Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks Random Key Predistribution Schemes for Sensor Networks Presented by: Qin Chen

Outline Efficient Distribution of Key Chain Commitments Background and Contributions Five proposed schemes Implementation and Experimental results Random Key Predistribution Schemes Three schemes Scalability Comparison and discussion

Background µTESLA Based on symmetric cryptography Divide time period into n intervals, assign different keys to different intervals, which will be disclosed after some fixed time interval Messages during a particular interval are authenticated by the corresponding key for that time interval Authenticate disclosed key: one-way hash key chain

Background K1K1 K n-2 Assign key Disclose key (delay = 2) K2K2 K3K3 KnKn K1K1 R Sender Receiver K0K0 K0K0 FFFFF Security Condition: [ T c +Δ-T 0 / T int ]<I i + d Bootstrap a new receiver: T c : Local time when the packet is received T 0 : Start time of the interval 0 T int : Duration of each time interval Δ : Maximum clock difference Time Sender Receiver request T c, K i, T i, T int, d

Contributions Using pre-determination and broadcast instead of unicast-based message transmission. Introduce a multi-level key chain scheme, the higher- level key chains are used to authenticate the commitments of the lower level one. Proposed periodic broadcast of commitment distribution message (CDM) and random selection strategies to improve the survivability and defeat some DOS attacks. Nice properties such as low overhead, tolerance of message loss, scalability, résistance to some DOS,etc

Outline Efficient Distribution of Key Chain Commitments Background and Contributions Five proposed schemes Implementation and Experimental results Random Key Predistribution Schemes Three schemes Scalability Comparison and discussion

Scheme I Predetermined Key Chain Commitment Predetermine the following parameters along with the master key distribution during the initialization of the sensor nodes Commitments Start time Other parameters Shortcomings Long key chain or large time interval? Difficulties in setting up start time

Scheme II Naïve Two-Level Key Chains To overcome the shortcoming of scheme I, i t puts forward Naive Two-level Key chains One high level key chain and multiple low level key chains High level key chain: broadcast CDM messages Low level key chain: broadcast actual data messages K1K1 K2K2 KnKn … … … K 1,1 K 1,2 K 1,m … K 2,1 K 2,2 K 2,m … K n,1 K n,2 K n,m K 1,0 K 2,0 K n,0 F0F0 F0F0 F1F1 F1F1 F1F1 F1F1 F1F1 F1F1 F1F1 F1F1 F1F1

Scheme II Naïve Two-Level Key Chains To use the low-level key chain during the time interval I i, they must authenticate the commitment K i,0 Immediate authentication for CDM messages KiKi K i+1 K i+2 CDM i =i|K i+1,0 |H(K i+2,0 ) |MAC K’i (i|K i+1,0 |H(K i+2,0 ))|K i- 1 K i+1,0 K i+2,0 Include hash image of K i+2,0 in CDM i In the time interval I,K i+1,0 could be authenticated

Scheme II Naïve Two-Level Key Chains CDM i-2 =i-2|K i-1,0 |H(K i,0 ) |MAC K’i-2 (i-2|K i-1,0 |H(K i,0 ))|K i-3 CDM i-1 =i-1|K i,0 |H(K i+1,0 ) |MAC K’i-1 (i-1|K i-1,0 |H(K i+1,0 ))|K i-2 … K i-2,1 K i-2,2 K i-2,m … K i-1,1 K i-1,2 K i-1,m … K i,1 K i,2 K i,m K i-2,0 K i-1,0 K i,0 KiKi K i-2 K i-1 F0F0 F0F0 F1F1 F1F1 F1F1 F1F1 F1F1 F1F1 I i-2 I i-1 IiIi In the time interval i-1,naïve two-level key can disclose the upper level key K i-2 and authentication the lower level key K i,0

