Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Published byStacy Trew Modified over 9 years ago

Similar presentations

Presentation on theme: "Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech."— Presentation transcript:

1 Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech

2 Agenda Introduction Contributions Key Distribution Schemes Proposed Protocol Properties of Key Revocation Proof of Properties Conclusions

3 Introduction Complexity of secure communication Large number of nodes No knowledge of topology before hand Limited resources Exposure of nodes to adversary Possible key revocation schemes Centralized Distributed

4 Contributions Rigorous definition of distributed revocation properties A general active adversary model Protocol for distributed Key revocation

5 Key Distribution Schemes Fully Pairwise-Shared Keys Every node shares key with every other node Large number of keys Use of Trusted KDC KDC distributes keys Small number of keys Centralized point of attack λ-Secure n x n Keys Property of λ-Security

6 Key Distribution Schemes Random Key Distribution Scheme Key Ring of size m Key pool of size |Q| 2 random subsets of size m will share at least 1 key with probability p Use of q-composite keys Tradeoff between initial resistance to subsequent weakness

7 Key Distribution Schemes Random Pairwise Keys Proposed by Chan et al Preload just m keys, where m<<n Node share a key with neighbor with probability p Can provide node authentication

8 Key Distribution Schemes MultiSpace Keys Select pools of keyspaces Common keyspace provide λ-security Deterministic Key Predistribution Allocation to ensure key sharing Memory is O(√n) Same keys could be shared between many nodes

9 Node Revocation Problem Takes place in presence of active adversaries Adversaries can modify and monitor messages Limited resources available Distributed Scheme is more useful Decisions made by neighbors Decision can be made faster More complex

10 Attacker & Communications Model Adversary has universal communication presence Adversary can perform chosen node compromise Compromised nodes collaborate Adversary cannot block or significantly delay communications

11 Assumptions Deployment Atomicity Do not occur while there are active revocation sessions in the network Locality Restriction of Compromised Nodes Nodes cannot replicate and move to other places in the network Node Degrees Number of local participants, d i >>t Adversary can attempt to reduce degree of legitimate nodes

12 Assumptions Node Revocation Events are visible to the neighborhood Malicious nodes providing spurious revocations Revocation Sessions are always available Revocation attempts by legitimate nodes are infrequent Malicious node tries to exhaust revocation sessions against target, known by neighborhood Do not assume time synchronization

13 Cryptographic Primitives Random polynomial q(x) = a 0 + a 1 x + a 2 x 2 +… + a t-1 x t-1 Cryptographic Hash 1 way function, hash of coefficients Authenticated Encryption Detect ciphertext forgeries Detect false decryption keys

14 Merkle Tree

15 Secret Share How to divide data D into n pieces in such a way that D is easily reconstructable from any k pieces, but even complete knowledge of k - 1 pieces reveals absolutely no information about D.

16 Offline Node Initialization

17 Stages of Revocation A is initially in pending state for session s When 1 st vote is cast or received, it moves to active state It records votes of other participants After Δs time, it moves to completed state For full dissemination of messages, Δs>2Δc, where Δc is the time to propagate a message in the neighborhood

18 Voting in Revocation Session When node A detects compromise, it votes in this session and the next It transmits (q Bs (X ABs ), X ABs ) Also transmits (log m) Merkle tree authentication hash values

19 Completing Revocation Session If A receives t votes Able to compute q Bs Transmits Hash of the polynomial Other nodes verify this hash and delete the shared keys with the target Otherwise Session number is updated All nodes privately notify base station of failed revocation

20 Properties of Distributed Revocation Completeness If a compromised node is detected by t or more uncompromised neighboring nodes, then it is revoked from the entire network permanently. Soundness If a node is revoked from the network using this scheme, then at least t nodes must have agreed on its revocation.

21 Properties of Distributed Revocation Bounded Time Revocation Completion Revocation decision and execution occur within a bounded time period from the time of sending of the first revocation vote. Unitary Revocation Revocations of nodes are unitary (all-or-nothing) in the network. Specifically, if a node is revoked in one part of the network, then it will be revoked in the whole network.

22 Properties of Distributed Revocation Revocation attack resistance If c nodes are compromised, then they can only revoke at most αc other nodes where α is a constant and α<<m/t. Comes from definition of Revocation Attack An attack where an adversary uses the distributed node revocation protocol to selectively revoke uncompromised nodes from the network.

23 Session Agreement Two nodes are in session agreement with respect to a target node at some instant in time if, for some session s, either session s is pending for both nodes, session s is active for both nodes, session s is active for one node B and session s is completed for another node A, but session s is completing within time Δc for node B, or session s is active for one node A and pending for the other node B, but node B is activating session s within Δc time.

