perrig , Robert Szewczyk , Victor Wen, David Culler, J.D. Tygar University of California, Berkeley. Security requirements addressed and solutions proposed in the paper. Data confidentiality

howard-stanley
Download Presentation

Security requirements addressed and solutions proposed in the paper

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SPINS: security protocols for sensor networksAdrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. TygarUniversity of California, Berkeley

  2. Security requirements addressed and solutions proposed in the paper • Data confidentiality • Sensor readings should not be leaked to neighboring networks or intruders. • Solution Approach: Set up secure channels. i.e., channels between nodes and base stations (SNEP) that offer data confidentiality, authentication, integrity and freshness. • Data authentication • Verify that the data was in fact sent by the authentic sender in a broadcast setting. • Solution proposed:

  3. Security requirements addressed and solutions proposed in the paper… • Data integrity • Receivers can be ensured that received data has not been changed by an adversary • Approach: achieved through data authentication (SNEP supports it) • Data freshness • Receivers need to know that data received is recent (means no adversary replayed old message) • Weak freshness (partial message ordering, no delay info.) • Strong freshness (total ordering, have delay estimation) (SNEP supports data freshness)

  4. Communication architecture Outside network • Each node can forward a message towards a base station, recognize packets received, handle message broadcasts • Base station accesses individual nodes using source routing • Base station interfaces with outside network, accesses individual nodes. Base station node

  5. Communication patterns within the network • node to base station: for example, sensor reading • base station to node: for example, specific requests • base station to all nodes: for example, queries or reprogramming the entire network

  6. Trust scheme in sensor network • All sensor nodes trust the base station • Each node is given a master key shared with the base station (a severe limitation) • All other keys are derived from the master key • Each node trusts itself, in particular each node trusts its local clock.

  7. Notations used encryption modes such as cipher-block chaining(CBC) or output feedback mode(OFB) Or counter mode (CTR)

  8. SNEP (Secure Network Encryption Protocol) • Objective: Secure two-party communication • Components of SNEP • Symmetric key cryptography is used • Message authentication using MAC • Block cipher in counter mode

  9. SNEP components • Symmetric key cryptography • Relies on a shared counter and secret key (master key) between the sender and receiver • MAC A Key generated from master key D: raw data; E:encrypted data An encryption key obtained from master key C, counter

  10. SNEP components (con’t) • Block cipher in counter mode encryption decryption

  11. SNEP communication • Weak version (sending order of messages from each node is preserved) The complete message that A sends to B is: • Properties of SNEP • Semantic security • Prevents eavesdroppers from inferring message content from encrypted messages (using counter which incremented after each message) • Data authentication using MAC • Replay protection • Counter value prevents replay • Low communication overhead • Weak freshness : • If message is verified correctly, receiver knows that current message has been sent after the previous message

  12. SNEP communication SNEP provides weak data freshness because it only enforces sending order on messages within node B, but no absolute assurance to node A that the message was created in response to A’s request Stronger version of SNEP to address the problem(with Request Reply between two parties) Node A generates and sends it with a request message Then node B returns a reply message with MAC If the MAC verifies correctly, node A knows that the message is the response message from node B.

  13. SNEP implementation Key setup • Initially each node shares its master key with base station • All other keys are bootstrapped from the initial master key a MAC function is used for generating other keys from master key

  14. Purpose: authenticated broadcast • A modified version of TESLA (Time Efficient Stream loss-tolerant Authentication) for sensor networks

  15. Solution to authenticated broadcast • Asymmetric mechanism consisting of delayed key disclosure and generation of key chain using one-way function. • Receivers can only verify the authentication information, but not generate valid authentication information. (introduce asymmetry through a delayed disclosure of symmetric keys)

  16. Basic idea behind • Base station attaches to each packet a MAC computed with a key K known only to itself. • The receiver buffers the received packet until it is able to authenticate it. • A short time later, the base station discloses key K to all receivers and the receivers are able to authenticate the packet at that time. • Clocks of Base station and nodes are loosely synchronized.

