Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment in Sensor Networks

Title: Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment in Sensor Networks


1
Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment in Sensor Networks
Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig
Carnegie Mellon University
2
How do nodes receive cryptographic keys?
  • "Distribution is simple: nodes are loaded with the shared key before deployment." (TinySec)
  • "send the key in the clear thus resulting in a brief moment of vulnerability." (ZigBee)
3
Potential approach: Factory installation
4
Potential approach: Physical interface
  • Properties achieved
    • Secrecy
    • Ease of use
  • But
    • Batch deployment remains a tedious task
    • USB interface will not exist on many commodity nodes
      • Sensors deployed in harsh environments
      • USB interfaces are expensive

5
An ideal practical solution
  • No physical interface
    • No USB connectors, screens, or keypads
  • Deploy keys wirelessly
    • Resistant to eavesdropping and injection attacks
  • Key deployment by end users
    • End users are not security experts
  • Batch deployment for multiple nodes
    • Scales for large deployments

6
Agenda
  • Motivation
  • Problem definition
  • Single node key deployment
  • User study
  • Batch deployment

7
Agenda
  • Motivation
  • Problem definition
  • Single node key deployment
  • User study
  • Batch deployment

8
Problem definition (1/2)
  • Securely set up a shared secret between a base station and a new node
  • Key secrecy
    • Attacker cannot compromise shared secret
  • Key authenticity
    • New node receives the key that base station intended it to receive
  • Demonstrative identification
    • Users are certain which devices are communicating

9
Problem definition (2/2)
  • Robust to user error
    • Fail-safe: human error results in failure to set up a key, not key compromise
  • Cost effective
    • Does not require additional hardware on each node
  • No asymmetric cryptography
    • Even asymmetric crypto schemes need one authenticated value

10
Assumptions
  • Installer
    • Trusted
    • Not expert
  • Base station
    • Trusted
    • Generates keys
  • Sensor node
    • Unmodified hardware
    • Loose time synchronization
    • Unmodified software

11
Strong attacker model
  • Dolev-Yao
    • Overhear, intercept, modify, reorder, and send arbitrary messages
    • Before, during, and after key deployment
  • More powerful malicious device deployed around vicinity of nodes
    • Higher antenna gain
    • Faster processor

12
Agenda
  • Motivation
  • Problem definition
  • Single node key deployment
  • User study
  • Batch deployment

13
How to send key wirelessly to new node?
Attacker eavesdrops on key!
Attacker
14
Need some type of isolation
Faraday cage approach proposed by Castelluccia
and Mutaf, 2005
15
Why isn't a Faraday cage sufficient?
  • How does installer know when to open cage?
  • How does installer know cage is closed?
  • What happens if Faraday cage is imperfect?
  • How does installer know if node has correct key?

16
How does installer know when to open cage?
Faraday Cage
17
How does installer know when to open cage?
Faraday Cage
18
Keying beacon interacts with user
  • Solid blue - performing key deployment
  • Blinking blue - done

Faraday Cage
19
Keying beacon interacts with user
  • Solid blue - performing key deployment
  • Blinking blue - done

Faraday Cage
20
Why isn't a Faraday cage sufficient?
  • How does installer know when to open cage?
  • How does installer know cage is closed?
  • What happens if Faraday cage is imperfect?
  • How does installer know if node has correct key?

21
How do nodes know when cage is closed?
Faraday Cage
22
Authenticated heartbeats determine whether cage
is closed
Faraday Cage
23
Why isn't a Faraday cage sufficient?
  • How does installer know when to open cage?
  • How does installer know cage is closed?
  • What happens if Faraday cage is imperfect?
  • How does installer know if node has correct key?

24
What if cage leaks?
Faraday Cage
25
What if cage leaks?
  • Solution 1: Keying beacon eavesdrops

I hear shielded messages!
Faraday Cage
26
How leaky is cage?
  • L_cage: Attenuation of cage (dBm)
    • Strong attenuation (large negative number)
      • Attacker cannot overhear shielded messages
    • Weak attenuation (small negative number)
      • Attacker can overhear shielded messages
      • Keying beacon can also detect leaked messages
  • In order for leaking to go undetected
    • Attacker needs a sweet spot
    • Based on our setup: -66 dBm

Faraday Cage
27
How far away does attacker have to be?
  • RS_e: Eavesdropper's required radio sensitivity
    • Attacker antenna gain of 10 dBm
  • P_t: Transmit power of keying device, at minimum power
  • L_cage: Attenuation of cage
  • d_min: Distance of eavesdropper

If cage leaks, attacker needs to be within 19cm
28
What if cage leaks?
  • Solution 2: Keying beacon jams at full power
    • Leaked messages overpowered by jamming signal

Faraday Cage
29
How do nodes know jammed at correct time?
  • Requires loose time synchronization

Faraday Cage
30
Summary: Protecting shielded messages
  1. Faraday cage attenuates shielded messages
  2. Shielded messages sent at minimum power
  3. Keying beacon jams at full power

31
Why isn't a Faraday cage sufficient?
  • How does installer know when to open cage?
  • How does installer know cage is closed?
  • What happens if Faraday cage is imperfect?
  • How does installer know if node has correct key?

32
How does installer know if node has correct key?
[Diagram labels: Chal, MAC, Rsp]
Faraday Cage
33
How does installer know if node has correct key?
Faraday Cage
34
Key verification
[Diagram labels: Rsp, Chal, Rsp]
Faraday Cage
35
What if there was an error?
  • Easy for user to detect
  • Fail-safe

[Diagram labels: Rsp, Rsp, !]
Faraday Cage
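
The Chal/Rsp key verification from the slides above, sketched as an added example (not code from the presentation or its authors). HMAC-SHA256, the `Verifier` and `NewNode` names, the 16-byte challenge and the `CONTEXT` label are assumptions; the slides only name Chal, MAC and Rsp.

```python
import hashlib
import hmac
import secrets

CONTEXT = b"key-verification"  # hypothetical domain-separation label


def mac(key: bytes, chal: bytes) -> bytes:
    # HMAC-SHA256 stands in for whatever MAC the nodes implement (assumption).
    return hmac.new(key, CONTEXT + chal, hashlib.sha256).digest()


class NewNode:
    """Holds whatever key arrived over the radio inside the cage."""

    def __init__(self, received_key: bytes):
        self.key = received_key

    def respond(self, chal: bytes) -> bytes:
        return mac(self.key, chal)  # Rsp = MAC_K(Chal); the key is never sent


class Verifier:
    """Holds the key the base station intended the node to receive."""

    def __init__(self, intended_key: bytes):
        self.key = intended_key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)  # fresh Chal per attempt
        return self.pending

    def check(self, rsp: bytes) -> bool:
        chal, self.pending = self.pending, None  # each Chal is accepted once
        if chal is None:
            return False
        return hmac.compare_digest(mac(self.key, chal), rsp)


def verify_deployment(intended_key: bytes, node: NewNode) -> str:
    verifier = Verifier(intended_key)
    ok = verifier.check(node.respond(verifier.challenge()))
    # Fail-safe: any mismatch means "re-key", never "use the key anyway".
    return "success" if ok else "failure: discard key and repeat deployment"


if __name__ == "__main__":
    k = secrets.token_bytes(16)  # constructed sample key
    print(verify_deployment(k, NewNode(k)))
    print(verify_deployment(k, NewNode(secrets.token_bytes(16))))
```

A node that received a corrupted or attacker-supplied key fails the check, and a recorded Rsp is useless against the next Chal, which is what makes the error case easy for the installer to detect.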
36
Summary: Single node key deployment
  • Installer places
    • New Node and Keying Device inside Faraday cage
    • Keying Beacon outside Faraday cage
  • Keying Device and Beacon exchange authenticated heartbeats to determine whether cage is closed
  • Installer closes cage
  • Key exchange inside cage (shielded messages)
  • Beacon jams at full power
  • Beacon notifies installer to open cage
  • Key verification
    • Compares jamming schedule
    • Challenge response protocol
  • Beacon signals to installer whether keying was successful

37
Agenda
  • Motivation
  • Problem definition
  • Single node key deployment
  • User study
  • Batch deployment

38
User study
39
Agenda
  • Motivation
  • Problem definition
  • Single node key deployment
  • User study
  • Batch deployment

40
Batch deployment
[Diagram labels: New Nodes, Keying Device]
Faraday Cage
41
Same questions apply for batch deployment
  • How does installer know when to open cage?
    • Keying might take variable time!
    • Need to determine number of nodes in batch
  • How does installer know cage is closed?
    • Authenticated heartbeats
  • What happens if Faraday cage leaks signal?
    • Beacon jams at full power
  • How does installer know if node has correct key?
    • Key verification

42
Batch deployment
[Diagram labels: New Nodes, Weight Scale, Keying Device]
Faraday Cage
43
Batch deployment
  • Same protocol from user's perspective

Number of nodes = Weight / Unit weight
[Diagram labels: New Nodes, Weight Scale, Keying Device]
Faraday Cage
44
Related Work
  • Physical interface
    • Resurrecting Duckling (Stajano 01)
    • Seeing is Believing (McCune 04)
  • Other side channel as sensors
    • Talking to Strangers (Balfanz 03)
    • Shake Them Up (Castelluccia 05)
  • Requires pre-existing information
    • Integrity code (Cagalj 06)
  • Insecure
    • Key Infection (Chan 03)

45
Conclusion
  • Key deployment
    • Hard problem
    • Not currently addressed for highly secure environments
    • Needed by all secure sensor network protocols
  • Message-in-a-Bottle
    • Secure
    • Robust to user error