Key Infection: Smart Trust for Smart Dust - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Key Infection: Smart Trust for Smart Dust


1
Key Infection: Smart Trust for Smart Dust
By Ross Anderson, Haowen Chan, Adrian Perrig
  • Presented by Sree P. Kollipara

2
Overview
  • Introduction
  • Sensor Network
  • Previous Work
  • Real World Attacker Model
  • Key Infection
  • Secrecy Amplification
  • Conclusion

3
Introduction
  • Sensor network
  • Widely used i.e., factory instrumentation,
    climate control, building safety
  • Large number of sensors
  • Small and low cost
  • Self-organized network, peer-to-peer
  • Limited battery power, resources
  • Not tamper-proof hardware

4
Introduction
  • Security
  • Opponent: attacker, adversary
  • Passive, just monitoring or
  • Active, jamming or network flooding
  • Key Distribution
  • Problem: shared keys between sensor nodes
  • Asymmetric vs. Symmetric Cryptography
  • Enough computing and electronic power, memory
  • Limited processor, memory and battery
  • Preloaded keys: memory, infrastructure to load
  • Setup of a key by touch: large scale deployment

5
Contributions
  • Identify realistic attacker model
  • Key-infection, an efficient light weight
    key-distribution mechanism
  • Analyze the security of key infection design
    Secrecy Amplification
  • In real-world applications, the major cost is
    maintenance more than initial deployment

6
Sensor Network
  • A sensor network consists of multiple detection
    stations called sensor nodes, each of which is
    small, lightweight and portable.
  • Every sensor node is equipped with
  • transducer
  • microcomputer
  • transceiver
  • power source

7
Sensor Network

8
Sensor Network
  • The development of wireless sensor networks (WSN)
    was originally driven by military applications
  • These WSNs are also used by other applications
    such as civilian application areas, health care
    applications, home automation and traffic control

9
Sensor Network
  • The size of single sensor network can vary from
    shoebox sized nodes to the size of a grain of
    dust.
  • Here, size and cost constraints result in
    constraints on resources such as
  • energy
  • memory
  • speed
  • bandwidth

10
Sensor Network
  • Sensors
  • Sensors are hardware devices which produce
    responses to a change in a physical condition
    like temperature and pressure
  • Sensors are classified into 3 categories
  • Passive, Omni Directional Sensors
  • Passive, Narrow-beam Sensors
  • Active Sensors

11
Sensor Network
  • There are two kinds of sensor nodes that are used
    in sensor network
  • One is normal sensor node that is deployed to
    sense phenomena
  • Other is gateway node which interfaces sensor
    network to the external world
  • Some commonly used commercial motes/sensor nodes
    are Bean, Btnode, Cots, Dot, Eyes, I Mote, etc.

12
Sensor Network
  • Various routing protocols used in sensor network
    are
  • Classic flooding
  • Gossiping
  • Ideal dissemination
  • SPIN (Sensor Protocols for Information
    Negotiation)

13
Previous Work
  • Sensor network with a source based routing
    protocol
  • Routing architecture executes the software with
    which they were loaded before deployment
  • Security architecture
  • Authenticated broadcast with initial keys
    diversified from master keys
  • Using normal nodes as base stations
  • Generation of base stations to possess master keys

14
Previous Work
  • Alternative method
  • Symmetric keys are pre-loaded on each node
  • Shared keys are generated based on total of
    nodes and expected density of deployment
  • Cost issues
  • Uses lot of memory to store keys

15
Related Work
  • Non-Public Key Distribution, Rolf Blom
  • Investigation schemes which have Greater
    Theoretical Security with small demands on
    storage space
  • The straight-forward approach of distributing
    each user N-1 different keys is the strongest
    possibility of security but has largest
    requirement on user storage
  • There are 2 different key generation schemes that
    require same secret storage with simple functions
    for calculation of legal keys

16
Related Work
  • The first scheme, based on MDS codes is good when
    there is no need to protect the key scheme
    against large groups of cooperating users trying
    to generate extra keys.
  • The second scheme, can handle when enough users
    cooperate and succeed to generate one extra key
    in the polynomial based system, they can generate
    all keys in the system.
  • It would be nice to have systems that degrade
    more gracefully but here more research is needed.

17
Real World Attacker Model
  • From the experience of World War 2 and the world
    of international telephony in the post-war years,
    researchers assumed
  • highly capable, motivated attacker
  • Global passive adversary, that can monitor and
    store all communications
  • Global active adversary, that can modify and
    inject communications

18
Real World Attacker Model
  • More realistic attacker model
  • Non-critical commodity sensor network
  • extreme limitations on sensor hardware
  • requires minimal pre-deployment setup
  • less valuable as targets
  • little damage is done to user
  • So, dubious to apply stronger attack model

19
Real World Attacker Model
  • Slightly relaxed attacker, attacker should use
    realistic protection requirements
  • Low cost commodity sensor network,
  • Extremely expensive to deploy surveillance
    devices
  • Main obstacle is availability of power
  • So, it is unlikely to be economical to attack
    comm. sensor n/w

20
Real World Attacker Model
  • During the deployment phase
  • attacker doesn't have physical access to
    deployment site
  • can monitor only a small proportion of network
  • cannot execute active attacks
  • After key exchange, both are possible

21
Real World Attacker Model
  • Contravening the attacker model
  • An Adversary,
  • has to have foresight to deploy surveillance
    equipment
  • its eavesdropping devices must be operational
    undetected
  • must be able to identify, retrieve and process
    the eavesdropped product to extract key exchange
    messages

22
Key Infection
  • Each node chooses a key and broadcasts it in
    plaintext to its neighbors
  • Short range transmission will have about half a
    dozen nodes within a range of 10 meters
  • Nodes detect each other's presence and organize
    themselves into a network
  • Packets are transmitted with minimum power
  • Gives significant protection when opponents are
    present
  • Improvement with a slight change in the protocol,
    key whispering

23
Key Whispering
  • A node transmits a key very quietly and steadily
    increases the power until the response is heard
  • A link is established with responder
    broadcasted with a new initial key
  • Two nodes within a range will exchange a secure
    key
  • The number of links an opponent can eavesdrop
    falls to 0.8 as opposed to 2.4 in key infection

24
Analysis
  • Key infection is secure if the attacker arrives
    after key infection phase
  • Considering the case when black dust nodes are
    installed before white dust nodes, then if black
    nodes collude, probability that a black node can
    eavesdrop is $\pi R^2 N_b / s$
  • where $R$ is max range of radio
  • $N_b$ is number of black dust nodes
  • $s$ is size of distribution of smart nodes over an
    area

25
Analysis
  • Using Key Whispering, the probability that a
    black node can eavesdrop is $1.2 r^2 N_b / s$
  • where $1.2 r^2$ is the effective eavesdropping area
  • $r$, length of a link
  • $N_b$, number of black dust nodes
  • $s$, size of distribution of smart nodes over an
    area
  • Whisper mode extension results in approximately
    fewer compromised links

26
Analysis
  • We assume that black nodes have the same receiver
    sensitivity as white nodes, which appears
    reasonable given single-chip receiver
    technology.
  • This would have
  • larger batteries, or
  • wired network
  • so as to transmit further.
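
Added example (not from the slides or the paper): a Monte Carlo check of the two eavesdropping estimates above on a unit square (s = 1). It assumes plain key infection is compromised when a black node lies within R of the broadcasting node, and whispering only when a black node lies within the link length of both ends; `simulate` and `lens_area` are names chosen here.

```python
import math
import random

def lens_area(r):
    """Area from which BOTH ends of a whispered link of length r are audible:
    the intersection of two radius-r circles whose centres are r apart."""
    return r * r * (2 * math.pi / 3 - math.sqrt(3) / 2)   # ~= 1.23 r^2

def simulate(n_white=1000, n_black=20, avg_neighbours=5.0, seed=1):
    """Fraction of links colluding black nodes can read, for plain key
    infection and for key whispering (constructed random deployment)."""
    rng = random.Random(seed)
    R = math.sqrt(avg_neighbours / (math.pi * n_white))   # max radio range
    white = [(rng.random(), rng.random()) for _ in range(n_white)]
    black = [(rng.random(), rng.random()) for _ in range(n_black)]
    links = infected = whispered = 0
    for i, u in enumerate(white):
        for v in white[i + 1:]:
            d = math.dist(u, v)
            if d > R:
                continue                                   # not neighbours
            links += 1
            # Key infection: u broadcasts its key at full power R.
            if any(math.dist(b, u) <= R for b in black):
                infected += 1
            # Key whispering: power only just reaches the peer, so a black
            # node must be within d of both u and v to capture the exchange.
            if any(math.dist(b, u) <= d and math.dist(b, v) <= d
                   for b in black):
                whispered += 1
    return {"R": R, "links": links,
            "infection": infected / links,
            "whispering": whispered / links,
            "predicted_infection": math.pi * R * R * n_black}  # pi R^2 Nb / s

if __name__ == "__main__":
    print(simulate())
```

Every link that whispering loses is also lost under plain key infection, so the whispering fraction can never exceed the infection fraction in this model.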

27
Secrecy Amplification
  • Uses multipath key establishment to make job
    harder
  • Simulate different strategies for key
    establishment
  • Here, we combine keys along different paths
  • We suppose the nodes W1, W2 and W3 are neighbors
  • W1, W2 set up the key k12
  • W1, W3 set up the key k13
  • W2, W3 set up the key k23
  • To amplify the secrecy of key k12, W1 asks W3 to
    exchange an additional key with W2.

28
Secrecy Amplification
  • W1 → W3: {W1, W2, N1}k13
  • W3 → W2: {W1, W2, N1}k23
  • W2 computes k'12 = H(k12 || N1)
  • W2 → W1: {N1, N2}k'12
  • W1 → W2: {N2}k'12
  • (Diagram: message flow between W1, W2 and W3)

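
The exchange above as runnable code, added here as an illustration and not taken from the slides or the paper. `seal`/`unseal` are a toy stand-in for the {...}k encryption, SHA-256 is assumed for H, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

def seal(key, *fields):
    """Toy stand-in for {fields}key: SHAKE-256 keystream XOR plus HMAC tag."""
    msg, iv = b"|".join(fields), os.urandom(16)
    stream = hashlib.shake_256(key + iv).digest(len(msg))
    ct = bytes(a ^ b for a, b in zip(msg, stream))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified message")
    stream = hashlib.shake_256(key + iv).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream)).split(b"|")

def amplify(k12, k13, k23):
    """Run the four messages; return (k'12 at W1, k'12 at W2, wire traffic)."""
    n1 = os.urandom(16).hex().encode()            # hex, so it never contains "|"
    m1 = seal(k13, b"W1", b"W2", n1)              # W1 -> W3
    m2 = seal(k23, *unseal(k13, m1))              # W3 -> W2 (re-encrypts)
    n1_at_w2 = unseal(k23, m2)[2]
    new_w2 = hashlib.sha256(k12 + n1_at_w2).digest()   # k'12 = H(k12 || N1)
    n2 = os.urandom(16).hex().encode()
    m3 = seal(new_w2, n1_at_w2, n2)               # W2 -> W1
    new_w1 = hashlib.sha256(k12 + n1).digest()
    got_n1, got_n2 = unseal(new_w1, m3)
    if got_n1 != n1:
        raise ValueError("N1 not echoed")
    m4 = seal(new_w1, got_n2)                     # W1 -> W2
    if unseal(new_w2, m4) != [n2]:
        raise ValueError("N2 not echoed")
    return new_w1, new_w2, [m1, m2, m3, m4]

def eavesdropper_key(wire, k12, path_keys):
    """k'12 as computed by a black node that logged `wire` and knows these keys."""
    for key in path_keys:
        for msg in wire[:2]:
            try:
                return hashlib.sha256(k12 + unseal(key, msg)[2]).digest()
            except ValueError:
                continue
    return None
```

A black node that holds k12 alone gets nothing from the logged traffic; it also needs k13 or k23 to read N1, which is the extra work secrecy amplification imposes.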
29
Key Establishment
  • Uniformly distributed, 1000 white dust equals
    transmission range
  • Key infection vs. Key whispering
  • d, average no of neighbors of a node
  • other columns shows the ratio of the links

30
Key Establishment
  • Key infection vs. Secrecy Amplification
  • d, average no of neighbors of a node
  • other columns shows the ratio of the links
  • Here, the secrecy amplification is improved

31
Secrecy Amplification
  • The tables list the ratio of links for a density
    a of black dust nodes
  • 1, 2 3
  • SA is not limited to two path hops
  • Source routing algo in sensor n/ws give limited
    information
  • SA is significantly better because of its
    complexity.

32
Multihop Keys
  • When we link W1 W2 with W3, then we can invoke
    W2 to set up a key with the help of W1 W3
  • This has 2 purposes
  • Supports end-to-end cryptography
  • Energy efficient for base-to-node communications
  • When memory is not restricted, multihop keying
    may seem like a natural mechanism for using.

33
Multihop Keys
  • In Smart Dust, memory size and cost of messages
    are limited, and there are limited types of traffic:
  • Messages between base stations and nodes
  • local routing messages
  • time beacons, i.e., broadcast of signals
  • Here, Base-to-node traffic should be end-to-end
    encrypted

34
Interaction with Routing Algorithms
  • Existing prototypes use strategies that are based
    on dynamic source routing mechanisms.
  • Multipath key infection automatically discovers
    multipaths that are used
  • Here, the analogy with biological infection is
    coming to a break down
  • Multihop keying enables keying to try different
    logical paths along the same physical path

35
Interaction with Routing Algorithms
  • Identify and isolate faulty or subverted node
  • If pairs of motes can no longer route to each
    other, then a recovery phase may be initiated.
  • This involves back-up nodes, re-run of n/w
    discovery algo, sticky random routing.
  • Most sensor networks do not need to do mobile
    routing

36
Interaction with Routing Algorithms
  • Topology can be changed
  • when the battery is exhausted, and
  • a node is destroyed
  • In future, we need routing strategies that work
    for mobile principals.

37
Key Establishment
  • Key whispering vs. Secrecy Amplification
  • Here, the basic key infection uses key whispering
  • d, average no of neighbors in a node
  • Other columns shows the ratio of the links
  • Table shows the improvement of secrecy
    amplification over key infection

38
Key Establishment
  • Basic two-hop key infection, with multipath
    extension
  • d, average no of neighbors in a node
  • basic column, return path of the key infection is
    the same as the forward path
  • m-path column, return path of the key infection
    is different from forward path

39
Experiment Results
  • (Tables not reproduced in the transcript: KI, KW,
    SA over KW)

40
Other Applications
  • Peer-to-peer systems typically start out
    optimistically with a large number of hopefully
    trustworthy nodes
  • Black nodes join once the network starts to
    operate, and white nodes may be subverted
    (e.g., by court order)
  • Here too the issue isn't the initial key
    bootstrapping, but resilience in the face of what
    happens later

41
Other Applications
  • Subversive networks are similar. Law enforcement
    can only monitor so many people, and so many
    phones
  • Once subversive activity manifests, the task is
    to penetrate a network that may have been fairly
    open at the start, but has now closed up
  • Again, the important aspect is not the initial
    bootstrapping, but the subsequent lockdown, and
    any associated resilience

42
Security Economic Issues
  • Economics provide the big showstopper for
    security in general
  • Here, the game depends on both initial and
    marginal costs of attack and defense
  • Initial keying increases initial cost to both
  • Equilibrium depends on marginal costs - defender
    efforts vs. attacker resilience

43
Security Economy Issues
  • Logically, defender will give up, or attacker
    have to go all out to maintain network
  • Attacker will logically make marginal investment
    in resilience, not bootstrapping

44
Research Problems
  • What are the relative costs of key establishment
    vs. maintenance in different types of network?
  • What are the best attack and defense strategies
    at equilibrium?
  • What's the interaction with routing algorithms?
  • Can you deal with new motes joining?

45
Research Problems
  • Can you have multiple virtual networks (United
    Nations Dust)?
  • Can multiple users interact locally
    (Neighborhood Watch Dust)?

46
Conclusion
  • Sensor networks present interesting and novel
    protection problems
  • They provide a tractable model for bigger
    problems, from P2P network design to some
    real-world policing problems
  • Challenge the conventional wisdom that
    authentication is about trust bootstrapping

47
Conclusion
  • In many real social networks, trust is more about
    group reinforcement / bonding
  • Will future pervasive computing systems be
    command-and-control, or societal?

48
Questions???
49
References
  • R. Blom. Non-public key distribution. In Advances
    in Cryptology: Proceedings of Crypto 82, pages
    231–236, 1982.
  • C. Blundo, A. D. Santis, A. Herzberg, S. Kutten,
    U. Vaccaro, and M. Yung. Perfectly-secure key
    distribution for dynamic conferences. In Advances
    in Cryptology - Crypto 92, pages 471–486, 1992.
  • D. Liu and P. Ning. Location-based pairwise key
    establishments for static sensor networks. In
    ACM Workshop on Security in Ad Hoc and Sensor
    Networks (SASN 03), Oct. 2003.
  • K. Sirois and S. Kent. Securing the Nimrod
    routing architecture. In Proceedings of the
    Symposium on Network and Distributed Systems
    Security (NDSS 97). Internet Society, Feb. 1997.