Scheme II Naïve Two-Level Key Chains Shortcoming: Does not tolerate message loss as well as TESLA or uTESLA Normal messages loss CDM messages loss KiKi K i+1 K i+2 … K i,1 K i,2 K i,m … K i+1,1 K i+1,2 K i+1,m … K i+2,1 K i+2,2 K i+2,m K i,0 K i+1,0 K i+2,0 F 01 F1F1 F1F1 F1F1 F1F1 F1F1 F1F1 F1F1 F1F1 F1F1 F0F0 F0F0 missing

Scheme III Fault tolerant Two-Level Key Chains Tolerate normal message loss: Further connect the low level key chains and the high level key chain Tolerate CDM message loss: Rebroadcast CDM messages KiKi K i+1 K i+2 … K i,1 K i,2 K i,m … K i+1,1 K i+1,2 K i+1,m … K i+2,1 K i+2,2 K i+2,m K i,0 K i+1,0 K i+2,0 K i,m =F 01 (K i+1 ), F 01 : one way hash function, different from F 0 and F 1 F 01 F1F1 F1F1 F1F1 F1F1 F1F1 F1F1 F1F1 F1F1 F1F1 F0F0 F0F0

Scheme II Naïve Two-Level Key Chains CDM messages are more attractive to attackers DOS attacks on CDM messages Jamming Smart attacks: only change hash image so that the receiver can not discard it until get the corresponding disclosed key CDM i =i|K i+1,0 |H(K’ i+2,0 ) |MAC K’i (i|K i+1,0 |H(K i+2,0 ))|K i-1 CDM i+1 =i+1|K i+2,0 |H(K i+3,0 ) |MAC K’i+1 (i+1|K i+2,0 |H(K i+3,0 ))|K i

Scheme IV: (Final) Two–Level Key Chains Randomize CDM distribution to mitigate channel jamming attacks Randomize CDM buffering to mitigate smart DOS attacks Single buffer random selection Multiple buffer random selection

Scheme V: Multi-Level Key Chain Multi-level key chain scheme: each higher level key chain is used to distribute the commitments for its immediate low level key chain. Every adjacent level works the same way as the two level key chain scheme works.

Outline Efficient Distribution of Key Chain Commitments Background and Contributions Five proposed schemes Implementation and Experimental results Random Key Predistribution Schemes Three schemes Scalability Comparison and discussion

Implementation Network model Simulate communication channel on IP multicast One base station and one attacker component Multiple sensor nodes; one-hop neighbors of base station and attacker Parameters Channel loss rate Percentage of forged CDM packets Buffer size (data packets and CDM packets)

Implementation Metrics %authenticated data packets at sensor node (#authenticated data packets/received data packets) Average data authentication delay (the average time between the receipt and the authentication of a data packet).

Experimental result Buffer allocation schemes

Experimental result %authenticated data packets

Experimental result Average data packet authentication delay

Conclusion Advantages Remove uni-cast based key commitments distribution Resistance to message loss, DOS attacks Communication efficient Low overhead Scalable to large sensor networks Limitation Long delay after commitments loss failure

Future work Seeking solutions to reduce the long delay after commitments loss failure Broadcast authentication with multiple base stations Implement this scheme in real sensor networks

Outline Efficient Distribution of Key Chain Commitments Background and Contributions Five proposed schemes Implementation and Experimental results Random Key Predistribution Schemes Three schemes Scalability Comparison and discussion

Random Key Predistribution Schemes To establish keys in a sensor network Three new mechanisms for key establishment Enhance the security of the network and increase the cost of potential attacks

The Task Problem Distribute symmetric keys in a physically insecure network with a broadcast channel The solutions q-composite keys Multipath-reinforcement Random-pairwise keys The metrics Resilience against node capture, resistance against node replication, revocation capability, and scalability

Basic Scheme n nodes, each having m keys out of the key pool S A common key ensures secure communication K1, k2, k3, …, k100 S has 100 keys K1, k3 K1, k5 K3, k7

