LEAP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks. Sencun Zhu, Sanjeev Setia, Sushil Jajodia. Presented by: Harel Carmit
Outline: Motivation; Overview; Key Establishment; Inter-node Traffic; Performance Evaluation; Security Analysis
Motivation. Background: Deploying sensor systems in unattended and adversarial environments requires confidentiality and authentication. Providing security is hard due to resource limitations: each node consists of a 4 MHz processor and 8 kb memory (hence asymmetric cryptosystems are not practical). Establishing a shared key is the main issue.
Motivation continue… Solution: pre-deployed keying. One approach – all the nodes share the same key. Low storage cost, but also low security. Second approach – every two nodes share a different key. Ideal security; however, how many keys will we need? What about dynamic networks? Moreover, the effectiveness of in-network processing is reduced or prevented.
Solution – LEAP: Localized Encryption and Authentication Protocol. A key management protocol for sensor networks. Supports in-network processing. Provides security properties similar to the second approach. Supports multiple keying mechanisms. Motivation: different types of messages require different security levels.
Assumptions. Sensor networks are static. The base station acts as a controller and is supplied with long-lasting power. The sensors are similar in capabilities. Every node has space for storing hundreds of bytes. The immediate neighbors are not known in advance. The adversary can eavesdrop on all traffic, inject packets or replay older messages. The base station cannot be compromised.
Design Goals. LEAP designs efficient security mechanisms for supporting communication in sensor networks. The sensor should be robust against security attacks. The impact of an attack should be minimal. The protocol supports optimization mechanisms such as in-network processing. The key establishment process should minimize computation.
Overview. Establishment of four types of keys: Individual key – every node shares a unique key with the base station for secure communication, such as reporting unexpected behavior of a neighbor. Group key – a globally shared key that is used by the base station to broadcast to the whole group, for example to issue missions, queries or instructions. Cluster key – a key shared by a node and all its neighbors for securing locally broadcast messages in order to save transmissions. Pairwise key – a key shared by a node and each of its neighbors for secure communication, such as distributing the cluster key.
Key Establishment. Establishing Individual Node Keys: The controller has a master key . For each node u, its key is generated and pre-loaded prior to the node's deployment. Generating the key is as follows: When the controller needs to communicate with an individual node u, it computes the key on the fly. The storage and the computational overhead are negligible. Pseudo random function Node unique ID
Pseudo random function. A function from {0,1}^n to {0,1}^m. A good PRF acts as an “almost” random function. Meaning, given two strings from {0,1}^m, one completely random and the other an output of a PRF, the probability that an adversary will be able to tell the difference between them is negligible.
Key Establishment continue… Establishing Pairwise Shared Keys: Assume a lower bound T_min on the time interval necessary for an adversary to take control of a sensor node. Assume also that T_test is the time a newly deployed node needs to discover its immediate neighbors, and T_test < T_min (a reasonable assumption for most sensor networks and adversaries).
Key Establishment continue… Four steps for adding a new node: The controller generates an initial key k_I and loads each node with it. Each node v derives a master key. When u is deployed it broadcasts a “HELLO” message. Each neighbor v replies. Each side computes. Erasing all the master keys and k_I. A random number. Message authentication code. Special case – u and v are added at the same time. The key is k_vu if v < u.
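The four steps above as a runnable sketch. This is an added example, not code from the slides or from the LEAP authors: the slide's formulas did not survive, so the derivations follow the published LEAP paper (master key = PRF of k_I over the node id, pairwise key = PRF of v's master key over u's id), and HMAC-SHA256 truncated to 8 bytes is an assumed stand-in for the PRF and MAC. `Node`, `prf`, `enc` and `demo` are hypothetical names.

```python
import hashlib, hmac, secrets

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 cut to 8 bytes stands in for LEAP's PRF and MAC.
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def enc(node_id: int) -> bytes:
    return node_id.to_bytes(4, "big")

class Node:
    def __init__(self, node_id: int, k_i: bytes):
        self.id = node_id
        self.k_i = k_i                         # step 1: initial key from the controller
        self.master = prf(k_i, enc(node_id))   # step 2: own master key derived from k_I
        self.pairwise = {}                     # neighbor id -> pairwise key

    def hello(self):
        # Step 3: the new node broadcasts its id and a fresh random number.
        self.nonce = secrets.token_bytes(8)
        return self.id, self.nonce

    def ack(self, hello):
        # A neighbor replies with its id and a MAC keyed by its own master key.
        u_id, nonce = hello
        self.pairwise[u_id] = prf(self.master, enc(u_id))
        return self.id, prf(self.master, nonce + enc(self.id))

    def on_ack(self, ack) -> bool:
        # Only a node that still holds k_I can rebuild the neighbor's master key.
        v_id, tag = ack
        if self.k_i is None:
            return False
        k_v = prf(self.k_i, enc(v_id))
        if not hmac.compare_digest(tag, prf(k_v, self.nonce + enc(v_id))):
            return False
        self.pairwise[v_id] = prf(k_v, enc(self.id))
        return True

    def erase(self):
        self.k_i = None    # step 4, before T_min expires; k_v above was never stored

def demo():
    k_i = secrets.token_bytes(8)               # constructed sample key
    v, u = Node(7, k_i), Node(12, k_i)
    v.erase()                                  # v was deployed earlier
    ok = u.on_ack(v.ack(u.hello()))
    forged = u.on_ack((7, secrets.token_bytes(8)))   # ACK made without v's master key
    u.erase()
    return ok, u.pairwise[7] == v.pairwise[12], forged, u.k_i
```

The older node v completes the exchange after erasing k_I because it only needs its own master key; a node captured after T_min therefore holds nothing that derives other nodes' pairwise keys.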
Message authentication code. An efficient function MAC_k(m): {0,1}^l × {0,1}^* → {0,1}^l. To authenticate m, send <m, MAC_k(m)>. Upon receiving <m, a>, verify that a = MAC_k(m).
Key Establishment continue… Establishing Cluster Keys: Node u generates a random key and encrypts it with the pairwise key of each neighbor v_i. Node v_i decrypts the message and keeps the key. If one of the neighbors is revoked, node u generates a new cluster key. Encryption
Key Establishment continue… Establishing Multi-hop Pairwise Shared Keys: Extend the circle of neighbors: not just immediate neighbors but also nodes multiple hops away. Works well only if: multi-hop pairwise shared keys can be established within T_min; a node has enough memory space. What if not?
Key Establishment continue… Establishing Two-hop Pairwise Shared Keys: Secure against corruption of m-1 nodes. Node u has to find, by a QUERY message, all the neighbors v_1,…,v_i that are common to it and the target node c. To establish a pairwise key S with node c, node u splits S into i shares such that , it then forwards each sk_i to c through v_i: Authentication key of sk_i
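A sketch of the share splitting described above, showing why m-1 colluding proxies learn nothing about S. This is an added example, not from the slides: the split formula is missing from the slide, so an XOR split (as in the published LEAP paper) is assumed, and the value sent alongside each share is assumed to be an HMAC-based PRF of the constant 0 keyed by the share. All function names are hypothetical.

```python
import hashlib, hmac, secrets
from functools import reduce

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 cut to 8 bytes stands in for the PRF.
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split(secret: bytes, m: int):
    """m shares whose XOR is the secret; any m-1 of them are uniformly random."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(m - 1)]
    shares.append(reduce(xor, shares, secret))
    return shares

def packet(share: bytes):
    # What travels u -> v_i -> c; in the protocol the share is encrypted per hop.
    return share, prf(share, b"\x00")

def combine(packets):
    # Node c checks each share against its verification value, then XORs them.
    # This catches a corrupted share, not a proxy that replaces both values.
    shares = []
    for share, check in packets:
        if not hmac.compare_digest(check, prf(share, b"\x00")):
            raise ValueError("share does not match its verification value")
        shares.append(share)
    return reduce(xor, shares)

def demo(m: int = 3):
    s = secrets.token_bytes(8)                 # constructed sample key S
    pkts = [packet(sh) for sh in split(s, m)]
    recovered = combine(pkts)
    partial = reduce(xor, [p[0] for p in pkts[:-1]])   # view of m-1 proxies
    bad = [(xor(pkts[0][0], b"\x01" + bytes(7)), pkts[0][1])] + pkts[1:]
    try:
        combine(bad)
        detected = False
    except ValueError:
        detected = True
    return recovered == s, partial == s, detected
```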
Key Establishment continue… Establishing Group Keys: A key that is shared by all the nodes in the network. Necessary when the controller is distributing a message to all the nodes. Instead of using the hop-by-hop method, which is too wasteful (each node has to decrypt and encrypt the message), the group key will be pre-loaded into every node. An important question arises: how do we securely update the key? Naïve approach – use the individual keys. Not scalable. Solution – Secure Key Distribution using TESLA.
Key Establishment continue… Authentic Node Revocation: TESLA – broadcast authentication protocol. Based on the use of a one-way key chain and delayed key disclosure. The node to be revoked To be disclosed TESLA key Verification key New group key
Key Establishment continue… Secure Key Distribution: Organize the nodes in a BFS tree. Each node keeps track of its immediate neighbors. The new group key is distributed via a recursive process. Each node transmits it down the tree using its own cluster key. Hop-by-hop is not too wasteful here because the message (a key) is small and the event is infrequent. The key should be updated even if no revocation event occurs.
Inter-node Traffic Authentication: A mandatory requirement is that every message must be authenticated before it is forwarded or processed. The authentication scheme must be easy to compute. TESLA is not suitable, due to latency and storage. Pairwise key authentication precludes passive participation. Hop-by-hop authentication is possible; the overhead is small because a MAC is easy to compute, but it does not protect against inside adversaries that have compromised a node.
Inter-node Traffic Authentication: One-way Key Chain Based Authentication: protects against impersonation attacks. Every node generates a one-way hash key chain, then transmits the first key to each neighbor encrypted with the pairwise key. Each message is authenticated with the next key in the chain. The keys are disclosed in reverse order. Triangle inequality: |uv| < |ux| + |xv|. Adversary x cannot reuse node u's auth keys to impersonate u.
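How a neighbor checks the disclosed chain keys, as an added example that is not from the slides. Truncated SHA-256 is an assumed stand-in for the one-way function, and `make_chain`, `NeighborVerifier` and the `max_gap` tolerance for lost broadcasts are hypothetical. The binding between a key and its message rests on the triangle-inequality timing argument above, which the code does not model.

```python
import hashlib, secrets

def h(key: bytes) -> bytes:
    # Assumption: SHA-256 cut to 8 bytes stands in for the one-way function.
    return hashlib.sha256(key).digest()[:8]

def make_chain(length: int):
    """Return [K_0, ..., K_length] with K_(i-1) = h(K_i); K_0 is the commitment."""
    chain = [secrets.token_bytes(8)]
    for _ in range(length):
        chain.append(h(chain[-1]))
    return chain[::-1]

class NeighborVerifier:
    """State a neighbor keeps for node u: the newest chain key it has verified."""

    def __init__(self, commitment: bytes, max_gap: int = 4):
        self.last = commitment    # delivered once, encrypted under the pairwise key
        self.max_gap = max_gap    # number of lost broadcasts that is tolerated

    def accept(self, disclosed: bytes) -> bool:
        # Hash forward until the last verified key is reached; older or
        # unrelated keys never reach it and are rejected.
        x = disclosed
        for _ in range(self.max_gap):
            x = h(x)
            if x == self.last:
                self.last = disclosed
                return True
        return False

def demo():
    chain = make_chain(5)                       # constructed sample chain
    n = NeighborVerifier(chain[0])
    return [n.accept(chain[1]),                 # next key in the chain
            n.accept(chain[3]),                 # chain[2] was lost, still verifies
            n.accept(chain[2]),                 # older key replayed
            n.accept(secrets.token_bytes(8))]   # key that is not on the chain
```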
Inter-node Traffic Authentication: Probabilistic Challenge Scheme: The following attack still cannot be prevented: an insider adversary can shield node v by letting two nodes transmit at the same time, and then use the key that was not received to authenticate its own message. Solution: challenge the authenticity of a received packet with a certain probability. Challenge probability p_c: p_c = p_r/d, where p_r is the probability that a node gets challenged. The adversary does not know it.
Performance Evaluation (key establishment, key updating) Computational cost: Only consider the cost of group and cluster keys. Updating a cluster key requires encrypting the new one with the pairwise keys; the computation depends on the number of neighbors. Number of nodes being revoked. Number of legitimate neighbors of each d0.
Performance Evaluation (key establishment, key updating) Computational cost: For a network of size N, the average number of symmetric key operations is 2se/N. Distributing the group key requires 2N operations. The average cost is two operations per node. The average number of symmetric key operations for each node, where each node’s degree is d, is 2(d-1)^2/(N-1)+2.
Performance Evaluation (key establishment, key updating) Communication Cost: Same as computational. Group rekeying based on a logical key tree requires O(log N) communication cost. Storage Requirement: Each node has to keep four types of keys. For d neighbors, it has one individual key, d pairwise keys, d cluster keys and one group key. In addition, it keeps each neighbor's commitment and its own key chain.
Performance Evaluation (key establishment, key updating) To avoid storing the entire key chain, deploy the optimization algorithm of Coppersmith and Jakobsson to trade storage for computation cost, which performs hashes per output element using memory cells. The total number of stored keys is 3d+2+L, where L is the number of keys a node stores for its key chain. With L=20 and d=20, a node stores 82 keys, 656 bytes in total when the key size is 8 bytes.
Security Analysis (keying mechanisms) Upon compromise detection, an efficient revocation takes place: update the group and cluster keys, and delete its pairwise keys from each node. Survivability: obtaining the individual key does not help the adversary launch attacks. Spoofing and altering messages are difficult.
Security Analysis (keying mechanisms) Possessing the pairwise and cluster keys allows the adversary to produce false messages. The possible damage can be localized, since a node can establish trust relationships only with its neighbors. Possessing the group key allows the adversary to read the messages from the base station, but not to impersonate it, because of the authentication mechanism.
Security Analysis. Defending against various attacks on secure routing: The adversary tries to convince all or part of the nodes that it is their neighbor. The adversary replicates the compromised node, adds multiple replicas to the network and tries to establish pairwise keys with its so-called neighbors. The adversary convinces other nodes that they are located at a different distance from the base station.
Related Work. Stajano and Anderson proposed bootstrapping trust relationships through physical contact. Perrig et al. present security protocols for sensor networks, such as SNEP for data confidentiality and two-party data authentication, and TESLA. Their scheme uses the base station to establish individual keys. Zhu et al. propose bootstrapping trust among mobile nodes based on TESLA and one-way hashes. Eschenauer and Gligor present a key management scheme for sensor networks based on probabilistic key predeployment, which was extended by Chan et al. to three mechanisms for key establishment. Basagni et al. discuss a rekeying scheme for periodically updating the encryption key in a sensor network. Nodes are tamper-free and trust each other.
Summary. LEAP, a key management protocol for sensor networks, provides authentication and confidentiality. It supports in-network processing and passive participation. Different types of messages require different security levels, hence four types of keys are established.