Secure Aggregation for Wireless Networks Lingxuan Hu David Evans [lingxuan, Department of Computer.

Slides:



Advertisements
Similar presentations
Chris Karlof and David Wagner
Advertisements

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
A Survey of Secure Wireless Ad Hoc Routing
Sri Lanka Institute of Information Technology
Digital Signatures and Hash Functions. Digital Signatures.
DoS Attacks on Sensor Networks Hossein Nikoonia Department of Computer Engineering Sharif University of Technology
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Efficiently Authenticating Code Images in Dynamically Reprogrammed Wireless Sensor Networks PerSec 2006 Speaker: Prof. Rick Han Coauthors Jing Deng and.
Security Issues In Sensor Networks By Priya Palanivelu.
Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks Yih-Chun Hu (Carnegie Mellon University) Adrian Perrig (Carnegie Mellon University)
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
INSENS: Intrusion-Tolerant Routing For Wireless Sensor Networks By: Jing Deng, Richard Han, Shivakant Mishra Presented by: Daryl Lonnon.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Sencun Zhu Sanjeev Setia Sushil Jajodia Presented by: Harel Carmit
Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.
A Lightweight Hop-by-Hop Authentication Protocol For Ad- Hoc Networks Speaker: Hsien-Pang Tsai Teacher: Kai-Wei Ke Date:2005/01/20.
Wireless Sensor Networks Security Lindsey McGrath and Christine Weiss.
ITIS 6010/8010: Wireless Network Security Weichao Wang.
LEAP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks By: Sencun Zhu, Sanjeev Setia, and Sushil Jajodia Presented By: Daryl Lonnon.
Computer Science Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks Presented by Akshay Lal.
Computer Science CSC 774 Adv. Net. SecurityDr. Peng Ning1 CSC 774 Advanced Network Security Topic 4. Broadcast Authentication.
Security Considerations for Wireless Sensor Networks Prabal Dutta (614) Security Considerations for Wireless Sensor Networks.
CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
Mitigating DoS Attacks against Broadcast Authentication in Wireless Sensor Networks Peng Ning, An Liu North Carolina State University and Wenliang Du Syracuse.
Secure Data Aggregation in Wireless Sensor Networks: A Survey Yingpeng Sang, Hong Shen Yasushi Inoguchi, Yasuo Tan, Naixue Xiong Proceedings of the Seventh.
KAIS T A lightweight secure protocol for wireless sensor networks 윤주범 ELSEVIER Mar
Aggregation in Sensor Networks
Using Directional Antennas to Prevent Wormhole Attacks Lingxuan HuDavid Evans Department of Computer Science University of Virginia.
Providing Transparent Security Services to Sensor Networks Hamed Soroush, Mastooreh Salajegheh and Tassos Dimitriou IEEE ICC 2007 Reporter :呂天龍 1.
Network Security Lecture 23 Presented by: Dr. Munam Ali Shah.
Strong Security for Distributed File Systems Group A3 Ka Hou Wong Jahanzeb Faizan Jonathan Sippel.
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
Authors: Yih-Chun Hu, Adrian Perrig, David B. Johnson
Secure routing in wireless sensor network: attacks and countermeasures Presenter: Haiou Xiang Author: Chris Karlof, David Wagner Appeared at the First.
Security on Sensor Networks Presented by Min-gyu Cho SPINS: Security Protocol for Sensor Networks TinySec: Security for TinyOS SPINS: Security Protocol.
Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures Chris Karlof and David Wagner (modified by Sarjana Singh)
SIA: Secure Information Aggregation in Sensor Networks B. Przydatek, D. Song, and A. Perrig. In Proc. of ACM SenSys 2003 Natalia Stakhanova cs610.
Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols ► Acts as denial of service by disrupting the flow of data between a source and.
Encryption Questions answered in this lecture: How does encryption provide privacy? How does encryption provide authentication? What is public key encryption?
CCSP 8 Dec Securing Wireless Sensor Networks CCSP Seminar 8 December 2003 David Evans
Computer Science CSC 774 Adv. Net. Security1 Presenter: Tong Zhou 11/21/2015 Practical Broadcast Authentication in Sensor Networks.
Computer Science 1 TinySeRSync: Secure and Resilient Time Synchronization in Wireless Sensor Networks Speaker: Sangwon Hyun Acknowledgement: Slides were.
Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks Donggang Liu and Peng Ning Department of Computer.
Shambhu Upadhyaya 1 Ad Hoc Networks – Network Access Control Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 20)
Shambhu Upadhyaya 1 Sensor Networks – Hop- by-Hop Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 22)
Security for Broadcast Network
Chapter 40 Network Security (Access Control, Encryption, Firewalls)
Aggregation and Secure Aggregation. Learning Objectives Understand why we need aggregation in WSNs Understand aggregation protocols in WSNs Understand.
Computer Science Using Directional Antennas to Prevent Wormhole Attacks Stephen Thomas Acknowledgement: Portions of this presentation have been donated.
NDSS 2004Hu and Evans, UVa1 Using Directional Antennas to Prevent Wormhole Attacks Lingxuan Hu and David Evans [lingxuan, Department.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
1 An Interleaved Hop-by-Hop Authentication Scheme for Filtering of Injected False Data in Sensor Networks Sencun Zhu, Sanjeev Setia, Sushil Jajodia, Peng.
1 Routing security against Threat models CSCI 5931 Wireless & Sensor Networks CSCI 5931 Wireless & Sensor Networks Darshan Chipade.
June All Hands Meeting Security in Sensor Networks Tanya Roosta Chris Karlof Professor S. Sastry.
Network Security Celia Li Computer Science and Engineering York University.
International Conference Security in Pervasive Computing(SPC’06) MMC Lab. 임동혁.
Security Review Q&A Session May 1. Outline  Class 1 Security Overview  Class 2 Security Introduction  Class 3 Advanced Security Constructions  Class.
Aggregation and Secure Aggregation. [Aggre_1] Section 12 Why do we need Aggregation? Sensor networks – Event-based Systems Example Query: –What is the.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
SPINS: Security Protocols for Sensor Networks
The TESLA Broadcast Authentication Protocol CS 218 Fall 2017
SPINS: Security Protocols for Sensor Networks
Aggregation.
Presentation transcript:

