LOGO A Public Key Cryptographic Method for Denial of Service Mitigation in Wireless Sensor Networks O. Arazi, H. Qi, D. Rose IEEE SECON 2007 proceedings Myunghan Yoo August 2, 2008
Progress Problem & background Solution Discussion
Public Key Cryptography Use private and public keys Given public key, easy to compute -> anyone can lock Only those who has private key compute its inverse -> only those who has it can unlock, vice versa. P D E()D() Key Attacker P KeKe KdKd C P C=E(P, K e ) P=D(C, K d ) Insecure channel Key
For Privacy - Encrypt M with Bob’s public key : C = e K (B p,M) - Decrypt C with Bob’s private key : D = d K (B s,C) * Anybody can generate C, but only Bob can recover C to M. Usage of PKC (I) e k (, ) M BPBP d k (, ) C M BSBS Public directory Alice : A p Bob : B p Chaum : C p.
Usage of PKC (II) d k (, ) M AsAs e k (, ) C M ApAp Alice : A p Bob : B p Chaum : C p. Public directory - Encrypt M with Alice’s private key : C = d K (A s,M) - Decrypt C with Alice’s public key : D = e K (A p,C) * Only Alice can generate C, but anybody can verify C. For authentication (Digital Signature)
Motivation & Objective Public Key Cryptography (PKC) Denial-of-Service Attack in PKC With repeated & meaningless requests to normal nodes to establish a session key, the adversary causes attacked normal nodes to waste energy resources ProsCons ResilienceHigh computational overhead ScalabilityWeak against DoS attacks Decentralized key management
Objective & Key Idea Objective Mitigating Denial-of-Service (DoS) attacks Key Idea Loading heavy computational burden on the instigator
Progress Problem & background Solution Discussion
Overview of Proposed Scheme Stage A: Alice proving her validity to Bob A relatively energy draining procedure on Alice’s part Stage B: Bob proving her validity to Alice A relatively low energy draining procedure on Bob’s part If successful If successful: both users hold an ephemeral shared secret key
The Instigator Proving Its Validity AliceBob n A ID A CR A (CR A ) e mod n CA = H(n A, ID A ) If so, generates a message, m, such that: t= m e mod n A t t d A mod n A = m x: LSB of message m compares n A : Alice’s public key, ID A : Alice’s public key ID, CR A : Alice’s certificate signed by CA with its private key, e, n CA : CA’s public key CR A = [H(n A, ID A )] d ca mod n CA H(n A, ID A ) = n A ID A 512 bits or 1024 bits
Message m x: Significant bits to identify the instigator y and z: Factors of an ephemeral key z 212bits y 200bits x 100bits Example of message m where the length of m is 512 bits.
Overview of Proposed Scheme Stage A: Alice proving her validity to Bob A relatively energy draining procedure on Alice’s part Stage B: Bob proving her validity to Alice A relatively low energy draining procedure on Bob’s part If successful If successful: both users hold an ephemeral shared secret key
The Approached Node Proving Its Validity Key Transport Elliptic Curve Digital Signature Algorithm (ECDSA) Self-Certified DH Fixed Key-Generation
Key Transport AliceBob Stage A If successful n B, CR B, ID B, S B Validation of the values: (CR B ) e mod n CA = H(n B, ID B ), (S B ) e mod n B = y If successful K AB-final = z Stage B: S B = y d B mod n B
ECDSA AliceBob Stage A If successful (C, L) Calculates h = L-1, q1 = y · h mod ordG, q2 = C · h mod ordG, P = q1 · G + q2 · V, and C’ is scalar of P If C’ = C K AB-final = z Stage B: V = u · G C is scalar of V L = u -1 (y + dB · C) mod ordG
Self-Certified DH Fixed Key-Generation Stage A If successful Self-Certified DH Fixed Key-Generation K AB-temp = K AB (generated by Alice) = n A x [H(ID B, n B ) x n B + n CA ] = K BA (generated by Bob) = n B x [H(ID A, N A ) x n A + n CA ] Stage B: K AB-final = H(K AB-temp, m’) n B, CR B, ID B AliceBob
Implementation Results Time (msec)Energy (J)Total AliceBobAliceBobTimeEnergy Stage A Stage B Key Transport ECDSA Fixed Key Time (msec)Energy (mJ) Total consumptionBoth stages Key Transport ECDSA Fixed Key Using 1024-Bit RSA and 160-bit ECC on the Intel MOTE 2 Platform from 312 MHz core clock
Progress Problem & background Solution Discussion
Contribution This paper may be the first try of DoS attack mitigation for PKC
Discussion Unclear environment of implementation communication distance between Alice and Bob Yet, unsuitable PKC in the WSN Incoherent logic Applying to only a suspicious node is needed DoS attack with incomplete stage A
DoS attack with incomplete stage A AliceBob n A ID A CR A (CR A ) e mod n CA = H(n A, ID A ) If so, generates a message, m, such that: t= m e mod n A t t d A mod n A = m x: LSB of message m compares n A : Alice’s public key, ID A : Alice’s public key ID, CR A : Alice’s certificate signed by CA with its private key, e, n CA : CA’s public key CR A = [H(n A, ID A )] d ca mod n CA H(n A, ID A ) = n A ID A 512 bits or 1024 bits Completed part Incompleted part
THANK YOU Q&A