Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech

Agenda Introduction Contributions Key Distribution Schemes Proposed Protocol Properties of Key Revocation Proof of Properties Conclusions

Introduction Complexity of secure communication Large number of nodes No knowledge of topology before hand Limited resources Exposure of nodes to adversary Possible key revocation schemes Centralized Distributed

Contributions Rigorous definition of distributed revocation properties A general active adversary model Protocol for distributed Key revocation

Key Distribution Schemes Fully Pairwise-Shared Keys Every node shares key with every other node Large number of keys Use of Trusted KDC KDC distributes keys Small number of keys Centralized point of attack λ-Secure n x n Keys Property of λ-Security

Key Distribution Schemes Random Key Distribution Scheme Key Ring of size m Key pool of size |Q| 2 random subsets of size m will share at least 1 key with probability p Use of q-composite keys Tradeoff between initial resistance to subsequent weakness

Key Distribution Schemes Random Pairwise Keys Proposed by Chan et al Preload just m keys, where m<<n Node share a key with neighbor with probability p Can provide node authentication

Key Distribution Schemes MultiSpace Keys Select pools of keyspaces Common keyspace provide λ-security Deterministic Key Predistribution Allocation to ensure key sharing Memory is O(√n) Same keys could be shared between many nodes

Node Revocation Problem Takes place in presence of active adversaries Adversaries can modify and monitor messages Limited resources available Distributed Scheme is more useful Decisions made by neighbors Decision can be made faster More complex

Attacker & Communications Model Adversary has universal communication presence Adversary can perform chosen node compromise Compromised nodes collaborate Adversary cannot block or significantly delay communications

Assumptions Deployment Atomicity Do not occur while there are active revocation sessions in the network Locality Restriction of Compromised Nodes Nodes cannot replicate and move to other places in the network Node Degrees Number of local participants, d i >>t Adversary can attempt to reduce degree of legitimate nodes

Assumptions Node Revocation Events are visible to the neighborhood Malicious nodes providing spurious revocations Revocation Sessions are always available Revocation attempts by legitimate nodes are infrequent Malicious node tries to exhaust revocation sessions against target, known by neighborhood Do not assume time synchronization

Cryptographic Primitives Random polynomial q(x) = a 0 + a 1 x + a 2 x 2 +… + a t-1 x t-1 Cryptographic Hash 1 way function, hash of coefficients Authenticated Encryption Detect ciphertext forgeries Detect false decryption keys

Merkle Tree

Secret Share How to divide data D into n pieces in such a way that D is easily reconstructable from any k pieces, but even complete knowledge of k - 1 pieces reveals absolutely no information about D.

Offline Node Initialization

Stages of Revocation A is initially in pending state for session s When 1 st vote is cast or received, it moves to active state It records votes of other participants After Δs time, it moves to completed state For full dissemination of messages, Δs>2Δc, where Δc is the time to propagate a message in the neighborhood

Voting in Revocation Session When node A detects compromise, it votes in this session and the next It transmits (q Bs (X ABs ), X ABs ) Also transmits (log m) Merkle tree authentication hash values

Completing Revocation Session If A receives t votes Able to compute q Bs Transmits Hash of the polynomial Other nodes verify this hash and delete the shared keys with the target Otherwise Session number is updated All nodes privately notify base station of failed revocation

Properties of Distributed Revocation Completeness If a compromised node is detected by t or more uncompromised neighboring nodes, then it is revoked from the entire network permanently. Soundness If a node is revoked from the network using this scheme, then at least t nodes must have agreed on its revocation.

Properties of Distributed Revocation Bounded Time Revocation Completion Revocation decision and execution occur within a bounded time period from the time of sending of the first revocation vote. Unitary Revocation Revocations of nodes are unitary (all-or-nothing) in the network. Specifically, if a node is revoked in one part of the network, then it will be revoked in the whole network.

Properties of Distributed Revocation Revocation attack resistance If c nodes are compromised, then they can only revoke at most αc other nodes where α is a constant and α<<m/t. Comes from definition of Revocation Attack An attack where an adversary uses the distributed node revocation protocol to selectively revoke uncompromised nodes from the network.

Session Agreement Two nodes are in session agreement with respect to a target node at some instant in time if, for some session s, either session s is pending for both nodes, session s is active for both nodes, session s is active for one node B and session s is completed for another node A, but session s is completing within time Δc for node B, or session s is active for one node A and pending for the other node B, but node B is activating session s within Δc time.

Lemmas Every node is deployed with the correct current revocation session for its participants. At any given point in time, any two uncompromised local participants are in session agreement for any target node.

Proof of Lemma Case1 Session s is pending for both nodes at time T, and at time T+ε, node A activated session s. Case2 Session s is active for both nodes at time T. At time T+ε, node A completed session s, but node B still has the session active.

Proof of Lemma Case3 Session s is active for node B and session s is complete for node A at time T. At time T+ε, session s has completed for node B. Case4 At time t, session s is active for A and pending for B. At time T+ε, session s has completed for node A.

Proof for Completeness Node B has lowest session number Arbitrary Node A Case1 Session s is pending for B Node A has either session s pending or active Case2 Session s-1 is active for B Node A has session s-1 pending or s-1 active or s pending or s active

Proof for Soundness If Node C is revoked, H(q cs ) is broadcast For this q cs must be obtained By secret share, only possible from t shares

Proof for Bounded Time Revocation First vote cast at time T All nodes activate session within T+Δc Decision taken within time Δs Time to propagate decision is Δd Total time is bounded

Proof for Unitary Revocation Case 1 Node is revoked in 1 part of the network Correct value of q cs is received and transmitted and revoked in time Δd Case 2 If a node is not revoked in some part of the network, then it was not revoked in any part of the network in the time prior to the last Δd

Proof for Attack Resistance Each compromised node can form connections with d i nodes Thus, each compromised node can unmask at most d i votes each. The total number of unmasked votes is thus

Conclusions Overview of key distribution techniques Precise formulation of distributed revocation problem Protocol for distributed revocation Distributed algorithms are more complex but are faster than centralized Avoidance of single point of failure

Questions?