Secure Aggregation for Wireless Networks Lingxuan Hu David Evans [lingxuan, Department of Computer Science University of Virginia Charlottesville, VA

WSAAN 28 Jan 2003Hu & Evans2 Scenario Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly High-power base station

WSAAN 28 Jan 2003Hu & Evans3 Scenario Transmitting each message all the way to the base station wastes resources. High-power base station

WSAAN 28 Jan 2003Hu & Evans4 Data Aggregation If you only care about average, max, etc., aggregate data inside the network instead of sending it to the base station.

WSAAN 28 Jan 2003Hu & Evans5 Integrity of Data With data aggregation, authentication becomes harder. Compromised Node

WSAAN 28 Jan 2003Hu & Evans6 Problem Can we provide the power-saving benefits of in-network data aggregation but limit the amount of damage a single compromised node can do? Rest of Talk: 1.Background: Inexpensive Authentication without Aggregation 2.Secure Aggregation 3.Security and Cost Analysis 4.Scalable Solution

WSAAN 28 Jan 2003Hu & Evans7 Cryptographic Hash Chains fff x f (x) f (f (x))f (f (f (x))) Initially store:K 0 = f 4 (x) K 1 = f 3 (x) verify f (K 1 ) = K 0 K 2 = f 2 (x) verify f (K 1 ) = K 0 time f is a one-way function: easy to calculate f(x), but difficult to invert f.

WSAAN 28 Jan 2003Hu & Evans8 µTesla [Perrig, et. al., 2002] Initially: sensor nodes know K 0 = f n (x) base station knows x Base station messages encrypted using K 1 = f n-1 (x) Nodes store and time stamp messages, but cannot decrypt them (yet) At time t 1, base station broadcasts K 1 Nodes verify f (K 1 ) = K 0 Nodes use K 1 decrypt earlier messages Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K 1 after K 1 was revealed

WSAAN 28 Jan 2003Hu & Evans9 Node Authentication Before deployment, establish a shared symmetric secret key between each node and base station: K NS Send readings with a MAC: R A | MAC (K AS, R A ) Assumes confidentiality of transmitted readings is not important. We are only concerned with integrity.

WSAAN 28 Jan 2003Hu & Evans10 Authenticated Sensor Net Each node transmits: N | R N | MAC (K NS, R N ) Base station verifies MAC before accepting R N.

