Mitigating Sandwich Attacks against a Secure Key Management in WSNs for PCS/SCADA

Queensland University of Technology

CRICOS No. 00213J

Mitigating Sandwich Attacks against a Secure Key Management

in WSNs for PCS/SCADA

Hani Alzaid, DongGook Park, Juan Gonzalez, and Ernest Foo

CRICOS No. 00213Ja university for the worldreal R

Key Management in WSNs for PCS/SCADA• Introduction.

– WSNs & SCADA.• Related Work.

– Nilsson et al.’s & Alzaid et al.’s schemes.• Sandwich Attack.• Performance Analysis

– Memory overhead, communication cost, & computation cost.

• Conclusion

2


Introduction: WSNs

EmbeddedProcessor

Transceiver

Memory

SensorsBattery

3

Limited Storage

Limited Lifetime

Slow Computations

1Kbps - 1Mbps, 3-100 Meters,


Introduction: SCADA

4

Master Center

Historian

Communication Systems

Remote field

Network Manager

Human Interaction

Database Storage

Processing Servers

Separate Subnet

Fiber Optics

Radio

Satellite

Gateways

IEDs

Sensors


Related Work

• Several papers proposed key management designs for SCADA.– They use heavy cryptographic mechanisms.– Do not consider the integration of WSNs with SCADA.

• The works that consider the integration, proposed by Nilsson et al. and Alzaid et al..

5


Related Work – Nilsson et al.

• Nilsson et al. designed two key update protocols:– The 1st protocol updates the pairwise symmetric key

between and .– The 2nd protocol updates the global or group key

among and .• They claimed that these protocols provide both

forward and backward secrecy (past and future key secrecy). It is not the case!

6


Related Work – Nilsson et al.

• Node compromise attacks was not considered in Nilsson et al..

• The new group key is directly carried by the protocols messages, encrypted under the pairwise key.

• The value of new pairwise key is determined by the sensor node.

• etc.• Alzaid et al.’s addressed these weaknesses.

7


Related Work – Alzaid et al.

• The adversary can launch node compromise – All the credentials stored in sensors.– All the software code installed within the sensors,

especially random number generation functions.• It cannot compromise the network manager.

8

Adversary Model


Related Work – Alzaid et al.

• Past key secrecy: the past keys should not be compromised.

• Future key secrecy: the future keys should not be compromised.

Security Requirements

9


The Proposed Key Management

0t 0s 10( )h s 0( )ih s0( )ih t 1

0( )h t

1GK

iGK

0GK

Forward hash chainReverse hash chain

Pastkey secrecy

Future key secrecy

The Group Key Update Protocol

10



The Group Key Update Protocol (Protocol-1)

11



The Pairwise Key Update Protocol (Protocol-2)

12


Sandwich Attack

The Problem• Alzaid et al.’s scheme suffers from a new kind of

attack called “Sandwich Attack”.• Suppose an attacker captures a node at

• are revealed.• All the subsequent hash images of the forward hash

chain (but not the reverse hash chain) can be computed.

13


Sandwich Attack

The Problem• When the attacker captures another node at

where .• The adversary is able to compute all the preimages of

the reverse hash chain between .• Then, the attacker can compute all the group

keys from to by computing:

14


Sandwich AttackForward hash chainReverse hash chain

15

unknown

unknown

unknownunknown unknown


Sandwich AttackForward hash chainReverse hash chain

16

unknown

known

knownunknown


Sandwich Attack

The Solution (Protocol-3)• Break the reverse hash chain into smaller ones.

17


Sandwich Attack

• can play two strategies:• Replace Protocol-1 completely with Protocol-3.

• rerun Protocol-3 until receives 2nd message of the protocol from to ensure the reestablishment of the reverse hash chain.

• Switch between Protocol-1 and Protocol-3 whenever it is needed.

• The choice between these two strategies depends on how much the Sandwich attack concerns the network designers.

18


Performance AnalysisMemory Overhead

19

Stored information per sensorNilsson et al. [2] Alzaid et al. [1] Our proposal

Qty Size (bits) Qty Size

(bits) Qty Size (bits)

Pairwise key shared with M . 2 256 1 256 1 256Key used for random number generation 1 128 - - - -M’s public key 1 256 - - - -Group key . 1 128 1 128 1 128Secret data . - - 2 128 2 128Indexes . - - 2 16 2 16Hashed value of the old pairwise key - - 1 128 1 128

Total 1024 800 800


Performance AnalysisCommunication Cost

20

Protocol Step

Nilsson et al. [2]

Alzaid et al. [1] Our proposal

# of bits Energy (J)# of bits Energy (J) # of bits Energy (J)

Pairwise

key

1. M → N - - 272 13.6 272 13.62. M ← N 256 19.2 256 19.2 256 19.2

Total 256 19.2 528 32.8 528 32.8

Group key

1. M → N 256 12.8 144 7.2 272 13.62. M ← N 128 9.6 128 9.6 128 9.6

Total 384 22.4 272 16.8 400 23.2


Performance AnalysisComputation Cost

21

Protocol Step

Consumed energy (J)Nilsson et

al. [2]Alzaid et

al. [1]Our

proposal

Pairwise

key

1. M→ N - 304 304 2. Compute the new key 154 52000 52000 3. M← N 52154 278 278

Total 52308 52582 52582

Group key

1. M→ N 150 278 304 2. Compute the new key - 154 154 3. M← N 154 154 154

Total 304 586 612


Conclusion

• Lamport’s reverse hash chain as well as usual hash chain are employed to ensure past and future key secrecy against node compromise.

• No delivery for the whole value of the new group key for group key update.

• Sandwich Attack is mitigated by breaking the reverse hash chain into shorter ones.

22


References

[1] Alzaid, Hani and Park, DongGook and Gonzalez Nieto, Juan and Boyd, Colin and Foo, Ernest. A Forward & Backward Secure Key Management in Wireless Sensor Networks for PCS/SCADA.

[2] Nilsson, Dennis K. and Roosta, Tanya and Lindqvist, Ulf and Valdes, Alfonso. Key management and secure software updates in wireless process control environments.

23

Queensland University of Technology

CRICOS No. 00213J

Mitigating Sandwich Attacks against a Secure Key Management

in WSNs for PCS/SCADA

Questions

Mitigating Sandwich Attacks against a Secure Key Management in WSNs for PCS/SCADA

Documents

Transcript of Mitigating Sandwich Attacks against a Secure Key Management in WSNs for PCS/SCADA