Basic Scheme Problems Easy to compromise Difficult to authenticate K1, k3 K3, k7 CompromisedCompromised node Compromised communicatio n

q-composite Keys q: the amount of key overlap Requires a least q common keys to establish a secure communication channel K1, k3, k5 K1, k3, k9 K3, k5, k7 m = 3 q = 2

q-composite Keys Performance concerns Parameters |S|, m, d, p We want to increase |S| and decrease m to mitigate the effect of compromised nodes We want to maintain d and p to ensure good connectivity

q-composite keys Performance concerns To increase |S| and decrease |m| will often decrease p, so there must be a tradeoff We choose the largest |S| while maintain a suitable p

q-composite Keys Performance concerns The effect of compromised nodes The proportion of compromised network links goes up when the number of compromised nodes increases This adversely affect the reasonable scale of the network

Key Reinforcement How to make the keys stronger? Increase m? It may make it weaker What if we make the keys much more difficult to figure out? Use multiple paths to transmit multiple parts of a key to the communication partner To figure out the real key used, the attacker needs to compromise all the paths

Key Reinforcement Usually, the paths of length two are used v1 v2 v3

Performance The number of connected nodes depends on the area A(x), which depends on the length of x Integrating over the distribution of x, the expected number of reinforcing neighbors are With k paths and the possibility of compromising a link as b, the possibility of an additional compromised link is The reinforcement can be pretty strong Key Reinforcement A(x) BC x

Performance The distribution of links with different reinforcing neighbors and the compromised links The compromised links can be pretty small fraction in the total number of links Key Reinforcement

Random-pairwise keys If a pair of nodes share a unique symmetric key, they can Establish a secure channel Authenticate each other Potentially achieve good performance in security and scalability K12, k13 K12, k29 k13, k37 m = 2

Random-pairwise Keys Revocation Since nodes can authenticate each other, a group of nodes can selectively revoke a specific (adverse) node ’ s privilege in the network This is done in a distributed way K12, k13 K12, k23 k13, k23 m = 2 t = 2 Node 1 Node 2 Node 3 Node 2 and 3 vote to revoke node 1

Random-pairwise Keys Question: How to revoke a node The revoked node may still jam the part of network after it knows it has been revoked The revoked node can impersonate another node, given that it has another compromised key ring K12, k23 k13, k23 m = 2 t = 2 Node “ 2 ” Node 2 Node 3 Node “ 2 ” jams the real node 2 and impersonate node 2 to communicate with node 3

Random-pairwise Keys How to detect a bad node? Integrity check Some methods are recommended in the paper but there may not be a perfect solution How to avoid the revocation mechanism ’ s being misused? Limit the nodes ’ revocation capability to resist revocation attack Limit the nodes ’ broadcast capability to resist DoS K12, k23 k23, k35 m = 2 t = 2 Node 1 Node 2 Node 3 Node 2 can vote to revoke node 1 but node 3 cannot

Random-pairwise Keys Question: do the security measures affect other aspects of the network? Does it affect the connectivity? This paper has a good example of applying restricted broadcast measure without obviously reducing the connectivity Does it affect other protocols, like routing? Based on the distribution of the keys, the security topology of the network may differ greatly from the physical topology Some routing protocols may have difficulty working correctly, or have degraded performance Geographic forwarding Trajectory based routing Direct diffusion

Outline Efficient Distribution of Key Chain Commitments Background and Contributions Five proposed schemes Implementation and Experimental results Random Key Predistribution Schemes Three schemes Scalability Comparison and discussion

Scalability Network size Limited global payoff requirement After simplifying and approximation q-composite keys increase the reasonable network size

Scalability Network size Compare different schemes Multipath reinforcement greatly enhance the reasonable size of the network

Comparison and discussion Both protocols target sensor networks Same resource limit: bandwidth, computing capacity, memory, … Some common assumptions: trustworthy base stations, insecure communication channel, inexpensive hardware that can be compromised Both take the advantage of existing cryptographic techniques

Comparison and discussion The two papers focus on different aspects of security E-paper focuses on 1-to-many broadcast R-paper focuses on key distribution, which can be used to construct more general semantics and more varied traffic patterns

Comparison and discussion Are the assumptions in the papers reasonable? Are base stations really secure? Does the network has a density to maintain a reasonable p in the key predistribution schemes?

Thank you!