WSAAN 28 Jan 2003Hu & Evans11 Authenticated Data Aggregation A B C A | R A | MAC (K AS, R A ) B | R B | MAC (K BS, R B ) C | Aggr (R A, R B ) | MAC (K CS, Aggr (R A, R B ))

WSAAN 28 Jan 2003Hu & Evans12 Secure Aggregation Delayed Aggregation: Only aggregate messages after they have traveled one hop Delayed Authentication: Use µTesla variation to reveal children’s keys to parents to provide delayed authentication

WSAAN 28 Jan 2003Hu & Evans13 Protocol Example ID A | R A | MAC (K Ai, R A ) | ID B | R B | MAC (K Bi, R B ) | MAC (K Ei, Aggr (R A, R B )) ID B | R B | MAC (K Bi, R B ) ID C | R C | MAC (K Ci, R C ) | ID D | R D | MAC (K Di, R D ) | MAC (K Fi, Aggr (R C, R D )) ID A | R A | MAC (K Ai, R A ) A B C D E F G ID E | Aggr (R A, R B ) | MAC (K Ei, Aggr (R A, R B ) | ID F | Aggr (R C, R D ) | MAC (K Fi, Aggr (R C, R D ) | MAC (K Gi, Aggr (R A, R B, R C, R D )) K Ai is the i th key in a µTesla key chain starting from K AS

WSAAN 28 Jan 2003Hu & Evans14 ID A | R A | MAC (K Ai, R A ) | ID B | R B | MAC (K Bi, R B ) | MAC (K Ei, Aggr (R A, R B )) ID B | R B | MAC (K Bi, R B ) ID C | R C | MAC (K Ci, R C ) | ID D | R D | MAC (K Di, R D ) | MAC (K Fi, Aggr (R C, R D )) ID A | R A | MAC (K Ai, R A ) AB C D E F G ID E | Aggr (R A, R B ) | MAC (K Ei, Aggr (R A, R B ) | ID F | Aggr (R C, R D ) | MAC (K Fi, Aggr (R C, R D ) | MAC (K Gi, Aggr (R A, R B, R C, R D )) H ID G | Aggr (Aggr (R A, R B ), Aggr (R C, R D )) | MAC (K Gi, Aggr (R A, R B, R C, R D ) | … (same from right side) | MAC (K Hi, Aggr (R A, R B, R C, R D,... readings from right side))

WSAAN 28 Jan 2003Hu & Evans15 Data Transmission Summary Children send their data reading and MAC (using K Ni ) to their parents. Parents forward the data and MACs they receive to grandparents, along with a calculated MAC of the aggregation Grandparents forward MACs and aggregate values from parents and a calculated MAC of aggregation

WSAAN 28 Jan 2003Hu & Evans16 Data Validation At some later time, the Base Station reveals K Ni for each node N that transmitted data, along with MAC (K i, K Ni ) The parent of N uses K Ni to verify MAC (K Ni, R N ) Nodes increment i to use the next µTesla key The Base Station broadcasts K i (which nodes verify) and advances to the new µTesla key

WSAAN 28 Jan 2003Hu & Evans17 Abridged Attack Analysis Intruder Node (no key material) –Cannot forge sensor readings: they will be detected when the base station reveals the node MAC keys –Replay attacks ineffective: keys change, can only replay readings within this time period –Denial-of-service attack can succeed (but alerts operator) Compromised Node (all keys on one node) –Can lie about its own reading –But, cannot alter other nodes readings without getting caught: aggregate will not match calculated aggregate at next level

WSAAN 28 Jan 2003Hu & Evans18 Successful Attacks Compromised node selectively drops child readings –Nothing to prevent this (but unlikely to change much without base station noticing) –Can use child snooping to catch it earlier Compromise two consecutive (parent and grandparent) nodes –Can forge readings for entire subtree

WSAAN 28 Jan 2003Hu & Evans19 Communication Cost Sensor Nodes Total Kilobytes Transmitted Sensor reading: 22 bytes MAC of message: 8 bytes Ideal binary network Secure Aggregation requires about 3 times the amount of data transmission as Insecure Aggregation, but provides integrity with < ½ the cost of no aggregation.

WSAAN 28 Jan 2003Hu & Evans20 Scalability Base station must broadcast next node key for every node To scale to larger sensor networks, use local µTesla between parent-child –Need base station to validate start of hash chain Two µTESLA keys are used each time, one for immediate authentication, and another for later authentication: A  ParentID A | R A | K A1 | MAC (K A2, R A ) Authenticate the origin of message (node A) immediately Authenticate reading later

WSAAN 28 Jan 2003Hu & Evans21 Summary / Moral (?) With our protocol, you can get authenticated results without trusting your children at all, and trusting your parents and grandparents not to conspire together against you. Not trusting your children is reasonable (inexpensive) Not trusting your parents is expensive: requires over twice the resources of the insecure aggregation protocol