dr. kemal akkaya e-mail: kemal@cs.siu
Post on 05-Jan-2016
40 Views
Preview:
DESCRIPTION
TRANSCRIPT
Wireless & Network Security 1 Kemal Akkaya
Department of Computer ScienceSouthern Illinois University Carbondale
CS 591 – Wireless & Network Security
Lecture 14: Key Management in WSNs Dr. Kemal Akkaya
E-mail: kemal@cs.siu.edu
Wireless & Network Security 2 Kemal Akkaya
Key management: Constraints in WSNs Sensor node constraints:
Battery power Computational energy consumption Communication energy consumption
Transmission range Memory Temper protection Sleep pattern
Network constraints: Ad-hoc network nature Packet size
Nodes can easily be captured and compromised Key Management include the processes of key setup, the initial
distribution of keys and key revocation (removal of the compromised key).
Many Security-critical application that depend on key management processes demand a high level of fault tolerance when a node is compromised.
Wireless & Network Security 3 Kemal Akkaya
Key management approaches classification
Wireless & Network Security 4 Kemal Akkaya
Approaches Trusted-Server Schemes
Finding trusted servers is difficult.
Public-Key Schemes Expensive and infeasible for sensors.
Key Pre-distribution Schemes Simplest solution is a network-wide shared key.
Problem: if even a single node were compromised, the secret key would be revealed, and decryption of all network traffic would be possible.
Slightly better solution: Pairwise keys: Impractical because of storage Use a single shared key to establish a set of link keys, one per pair of
communicating nodes, then erase the network-wide key Problem: does not allow addition of new nodes after initial deployment.
Others: Random pre-key distribution Quorum-based
Wireless & Network Security 5 Kemal Akkaya
Basic probabilistic approach Due to Eschenauer and Gligor Relies on probabilistic key sharing among nodes of WSN Uses simple shared-key discovery protocol for key distribution,
revocation and node re-keying Three phases are involved:
key pre-distribution, shared-key discovery, path-key establishment
Key pre-distribution Generate a large key pool P (217-220 keys) and corresponding key identifiers Create n key rings by randomly selecting k keys from P Load key rings into nodes memory Save key identifiers of a key ring and associated node identifier on a controller For each node load a key which it shares with a base station
Shared-key Discovery Takes place during initialization phase after WSN deployment. Each node
discovers its neighbor in communication range with which it shares at least one key
Nodes can exchange ids of keys that they poses and in this way discover a common key
Wireless & Network Security 6 Kemal Akkaya
Path-key establishment During the path-key establishment phase path-keys are assigned to
selected pairs of sensor nodes that are within communication range of each other, but do not share a key
Node may broadcast the message with its id, id of intended node and some key that it posses but not currently uses, to all nodes with which it currently has an established link. Those nodes rebroadcast the message to their neighbors
Once this message reaches the intended node (possible through a long path) this node contacts the initiator of path key establishment
Analysis shows that after the shared-key discovery phase a number of keys on a key ring are left unused
Wireless & Network Security 7 Kemal Akkaya
Node Capture & Connectivity
Node CaptureMore robust then approaches that use single mission key In case node is captured k<<n keys are obtainedThis means that the attacker has a probability of k/P to
attack successfully any other WSN linkConnectivity
Two nodes are connected if they share a keyFull connectivity of WSN is not required because of the
limited communication capabilities of the sensor nodesTwo important questions:What should be the expected degree of a node so that
WSN is connected?Given expected degree of a node what values should the
key ring size, k, and pool, P, have for a network of size n so that WSN is connected?
Wireless & Network Security 8 Kemal Akkaya
q-composite approach Enhancement of the basic probabilistic approach Idea: nodes should share q keys instead of only one Approach:
Key pool P is an ordered set During initialization phase nodes broadcast ids of keys that they have After discovery each nodes identifies the neighbor with which it share at least q
keys Communication key is computed as a hash of all shared keys Keys appear in hash in the same order as in key pool
Benefits q-composite approach has greater resiliency to node capture than the basic
approach if small number of nodes were captured Simulations show that for q=2, the amount of additional communications
compromised when 50 nodes (out of 10000) have been compromised is 4.74%, as opposed to 9.52% in the basic scheme
However if large number of nodes have been compromised q-composite scheme exposes larger portion of network than the basic approach
The larger q is the harder it is to obtain initial information Parameter q can be customized to achieve required balance for a particular
network
Wireless & Network Security 9 Kemal Akkaya
Zhu / Xu approach Another modification of the basic probabilistic approach Major enhancement:
Pseudorandom number generator is used to improve security of key discovery algorithm
Also uses secret sharing which jointly with logical paths allows nodes to establish a pairwise key that is exclusively known to the two nodes (in contrast to basic probabilistic approach, where other nodes might also know some particular key)
Wireless & Network Security 10 Kemal Akkaya
Zhu / Xu approach: key pre-distribution
Background: a pseudo-random number generator, or PRNG, is a random number generator that produces a sequence of values based on a seed and a current state. Given the same seed, a PRNG will always output the same sequence of values.
Key pool P of size l is generated For each node u, pseudorandom number generator is used to generate
the set of m distinct integers between 1 and l (key ids). Nodes unique id u is used as a seed for the generator
Each node is loaded with key ring of size m Keys for the key rings are selected from key pool P in correspondence
with integers (key ids) generated for a particular node by pseudorandom number generator
This allows any node u that knows another nodes v id to determine the set of ids of keys that v poses
Wireless & Network Security 11 Kemal Akkaya
Further enhancements So far all the discussed approaches have used one of the following
algorithms for shared-key discovery: Key id notification Challenge response Pseudorandom key id generation
Those algorithms work well against so called “oblivious” attacker, the one that randomly selects next sensor to compromise
What if attacker selects nodes that will allow him to compromise the network faster, based on already obtained information (key ids)?
