Random Key Predistribution Schemes for Sensor Networks

Authors: Haowen Chan, Adrian Perrig, Dawn Song
Carnegie Mellon University

Presented by: Johnny Flowers
February 28, 2008


The Big Idea

Three key bootstrapping protocols for large sensor networks

Alternatives to public key cryptosystems

Each protocol trades a different drawback in exchange for the security it provides

Outline

Background

The problem with sensor networks

Related work

Three schemes
  q-composite keys scheme
  Multipath-reinforcement scheme
  Random pairwise keys scheme

Future directions

The Bootstrapping Problem

Initialization process

Creating something from nothing

Bootstrapping Security in Sensor Networks

Especially challenging because of the limitations of sensor networks:
  Constrained resources
  Physical vulnerability
  Unpredictability of future configurations
  Temptation to rely on base stations

Related Work

Previously proposed solutions often depend on:
  Asymmetric cryptography
  Arbitration by base stations (e.g., SPINS)

Some even require physical contact with a master device or assume that attackers do not arrive until after key exchange

Finding a Solution

Authors’ proposed schemes are based on the basic random key predistribution scheme

Basic scheme is modified to meet the appropriate design goals

What Makes a Key Predistribution Scheme Good?

Key Predistribution Scheme Design Goals

Secure node-to-node communication

Must not rely on base stations for decision-making

Adaptable to addition of nodes after initial network setup

Key Predistribution Scheme Design Goals, Cont.

Prevent unauthorized access

No assumptions about which nodes will be within communication range of each other

Resource-efficient and robust to DoS attacks

Evaluation Metrics

Resilience against node capture

Resistance against node replication

Revocation of misbehaving nodes

Scalability

The Basic Scheme

The Basic Scheme

Three phases of operation:
  Initialization
  Key setup
  Graph connection

The Basic Scheme – Initialization

Pick a random key pool, S

For each node, randomly select m keys from S (this is the node’s key ring)

The size of S is chosen so that two key rings will share at least one key with probability p

The Basic Scheme – Key Setup

Nodes search for neighbors that share a key

Broadcast short IDs assigned to each key prior to deployment

Keys verified through challenge-response

The Basic Scheme – Graph Connection

Nodes then set up path keys with any unconnected neighbors through existing secure paths

# of secure links a node must establish during key setup (degree, d) to form a connected graph of size n with probability c is:

d = [(n-1)/n][ln(n) - ln(-ln(c))]

The Basic Scheme – Graph Connection

The probability, p, that two nodes successfully connect is

p = d/n′

where n′ is the expected number of neighbor nodes within communication range of A


Extensions of the Basic Scheme

q-composite Random Key Predistribution

Multipath Key Reinforcement

Random Pairwise Keys

q-composite Random Key Predistribution Scheme

q-composite Scheme

Instead of one key, a pair of nodes must share q keys to establish a secure link

Key pool must be shrunk in order to maintain probability p of two nodes sharing enough keys

Initialization and Key Setup

Similar to basic scheme
  Each node has m keys on key ring

Two nodes must discover at least q common keys in order to connect
  Before connecting, a new key is created as a hash of the q shared keys

Broadcasting IDs is dangerous, however
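
Added example (not from the slides or the paper): q-composite key setup between two nodes, with the challenge-response check from the basic scheme confirming that a neighbour really holds the keys behind the IDs it announced. SHA-256, HMAC, hashing every shared key in key-ID order, the function names and the key rings are all assumptions; IDs are exchanged in the clear here, which is the step the slide flags as dangerous.

```python
import hashlib
import hmac
import os

def link_key(ring, peer_ids, q):
    # ring maps key ID -> key bytes; peer_ids are the IDs the neighbour broadcast.
    shared = sorted(set(ring) & set(peer_ids))
    if len(shared) < q:
        return None  # not enough overlap: no direct link
    digest = hashlib.sha256()
    for key_id in shared:  # fixed order so both sides hash identically
        digest.update(ring[key_id])
    return digest.digest()

def respond(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()

def key_setup(ring_a, ring_b, q):
    # Returns the link key if both nodes derive the same one, else None.
    k_a = link_key(ring_a, ring_b.keys(), q)
    k_b = link_key(ring_b, ring_a.keys(), q)
    if k_a is None or k_b is None:
        return None
    challenge = os.urandom(16)  # A's nonce
    answer = respond(k_b, challenge)  # B proves it holds the keys behind its IDs
    return k_a if hmac.compare_digest(answer, respond(k_a, challenge)) else None

if __name__ == "__main__":
    # Constructed key rings (key ID -> 16-byte key); IDs 2 and 3 are shared.
    pool = {i: hashlib.sha256(b"demo-pool-key-%d" % i).digest()[:16] for i in range(1, 6)}
    ring_a = {i: pool[i] for i in (1, 2, 3)}
    ring_b = {i: pool[i] for i in (2, 3, 4)}
    print("q=2:", key_setup(ring_a, ring_b, 2).hex())
    print("q=3:", key_setup(ring_a, ring_b, 3))
    # A node that advertises ID 3 without holding the real key fails the check.
    liar = dict(ring_b)
    liar[3] = b"\x00" * 16
    print("liar:", key_setup(ring_a, liar, 2))
```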

Evaluation

Much harder for an attacker with a given key set to eavesdrop on a link

Necessary reduction in key pool size makes large-scale attacks even more powerful

Evaluation

Compromising a given # of nodes is more damaging

Harder to compromise nodes, however

Evaluation

Dangerous under large-scale attack

Absolute # of compromised nodes vs. fraction of compromised communications
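
Added example (not from the slides or the paper's code): the sizing arithmetic behind the basic-scheme graph-connection slides and the q-composite evaluation, using the degree formula and p = d/n′ from the slides plus the standard count of ways two m-key rings share exactly i keys. The network parameters are constructed, and the capture model (each pool key is exposed independently by the captured rings) is an assumption.

```python
from math import comb, log

def required_degree(n, c):
    # Slide formula: d = ((n-1)/n) * (ln n - ln(-ln c))
    return (n - 1) / n * (log(n) - log(-log(c)))

def share_exactly(S, m, i):
    # Counting argument: pick the i common keys, then the 2(m-i) distinct
    # leftovers, then split the leftovers between the two rings.
    ways = comb(S, i) * comb(S - i, 2 * (m - i)) * comb(2 * (m - i), m - i)
    return ways / comb(S, m) ** 2

def connect_prob(S, m, q):
    # Two rings can form a link only if they share at least q keys.
    return 1.0 - sum(share_exactly(S, m, i) for i in range(q))

def max_pool(m, q, p):
    # Largest pool size whose connect probability is still >= p.
    lo, hi = 2 * m, 4 * m
    while connect_prob(hi, m, q) >= p:
        lo, hi = hi, 2 * hi
    while hi - lo > 1:  # invariant: prob(lo) >= p > prob(hi)
        mid = (lo + hi) // 2
        if connect_prob(mid, m, q) >= p:
            lo = mid
        else:
            hi = mid
    return lo

def links_exposed(S, m, q, x):
    # Assumed capture model: x captured rings reveal any given pool key with
    # probability 1 - (1 - m/S)^x; a link falls when all its shared keys do.
    known = 1.0 - (1.0 - m / S) ** x
    total = sum(known ** i * share_exactly(S, m, i) for i in range(q, m + 1))
    return total / connect_prob(S, m, q)

if __name__ == "__main__":
    # Constructed parameters: 10,000 nodes, 60 neighbours in range, 200-key rings.
    n, c, n_prime, m = 10_000, 0.99999, 60, 200
    d = required_degree(n, c)
    p = d / n_prime
    print(f"d = {d:.2f}, p = {p:.3f}")
    for q in (1, 2, 3):
        S = max_pool(m, q, p)
        exposed = [round(links_exposed(S, m, q, x), 3) for x in (50, 300)]
        print(f"q={q}: |S| = {S}, links exposed at 50/300 captures = {exposed}")
```

Running it shows the pool shrinking as q grows, and the exposed fraction for q = 2 falling below the basic scheme at 50 captured nodes but rising above it at 300.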

Multipath Key Reinforcement Scheme

Multipath Key Reinforcement Scheme

Initialization and key setup as in basic scheme

Key update over multiple independent paths between nodes

Key update is damage control in the event that other nodes are captured

Evaluation

Better resistance against node capture

Significantly higher maximum network size

Comes at cost of greater communication overhead

Random Pairwise Keys Scheme

Random Pairwise Keys Scheme

Key feature is node-to-node identity authentication

Ability to verify node identities opens up several security features

The Basics

Sensor network of n nodes

Pairwise scheme:
  Each node holds n-1 keys
  Each key is shared with exactly one other node

Random pairwise scheme:
  Not all n-1 keys are needed for a connected graph
  Only np keys are needed to connect with probability p

Initialization

n: # of unique node IDs

m: keys on each node’s key ring

p: probability of two nodes connecting

n = m/p

Initialization

Each node ID pairs with m other random & distinct node IDs

Each pair is assigned a key

Nodes store key-ID pairs on key rings

Key Setup

Node IDs are broadcast to neighbors

Verified through cryptographic handshake

Multi-hop Range Extension

Node IDs are small

Can be re-broadcast at low cost

Neighbors forward IDs during key setup

Increases communication radius

Increases max. network size

Distributed Node Revocation

Faster than relying on base stations

Public votes are broadcast against compromised nodes

Offending node is cut off when votes reach threshold

Scheme Requirements

Compromised nodes can’t revoke arbitrary nodes

No vote spoofing

Verifiable vote validity

Votes have no replay value

Not vulnerable to DoS

The Voting Process

A node’s voting members are those that share a pairwise key with it

All voting members are assigned a voting key

Votes are verified through a Merkle tree

Voting members keep track of votes received up to a threshold, t

Voting Threshold

If too high
  A node may not have enough voting members to be revoked

If too low
  Easy for a group of compromised nodes to revoke many legitimate nodes
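
Added example (not from the slides or the paper): one way the Merkle-tree check and the threshold count on the voting slides can fit together. It assumes SHA-256, that each voting member already stores the target node's Merkle root, and hypothetical names throughout; the activation step for revocation keys is left out.

```python
import hashlib

def leaf(voting_key):
    # Domain-separate leaves from inner nodes so an inner node cannot pose as a key.
    return hashlib.sha256(b"\x00" + voting_key).digest()

def inner(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(leaves):
    # Levels from the leaves up to the root; an odd level pairs its last node with itself.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([inner(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def auth_path(levels, idx):
    path = []  # sibling hashes a voter sends along with its voting key
    for level in levels[:-1]:
        sib = idx ^ 1
        path.append(level[sib] if sib < len(level) else level[idx])
        idx //= 2
    return path

def verify_vote(root, voting_key, idx, path):
    node = leaf(voting_key)
    for sib in path:
        node = inner(node, sib) if idx % 2 == 0 else inner(sib, node)
        idx //= 2
    return node == root

class RevocationTally:
    def __init__(self, root, threshold):
        self.root, self.threshold, self.voters = root, threshold, set()
    def receive(self, voting_key, idx, path):
        # Count each voting key once, so a replayed vote adds nothing.
        if verify_vote(self.root, voting_key, idx, path):
            self.voters.add(leaf(voting_key))
        return len(self.voters) >= self.threshold

if __name__ == "__main__":
    keys = [bytes([i]) * 16 for i in range(5)]  # constructed voting keys
    levels = build_tree([leaf(k) for k in keys])
    tally = RevocationTally(levels[-1][0], threshold=3)
    for i in (0, 0, 3, 4):  # the second vote from member 0 is a replay
        print(i, tally.receive(keys[i], i, auth_path(levels, i)))
```

Votes are counted by leaf hash rather than by the index the sender claims, because with an odd number of members the last leaf also verifies under the padding index.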

Resisting Revocation Attacks

Node B’s revocation key for node A must be activated before use
  Hashed with secret value known only by A

A gives B its secret value only after the two establish communication

Other DoS attacks are more practical

Resistance to Node Replication and Node Generation

Place a cap, dmax, on the degree of a node
  dmax is some small multiple of d

Nodes keep track of degree and node IDs using same method as vote counting

Evaluation

Perfect resilience against node capture
  All pairwise keys are unique, so capturing one node reveals no information about communications outside of the compromised node’s

Evaluation, Cont.

Maximum network size suffers slightly

Evaluation, Cont.

Resistance to revocation attack

Small number of compromised nodes only compromises a small portion of communications

Compromising large number of nodes is not economical

Summary

Three efficient schemes for secure key bootstrapping

Each scheme has trade-offs
  q-composite: good for small attacks, bad for large
  Multipath-reinforcement: improved security, more communication overhead
  Random pairwise: max. network size is smaller

Future Work

How does the random pairwise scheme perform in small networks?

Can the random pairwise scheme be modified to handle larger networks?
