Authors: H. Chan, A. Perrig, and D. Song, Carnegie Mellon University. Presented by: Yuliya Olmo, April 13, 2009.


- Three key bootstrapping protocols for large sensor networks
- Alternatives to public key cryptosystems
- Each protocol trades a different drawback in exchange for the security it provides

- Background
  - Sensor networks overview
  - Related work
- Basic Techniques
- Proposed solution (three schemes)
  - Random pairwise keys scheme
  - Q-composite keys scheme
  - Multipath key reinforcement scheme
- Future directions
- Conclusions

[Figures: Berkeley (Mica) Motes; Spec Motes]

Mica Mote:
- Processor: 4 MHz
- Memory: 128 KB Flash and 4 KB RAM
- Radio: 916 MHz and 40 Kbits/second
- Transmission range: 100 feet

TinyOS operating system: small, open source and energy efficient.

Features: self-organizing set of small battery-operated sensors (1000+ total), communicating via wireless medium (~20 neighbors within range).

[Figure: Deploy Sensors]

- Battleground surveillance
  - Enemy movement (tanks, soldiers, etc.)
- Environmental monitoring
  - Habitat monitoring (deer, ducks)
  - Forest fire monitoring, pollution monitoring
- Hospital tracking systems
  - Tracking patients, doctors, drug administrators
- Data collection
  - Tire pressure sensor in a car
  - Temperature in a building
  - Many more

- Protecting confidentiality, integrity, and availability of the communications and computations
- Sensor networks are vulnerable to security attacks due to the broadcast nature of transmission
- Sensor nodes can be physically captured or destroyed

- Bootstrapping in general
  - Initialization process
  - Creating something from nothing
- Bootstrapping in WSN
  - Initialize/preload some secret material
  - Pre-distribution (prior to contact)
  - Secure communication for the whole network
- Especially challenging because of the limitations of sensor networks:
  - Constrained resources
  - Physical vulnerability
  - Unpredictability of future configurations
  - Temptation to rely on base stations

- Previously proposed solutions often depend on:
  - Asymmetric cryptography
  - Arbitration by base stations (SPINS)
  - Preloading a set of keys before deployment
- Some assume that attackers do not arrive until after key exchange (previous paper)

- Guarantee future secure node-to-node communication
- Prevent unauthorized access
- Not rely on base stations for decision making
- Allow addition of nodes after initial network setup
- Not make assumptions about which nodes will be within communication range of each other
- Resource-efficient and robust to DoS attacks

- Resilience against node capture
  - How many misbehaving nodes can be tolerated
- Resistance against node replication
  - How to deal with duplicates
- Revocation of misbehaving nodes
  - How to tell if a node has gone wild
- Scalability
  - What is the maximum supportable network size


- Three phases of operation:
  - Initialization: before nodes are deployed
  - Key setup: establish a secret with (some of) the nodes in communication range
  - Graph connection: establish secure communication between any two given nodes

Eschenauer and Gligor:
- Pick a random key pool S
- For each node, randomly select m keys from S (this is the node's key ring)
- Associate IDs with every key
- The size of S is chosen so that two key rings will share at least one key with probability p
- Any two nodes can find a common/shared key in their key rings, and so initiate secure communication with each other, with probability p

- Key discovery: nodes search for neighbors that share a key
  - Broadcast short IDs assigned to each key prior to deployment (set of IDs)
  - Find neighbors that have the same ID in their set (have the same key in the key ring)
- Keys verified through challenge-response
  - The shared key becomes the key for that link

- Form a connected graph of secure links
  - How to ensure the graph is connected? (Erdos, Renyi): given the number of nodes and the probability of any two nodes being connected
- Nodes then set up path keys with any unconnected neighbors through existing secure paths
- Reformulate the problem (Eschenauer and Gligor): given the number of nodes, what connection degree of individual nodes ensures the graph is connected?
- The number of secure links a node must establish during key setup (degree, d) to form a connected graph of size n with probability c is:
  - d = [(n-1)/n] [log(n) - log(-log(c))]
  - d = O(log n)

- The probability, p, that two nodes successfully connect is p = d/n′, where n′ is the expected number of neighbor nodes within communication range of A
- Since connection is probabilistic (plus geometry of space and obstacles), there is a chance the graph is only partially connected
  - Ways of detecting the graph is not fully connected
  - Ways of recovering (e.g. range extension)

- q-composite Random Key Pre-distribution
  - Large-scale attacks are unlikely (infeasible)
  - Strengthen the scheme against small-scale attacks
- Multipath Key Reinforcement
  - Strengthen security between any two nodes by using existing (established) secure links
  - Attacker has to compromise too many nodes to assure any given communication is compromised
- Random Pairwise Keys
  - If any node is captured, the rest are still secure
  - Quorum-based revocation without base station


- Instead of one key, a pair of nodes must share q (q > 1) keys to establish a secure link
  - Implication 1 (attacker): by increasing the amount of key overlap required for key setup, the resilience of the network against node capture is increased
  - Implication 2 (network setup): the key pool must be shrunk in order to maintain probability p of two nodes sharing enough keys
  - Implication 3 (attacker): fewer captured nodes required to gain a larger sample of S

- Similar to basic scheme
  - Each node has m keys on its key ring
- Two nodes must discover at least q common keys in order to connect
  - Broadcasting IDs (like in the basic scheme) is dangerous: a casual eavesdropper can identify the key sets of all the nodes in a network and thus pick an optimal set of nodes to compromise in order to discover a large subset of the key pool S
  - Client Merkle puzzles: each node issues m puzzles for every key, only nodes who have the key can solve it
- Before connecting, a new key is created as a hash of the q shared keys

- p(i): probability of any two nodes having exactly i keys in common
- ( ) number of ways to pick m keys from the pool size |S|; total number of ways for both nodes to pick m keys each
- There are ways to pick the i common keys; this leaves 2 (m-i) keys (in both key rings) to choose the remaining keys

- p(i): probability of any two nodes having exactly i keys in common
- p_connect: probability of any two nodes sharing sufficient keys (i = q)
- Choose the largest |S| such that p_connect > p, where p is the minimum connection probability
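The sizing procedure from the basic scheme and the q-composite slides, carried through as an added example (not code from the presentation or the paper). The binomial expressions for p(i) are missing from this transcript; the counting formula below is supplied from the standard argument the slide describes, natural logarithms are assumed for the degree formula, and all function names are hypothetical.

```python
from math import comb, log

def required_degree(n, c):
    """d = [(n-1)/n][log(n) - log(-log(c))]: links per node so that a random
    graph on n nodes is connected with probability c (natural log assumed)."""
    return (n - 1) / n * (log(n) - log(-log(c)))

def p_exact(i, pool, m):
    """p(i): probability that two key rings of m keys, each drawn from a pool
    of `pool` keys, have exactly i keys in common.
    Count: pick the i shared keys, pick the 2(m-i) non-shared keys, split them
    between the two rings; divide by all ways both nodes can pick m keys."""
    if i < 0 or i > m:
        return 0.0
    ways = comb(pool, i) * comb(pool - i, 2 * (m - i)) * comb(2 * (m - i), m - i)
    return ways / comb(pool, m) ** 2

def p_connect(q, pool, m):
    """Probability that two nodes share at least q keys and can form a link."""
    return 1.0 - sum(p_exact(i, pool, m) for i in range(q))

def largest_pool(q, m, p_min):
    """Largest |S| that still gives p_connect >= p_min (requires 1 <= q <= m)."""
    lo, hi = m, 2 * m                  # with |S| = m both rings are identical
    while p_connect(q, hi, m) >= p_min:
        lo, hi = hi, hi * 2
    while hi - lo > 1:                 # invariant: lo qualifies, hi does not
        mid = (lo + hi) // 2
        if p_connect(q, mid, m) >= p_min:
            lo = mid
        else:
            hi = mid
    return lo

def size_network(n, c, neighbours, m, q):
    """End to end: degree d, link probability p = d/n', then the key pool size."""
    d = required_degree(n, c)
    p = d / neighbours
    return d, p, largest_pool(q, m, p)

if __name__ == "__main__":
    # Constructed parameters: 10,000 nodes, 40 expected neighbours, 50-key rings.
    for q in (1, 2, 3):
        d, p, pool = size_network(10_000, 0.9999, 40, 50, q)
        print(f"q={q}: d={d:.2f}  p={p:.3f}  largest |S|={pool}")
```

Running it for increasing q shows the trade-off the following slides discuss: the pool that keeps p_connect at the target shrinks as q grows, so each captured key ring exposes a larger fraction of S.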

- Much harder for an attacker with a given key set to eavesdrop on a link
- Necessary reduction in key pool size makes large-scale attacks even more powerful

- Compromising a given number of nodes is more damaging
- Harder to compromise nodes, however

- Creates an incentive for large-scale attack: fraction is compromised – all are compromised
- Removes the incentive for small-scale attacks: too little information is obtained


- Initialization and key setup as in basic scheme
- Key update over multiple independent paths between nodes
- Key update is damage control in the event that other nodes are captured
- Works well in conjunction with the basic scheme, but not the q-composite scheme

- A has a secure link to B after key setup (single key k from the pool S)
- Key k can be in the key ring of some other nodes, let us say node C
- If C is compromised, the secure link between A and B is jeopardized
- Solution: update communication key to a random value after key setup

- Solution: update communication key to a random value after key setup
  - Cannot use the direct link between A and B
  - So update using multiple independent paths
- A knows all paths to B within h hops (let's say j paths); the same is true for B
- Choose disjoint paths, i.e. no links in common (let's say i paths)
- Send random values v1, v2, … vi along the paths
- Reassemble at B
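The key update described above, as an added example that is not part of the presentation. The slide only says the values are reassembled at B; combining them with the old link key by XOR, the 16-byte key size and all function names are assumptions of this sketch.

```python
import secrets
from functools import reduce

KEY_LEN = 16  # bytes; assumed key size

def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("keys and path values must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def make_update(num_paths):
    """A draws one fresh random value per disjoint path to B."""
    if num_paths < 1:
        raise ValueError("need at least one path between A and B")
    return [secrets.token_bytes(KEY_LEN) for _ in range(num_paths)]

def reinforce(link_key, values):
    """New link key = old key XOR v1 XOR ... XOR vi (computed by A and by B)."""
    return reduce(xor_bytes, values, link_key)

def consistent_missing_share(link_key, observed, candidate_key):
    """What an eavesdropper faces after learning the old key and every path
    value but one: for ANY candidate new key there is exactly one value of
    the unseen share that makes it correct, so the observations rule nothing out."""
    return xor_bytes(reinforce(link_key, observed), candidate_key)

if __name__ == "__main__":
    old_key = secrets.token_bytes(KEY_LEN)   # key k from the pool, possibly known to C
    values = make_update(3)                  # three disjoint paths (constructed)
    new_key = reinforce(old_key, values)     # B computes the same from what it receives
    guess = bytes(KEY_LEN)                   # attacker's arbitrary guess
    filler = consistent_missing_share(old_key, values[:2], guess)
    print("B's key matches A's:", reinforce(old_key, values) == new_key)
    print("guess is consistent with the tapped paths:",
          reinforce(old_key, values[:2] + [filler]) == guess)
```

The second line printed is the point: the attacker must eavesdrop on every path to learn the new key, which is why longer or fewer paths weaken the reinforcement.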

- Better resistance against node capture
  - Adversary has to eavesdrop on all paths
  - The longer the path, the higher the probability it can be eavesdropped
- Significantly higher maximum network size
- Comes at cost of greater communication overhead


- Key feature is node-to-node identity authentication
- Ability to verify node identities opens up several security features
  - Perfect resilience against node capture
  - Resilience against node replication
  - Distributed node revocation

- Sensor network of n nodes
- Pairwise scheme:
  - Each node holds n-1 keys
  - Each key is shared with exactly one other node
- Random pairwise scheme:
  - Not all n-1 keys are needed for a connected graph
  - Only a random set of np pairwise keys is needed to connect with probability p (Erdos, Renyi calculated the smallest p such that the entire graph is connected with high probability c)

- n: number of unique node IDs
- m: keys on each node's key ring
- p: probability of two nodes connecting
- n = m/p: maximum supportable network size

- Each node ID pairs with m other random and distinct node IDs; n = m/p unique identifiers
  - Unused IDs can be used later to extend the network
- Each pair is assigned a key
- Nodes store key-ID pairs on key rings; they also store the ID of the other node who knows that key
  - A holds some key k; A also holds the identity of the node that also has the same key k, let's call it B
  - Thus, if k is used in communication, both nodes know who they are talking to because nobody else holds the key k

- Node IDs are broadcast to immediate neighbors
- Search for other node's ID in the key ring
  - Find the nodes with whom they share a pairwise key
- Verified through cryptographic handshake

- Faster than relying on base stations
- Public votes are broadcast against compromised nodes
  - Public since identities of the nodes are known
- Offending node is cut off when votes reach threshold
  - Base station relays this information to a secure location (possible node replacement)

- Compromised nodes can't revoke arbitrary nodes
  - Voting members or who can vote against node A
- No vote spoofing
  - Legitimate node A cannot pretend to be legit node B
- Verifiable vote validity
- Votes have no replay value
- Not vulnerable to DoS

- A node's voting members are those that share a pairwise key with it
  - Exactly m nodes
- All voting members are assigned a voting key
- Votes are verified through a Merkle tree
  - Compact data structure (partial information only)
- Voting members keep track of votes received up to a threshold t
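One way the Merkle-tree vote check and the threshold count can fit together, as an added example rather than the authors' implementation. SHA-256, the leaf/node domain tags, a power-of-two number of voting members and all names are assumptions; the activation step for revocation keys is not modelled.

```python
import hashlib
import secrets

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def build_tree(voting_keys):
    """Merkle levels, leaves first; leaf i commits to voting member i's key."""
    n = len(voting_keys)
    if n == 0 or n & (n - 1):
        raise ValueError("example assumes a power-of-two number of voting members")
    levels = [[H(b"leaf", k) for k in voting_keys]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(b"node", prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels, index):
    """Sibling hashes from leaf to root: the partial information a voter holds."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def verify_vote(root, index, voting_key, path):
    """Recompute the root from the revealed voting key and its sibling path."""
    node = H(b"leaf", voting_key)
    for sibling in path:
        pair = (node, sibling) if index % 2 == 0 else (sibling, node)
        node = H(b"node", *pair)
        index >>= 1
    return index == 0 and node == root

class RevocationTally:
    """State kept by each voting member about one target node: the Merkle root
    (stored before deployment) and the distinct valid votes seen so far."""
    def __init__(self, root, threshold):
        self.root, self.threshold, self.voters = root, threshold, set()

    def receive(self, index, voting_key, path):
        if verify_vote(self.root, index, voting_key, path):
            self.voters.add(index)          # a replayed vote adds nothing
        return len(self.voters) >= self.threshold   # True once the target is revoked

if __name__ == "__main__":
    keys = [secrets.token_bytes(16) for _ in range(8)]   # constructed: m = 8 voters
    levels = build_tree(keys)
    tally = RevocationTally(levels[-1][0], threshold=3)
    for i in (0, 0, 1, 5):                                # vote 0 is replayed once
        print(i, tally.receive(i, keys[i], auth_path(levels, i)))
```

Each member stores only the root and its own key and path, and a vote carries log2(m) hashes; a forged key or a path for the wrong index fails verification and is not counted.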

- If too high
  - A node may not have enough voting members to be revoked
- If too low
  - Easy for a group of compromised nodes to revoke many legitimate nodes
- Subtle consequence
  - Every node has to have t (value of threshold) neighbors in order to be revoked

- Each node can cast a vote against m other nodes
  - Attacker compromises a small fixed number of nodes
  - They revoke a significant proportion of the network, regardless of the network size
- Solution: only nodes that established direct communication can revoke
  - Node B's revocation key for node A must be activated before use
  - Hashed with secret value known only by A
  - A gives B its secret value only after the two establish communication
- Other DoS attacks are more practical

- Place a cap, d_max, on the degree of a node
- d_max is some small multiple of d
- Nodes keep track of degree and node IDs using the same method as vote counting
  - So now we need to memorize d_max
  - Do not need to be precise though; network is expected to be heavily connected

- Resistance to revocation attack
  - Small number of compromised nodes only compromises a small portion of communications
  - Compromising large number of nodes is not economical
- Perfect resilience against node capture
  - All pairwise keys are unique, so capturing one node reveals no information about communications outside of the compromised node's

- Three efficient schemes for secure key bootstrapping
- Each scheme has trade-offs
  - q-composite: good for small attacks, bad for large
  - Multipath-reinforcement: improved security, more communication overhead
  - Random pairwise: max. network size is smaller, but offers best security