  17. Main components of One way key chain Generate the chain by repeatedly applying a one-way function F

  18. Sketch of protocol • sender (base station) setup • broadcasting authenticated packets (sender) • authenticating broadcast packets (receivers) • bootstrapping new receivers • how other nodes can broadcast authenticated data

  19. Sender setup • Sender (Base station) splits up the time into time intervals of uniform duration. • Next, forms a one-way chain of self-authenticating keys, and assigns the keys sequentially to the time intervals (one key per time interval). • Then the base station defines a disclosure time for one-way keys, usually on the order of a few time intervals. • The base station publishes the key after the disclosure time.

  20. Sender setup… • key chain generation • firstly generate a sequence of secret keys, then randomly choose one as the last key, • finally apply one-way function F repeatedly to generate remaining key values. from

  21. Broadcasting authenticated packets • Attach MAC code in packets Base station splits up the time into time intervals and attaches a MAC to each packet. For each packet, the base station determines the time interval and uses the corresponding key from the one-way chain as a cryptographic key to compute the MAC.

  22. Delayed key disclosure after sending packets • Key disclosure • The sender discloses the key after ∂ time intervals after the end of interval t (t is the interval in which the sender sends the packet). example

  23. Authenticating packets at receiver side 1. Upon receiving a packet, check “security condition” • A receiver checks that the key used to compute the incoming MAC is still secret by determining that the sender has not reached the time of disclosure. • If x < i + ∂ (∂ is the key disclosure delay, x is local time, ipacket sending time of sender node) then sender node has not disclosed the key, • put the packet into the buffer • Else discard the packet

  24. Authenticating packetsat receiver side … 2. After succeeding in security check, when the node receives a key and verifies the key by checking if , where is the last authentic key it knows. If true, the receiver can authenticate packets sent within intervals i to j and replace the stored with .

  25. Bootstrapping new receivers: • Purpose: Tell receiver its current authentic key of one-way key chain, synchronize clock of the receiver with sender’s clock and let the receiver know the key disclosure schedule. • Once the receiver has an authenticated key of the chain, subsequent keys of the chain are self authenticating. i.e., the receiver can easily and efficiently authenticate subsequent keys of the key chain using the one authenticated key. • For example, if a receiver has authenticated Kithen it can authenticate Ki+1 by verifying Ki= F(Ki+1).

  26. Bootstrapping new receivers by request and response Newly joined node M initiates the process by transmitting nonce to the base station S; Then base station S replies with message containing Ts(current time), revealing Ki, key of the one-way key chain in a past interval i with starting time Ti and Tint(duration of time interval), and the disclosure delay ∂ time intervals.

  27. How Nodes broadcast authenticated data • Because of limited memory and energy, nodes cannot store one-way key chain; moreover computing each key from the initial key Knis computationally expensive. • Two viable approaches to solve the problem: • nodes broadcast data through base station. Use SNEP to send the data to BS in an authenticated way. BS then subsequently broadcasts the data. • nodes broadcast data, but base station keeps one-way key chain and sends to broadcasting node as needed. To conserve energy for nodes, base station can broadcast the disclosed keys and/or perform the initial bootstrapping procedure for new receivers.

  28. Node-to-node key agreement • Purpose: design a symmetric protocol that uses base station as trusted agent for key setup • Assume A and B want to bootstrap secure connection through the third party, namely, the base station • As we know each of the nodes A and B share a secret key with base station

  29. Node-to-node key agreement A wants to establish a secure channel between itself and B and sends a request to B. Node B then sends a request to base station with information about node A. Base station sends responses to both A and B by returning a session key SKAB.

  30. Performance Energy costs of adding security protocols to sensor network

  31. Conclusion • SNEP • Establishes secure channel between nodes and base station • Supports data confidentiality, authentication, integrity and freshness • μTESLA • Used for efficient Authenticated broadcast by base station (can be used for broadcast by nodes as well with the help of base station and using SNEP)

More Related