Security for ad-hoc networks: Cryptography and beyond

1
Security for ad-hoc networksCryptography and
beyond

• David Wagner
• U.C. Berkeley

2
How to think about security

• Security goals
• Confidentiality
• Integrity
• Availability

• Threats
• Outsiders? Insiders?
• Ordinary motes?Motes with superpowers?

3
Part ISecurity against outsiders
4
The security risk RF leakage
5
The outsider threat
Lesson build in security from the start
6
Keeping the outsider at bay
network
k
basestation
k
k
k
k
k
A simple approachglobal shared keys
7
Global shared keys

• Advantages
• Simple reasonable performance
• Limitations
• No security against insider attacks
• What if a mote is compromised or stolen?

8
Part IISecurity against insiders

• Tolerating compromised motes

9
Defending against insider attacks
k1, , k5
network
basestation
k1
k2
k3
k4
k5
per-mote keying
10
Per-mote keying

• Advantages
• Simple reasonable performance
• Lost motes dont reveal rest of networks keys
• Disadvantages
• Motes cant talk to each other without the help
  of the base station

11
Per-mote keying

• Advantages
• Simple reasonable performance
• Lost motes dont reveal rest of networks keys
• Disadvantages
• Motes cant talk to each other without the help
  of the base station
• Insiders can still falsify sensor readings

12
An example
f(67, , 68)
network
basestation
67
where f(x1, , xn) (x1 xn) / n
64
69
71
68
Computing the average temperature
13
An example an attack
result is drastically affected
f(67, , 1,000)
network
basestation
67
where f(x1, , xn) (x1 xn) / n
64
69
71
68
X
1,000
Computing the average temperature
14
Resilient aggregation

• Some theory
• For f ?n ? ?, a random variable X on ?n,and s
  StdDevf(X), define Pow(A) E(f(A(X))
  f(X))21/2 / s
• Say f is (m, a)-resilient if Pow(A) a for
  alladversaries A ?n ? ?n modifying only m of
  their inputs
• Example the average is not (m, a)-resilient
  for any constant a

15
Relevance of resilience

• Intuition
• The (m, a)-resilient functions are the ones that
  can be meaningfully and securely computed in the
  presence of m malicious insiders.
• Formalism
• Theorem. If f isnt (m, a)-resilient, m insiders
  can bias f(...) by at least a s, on average.If
  f is (m, a)-resilient, it can be computed
  centrally with bias at most a s, for m insiders.

16
Examples
f is (m, a)-resilient, where
average a 8
average, discarding 5 outliers a 1.65 m/n1/2 for m lt 0.05 na 8 for m gt 0.05 n
median a m/n1/2 for m lt 0.5 n
max a 8
95th percentile max a O(m/n1/2) for m lt 0.05 n
count a m/(p(1p)n)1/2
(assuming n independent Gaussian/Bernoulli
distributions)
17
Primitives for aggregation (1)

• Computing with histograms
• Theorem. If f is a (m, a)-resilient, symmetric
  function with ?i ?f/?xi ß, f can be computed
  securely using a histogram with buckets of width
  w. With m insiders, the bias will be at most
  about a s 0.5wß.

18
Primitives for aggregation (2)

• Computing with random sampling
• Idea in progress. If f is a (m, a)-resilient,
  symmetric function with ?i ?f/?xi ß, perhaps
  f can be computed securely by sampling the values
  at k randomly selected motes.

19
But An important caveat!
4
network
2
2
1
0
1
1
Aggregation in the network introduces new
challenges
20
Summary

• Crypto helps, but isnt a total solution
• Be aware of the systems tradeoffs
• Seek robustness against insider attack
• Resilience gives a way to think about insiders
• The law of large numbers is your friend
• Feedback?