Security for ad-hoc networks: Cryptography and beyond
David Wagner
U.C. Berkeley
How to think about security
Security goals: Confidentiality, Integrity, Availability
Threats: Outsiders? Insiders? Ordinary motes? Motes with superpowers?
Part I: Security against outsiders
The security risk: RF leakage
The outsider threat
Lesson: build in security from the start
Keeping the outsider at bay
[Figure: network of motes and a base station, every mote holding the same key k]
A simple approach: global shared keys
Global shared keys
Advantages
–Simple; reasonable performance
Limitations
–No security against insider attacks
–What if a mote is compromised or stolen?
Part II: Security against insiders
Tolerating compromised motes
Defending against insider attacks
[Figure: network of motes and a base station, the motes holding distinct keys k_1, …, k_5]
Per-mote keying
Per-mote keying
Advantages
–Simple; reasonable performance
–Lost motes don’t reveal rest of network’s keys
Disadvantages
–Motes can’t talk to each other without the help of the base station
–Insiders can still falsify sensor readings
An example
[Figure: network of motes and a base station, computing the average temperature; readings 67°, 64°, 69°, 71°, 68°]
f(67°, …, 68°) where $f(x_1, \ldots, x_n) = (x_1 + \cdots + x_n)/n$
An example + an attack
[Figure: network of motes and a base station, computing the average temperature; readings 67°, 64°, 69°, 71°, 68°, with one mote reporting 1,000°]
f(67°, …, 1,000°) where $f(x_1, \ldots, x_n) = (x_1 + \cdots + x_n)/n$
Result is drastically affected
Resilient aggregation
Some theory:
–For f : n → , a random variable X on n, and σ = StdDev[f(X)], define $\mathrm{Pow}(A) = E[(f(A(X)) - f(X))^2]^{1/2} / \sigma$
–Say f is (m, α)-resilient if Pow(A) ≤ α for all adversaries A : n → n modifying only m of their inputs
–Example: the “average” is not (m, α)-resilient for any constant α
Relevance of resilience
Intuition
–The (m, α)-resilient functions are the ones that can be meaningfully and securely computed in the presence of m malicious insiders.
Formalism
–Theorem. If f isn’t (m, α)-resilient, m insiders can bias f(...) by at least ± α σ, on average. If f is (m, α)-resilient, it can be computed centrally with bias at most ± α σ, for m insiders.
Examples
f… is (m, α)-resilient, where
–average: α = ∞
–average, discarding 5% outliers: $\alpha \approx 1.65\, m/n^{1/2}$ for m 0.05 n
–median: $\alpha \approx m/n^{1/2}$ for m < 0.5 n
–max: α = ∞
–95th percentile “max”: $\alpha \approx O(m/n^{1/2})$ for m < 0.05 n
–count: $\alpha \approx m/(p(1-p)n)^{1/2}$
(assuming n independent Gaussian/Bernoulli distributions)
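The Pow(A) definition and the table above can be checked numerically. The following Python sketch is an added example, not part of the original slides: it estimates Pow(A) by Monte Carlo for the average, a trimmed average and the median. Its assumptions are n = 100 Gaussian readings (mean 68, standard deviation 3), m = 4 compromised motes that all report one extreme value, and "discarding 5% outliers" read as dropping the lowest and highest 5%.

```python
import random
import statistics

def trimmed_mean(xs, frac=0.05):
    # Assumption: "discarding 5% outliers" = drop lowest and highest 5%.
    k = int(len(xs) * frac)
    s = sorted(xs)
    return statistics.fmean(s[k:len(s) - k])

def attack(xs, m, value):
    # Adversary A: m compromised motes report `value`; the rest are untouched.
    return [value] * m + xs[m:]

def pow_estimate(f, n=100, m=4, value=1000.0, trials=1000, seed=1):
    """Monte Carlo estimate of Pow(A) = E[(f(A(X)) - f(X))^2]^(1/2) / sigma."""
    rng = random.Random(seed)  # fixed seed: reproducible constructed data
    honest, sq_err = [], 0.0
    for _ in range(trials):
        xs = [rng.gauss(68.0, 3.0) for _ in range(n)]  # constructed readings
        fx = f(xs)
        honest.append(fx)
        sq_err += (f(attack(xs, m, value)) - fx) ** 2
    sigma = statistics.pstdev(honest)  # sigma = StdDev[f(X)] on honest inputs
    return (sq_err / trials) ** 0.5 / sigma

AGGREGATES = {
    "average": statistics.fmean,
    "trimmed": trimmed_mean,
    "median": statistics.median,
}

def compare(value):
    # Pow(A) of each aggregate when the m insiders all report `value`.
    return {name: pow_estimate(f, value=value) for name, f in AGGREGATES.items()}

if __name__ == "__main__":
    for v in (1000.0, 100000.0):
        print(v, {name: round(p, 2) for name, p in compare(v).items()})
```

Raising the injected value scales the average's Pow(A) without limit, while the trimmed average and the median give the same small figure for both values, which is the practical meaning of α = ∞ versus a finite α.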
Primitives for aggregation (1)
Computing with histograms
–Theorem. If f is a (m, α)-resilient, symmetric function with $\sum_i |\partial f/\partial x_i| \le \beta$, f can be computed securely using a histogram with buckets of width w. With m insiders, the bias will be at most about α σ + 0.5wβ.
Primitives for aggregation (2)
Computing with random sampling
–Idea in progress. If f is a (m, α)-resilient, symmetric function with $\sum_i |\partial f/\partial x_i| \le \beta$, perhaps f can be computed securely by sampling the values at k randomly selected motes.
But: An important caveat!
[Figure: network of motes]
Aggregation in the network introduces new challenges
Summary
Crypto helps, but isn’t a total solution
–Be aware of the systems tradeoffs
Seek robustness against insider attack
–Resilience gives a way to think about insiders
–The law of large numbers is your friend
Feedback?