Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.
-
date post
19-Dec-2015 -
Category
Documents
-
view
214 -
download
0
Transcript of Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.
![Page 1: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/1.jpg)
Security for ad-hoc networks:Cryptography and beyond
David Wagner
U.C. Berkeley
![Page 2: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/2.jpg)
How to think about security
Security goals: Confidentiality Integrity Availability
Threats: Outsiders? Insiders? Ordinary motes?
Motes with superpowers?
![Page 3: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/3.jpg)
Part I:Security against outsiders
![Page 4: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/4.jpg)
The security risk: RF leakage
![Page 5: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/5.jpg)
The outsider threat
Lesson: build in security from the start
![Page 6: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/6.jpg)
Keeping the outsider at bay
networkbase
station
k
k
k
k
k
k
A simple approach:global shared keys
![Page 7: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/7.jpg)
Global shared keys
Advantages– Simple; reasonable performance
Limitations– No security against insider attacks– What if a mote is compromised or stolen?
![Page 8: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/8.jpg)
Part II:Security against insiders
Tolerating compromised motes
![Page 9: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/9.jpg)
Defending against insider attacks
networkbase
station
k4
k5
k1
k3
k2
k1, …, k5
per-mote keying
![Page 10: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/10.jpg)
Per-mote keying
Advantages– Simple; reasonable performance– Lost motes don’t reveal rest of network’s keys
Disadvantages– Motes can’t talk to each other without the help
of the base station
![Page 11: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/11.jpg)
Per-mote keying
Advantages– Simple; reasonable performance– Lost motes don’t reveal rest of network’s keys
Disadvantages– Motes can’t talk to each other without the help
of the base station– Insiders can still falsify sensor readings
![Page 12: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/12.jpg)
An example
networkbase
station
Computing the average temperature
67°
64°69°
71°68°
f(67°, …, 68°)
where f(x1, …, xn) = (x1 + … + xn) / n
![Page 13: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/13.jpg)
An example + an attack
networkbase
station
Computing the average temperature
67°
64°69°
71°68°
f(67°, …, 1,000°)
where f(x1, …, xn) = (x1 + … + xn) / n
1,000°
result is drastically affected
![Page 14: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/14.jpg)
Resilient aggregation
Some theory:– For f : n → , a random variable X on n,
and σ = StdDev[f(X)], define Pow(A) = E[(f(A(X)) – f(X))2]1/2 ⁄ σ
– Say f is (m, α)-resilient if Pow(A) ≤ α for alladversaries A : n → n modifying only m of their inputs
– Example: the “average” is not (m, α)-resilient for any constant α
![Page 15: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/15.jpg)
Relevance of resilience
Intuition– The (m, α)-resilient functions are the ones that
can be meaningfully and securely computed in the presence of m malicious insiders.
Formalism– Theorem. If f isn’t (m, α)-resilient, m insiders
can bias f(...) by at least ± α σ, on average.If f is (m, α)-resilient, it can be computed centrally with bias at most ± α σ, for m insiders.
![Page 16: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/16.jpg)
Examplesf … is (m, α)-resilient, where
average α = ∞
average, discarding 5% outliers
α ≈ 1.65 m/n1/2 for m < 0.05 nα = ∞ for m > 0.05 n
median α ≈ m/n1/2 for m < 0.5 n
max α = ∞
95th percentile “max” α ≈ O(m/n1/2) for m < 0.05 n
count α ≈ m/(p(1–p)n)1/2
(assuming n independent Gaussian/Bernoulli distributions)
![Page 17: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/17.jpg)
Primitives for aggregation (1)
Computing with histograms– Theorem. If f is a (m, α)-resilient, symmetric
function with ∑i |∂f/∂xi| ≤ β, f can be computed securely using a histogram with buckets of width w. With m insiders, the bias will be at most about α σ + 0.5wβ.
![Page 18: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/18.jpg)
Primitives for aggregation (2)
Computing with random sampling– Idea in progress. If f is a (m, α)-resilient,
symmetric function with ∑i |∂f/∂xi| ≤ β, perhaps f can be computed securely by sampling the values at k randomly selected motes.
![Page 19: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/19.jpg)
But: An important caveat!
network
Aggregation in the network introduces new challenges
2
4
1 0 1 1
2
![Page 20: Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d3e5503460f94a16bdc/html5/thumbnails/20.jpg)
Summary
Crypto helps, but isn’t a total solution– Be aware of the systems tradeoffs
Seek robustness against insider attack– Resilience gives a way to think about insiders– The law of large numbers is your friend
Feedback?