Title: Random Key Predistribution Schemes For Sensor Networks
1Random Key Predistribution Schemes For Sensor
Networks
- Haowan Chen, Adrian Perigg, Dawn Song
2Index
- Introduction
- Basic Scheme
- Q-composite Scheme
- Multi path Key Reinforcement Scheme
- Random Pair wise Scheme
- Conclusion
3Sensor Networks
- What are Sensors ?
- A device that responds to physical stimulus (as
heat, light, motion etc) and transmits a
resulting measurement impulse - Revolutionizes information gathering and
processing - Networking sensors ability to coordinate among
themselves on a larger sensing task -
4Applications
- Real time traffic monitoring
- Real time pollution and temperature monitoring
- Building safety monitoring systems
- Wild Life Monitoring and Tracking
- Military sensing and tracking
- Monitoring complex machinery and processes
- Video surveillance
5Sensor Network Limitations
- Impracticality of public key cryptosystems
- Vulnerability of nodes to physical capture
- Nodes not tamper resistant (neighbor distrust)
- Lack of a-priori knowledge of post deployment
configuration - Limited memory resources
- Limited bandwidth and transmission power
- Over-reliance on base stations exposes
vulnerabilities
6Bootstrapping Security Requirements
- Deployed nodes must be able to establish secure
node to node communication - Scheme should be functional without involving the
base station as arbiter or verifier - Additional legitimate nodes deployed at a later
time can form secure connections with
already-deployed nodes - Unauthorized nodes should not be able to
establish communications with network nodes and
thus gain entry into the network -
- The scheme must work without prior knowledge of
which nodes will come into communication range of
each other after deployment. - The computational and storage requirement of the
scheme must be low, and the scheme should be
robust to DoS attacks from out-of-network
sources.
7Evaluation Metrics In Key Setup Schemes
- Resilience against node capture
- Resistance against node replication
- Revocation
- Scale
8Review Of Basic Scheme
- Proposed by Eschenauer and Gligor
- 4 phases
- - Initialization
- - Node Deployment
- - Key Setup
- - Path Key Generation
9Initialization Phase
- Pick a random set of keys S out of the total
possible key space - Key Ring for each node, randomly select m
keys from S and store in node memory - Criteria two random subsets of size m in S
will share at least one key with probability P
10Deployment And Key Setup Phases
- Sensor nodes are deployed
- Key Setup Phase
- key discovery
- a short identifier is assigned to each key before
deployment - each node broadcasts its set of identifiers
- verification nodes containing shared keys in
their key rings verify that neighbor actually
holds key by challenge response protocol
11Path Key Generation
- A connected graph of secure links is formed
- Nodes setup path keys with nodes in their
vicinity whose share keys are not present in
their key rings - Path can be found from source node to its
neighbor from connected graph - Source node generates path key and sends it
securely via the path to target node
12Parameter choices for connected graph
(Erdös-Rényis Formula)
- For high graph connectivity during key-setup
phase right parameters need to be picked - D -gt degree for the vertices in graph such that
graph is connected with a high probability c
0.999 - D ((n-1)/n) (ln(n) ln(-ln(c))) where n is
network size - Probability of successful key setup with some
neighbor, p (d/n) where n is expected no. of
neighbors
13Q-composite scheme An improved Basic Scheme
- Initialization same as Basic Scheme but with
different size of selected key pool S - In Key Setup Phase, key discovery is more secure,
using Merkle Puzzles - In Key Discovery every node identifies every
neighbor node with which it shares at least q
keys - Link Key K is generated as a hash of all shared
q keys, where q gt q - eg K hash( k1 ll k2 ll k3 ll.ll kq )
- Key Setup is not performed between nodes that
share fewer than q keys
14Key Pool Size Computation- A Tradeoff
- amount of key overlap required for key setup is q
(increased from 1 in Basic) - Hence exponentially harder for adversary with a
given key set to break a link - But to preserve probability of two nodes sharing
sufficient keys to establish a secure link, size
of key pool S to be reduced - Reduced pool size allows attacker to gain larger
sample of S by breaking fewer nodes - Optimum overlap best security !!