24 Lemmas Every node is deployed with the correct current revocation session for its participants. At any given point in time, any two uncompromised local participants are in session agreement for any target node.

25 Proof of Lemma Case1 Session s is pending for both nodes at time T, and at time T+ε, node A activated session s. Case2 Session s is active for both nodes at time T. At time T+ε, node A completed session s, but node B still has the session active.

26 Proof of Lemma Case3 Session s is active for node B and session s is complete for node A at time T. At time T+ε, session s has completed for node B. Case4 At time t, session s is active for A and pending for B. At time T+ε, session s has completed for node A.

27 Proof for Completeness Node B has lowest session number Arbitrary Node A Case1 Session s is pending for B Node A has either session s pending or active Case2 Session s-1 is active for B Node A has session s-1 pending or s-1 active or s pending or s active

28 Proof for Soundness If Node C is revoked, H(q cs ) is broadcast For this q cs must be obtained By secret share, only possible from t shares

29 Proof for Bounded Time Revocation First vote cast at time T All nodes activate session within T+Δc Decision taken within time Δs Time to propagate decision is Δd Total time is bounded

30 Proof for Unitary Revocation Case 1 Node is revoked in 1 part of the network Correct value of q cs is received and transmitted and revoked in time Δd Case 2 If a node is not revoked in some part of the network, then it was not revoked in any part of the network in the time prior to the last Δd

31 Proof for Attack Resistance Each compromised node can form connections with d i nodes Thus, each compromised node can unmask at most d i votes each. The total number of unmasked votes is thus

32 Conclusions Overview of key distribution techniques Precise formulation of distributed revocation problem Protocol for distributed revocation Distributed algorithms are more complex but are faster than centralized Avoidance of single point of failure

33 Questions?

Download ppt "Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech."

Similar presentations

Security in Sensor Networks By : Rohin Sethi Aranika Mahajan Twisha Patel.

Security in Sensor Networks By : Rohin Sethi Aranika Mahajan Twisha Patel.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou,Member, IEEE, and Yuguang Fang, Senior Member, IEEE Source: IEEE TRANSACTIONS ON DEPENDABLE.

Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou,Member, IEEE, and Yuguang Fang, Senior Member, IEEE Source: IEEE TRANSACTIONS ON DEPENDABLE.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
The Sybil Attack in Sensor Networks: Analysis & Defenses J. Newsome, E. Shi, D. Song and A. Perrig IPSN’04.

The Sybil Attack in Sensor Networks: Analysis & Defenses J. Newsome, E. Shi, D. Song and A. Perrig IPSN’04.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7. Wireless Sensor Network Security.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7. Wireless Sensor Network Security.
Distributed Detection Of Node Replication Attacks In Sensor Networks Presenter: Kirtesh Patil Acknowledgement: Slides on Paper originally provided by Bryan.

Distributed Detection Of Node Replication Attacks In Sensor Networks Presenter: Kirtesh Patil Acknowledgement: Slides on Paper originally provided by Bryan.
Presented By : Ankita Jaiswal Guided By : Dr. Agrawal sir.

Presented By : Ankita Jaiswal Guided By : Dr. Agrawal sir.
1 Security in Wireless Sensor Networks Group Meeting Fall 2004 Presented by Edith Ngai.

1 Security in Wireless Sensor Networks Group Meeting Fall 2004 Presented by Edith Ngai.
Roberto Di Pietro, Luigi V. Mancini and Alessandro Mei.

Roberto Di Pietro, Luigi V. Mancini and Alessandro Mei.
ITIS 6010/8010 Wireless Network Security Dr. Weichao Wang.

ITIS 6010/8010 Wireless Network Security Dr. Weichao Wang.
SUMP: A Secure Unicast Messaging Protocol for Wireless Ad Hoc Sensor Networks Jeff Janies, Chin-Tser Huang, Nathan L. Johnson.

SUMP: A Secure Unicast Messaging Protocol for Wireless Ad Hoc Sensor Networks Jeff Janies, Chin-Tser Huang, Nathan L. Johnson.
A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.

A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.

Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
INSENS: Intrusion-Tolerant Routing For Wireless Sensor Networks By: Jing Deng, Richard Han, Shivakant Mishra Presented by: Daryl Lonnon.

INSENS: Intrusion-Tolerant Routing For Wireless Sensor Networks By: Jing Deng, Richard Han, Shivakant Mishra Presented by: Daryl Lonnon.
Random Key Predistribution Schemes For Sensor Networks Haowan Chen, Adrian Perigg, Dawn Song.

Random Key Predistribution Schemes For Sensor Networks Haowan Chen, Adrian Perigg, Dawn Song.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

Similar presentations

Ads by Google