SIA: Secure Information Aggregation in Sensor Networks

1
SIA Secure Information Aggregation in Sensor
Networks

• Bartosz Przydatek, Dawn Song, and Adrian perrig
• ACM SenSys 2003
• November 9, 2004
• Dept. Computer Science, KAIST
• Minsoo Kim

2
Contents

• 1. Introduction
• 2. Secure Information Aggregation
• 3. General Approach
• - Aggregate-Commit-Prove Framework
• 4. Secure Computing Protocols
• - Computing the Median
• - Computation of Min/Max
• - Counting Distinct Elements
• 5. Forward Secure Authentication
• 6. Discussion and Conclusion

3
Introduction(1/2)

• Large scale of Sensor Networks
• Aggregation is need
• To transmit all data from each sensor is
  inefficient
• Sensor nodes have limited resources
  (computation, storage, battery)
• Secure information aggregation is need
• To prevent stealthy attack which provides false
  aggregation results
• to user
• False aggregation result (Home server does not
  know!)
• Sensor nodes and aggregator can be corrupted

Secure Information Aggregation(SIA) mechanism is
proposed
4
Introduction(2/2)

• Problem Definition

SmartSensorNode
SmartSensorNode
Aggregator (Base Station) - Min, Avg, Counting,
etc
SmartSensorNode
SmartSensorNode
Home Server(User)
SmartSensorNode
Low communication cost
Measured values
Uncorrupted Sensor
Corrupted Sensor
5
Secure Information Aggregation(1/3)

• Key setup and Communication model
• Key setup (Assumption)
• Home server and aggregator stores a master key
  KB and KA, respectively
• Sensor node stores shared keys MACKB(node ID)
  and MACKA(node ID),
• MAC (Secure) Message Authentication Code
• Communication model (Assumption)
• Uncorrupted sensors form a connected component
  containing the aggregator
• Attack Model and Security Goals
• Attacker can corrupt at most a small fraction of
  all the sensors
• Attackers goal is to make the home server
  accept false aggregation results
• Security goal is to prevent stealthy attack

6
Secure Information Aggregation(2/3)

• Efficiency vs. Accuracy Tradeoff
• Simple solution for stealthy attack
• Aggregator forwards to home sever all data and
  authentication information
• from each sensor
• Accurate, but inefficient
• Communicating just the result of a query(e.g.
  count, min/max, average)
• Very efficient, but not guarantee of correctness
• Relax the accuracy requirements and accept
  approximative results
• Difference between real result and approximation
• Some sensors may be corrupted and report wrong
  values
• When aggregtor uses sampling techniques,
  sampling techniques will be error
• Aggregator may be corrupted

7
Secure Information Aggregation(3/3)

• Notation and Conventions
• n the number of sensors (S1, , Sn)
• A aggregator
• B home server
• ai the values measured by the sensors
• totally ordered set, integers from m 1,,m
  

8
General Approach (1/4)
1.Computation of the aggregation result (R)
2.Committing to the collected data and report
back the aggregation result (v0,0 R)
Aggregator (Base Station)
Home Server(User)
3.Proving the correctness of the result
9
General Approach (2/4)

• Aggregate-Commit-Prove framework
• This approach improves both security and
  efficiency
• Step 1 Computation of the aggregation result
• Aggregator collects sensors data and computes
  aggregation result
• Aggregator can verify the authenticity of each
  sensors data using KA and
• MACKA(node ID)
• Step 2 Committing to the collected data and
  report back the
• aggregation result
• Aggregator commits to the collected data
• Merkle hash-tree is used for committing to the
  data
• All data is placed at leaves of the tree
• Compute a binary has tree starting from the leaf
  nodes
• Internal node is computed as the hash value of
  the concatenation of two childs
• Root is called the commitment of the collected
  data

10
General Approach (3/4)

• Step 3 Proving the correctness of the result
• Aggregator communicates the aggregation result
  and the
• commitment to the server
• Interactive proof is used to prove the
  correctness of the result
• Home server checks that the committed data is a
  good representation
• Home server checks if the aggregator is cheating

11
General Approach (4/4)

• Merkle hash-tree used to commit a set of values
• Cryptographic hash function
• v3,0 H(m0), vi,j H(vi1,2j vi1,2j1)
• (ex) Authentication of m5, aggregator sends m5
  along with v3,4, v2,3, v1,0
• v0,0 H(v1,0 H(H(v3,4 H(m5)
  v2,3))

12
Secure Computing Protocol(1/8)
Efficient protocols to detect the aggregator
cheating!

• 1.Computing the median
• Trivial solution
• Sending all measurements to home server
• Naive approach Median by Random Sampling
• Aggregator
• Only forwards samples from the sensors without
  doing any processing
• Home server
• (1) Takes a random sample l (It is related with
  efficiency)
• (2) Computes the median of the sample as an
  approximation of the real median
• Sample of l out of n elements l O(1/?2)
• Estimation range ?n
• (Ex) n 32,768(215), ? 0.01
• Estimation range ?n ? 327, Sample number ?
  10,000