This is the case of so called “smart” attacker
Wireless & Network Security 12 Kemal Akkaya
Smart attacker More precisely smart attacker can be defined as follows:
at each step of the attack sequence, the next sensor to tamper is sensor s, where s maximizes E[G(s)| I(s)], the expectation of the key information gain G(s) given the information I(s) the attacker knows on sensor s key-ring
Simulations show that Key id notification and pseudorandom key id generation can be easily beaten by the smart attacker
Challenge response performs better
Wireless & Network Security 13 Kemal Akkaya
Simulation results
Experimental results on id notification and pseudorandom key id generation: Number of sensors to corrupt in order to compromise an arbitrary channel.
Wireless & Network Security 14 Kemal Akkaya
Simulation results
Experimental results on challenge response:Number of sensors to corrupt in order to compromise an arbitrary channel.
Wireless & Network Security 15 Kemal Akkaya
Background: polynomial based key pre-distribution
Polynomial based key pre-distribution scheme reduces the amount of pre-distributed information still allowing each pair of nodes to compute a shared key
Polynomial based key pre-distribution is λ-collusion resistant, meaning that as long as λ or less nodes are compromised the rest of the network is secure
Utilizes polynomial shares
Wireless & Network Security 16 Kemal Akkaya
Polynomial based key pre-distribution : initialization
Special case: λ=1 Each node has an id rU which is unique and is a member of finite field Zp
Three elements a, b, c are chosen from Zp
Polynomial f(x,y) = (a + b(x + y) + cxy) mod p is generated For each node polynomial share gu(x) = (an+ bnx) mod p
where an= (a + brU) mod p and bn= (b + crU) mod p is formed and pre-distributed
Wireless & Network Security 17 Kemal Akkaya
Polynomial based key pre-distribution : key discovery
In order for node U to be able to communicate with node V the following computations have to be performed: Ku,v= Kv,u= f(ru,rv) = (a + b(ru+rv) + crurv )mod p
U computes Ku,v= gu(rv)
V computes Kv,u= gv(ru)
Wireless & Network Security 18 Kemal Akkaya
Polynomial based key pre-distribution : example
Example: 3 nodes: U, V, W, with the following id’s 12, 7, 1 respectively p=17 (chosen parameter) a=8, b=7, c=2 (chosen parameters) Polynomial f(x,y) = 8+7(x+y)+2xy g polynomials are gu(x) = 7 + 14x, gv(x) = 6 + 4x,
gw(x) = 15+9x Keys are Ku,v=3, Ku,v=4, Ku,v=10 U computes Ku,v= gu(rv) = 7+14*7mod17 = 3 V computes Kv,u= gv(ru) = 6+4*12mod17 = 3
Wireless & Network Security 19 Kemal Akkaya
Liu-Ning approach
Combination of polynomial-based key pre-distribution and the key pool idea discussed above
Increases network resilience to node capture Can tolerate no more than λ compromised nodes,
where λ is constrained by the size of memory of a node Idea: use a pool of randomly generated polynomials When pool contains only one polynomial the approach
degenerates to basic polynomial based key pre-distribution scheme
When all polynomials are of degree 0 the approach degenerates to key pool approach
Three phases are involved: setup, direct key establishment, path key establishment
Wireless & Network Security 20 Kemal Akkaya
Phases Setup Phase
Set F of bivariate λ-degree polynomials over finite field Fq is generated Each polynomial is assigned a unique id For each sensor node a subset of s’ polynomial is randomly chosen from F For each polynomial in the chosen subset a polynomial share is loaded into nodes
memory Direct Key Establishment Phase
During this phase all possible direct links are established A node can establish a direct link with another node if they both share a polynomial
share of a particular polynomial How to find common polynomial? Use above discussed approaches
Path Key Establishment Phase If direct connection establishment fails nodes have to start path key establishment phase Nodes need to find a path such that each intermediate nodes share a common key Node may broadcast the message with polynomials ids that it posses to all nodes with
which it currently has an established link Once this message reaches the intended node (possible through a long path) this node
computes a key and contacts the initiator of path key establishment Drawback: may introduce considerable communication overhead
Wireless & Network Security 21 Kemal Akkaya
Grid-based key pre-distribution Instance of general framework discussed above Benefits:
Guarantees that any two nodes can establish a pairwise key, if no nodes were compromised
Allows sensors to directly determine whether it can establish a pairwise key with another node and which polynomial to use in case of positive answer
Wireless & Network Security 22 Kemal Akkaya
Location Aware Purely Random Key Predistribution (P-RKP)
Du et. al (IEEE Infocom 2004) Improves Random Key Predistribution (Eschenauer and Gligor) by exploiting Location
Information. Studies a Gaussian distribution for deployment of Sensor nodes to improve security and
memory usage.
Groups select from key group S (i,j) Probability node is in a certain group is (1 / tn).
njtiSS ji ..1,,...1,,
Wireless & Network Security 23 Kemal Akkaya
Location Aware Purely Random Key Predistribution (P-RKP)
Key sharing graphs used to enable connectivity
Use flooding to find secure path (Limit to 3 hops)
Setting up the key pools Two horizontally or vertically neighboring
pools share a|Sc| keys where 0<= a <= 0.25 Two diagonally neighboring key pools share
b|Sc| keys, where 0<=b<=0.25 Two non-neighboring key pools share no
keys. Overlapping factors - a,b
top related