Secure Aggregation for Wireless Networks
description
Transcript of Secure Aggregation for Wireless Networks
Secure Aggregation for Wireless Networks
Lingxuan Hu David Evans[lingxuan, evans]@cs.virginia.edu
http://swarm.cs.virginia.edu
Department of Computer Science
University of Virginia
Charlottesville, VA
WSAAN 28 Jan 2003 Hu & Evans 2
Scenario
Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly
High-power base station
WSAAN 28 Jan 2003 Hu & Evans 3
Scenario
Transmitting each message all the way to the base station wastes resources.
High-power base station
WSAAN 28 Jan 2003 Hu & Evans 4
Data Aggregation
If you only care about average, max, etc., aggregate data inside the network instead of sending it to the base station.
WSAAN 28 Jan 2003 Hu & Evans 5
Integrity of Data
With data aggregation, authentication becomes harder.
Compromised Node
WSAAN 28 Jan 2003 Hu & Evans 6
ProblemCan we provide the power-saving benefits of in-network data aggregation but limit the amount of damage a single compromised node can do?
Rest of Talk:1. Background: Inexpensive Authentication
without Aggregation2. Secure Aggregation3. Security and Cost Analysis4. Scalable Solution
WSAAN 28 Jan 2003 Hu & Evans 7
Cryptographic Hash Chains
f f f x
f (x)f (f (x))f (f (f (x)))
Initially store: K0 = f4(x)K1 = f3(x)
verify f (K1) = K0
K2 = f2(x) verify f (K1) = K0
time
f is a one-wayfunction: easyto calculate f(x),but difficult toinvert f.
WSAAN 28 Jan 2003 Hu & Evans 8
µTesla [Perrig, et. al., 2002]
• Initially: sensor nodes know K0 = fn(x) base station knows x
• Base station messages encrypted using K1 = fn-1(x)
• Nodes store and time stamp messages, but cannot decrypt them (yet)
• At time t1, base station broadcasts K1
• Nodes verify f (K1) = K0
• Nodes use K1 decrypt earlier messages• Nodes and base station must have loosely
synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed
WSAAN 28 Jan 2003 Hu & Evans 9
Node Authentication
• Before deployment, establish a shared symmetric secret key between each node and base station: KNS
• Send readings with a MAC:RA | MAC (KAS, RA)
Assumes confidentiality of transmitted readings is not important. We are only concerned with integrity.
WSAAN 28 Jan 2003 Hu & Evans 10
Authenticated Sensor Net
Each node transmits: N | RN | MAC (KNS, RN) Base station verifies MAC before accepting RN.
WSAAN 28 Jan 2003 Hu & Evans 11
Authenticated Data Aggregation
A
B
C
A | RA | MAC (KAS, RA)
B | RB | MAC (KBS, RB)C | Aggr (RA, RB) | MAC (KCS, Aggr (RA, RB))
WSAAN 28 Jan 2003 Hu & Evans 12
Secure Aggregation
• Delayed Aggregation: Only aggregate messages after they have traveled one hop
• Delayed Authentication: Use µTesla variation to reveal children’s keys to parents to provide delayed authentication
WSAAN 28 Jan 2003 Hu & Evans 13
Protocol Example
IDA | RA | MAC (KAi, RA)| IDB | RB | MAC (KBi, RB)
| MAC (KEi, Aggr (RA, RB))
IDB | RB | MAC (KBi, RB)
IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD))
IDA | RA | MAC (KAi, RA)
A B
C
D
E F
G
IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB)
| IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD)| MAC (KGi, Aggr (RA, RB, RC, RD))
KAi is the ith key in a µTesla key chain starting from KAS
WSAAN 28 Jan 2003 Hu & Evans 14
IDA | RA | MAC (KAi, RA)| IDB | RB | MAC (KBi, RB)
| MAC (KEi, Aggr (RA, RB))
IDB | RB | MAC (KBi, RB)
IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD))
IDA | RA | MAC (KAi, RA)
AA BB
CC
DD
EE FF
GG
IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB)
| IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD)| MAC (KGi, Aggr (RA, RB, RC, RD))
HH
IDG | Aggr (Aggr (RA, RB), Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD)
| … (same from right side)| MAC (KHi, Aggr (RA, RB, RC, RD, . . . readings from right side))
WSAAN 28 Jan 2003 Hu & Evans 15
Data Transmission Summary
• Children send their data reading and MAC (using KNi) to their parents.
• Parents forward the data and MACs they receive to grandparents, along with a calculated MAC of the aggregation
• Grandparents forward MACs and aggregate values from parents and a calculated MAC of aggregation
WSAAN 28 Jan 2003 Hu & Evans 16
Data Validation• At some later time, the Base Station
reveals KNi for each node N that transmitted data, along with MAC (Ki, KNi)
• The parent of N uses KNi to verify MAC (KNi, RN)
• Nodes increment i to use the next µTesla key
• The Base Station broadcasts Ki (which nodes verify) and advances to the new µTesla key
WSAAN 28 Jan 2003 Hu & Evans 17
Abridged Attack Analysis• Intruder Node (no key material)
– Cannot forge sensor readings: they will be detected when the base station reveals the node MAC keys
– Replay attacks ineffective: keys change, can only replay readings within this time period
– Denial-of-service attack can succeed (but alerts operator)
• Compromised Node (all keys on one node)– Can lie about its own reading– But, cannot alter other nodes readings without getting
caught: aggregate will not match calculated aggregate at next level
WSAAN 28 Jan 2003 Hu & Evans 18
Successful Attacks
• Compromised node selectively drops child readings– Nothing to prevent this (but unlikely to
change much without base station noticing)– Can use child snooping to catch it earlier
• Compromise two consecutive (parent and grandparent) nodes– Can forge readings for entire subtree
WSAAN 28 Jan 2003 Hu & Evans 19
Communication Cost
0
100
200
300
400
500
600
700
800
340 1364 5460
No Aggregation
InsecureAggregationSecureAggregation
Sensor Nodes
Tot
al K
iloby
tes
Tra
nsm
itted
Sensor reading: 22 bytesMAC of message: 8 bytesIdeal binary network
Secure Aggregation requires about 3 times the amountof data transmission as Insecure Aggregation, but providesintegrity with < ½ the cost of no aggregation.
WSAAN 28 Jan 2003 Hu & Evans 20
Scalability
• Base station must broadcast next node key for every node
• To scale to larger sensor networks, use local µTesla between parent-child– Need base station to validate start of hash chain
• Two µTESLA keys are used each time, one for immediate authentication, and another for later authentication:
A Parent IDA | RA | KA1 | MAC (KA2, RA)
Authenticate the origin of
message (node A) immediately
Authenticate reading later
WSAAN 28 Jan 2003 Hu & Evans 21
Summary / Moral (?)• With our protocol, you can get
authenticated results without trusting your children at all, and trusting your parents and grandparents not to conspire together against you.
• Not trusting your children is reasonable (inexpensive)
• Not trusting your parents is expensive: requires over twice the resources of the insecure aggregation protocol
http://swarm.cs.virginia.edu