13
Secure Computing Protocol(2/8)

• New approach for Median (More efficient)
• Aggregator
• (1) Computes the median(amed) of the measured
  values from the sensors
• (2) Commits the measured values and the sequence
  of the values is sorted
• Home server performs interactive proof with
  aggregator
• (1) Verifies that the committed sequence is
  sorted
• Sort-Check-II spot checker
• Sample number O(log n/?)
• (2) Checks that amed is (close to) the median of
  committed sequence
• Median check program
• Sample number O(1/?)
• Total sample number l O(log n/?)
• Estimation range ?n
• (Ex) n 32,768(215), ? 0.01
• Estimation range ?n ? 327, Sample number ? 1,500

14
Secure Computing Protocol(3/8)

• Median Check Program
• Home server runs this program

Sensor Number
Median computed by aggregator
Estimation parameter
aj
Median Check
Aggregator (Base Station)
Home Server(User)
n, amed, ?
Left half Check
Right half Check
15
Secure Computing Protocol(4/8)

• 2.Computation of Min/Max
• Secure min-discovery protocol
• Constructing protocol of aggregator Checking
  protocol of Home server
• Constructing protocol (Minimum spanning tree
  construction)
• Construct a spanning tree, such that the root
  holds the minimum element

Initial State
Min Rooted Tree Construction
After the construction, all sensors have the same
smallest value and form a tree rooted at the node
is the owner of the smallest value
16
Secure Computing Protocol(5/8)

• Checking protocol
• Each node Si authenticate its final state
  (pi,vi,idi) from construction protocol,
• and send the authenticated state to the
  aggregator(A)
• A commits to the list of all nodes and their
  states, finds the root node, and
• reports the root node to home server
• Home server performs FindMin protocol

MinRootedTree Construction
(pj,vj,idj)
Aggregator (Base Station)
Home Server(User)
n, root node,, ?
Consistency Check of the Constructed Tree
17
Secure Computing Protocol(6/8)

• 3.Counting Distinct Elements
• Method I Counting Distinct Elements by
  Min-Computation
• Sensor node level processing (not aggregator)
• Random sample Space-efficient estimation
• Random sample (Random selection of a node)
• (1) Home server picks random hash function h and
  sends it to aggregator
• (2) Aggregator broadcast h with sampling request
• (3) Each sensor computes hash value of its ID and
  current time interval
• (4) Whole network performs a MIN-discovery
  protocol
• Space-efficient estimation of the number of
  distinct elements in a stream
• (1) Pick random hash function h m -gt 0..1
• (2) Keep the value v mini1 h(ai)
• (3) Estimated number of distinct elements ?
  1/v
• Basic idea for improvement is to maintain t
  smallest values ? t/v

n
18
Secure Computing Protocol(7/8)

• Method II Proving Bounds on the Number of
  Distinct Elements
• Aggregator level processing (More efficient than
  Method I)
• Approximation of lower upper bounds
• Lower bound on the number of distinct elements
• Difference compared with Method I
• Method I is performed in sensor nodes, but
  Method II in Aggregator
• Home server has no means to check aggregator in
  evaluating hash function
• and reporting element
• Aggregator may report larger v compared with
  exact v gt estimate ? is
• smaller than ? gt Lower Bound

Space-efficient estimation
19
Secure Computing Protocol(8/8)

• Upper bound on the number of distinct elements
• Aggregator commits to the multi-set S of all the
  elements and subset S
• containing all distinct elements
• Aggregator reports ? S to home server
• Home server verifies aggreggtors claim by
  asking that all the distinct
• elements from S are present in S
• Ramdom sampling home server request random
  element from S, and
• ask aggregator for an element with the same
  value present in S

20
Forward Secure Authentication

• What is forward secure authentication?
• Sensor is corrupted at a certain time,
• Attacker should not be able to alter the past
  data before the certain time
• Forward secure authentication mechanism
• Each sensor updates its key shared with home
  server at each time interval
• using one-way function
• Each sensor uses the updated key to compute MAC
  on sensing data
• Attacker in a later time is unable to compute
  the MAC key for the
• previous time interval
• Because of one-way function
• Challenges
• How to efficiently store the past data
• How to efficiently compute many one-way
  functions for deriving the
• MAC in home server

21
Conclusion Discussion

• Aggregate-commit-prove framework is proposed
• Concrete protocols
• Securely computing the median
• Securely finding the min/max
• Securely counting the number of distinct
  elements
• Securely computing average
• First paper on handling the secure aggregation
  problem
• especially between home server and aggregator
• Hierachical aggregation is needed in large
  sensor networks
• In this paper some protocol is possible, others
  is impossible