Key Management in Mobile and Sensor Networks Class 17
Outline Challenges in key distribution, trust bootstrapping Pre-setup keys (point-to-point, public) Resurrected ducking PGP trust graph Trusted third party (TTP) Kerberos, SPINS PKI Key infection Random-key predistribution
Key Management Goal: set up and maintain secure keys Public keys for signature verification or node-to- node key setup Shared keys for confidentiality or authenticity Group keys for secure group communication Challenges Trust establishment (Class example?) Node compromise Dynamic node addition/removal
Network Architectures Closed networks, centralized deployment (trusted authority controls and deploys nodes) All-pairs shared keys, or all public keys PKI, TTP (Kerberos, SPINS) Zhou & Haas threshold key management Randomkey predistribution Open networks, autonomous deployment Resurrected duckling PGP web of trust Key infection
Full Key Deployment Symmetric case All-pairs shared keys (need O(n 2 ) keys) Challenge: node addition Asymmetric case Distribute every node’s public key (n keys) Nodes can easily set up secure shared keys
Trusted Key Management Center Symmetric case Trusted third party (TTP) shares key with each node (n keys) Set up key between two nodes through TTP Kerberos, SPINS key agreement protocol Asymmetric case Public-key infrastructure (PKI) Certification authority (CA) signs public keys of nodes All nodes know CA’s public key
Zhou & Haas Key Management PKI drawbacks Revocation requires on-line PKI Single point of failure, CA replication increases vulnerability to node compromise Distributed CA Model, tolerates t faulty nodes Threshold signatures Signing needs coalition of t+1 correct nodes Secret sharing prevents t malicious nodes from reconstructing CA private key Proactive security Defend against mobile adversary
Discussion How can share refreshing tolerate faulty nodes? How can we tolerate compromised combiner? Who decides to be a combiner? How can we bootstrap this system? How can we introduce a new node? Why should node sign a message? How does node authenticate message? Is signature combination expensive if we have t faulty nodes? How efficient are these mechanisms?
Randomkey Predistribution Scenario: deploy 10 4 mote sensor from airplane Goal: set up secure node-to-node keys Simple approaches impractical Network-wide secret key Pairwise shared key with every other node Pairwise shared key with neighbors Public key infrastructure
Basic Random Key Scheme Eschenauer and Gligor, ACM CCS 2002 Observation: no need for all pairs of nodes to be able to communicate to get a connected network For any 2 nodes, if they can communicate with some probability p, then the network is a random graph that is connected with high probability (e.g ) p is a given parameter, dictated by communication range and density of deployment of the nodes
Basic Random Key Scheme Total Key Space Key Pool P Randomly choose |P| keys Randomly choose m keys Key ring of node A Key ring of node B Pick |P| s.t probability of any 2 nodes sharing at least 1 key = p
Key capture Security of the basic scheme is dependent on the adversary not knowing the key pool P Suppose adversary can compromise sensor nodes and read the keys off their key rings E.g., adversary captures node X and discovers key k. If node A and B were communicating using key k, the adversary can now eavesdrop although neither A or B was compromised. How can we improve resilience to node capture?
q-Composite Keys scheme Require any 2 nodes to share at least q keys to communicate Adversary must discover all q keys to eavesdrop To maintain probability of communication between any 2 nodes = p, must reduce size of key pool (samples from a smaller pool are more likely to overlap) Smaller key pool keys are more likely to be reused
Resilience vs node capture
Duckling Key Establishment Anderson and Stajano, IWSP ‘99 Problem: how can we set up keys in a ubiquitous computing environment? Devices use wireless communication How to set up a key between household devices and PDA? Solution: set up keys using trusted communication channel Physical contact establishes a secure channel
Duckling Security Model 1 Assumes wireless communication Goals Availability – Guard against jamming and battery exhaustion – “Sleep deprivation torture attack” Secure transient association with device – Even in absence of a trusted server – Security assiciations keep changing, as devices change owners, or owner changes controller
Duckling Security Model 2 Life cycle “similarities” Life cycle of a device – Buy device in store – Unpack it at home – Device breaks or gets a new owner Life cycle of a duckling – Duckling is in egg – When duckling hatches, first object is viewed as mother: imprinting – Duckling dies Device ownership similar to duck’s soul
Duckling Security Model 3 Device life cycle Imprinting: device meets master when it wakes up Reverse metempsychosis: device dies and gets new owner Escrowed seppuku: manufacturer can kill device to enable renewed imprinting Physical contact establishes secure key during imprinting phase
PGP Web of Trust Problem: how can we establish shared keys in ad hoc network without trusted PKI? Approach: use PGP web of trust approach Jean-Pierre Hubaux, Srđan Čapkun and Levente Buttyán: The Quest for Security in Mobile Ad Hoc Networks, MobiHoc 2001
Distributed storage of local certificates Nodes issue certificates (sign others’ keys), as in PGP Each node stores the certificates that it issued (out- bound certificates) and the certificates that other nodes issued for it (in-bound certificates) u v
Creating the subgraphs Each node builds up its own out-bound and in- bound subgraphs To establish secure communication, u and v merge their subgraphs and see if they intersect u v
Key Infection Ross Anderson and Adrian Perrig, 2001 Goal: Light-weight key setup among neighbors Assumptions: Attacker nodes have same capability as good nodes Attacker nodes less dense than good nodes Attacker compromises small fraction of good nodes Basic key agreement protocol A * : A, K A B A : { A, B, K B } K A K AB = H( A | B | K A | K B )
Key Infection AB M4 M2 M3 M1 Broadcast keys with maximum signal strength
Key Whispering Extension AB M4 M2 M3 M1 Broadcast keys with minimum signal strength to reach neighbor
Secrecy Amplification A B C D E A & B share K AB, A & C share K AC,, etc. Strengthen secrecy of K’ AB A C : { B, A, N A } K AC C B : { B, A, N A } K CB B D : { A, B, N B } K BD D E : { A, B, N B } K DE E A : { A, B, N B } K AE K’ AB = H( K AB | N A | N B )
Key Infection Summary Highly efficient Detailed analysis in progress Preliminary simulation results: Nodes uniformly distributed over a plane D (density): average # of nodes within radio range # of attacker nodes = 1% of good nodes Table shows fraction of compromised links DBasicWhisperSASA-W 21.1%0.4%1.0%0.3% 31.8%0.6%1.4%0.5% 52.9%1.0%2.4%0.8%
Discussion Tradeoff Trust perimeter and security? Security and management?