Random Key Predistribution Schemes For Sensor Networks

Slides: 40
Provided by: KRIS294
Learn more at: https://www.cse.sc.edu

Transcript and Presenter's Notes

Title: Random Key Predistribution Schemes For Sensor Networks


1
Random Key Predistribution Schemes For Sensor
Networks
  • Haowen Chan, Adrian Perrig, Dawn Song

2
Index
  • Introduction
  • Basic Scheme
  • Q-composite Scheme
  • Multipath Key Reinforcement Scheme
  • Random Pairwise Scheme
  • Conclusion

3
Sensor Networks
  • What are sensors?
  • A device that responds to a physical stimulus
    (such as heat, light, motion, etc.) and transmits
    a resulting measurement impulse
  • Revolutionizes information gathering and
    processing
  • Networking sensors: ability to coordinate among
    themselves on a larger sensing task

4
Applications
  • Real time traffic monitoring
  • Real time pollution and temperature monitoring
  • Building safety monitoring systems
  • Wild Life Monitoring and Tracking
  • Military sensing and tracking
  • Monitoring complex machinery and processes
  • Video surveillance

5
Sensor Network Limitations
  • Impracticality of public key cryptosystems
  • Vulnerability of nodes to physical capture
  • Nodes not tamper resistant (neighbor distrust)
  • Lack of a-priori knowledge of post deployment
    configuration
  • Limited memory resources
  • Limited bandwidth and transmission power
  • Over-reliance on base stations exposes
    vulnerabilities

6
Bootstrapping Security Requirements
  • Deployed nodes must be able to establish secure
    node to node communication
  • Scheme should be functional without involving the
    base station as arbiter or verifier
  • Additional legitimate nodes deployed at a later
    time can form secure connections with
    already-deployed nodes
  • Unauthorized nodes should not be able to
    establish communications with network nodes and
    thus gain entry into the network
  • The scheme must work without prior knowledge of
    which nodes will come into communication range of
    each other after deployment.
  • The computational and storage requirement of the
    scheme must be low, and the scheme should be
    robust to DoS attacks from out-of-network
    sources.

7
Evaluation Metrics In Key Setup Schemes
  • Resilience against node capture
  • Resistance against node replication
  • Revocation
  • Scale

8
Review Of Basic Scheme
  • Proposed by Eschenauer and Gligor
  • 4 phases:
    - Initialization
    - Node Deployment
    - Key Setup
    - Path Key Generation

9
Initialization Phase
  • Pick a random set of keys S out of the total
    possible key space
  • Key ring: for each node, randomly select m
    keys from S and store them in node memory
  • Criterion: two random subsets of size m in S
    will share at least one key with probability p

10
Deployment And Key Setup Phases
  • Sensor nodes are deployed
  • Key Setup Phase
    - Key discovery: a short identifier is assigned
      to each key before deployment, and each node
      broadcasts its set of identifiers
    - Verification: nodes containing shared keys in
      their key rings verify that the neighbor
      actually holds the key by a challenge-response
      protocol

11
Path Key Generation
  • A connected graph of secure links is formed
  • Nodes set up path keys with nodes in their
    vicinity with which they share no keys in
    their key rings
  • Path can be found from source node to its
    neighbor from connected graph
  • Source node generates path key and sends it
    securely via the path to target node

12
Parameter choices for connected graph
(Erdős–Rényi formula)
  • For high graph connectivity during the key-setup
    phase, the right parameters need to be picked
  • d: degree of the vertices in the graph such that
    the graph is connected with a high probability
    c = 0.999
  • d = ((n-1)/n) (ln(n) - ln(-ln(c))), where n is
    the network size
  • Probability of successful key setup with some
    neighbor: p = d/n', where n' is the expected no.
    of neighbors

13
Q-composite scheme: An improved Basic Scheme
  • Initialization same as Basic Scheme but with
    different size of selected key pool S
  • In Key Setup Phase, key discovery is more secure,
    using Merkle Puzzles
  • In Key Discovery every node identifies every
    neighbor node with which it shares at least q
    keys
  • Link Key K is generated as a hash of all shared
    q' keys, where q' ≥ q
  • e.g. K = hash(k1 || k2 || k3 || ... || kq')
  • Key Setup is not performed between nodes that
    share fewer than q keys

14
Key Pool Size Computation: A Tradeoff
  • Amount of key overlap required for key setup is q
    (increased from 1 in Basic)
  • Hence it is exponentially harder for an adversary
    with a given key set to break a link
  • But to preserve the probability of two nodes
    sharing sufficient keys to establish a secure
    link, the size of key pool S has to be reduced
  • Reduced pool size allows the attacker to gain a
    larger sample of S by breaking fewer nodes
  • Optimum overlap = best security!

15
Evaluation: Pool Size Computation
  • m = 200 keys, p = 0.5
  • Observation: for the optimal choice of key
    overlap, the expected no. of nodes to be captured
    for eavesdropping (0.1 probability) is high

16
Pool Size Computation
  • p(i): no. of ways to choose two key rings with i
    common keys
  • pconnect: probability of any two nodes sharing
    sufficient keys to form a secure connection
  • Then p(i) is given as

  • pconnect = 1 - (p(0) + p(1) + ... + p(q-1))
  • For minimum key overlap q and min. connection
    probability p, choose the largest |S| such that
    pconnect ≥ p

17
Evaluation
  • Metric: resilience against node capture, by
    calculating the fraction of links in the network
    that an attacker is able to eavesdrop on
    indirectly as a result of recovering keys from
    captured nodes
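
The pool-size search and the node-capture metric from the slides above, as an added example that is not part of the original presentation. The expression for p(i) did not survive in this transcript, so the code uses the closed forms for p(i) and for the compromised-link fraction from the Chan, Perrig and Song paper; the function names are assumptions.

```python
from math import comb

def p_share(S, m, i):
    """Probability that two rings of m keys from a pool of S keys share exactly i keys."""
    ways = comb(S, i) * comb(S - i, 2 * (m - i)) * comb(2 * (m - i), m - i)
    return ways / comb(S, m) ** 2

def p_connect(S, m, q):
    return 1.0 - sum(p_share(S, m, i) for i in range(q))

def largest_pool(m, q, p):
    """Largest |S| with p_connect >= p; p_connect only falls as the pool grows."""
    lo, hi = m, 2 * m                      # |S| = m means identical rings, p_connect = 1
    while p_connect(hi, m, q) >= p:
        lo, hi = hi, 2 * hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if p_connect(mid, m, q) >= p:
            lo = mid
        else:
            hi = mid
    return lo

def frac_compromised(S, m, q, x):
    """Fraction of links between uncaptured nodes readable after x node captures."""
    leaked = 1.0 - (1.0 - m / S) ** x      # chance that a given pool key is known
    pc = p_connect(S, m, q)
    return sum(leaked ** i * p_share(S, m, i) / pc for i in range(q, m + 1))

def tradeoff(m=200, p=0.5, qs=(1, 2, 3), captures=(50, 300)):
    """One row per overlap q: (q, pool size, compromised fraction per capture count)."""
    rows = []
    for q in qs:
        S = largest_pool(m, q, p)
        rows.append((q, S, [round(frac_compromised(S, m, q, x), 3) for x in captures]))
    return rows

if __name__ == "__main__":
    for q, S, fracs in tradeoff():         # m = 200, p = 0.5 as on slide 15
        print(f"q={q}  |S|={S}  compromised after 50/300 captures: {fracs}")
```

Raising q shrinks the pool, which helps while few nodes are captured and hurts once many are.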

18
Evaluation
  • Metric: estimation of max. supported size of
    network given certain security properties hold

19
Multipath Key Reinforcement: An Add-On to Basic
Scheme
  • Initial Key Setup using Basic Scheme
  • Now, consider the secure link between nodes A and
    B after key-setup
  • This link is secured using a single key k from
    pool S

20
Problem
  • Problem: k may be present in the key ring memory
    of some other nodes
  • If any of these nodes are captured, security of
    the A->B link is in jeopardy
  • Solution: update the communication key to a
    random value after key setup
  • Coordinate key update over multiple independent
    paths

21
Multipath Key Update
  • Assumption: let j be the no. of disjoint paths
    between A and B created during key setup
  • Node A generates j random values v1, v2, ..., vj
    of the same length as the shared key
  • Each value is routed along a different path to B
    and when B receives all j keys, the new link key
    is computed as
  • k' = k ⊕ v1 ⊕ v2 ⊕ ... ⊕ vj
  • Long paths are not suitable
  • 2-hop multipath key reinforcement is optimal
  • Discovery overhead is minimized

22
Evaluation
  • Metric: resistance against node capture
  • Observation: reinforced basic scheme works best

23
Evaluation
  • Metric: maximum supportable network sizes
  • Observation: multipath key reinforcement gives a
    boost when implemented with the basic scheme

24
Random-pairwise keys scheme
  • In all schemes so far, no node can authenticate
    the identity of a neighbor it is communicating
    with
  • Ex. A shares some set of keys with B
  • It is possible that C could also possess this key
  • Hence, A does not know if it is communicating
    with B for sure

25
Node to node authentication
  • Possible if a node can ascertain the identity of
    the nodes that it is communicating with
  • Useful in many cases:
    - Detecting node misbehavior
    - Resisting node replication attack
    - Shifting security functions away from the base
      station

26
Random pairwise scheme properties
  • Perfect resilience against node capture
  • Node to node identity authentication
  • Distributed node revocation
  • Resistance to node replication
  • Comparable scalability

27
Random pairwise scheme description
  • To achieve the probability p described by ER
    formula, in a network of n nodes
  • Each node need only store a random set of np
    pairwise keys (instead of n-1)
  • Thus, if a node can store m keys, network size
    n = m/p
  • n should increase with increasing m and
    decreasing p

28
Phase 1: Initialization
  • n = m/p unique node identities generated
  • Each node identity matched with m other randomly
    selected distinct node IDs
  • Pairwise key generated for each pair of nodes
  • Along with ID of other node that also knows the
    key, key is stored at both nodes

29
Phase 2: Key Setup
  • Each node broadcasts its node ID to immediate
    neighbors
  • By searching in each other's key rings,
    neighboring nodes can tell if they share a common
    pairwise key
  • Cryptographic handshake performed between
    neighbors to confirm that they both have
    knowledge of the key

30
Multihop range extension
  • Key discovery involves much less traffic than
    random key predistribution
  • Hence can have nodes rebroadcast node ID for
    certain number of hops

31
Multihop range extension
  • Has impact on maximum supportable network size n
  • n = m n'/d (as seen earlier, p = d/n', n = m/p)
  • Since n' increases, maximum network size n also
    increases
  • Should be used with caution, since message
    rebroadcast is performed without
    authentication/verification, which can lead to
    potential DoS attacks
  • To prevent this, multihop range extension can be
    removed, as it is not required for the random
    pairwise scheme

32
Support for Distributed Node Revocation
  • Node revocation in random pairwise possible via
    base stations (but is slow)
  • Assumption: a mechanism is present in each sensor
    to detect if neighboring nodes have been
    compromised
  • Nodes broadcast public votes against a detected
    misbehaving node.
  • If any B observes more than threshold number t of
    public votes against A, then B breaks off all
    communication with A
  • Voting scheme, voting members

33
Support for Distributed Node Revocation
  • Scheme 1: consider any node A in the network;
    there are m nodes matched with it
  • These are voting members for A
  • Each is assigned a random voting key Ki
  • Each also knows hashes of the other nodes' keys
  • Nodes compute the hash of Ki to verify a vote
  • Increases memory requirement to O(m^2)

34
Support for Distributed Node Revocation
  • Scheme 2: Merkle tree mechanism, O(log m)
    computation per output (fractal traversal)
  • Only a single verifying hash value (root) needs
    to be stored
  • Drawback: necessary to remember which nodes
    already traversed, to avoid replay votes
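
A sketch of the Scheme 2 vote check, as an added example that is not part of the original presentation: the verifier stores one root hash, each vote carries a voting key plus log2(m) sibling hashes, and spent leaves are remembered to reject replays. SHA-256, the "leaf"/"node" prefixes and all names are assumptions; the voting keys are constructed sample values.

```python
import hashlib

def H(*parts):                      # SHA-256 is an assumption; the slides name no hash
    return hashlib.sha256(b"".join(parts)).digest()

def build_tree(voting_keys):
    """All tree levels, leaves first. len(voting_keys) must be a power of two."""
    levels = [[H(b"leaf", k) for k in voting_keys]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(b"node", prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels, index):
    """The log2(m) sibling hashes that voter `index` attaches to its vote."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def root_from_vote(index, key, path):
    node = H(b"leaf", key)
    for sibling in path:
        pair = (node, sibling) if index % 2 == 0 else (sibling, node)
        node = H(b"node", *pair)
        index >>= 1
    return node if index == 0 else None   # rejects indices that alias a spent leaf

class RevocationTally:
    """What node B stores about node A: the root, threshold t, and spent leaves."""
    def __init__(self, root, t):
        self.root, self.t, self.spent = root, t, set()

    def cast(self, index, key, path):
        if index in self.spent or root_from_vote(index, key, path) != self.root:
            return False            # replayed or forged vote is ignored
        self.spent.add(index)
        return True

    def revoked(self):              # "more than threshold number t" of votes
        return len(self.spent) > self.t

if __name__ == "__main__":
    keys = [H(b"constructed-voting-key", bytes([i])) for i in range(8)]  # m = 8
    levels = build_tree(keys)
    tally = RevocationTally(levels[-1][0], t=2)
    for i in (5, 5, 0, 7):          # the second vote from 5 is a replay
        print(i, tally.cast(i, keys[i], auth_path(levels, i)), tally.revoked())
```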

35
Threshold issues
  • t should be:
    - Low enough that it is unlikely that any node has
      degree < t
    - High enough that compromised nodes cannot revoke
      legitimate nodes

36
Broadcast Mechanism
  • Voting scheme uses naïve broadcast, vulnerable to
    DoS attack
  • Network of voting members forms a random graph
    with almost the same (high) probability of being
    connected as the original network (m n'/n)

37
Resisting revocation attack
  • To prevent widespread release of revocation keys
    by compromised nodes, only nodes that have
    established direct communication with a node B
    have ability to revoke B
  • Done by distributing revocation keys to voting
    members in deactivated form; the source node
    knows secret SBi, which voting members request
    during key discovery and setup

38
Resistance against node replication/node
generation
  • To be resistant to the addition of infiltrator
    nodes derived from captured nodes, in case the
    capture goes undetected by the network
  • Degree of a node limited to counter replication
  • Method for degree counting implemented with
    public vote counting, thus a node able to track
    nodes which share pairwise keys with it

39
Conclusion
  • Efficient bootstrapping of secure keys important
    for secure sensor networks
  • Tradeoffs exist in each scheme, choice depends on
    which tradeoff is most appealing (scenario
    dependent)
  • q-composite scheme: good security for small scale
    attacks/vulnerable to large scale
  • 2-hop multipath: improved security/network
    traffic overhead
  • Random pairwise: resilient, good security/does
    not support as large networks as other schemes