15Evaluation Pool Size Computation
M 200 keys P 0.5
Observation For Optimal Choice of key overlap,
expected no. of nodes to be
captured for eavesdropping (0.1 probability) is
high
16Pool Size Computation
- P(i) -gt no. of ways to choose two key ring with i
common keys - Pconnect -gt probability of any two nodes sharing
sufficient keys to form a secure connection - Then p(i) is given as
Pconnect 1 (p(0) p(1) ..p(q-1)) For
minimum key overlap q and min. connection
probability p, choose largest ISI such that
pconnect gt p
17Evaluation
Metric resilience against node capture by
calculating the fraction of links in the network
that an attacker is able to eavesdrop on
indirectly as a result of recovering keys from
captured nodes
18Evaluation
Metric estimation of max. supported size of
network given certain security properties hold
19Multipath Key Reinforcement An Add On to Basic
Scheme
- Initial Key Setup using Basic Scheme
- Now, consider the secure link between nodes A and
B after key-setup - This link is secured using a single key k from
pool S
20Problem
- Problem - k may be present in key ring memory of
some other nodes - If any of these nodes are captured, security of
A-gtB is in jeopardy - Solution update communication key to a random
value after key setup - Coordinate key update over multiple independent
paths
21Multipath Key Update
- Assumption j be the no. of disjoint paths
between A and B created during key setup - Node A generates j random values v1,v2vj of same
length as shared key - Each value is routed along a different path to B
and when B receives all j keys, new link key is
computed as - k k v1 v2 . vj
- Long paths are not suitable
- 2-hop multipath key reinforcement is optimal
- Discovery overhead is minimized
22Evaluation
Metric Resistance against node capture
Observation reinforced basic scheme works best
23Evaluation
Metric Maximum Supportable Network Sizes
Observation Multipath Key Reinforcement gives
boost when implemented with basic scheme
24Random-pairwise keys scheme
- In all schemes so far, no node can authenticate
the identity of a neighbor it is communicating
with - Ex. A shares some set of keys with B
- It is possible that C could also posses this key
- Hence, A does not know if is communicating with B
for sure
25Node to node authentication
- Possible if a node can ascertain the identity of
the nodes that it is communicating with - Useful in many cases
- Detecting node misbehavior
- Resisting node replication attack
- Shift security functions away from the base
station
26Random pairwise scheme properties
- Perfect resilience against node capture
- Node to node identity authentication
- Distributed node revocation
- Resistance to node replication
- Comparable scalability
27Random pairwise scheme description
- To achieve the probability p described by ER
formula, in a network of n nodes - Each node need only store a random set of np
pairwise keys (instead of n-1) - Thus, if node can store m keys, network size
nm/p - n should increase with increasing m and
decreasing p
28Phase 1 Initialization
- nm/p unique node identities generated
- Each node identity matched with m other randomly
selected distinct node IDs - Pairwise key generated for each pair of nodes
- Along with ID of other node that also knows the
key, key is stored at both nodes
29Phase 2 Key Setup
- Each node broadcasts node ID to immediate
neighbors - By searching in each others key rings,
neighboring nodes can tell if they share a common
pairwise key - Cryptographic handshake performed between
neighbors to accept the fact that they both have
knowledge of key
30Multihop range extension
- Key discovery involves much less traffic than
random key predistribution - Hence can have nodes rebroadcast node ID for
certain number of hops
31Multihop range extension
- Has impact on maximum supportable network size n
- nmn/d (as seen earlier, pd/n, nm/p)
- Since n increases, maximum network size n also
increases - Should be used with caution since message
rebroadcast is performed without
authentication/verification can lead to
potential DoS attacks - To prevent, can remove multihop range extension,
as is not required for random pairwise scheme
32Support for Distributed Node Revocation
- Node revocation in random pairwise possible via
base stations (but is slow) - Assumption mechanism present in each sensor to
detect if neighboring nodes have been compromised - Nodes broadcast public votes against a detected
misbehaving node. - If any B observes more than threshold number t of
public votes against A, then B breaks off all
communication with A - Voting scheme, voting members
33Support for Distributed Node Revocation
- Scheme 1 Consider any node A in the network
there are m nodes matched with it - These are voting members for A
- Each assigned a random voting key Ki
- Each also knows hashes of other nodes keys
- Nodes compute hash of Ki to verify vote
- Increases memory requirement to O(m2)
34Support for Distributed Node Revocation
- Scheme 2 Merkle tree mechanism O(log m)
computation per output (fractal traversal) - Only a single verifying hash value (root) needs
to be stored - Drawback necessary to remember which nodes
already traversed, to avoid replay votes
35Threshold issues
- t should be
- Low enough that unlikely that any node has degree
lt t - High enough that compromised nodes cannot revoke
legitimate nodes
36Broadcast Mechanism
- Voting scheme uses naïve broadcast, vulnerable to
DoS attack - Network of voting members form random graph with
almost same (high) probability of being connected
as original network (mn/n)
37Resisting revocation attack
- To prevent widespread release of revocation keys
by compromised nodes, only nodes that have
established direct communication with a node B
have ability to revoke B - Done by distributing revocation keys to voting
members in deactivated form, source node knows
secret SBi, which voting members request during
key discovery and setup
38Resistance against node replication/node
generation
- To be resistant to addition of infiltrator nodes
derived form captured nodes, in case of capture
being undetected by the network - Degree of a node limited to counter replication
- Method for degree counting implemented with
public vote counting, thus a node able to track
nodes which share pairwise keys with it
39Conclusion
- Efficient bootstrapping of secure keys important
for secure sensor networks - Tradeoffs exist in each scheme, choice depends on
which tradeoff is most appealing (scenario
dependent) - q-composite scheme good security for small scale
attacks/vulnerable to large scale - 2-hop multipath improved security/network
traffic overhead - Random pairwise resilient, good security/does
not support as large networks as other schemes