Title: Whisper : A Local Secret Maintenance Protocol for Sensor Networks
1. Whisper: A Local Secret Maintenance Protocol for Sensor Networks
- Vinayak Naik, Anish Arora, Sandip Bapat (OSU), and Mohamed Gouda (UT Austin)
Presented by Vinayak Naik, The Ohio State University
2. Motivation
- Wireless Sensor Networks
- Computational (4 MHz, 8-bit microprocessor) and memory resource (128 Kbytes) constraints
- Scale 1,000 nodes
- Low-cost secure communication is important for sensor networks
3. Our Approach: Secret Maintenance
- Uses Light-weight Crypto primitives
- Compensates for limited security of Light-weight Crypto, using temporal dimension
- Secrets are maintained regularly
- Small secret size
- Is local
- Pair-wise secrets are maintained
4. Challenge
- Secret maintenance protocol that has
- Forward Secrecy
- Backward Secrecy
- Tolerance to frequent message losses
5. Outline of talk
- The Whisper Protocol
- Model of intruder
- Definition of Fault-tolerance and Security
- Security and Fault-tolerance properties of Whisper
- Bootstrapping the secrets
- Defense against DOS attacks
- Related work and Conclusion
6. What Whisper Does
- A and B are two neighboring sensor nodes, sharing key K_AB^i at the end of the ith session
- Before the (i+1)th session, we need to update the key
7. The Whisper Protocol
A holds: X_A^{i-1}, Y_B^{i-1}, K_AB^{i-1} = h(X_A^{i-1}, Y_B^{i-1})
B holds: X_A^{i-1}, Y_B^{i-1}, K_AB^{i-1} = h(X_A^{i-1}, Y_B^{i-1})
A → B: X_A^i ⊕ h(X_A^{i-1}, B), h(K_AB^{i-1}, X_A^i)
B → A: Y_B^i ⊕ h(Y_B^{i-1}, A), h(K_AB^i, Y_B^i)
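One session of the exchange on this slide, as an added Python example (not code from the talk or from the Whisper authors), with the masking step implemented as XOR. Assumptions: h is SHA-256 over length-prefixed fields, key-parts are 32 fresh random bytes, node identifiers are the bytes b"A" and b"B", and all function names are hypothetical.

```python
import hashlib
import hmac
import os

def h(*fields):
    """One-way hash h; SHA-256 over length-prefixed fields is an assumption."""
    d = hashlib.sha256()
    for f in fields:
        d.update(len(f).to_bytes(2, "big") + f)
    return d.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_update(new_part, old_part, peer_id, auth_key):
    """Sender: (new_part XOR h(old_part, peer_id), h(auth_key, new_part))."""
    return xor(new_part, h(old_part, peer_id)), h(auth_key, new_part)

def unmask(masked, old_part, my_id):
    """Receiver: strip the pad derived from the previous key-part."""
    return xor(masked, h(old_part, my_id))

def run_session(x_old, y_old, tamper=False):
    """Session i between A and B. Returns (K_AB^i at A, K_AB^i at B),
    or None when an authenticator fails and session i-1 state is kept."""
    k_old = h(x_old, y_old)                        # K_AB^{i-1}
    # A -> B: X_A^i masked with h(X_A^{i-1}, B), authenticated with K_AB^{i-1}
    x_new = os.urandom(32)
    masked_x, tag_x = make_update(x_new, x_old, b"B", k_old)
    if tamper:                                     # constructed in-transit bit flip
        masked_x = xor(masked_x, b"\x01" + bytes(31))
    # B: unmask, verify, then answer with Y_B^i authenticated under K_AB^i
    x_rcv = unmask(masked_x, x_old, b"B")
    if not hmac.compare_digest(tag_x, h(k_old, x_rcv)):
        return None
    y_new = os.urandom(32)
    k_b = h(x_rcv, y_new)                          # K_AB^i as computed by B
    masked_y, tag_y = make_update(y_new, y_old, b"A", k_b)
    # A: unmask Y_B^i, derive the candidate K_AB^i, verify B's authenticator
    y_rcv = unmask(masked_y, y_old, b"A")
    k_a = h(x_new, y_rcv)
    if not hmac.compare_digest(tag_y, h(k_a, y_rcv)):
        return None
    return k_a, k_b
```
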
8. Model of Intruder
- Dolev-Yao Model
- Informally, intruder can
- Intercept messages
- Construct new messages using known messages
- Encrypt, decrypt messages using known keys
9. Notation
- SPEC: specification of p in absence of F
- S: specification invariant of protocol p
- F: a set of actions of an intruder
- C: critical variables of p in SPEC
- e.g. X_A^{i-1}, Y_B^{i-1}, i in case of Whisper
- T: specification invariant of p in presence of F
- s, t range over the states of p
10. Fault-tolerance
- p is F-tolerant for SPEC in C from S iff
- ∃ T such that
- Safety: S implies T
- Liveness: ∀ t ∈ T, ∃ s ∈ S : t leads-to s
11. Security
- p is F-secure for SPEC in C from S iff
- p is F-tolerant for SPEC in C from S, and
- Protection ? t,t ? T, s ? S , act ? p ? F
- (t act t ? tC ? t C ? tC sC) ?
- (? act ? p s act s ? s C t C)
- Actions of an intruder are indistinguishable
from the protocol actions, if we look only at the
state of the critical variables
12. Security of Whisper (intuitively)
- Intruder cannot analyze key-parts X_A^i, Y_B^i, and key K_AB^i
- h(X_A^{i-1}, B) is used to encrypt X_A^i
- Intruder cannot synthesize messages to affect values of key-parts X_A^i, Y_B^i
- h(K_AB^{i-1}, X_A^i) is used to authenticate X_A^i
13. Backward Secrecy of Whisper
- (Def) Old secrets are safe, even if current secrets are compromised
- In Whisper, we provide backward secrecy for key-parts X_A, Y_B, and key K_AB
- Intuitive Proof: While encrypting X_A^i and Y_B^i, we use one-way hash of X_A^{i-1} and Y_B^{i-1}
14. Forward Secrecy of Whisper
- (Def) New secrets are safe, even if current secrets are compromised
- In Whisper, we provide forward secrecy for key K_AB
- Intuitive Proof: We need X_A^i and Y_B^i to derive X_A^{i+1} and Y_B^{i+1}
- Key K_AB^i is computed using a one-way hash function h
- Keys are used more often than key-parts
15. Fault-tolerance of Whisper
- A and B are never out-of-synch by more than one session
- Saves memory of sensor nodes
- Whisper is self-stabilizing to corruption of non-critical variables
- Intuitive Proof: F cannot synthesize messages to affect values of X_A^i, Y_B^i
16. Bootstrapping the secrets
- We suggest multiple ways to bootstrap secrets, e.g.
- Centralized scheme
- Use of base station
- Hierarchical scheme
- Uses key trees
- Provides probabilistic security
17. Defense against DOS attacks
- Due to resource constraints, DOS attacks are important in Sensor Networks
- Defense measures
- Self-authorizing messages
- Detecting outsiders' messages
- Synchronization
- Detecting replay by an outsider
- Asymmetry in resource expenditures
- Compromised nodes spend more resources
- Caching
- Replay attack from a compromised node
18. Related work
- Diffie-Hellman, RSA, El-Gamal based schemes
- Use asymmetric crypto
- SPINS using SNEP and µTesla
- Does not handle secret maintenance
- Does not consider DOS attacks
19. Conclusion
- New computational paradigm of sensor networks emphasizes temporal dimension and spatial dimension of security to compensate for lack of resources, and hence demands new security protocols
- Whisper is an example of use of temporal dimension