Sensor Network Security - PowerPoint PPT Presentation

1
Sensor Network Security
  • Dijiang Huang
  • Arizona State University

2
Agenda
  • Sensor and Networks Overview
  • Security Attacks
  • Key Management in Sensor Network

3
Applications
4
Security
  • Complex, many aspects to consider
  • General, complete solution is unlikely
  • Opportunity to address this properly from the
    start!
  • Targeted solutions for targeted attacks
  • Reasonably secure WSN

5
General Security Issues
  • New (severe) constraints (memory, bandwidth, CPU
    processing speeds, power, ...)
  • Lightweight solutions required
  • Symmetric cryptography (asymmetric crypto is too
    expensive)
  • Physical Environment
  • Faults versus attacks
  • Cheap to attack

6
Specific Security Problems
  • Routing and/or Backbone Disruption
  • Denial of service
  • Jam
  • Prevent wake-up
  • Prevent sleep (dies soon)
  • Modify group management information

7
Specific Security Problems
  • System Initialization (re-sync messages and
    centralized base stations)
  • Clock Sync
  • Neighbor Discovery
  • Localization
  • Etc.

8
Communication Scenarios
  • Confidentiality (eavesdrop)

[Diagram: Node1, Node2, Base Station, Adversary; message label: Msg]
9
Communication Scenarios
  • Integrity

[Diagram: Node1, Base Station, Adversary; message label: Msg1]
10
Communication Scenarios
  • Authenticity

[Diagram: Base Station, Adversary, Nodes 1 to 4; labels: "I am the Base Station", "Reprogram system", "Reset system parameters"]
11
Summary - Basic Problems
  • Initial trust establishment (efficient key
    management solution)
  • Vulnerability of channels (eavesdrop and inject
    fake messages)
  • Vulnerability of nodes (capture, modify messages,
    re-route)
  • Absence of infrastructure (e.g., no centralized
    certification authorities)
  • Dynamically changing topology (difficult to
    distinguish between dynamics and attacks)
  • Minimum capacity devices
  • Drain batteries
  • Real-time: slow packets down

12
Key Graph
  • Solid links represent direct keys
  • Node 1 needs to establish indirect keys with
    nodes 4, 5, 6, 7, and 8.

13
Initial Key Agreement
  • Main categories of existing solutions
  • Purely Random Key Predistribution (P-RKP)
  • Structured Key-pool RKP (SK-RKP)

14
Phases in RKP Schemes
  • Key Predistribution
      • Select and install keys in sensors
  • Sensor Deployment
      • Place the sensors
  • Shared-key Discovery
      • Sensors find common (shared) key(s)
  • Pairwise Key Establishment
      • Those that don't find shared key(s) get help
        from others.

15
Existing RKP Schemes (Phase 1)
  • P-RKP

[Diagram: key pool K1 to K24 (key pool size n); a sensor with an ID holds m keys, m << n]
16
Existing RKP Schemes (Phase 1)
  • SK-RKP

[Diagram: key pool K1 to K24 (key pool size n); a sensor with an ID holds m keys, m << n]
17
Proposed Scheme (Phase 1)
[Diagram: key pool K1 to K24 (key pool size n); sensor ID1 holds m keys, m << n; chain labels: F( ) K12, F(K12) K19, F(K19) K23]
18
So what is different?
  • Previous approaches do not use the node ID for key
    selection; we do!
  • That is, we define RINK = Relation between ID aNd
    Keys

19
Sensor Deployment (Phase 2)
Deployment Area
20
Shared-Key Discovery (Phase 3)
  • P-RKP

[Diagram: sensors ID 1 and ID 2 with their key rings; messages labelled "K3, K1, K9, K24, ..." and "... K23, K21, K12, K19"]
21
Shared-Key Discovery (Phase 3)
  • SK-RKP

[Diagram: sensors ID 1 and ID 2 with their key rings; messages labelled "... G1, G5" and "G3, G6 ..."]
22
Shared-Key Discovery (Phase 3)
  • RINK

[Diagram: sensors ID 1 and ID 2 with their key rings; message labels: ID 1, ID 2]
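
The RINK idea from the slides above (key selection tied to the node ID, so shared-key discovery needs only the two IDs), sketched as an added example that is not code from the presentation. Assumptions: F is instantiated with SHA-256, the chain input also carries the ID and a step counter so repeated indices can be skipped, the pool keys are constructed values, and the HMAC challenge is an added illustration of why a claimed ID is useless without the matching keys.

```python
import hashlib
import hmac

POOL_SIZE = 24  # n: the slides' diagrams show a pool K1..K24
RING_SIZE = 8   # m: constructed value (m << n in a real deployment)

def F(data):
    """Assumed public one-way function: maps its input to a key index 1..n."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big") % POOL_SIZE + 1

def key_ring(node_id):
    """Key indices tied to an ID: F(ID) -> Ka, F(Ka) -> Kb, ... with repeats skipped."""
    ring, prev, step = [], 0, 0
    while len(ring) < RING_SIZE:
        prev = F(b"%d|%d|%d" % (node_id, prev, step))  # ID and step keep chains distinct
        step += 1
        if prev not in ring:
            ring.append(prev)
    return ring

def pool_key(index):
    """Constructed stand-in for the secret key material K_index (set-up side only)."""
    return hashlib.sha256(b"constructed pool key %d" % index).digest()

def install(node_id):
    """Phase 1: the keys loaded into sensor node_id before deployment."""
    return {i: pool_key(i) for i in key_ring(node_id)}

def shared_indices(my_id, peer_id):
    """Phase 3: recompute the peer's ring from its ID alone and intersect."""
    return sorted(set(key_ring(my_id)) & set(key_ring(peer_id)))

def prove(keys, my_id, peer_id, nonce):
    """Answer a challenge with every key the two IDs should have in common."""
    material = b"".join(keys.get(i, b"") for i in shared_indices(my_id, peer_id))
    return hmac.new(material, nonce, hashlib.sha256).digest()

def verify(my_keys, my_id, peer_id, nonce, response):
    """Accept the peer only if it holds the keys its claimed ID implies."""
    if not shared_indices(my_id, peer_id):
        return False  # no shared key: pairwise key establishment via other nodes
    return hmac.compare_digest(prove(my_keys, my_id, peer_id, nonce), response)
```

A node that announces an ID without holding the corresponding keys produces a response that `verify` rejects.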
23
After Shared-key Establishment
24
Security Problem - 1 - Reasons
  • Unattended deployment environment
  • Physically insecure
  • No tamper-resistance due to low cost
  • Compromised sensor can reveal the stored keys.

25
Problem-1 (Capturing Nodes)
  • Random Capture (naïve approach)
  • Randomly pick nodes and obtain keys
  • Selective Capture (proposed approach)
  • Pick sensors that can give you keys that you do
    not already have

26
Random vs. Selective Capture
  • SK-RKP
  • affected the most
  • P-RKP and RINK-RKP not affected much

27
Security Problem - 2 - Reasons
  • Wireless environment
  • Passive listening is easy
  • Unattended deployment environment
  • Fake sensors can be added to the system (proposed
    attack)

28
Problem 2 (Deploying fake sensors)
  • Learn keys from captured nodes and fabricate fake
    nodes
  • Fake nodes have enough keys to look legitimate to
    other sensors
  • Fake nodes can
  • Inject / Absorb sensed data
  • Alter data in specific way

29
Damage by fake sensors!
30
A Comprehensive Solution
Dijiang Huang and Deep Medhi, "Secure Pairwise Key
Establishment in Large-scale Sensor Networks: An
Area Partitioning and Multi-group Key
Predistribution Approach"
31
Key Predistribution
  • A set of keys is predistributed to each sensor
  • Purely Random Key Predistribution
      • Each sensor randomly selects a set of keys
        without replacement from a large key pool
  • Structured key pool predistribution (Liu and Ning,
    CCS 2003; Du et al., CCS 2003)
      • A large key pool is partitioned into multiple (w)
        small key spaces
      • A key space is composed of a
        key matrix
      • Each sensor randomly selects t key spaces (t ?)
      • In each selected key space, a row of the key
        matrix (l + 1 keys) is preinstalled in the sensor
  • Structured key pool security property
      • If fewer than l + 1 rows of a key matrix are
        compromised, an attacker cannot compromise the
        whole key matrix
      • The row number can serve as a node id; it
        uniquely identifies a sensor.

32
Structured key pool approach
  • The SK-RKP scheme uses the key predistribution
    scheme proposed by Blom [Blom1985].
  • A publicly known matrix G of size (l + 1) × N
  • A secret matrix D of size (l + 1) × (l + 1), created
    by the key distribution center.
  • The matrix A of size N × (l + 1) is then created
    as A = (D G)^T over the finite field GF(q).
  • Each row of A is the keys distributed to a group
    member, and the row number can serve as a sensor's
    id. Since K = A G is a symmetric matrix, nodes
    i and j can generate a shared key (Kij or Kji)
    from their predistributed secrets, where Kij is
    the element in K located in the ith row and jth
    column.
  • A key pool is constructed from many key spaces,
    represented by A(t), where t = 1, ..., w.
  • Each sensor randomly selects t key spaces out of
    w key spaces, where t < w.
  • If sensor k selects key space A(t), the kth row
    of A(t) and the kth column of G are preinstalled in
    the sensor (note that the G matrix is unique).
  • Once two nodes i and j have keys preinstalled
    from the same key space A(t), they can derive a
    shared key K(t)ij = K(t)ji.

33
Area Partitioning and Key Distribution
  • If an attacker has the knowledge of more than l
    rows, the entire matrix A can be derived. Thus,
    we restrict the number of rows distributed to
    sensors for each key matrix A to be no more than
    l.
  • The number of nodes in each partition
  • The number of keys for each sensor: randomly
    select t key spaces from w key spaces. In each
    space, distribute a row to the sensor. Note: no
    more than ? key spaces are selected for sensors.
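
The Blom construction from the "Structured key pool approach" slide and the row restriction from the "Area Partitioning and Key Distribution" slide, for a single key space, as an added example that is not code from the presentation. Assumptions: `lam` is the slides' threshold l, G is a Vandermonde matrix whose column seed is `id + 2`, q is the prime 2^31 - 1, and D is generated symmetric, which Blom's scheme requires for K = A G to be symmetric; `KeySpace`, `g_column` and `pairwise_key` are hypothetical names.

```python
import secrets

Q = 2**31 - 1  # prime q defining GF(q); constructed parameter, not from the slides

def g_column(node_id, lam):
    """Public column of G for a node: Vandermonde (1, s, ..., s^lam), seed s = id + 2."""
    s = node_id + 2  # assumed seed rule; distinct non-zero seeds keep columns independent
    return [pow(s, r, Q) for r in range(lam + 1)]

class KeySpace:
    """One key space as held by the key distribution center (hypothetical helper)."""

    def __init__(self, lam):
        n = lam + 1
        self.lam, self.issued = lam, set()
        # Secret D is generated symmetric, which is what makes K = A G symmetric.
        self._D = [[0] * n for _ in range(n)]
        for r in range(n):
            for c in range(r, n):
                self._D[r][c] = self._D[c][r] = secrets.randbelow(Q)

    def issue_row(self, node_id):
        """Row node_id of A = (D G)^T; never hands out more than lam distinct rows."""
        if node_id not in self.issued and len(self.issued) >= self.lam:
            raise RuntimeError("row limit reached for this key space")
        self.issued.add(node_id)
        g = g_column(node_id, self.lam)
        return [sum(d * x for d, x in zip(row, g)) % Q for row in self._D]

def pairwise_key(my_row, peer_id, lam):
    """K_ij = (row i of A) . (column j of G); only the peer's id is exchanged."""
    return sum(a * x for a, x in zip(my_row, g_column(peer_id, lam))) % Q

def demo(lam=3):
    """Issue lam rows, check K_ij == K_ji for every pair, then try one row too many."""
    space = KeySpace(lam)
    rows = {i: space.issue_row(i) for i in range(lam)}
    symmetric = all(pairwise_key(rows[i], j, lam) == pairwise_key(rows[j], i, lam)
                    for i in rows for j in rows if i != j)
    try:
        space.issue_row(lam)
        refused = False
    except RuntimeError:
        refused = True
    return symmetric, refused

if __name__ == "__main__":
    print(demo())
```

Each sensor stores only its own row of A; the peer's column of G is regenerated from the peer's id, so the exchange carries no key material.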

34
Sensor Deployment
  • Location-unaware distribution
  • Sensors are uniformly distributed in a large
    area
  • Location-aware distribution
  • Normal distribution (Du et al. 2004 Infocom)
  • Sensors are divided into groups
  • At the deployment point (e.g., dropped from a
    helicopter), the sensor density follows normal
    distribution.
  • Uniform distribution
  • The deployment area is partitioned into multiple
    small areas
  • In each small area, a group of sensors are
    uniformly distributed

Phase two sensor deployment
35
Key Discovery
  • Plaintext broadcast
      • Purely random key predistribution: key list or
        one-way function method (Pietro et al. 2004)
      • Structured key pool (within the same zone):
        sensor id (row of the key matrix), selected
        key space ids, a seed (to generate a publicly
        known key generating matrix)
      • Shared key discovery (between adjacent zones):
        based on the sensor id, a group member can easily
        identify the nodes that share a preinstalled key
        in adjacent zones.
  • Private shared-key discovery
      • Multiple rounds of challenges and responses to
        discover shared key

Phase three key discovery
36
Key Establishment Protocol
  • Goal: to set up a pairwise key between two
    adjacent nodes that do not share preinstalled
    key(s)
  • One-path key establishment: pairwise key is
    established via a single path
  • k-path key establishment: pairwise key is
    established via k paths (key = k1 ⊕ ... ⊕ kj)
  • Two phases
      • Set up pairwise key within the same zone
      • Set up pairwise key between adjacent zones

37
Attack Model
  • The attacker has unlimited energy and computing
    power.
  • The attacker knows all the information stored in
    a sensor once the sensor is captured.
  • The attacker can listen to and record all the
    traffic in the network.
  • The attacker has the ability to physically locate
    a given sensor by listening to the traffic.
  • The attacker has the ability to fabricate similar
    nodes, deploy, and control them.

38
Attack Models: Attack Classification
  • Selective node capture attack: attacking the
    communication link.
  • Node fabrication attack: attacking authenticity.
  • Insider attack: attacking the PKE protocol.

39
Deployment Area Partition and Key Predistribution
  • A large sensor deployment area is partitioned
    into multiple small areas (zones)
  • Post-deployment information
  • A group of sensors is known to be deployed in a
    particular zone
  • Key predistribution
  • A structured key pool is created for each zone
  • We can restrict the number of rows distributed
    from a key space to l
  • The maximum number of sensors distributed in
    each area is wl/t
  • Each sensor shares a unique key with exactly one
    sensor (randomly picked without replacement) in
    each of its neighbor zones

40
Selective Node Capture Attack for Random Key
Predistribution
41
Selective Node Capture Attack for Structured Key
Pool
42
Node Fabrication Attack
  • The attacker compromises only a few sensors and
    uses the captured keys to fabricate sensors
  • Purely random key predistribution
      • By capturing only two nodes, the attacker can
        fabricate nodes about
  • Structured key pool
      • An attacker needs to capture more than l
        sensors in order to compromise a key space. Thus
        we restrict the number of key rows distributed
        from a key space to l.
      • An attacker cannot arbitrarily generate new ids
        for the fabricated sensors

Attack analysis