Whisper : A Local Secret Maintenance Protocol for Sensor Networks

1
Whisper A Local Secret Maintenance Protocol for
Sensor Networks

• Vinayak Naik, Anish Arora, Sandip Bapat (OSU),
  and Mohamed Gouda (UT Austin)

Presented by Vinayak Naik The Ohio State
University
2
Motivation

• Wireless Sensor Networks
• Computational (4 MHz, 8-bit microprocessor)
  memory resource (128 Kbytes) constraint
• Scale 1,000 nodes

• Low-cost secure communication is important for
  sensor network

3
Our Approach Secret Maintenance

• Uses Light-weight Crypto primitives
• Compensates for limited security of Light-weight
  Crypto, using temporal dimension
• Secrets are maintained regularly
• Small secret size
• Is local
• Pair-wise secrets are maintained

4
Challenge

• Secret maintenance protocol that has
• Forward Secrecy
• Backward Secrecy
• Tolerance to frequent message losses

5
Outline of talk

• The Whisper Protocol
• Model of intruder
• Definition of Fault-tolerance and Security
• Security and Fault-tolerance properties of
  Whisper
• Bootstrapping the secrets
• Defense against DOS attacks
• Related work and Conclusion

6
What Whisper Does

• A and B are two neighboring sensor nodes, sharing
  key KABi at the end of the ith session
• Before (i1)th session, we need to update the key

7
The Whisper Protocol
XAi ? h (XAi-1, B), h (KABi-1, XAi)
A XAi-1, YBi-1, KABi-1 h (XAi-1,
YBi-1)
B XAi-1, YBi-1, KABi-1 h (XAi-1,
YBi-1)
YBi ? h (YBi-1, A), h (KABi, YBi)
8
Model of Intruder

• Dolev-Yao Model
• Informally, intruder can
• Intercept messages
• Construct new messages using known messages
• Encrypt, decrypt messages using known keys

9
Notation

• SPEC specification of p in absence of F
• S specification invariant of protocol p
• F a set of actions of an intruder
• C critical variables of p in SPEC
• e.g. XAi-1, YBi-1,i in case of
  Whisper
• T specification invariant of p in presence of
  F
• s,t range over the states of p

10
Fault-tolerance

• p is F -tolerant for SPEC in C from S iff
• ? T such that
• Safety S implies T
• Liveness ? t ?T , ? s ? S t leads-to s

11
Security

• p is F -secure for SPEC in C from S iff
• p is F -tolerant for SPEC in C from S, and
• Protection ? t,t ? T, s ? S , act ? p ? F
• (t act t ? tC ? t C ? tC sC) ?
• (? act ? p s act s ? s C t C)
• Actions of an intruder are indistinguishable
  from the protocol actions, if we look only at the
  state of the critical variables

12
Security of Whisper (intuitively)

• Intruder cannot analyze key?parts XAi, YBi,
  and key KABi
• h (XAi-1,B) is used to encrypt XAi
• Intruder cannot synthesize messages to affect
  values of key?parts XAi, YBi
• h (CABi-1, XAi) is used to authenticate XAi

13
Backward Secrecy of Whisper

• (Def) Old secrets are safe, even if current
  secrets are compromised
• In Whisper, we provide backward secrecy for
  key?parts XA, YB, and key KAB
• Intuitive Proof While encrypting XAi and
  YBi, we use one-way hash of XAi-1 and YBi-1

14
Forward Secrecy of Whisper

• (Def) New secrets are safe, even if current
  secrets are compromised
• In Whisper, we provide forward secrecy for key
  KAB
• Intuitive Proof We need XAi and YBi to
  derive XAi1 and YBi1
• Key KABi is computed using a one-way hash
  function h
• Keys are used more often than Key?parts

15
Fault-tolerance of Whisper

• A and B are never out-of-synch by more than one
  session
• Saves memory of sensor nodes
• Whisper is self-stabilizing to corruption of
  non-critical variables
• Intuitive Proof F cannot synthesize messages
  to affect values of XAi, YBi

16
Bootstrapping the secrets

• We suggest multiple ways to bootstrap secrets,
  e.g.
• Centralized scheme
• Use of base station
• Hierarchical scheme
• Uses key trees
• Provides probabilistic security

17
Defense against DOS attacks

• Due to resource constraints, DOS attacks are
  important in Sensor Networks
• Defense measures
• Self-authorizing messages
• Detecting outsiders messages
• Synchronization
• Detecting replay by an outsider
• Asymmetry in resource expenditures
• Compromised nodes spend more resources
• Caching
• Replay attack from a compromised node

18
Related work

• Diffie-Hellman, RSA, El-Gamal based schemes
• Use asymmetric crypto
• SPINS using SNEP and µTesla
• Does not handle secret maintenance
• Does not consider DOS attacks

19
Conclusion

• New computational paradigm of sensor networks
  emphasizes temporal dimension and spatial
  dimension of security to compensate for lack of
  resources, and hence demands new security
  protocols
• Whisper is an example of use of temporal dimension