Key Management in Mobile and Sensor Networks Class 17


Page 1: Key Management in Mobile and Sensor Networks Class 17

Key Management in Mobile and Sensor Networks

Class 17


Outline

Challenges in key distribution, trust bootstrapping

Pre-setup keys (point-to-point, public)

Resurrecting Duckling

PGP trust graph

Trusted third party (TTP)
• Kerberos, SPINS
• PKI

Key infection

Random-key predistribution


Key Management

Goal: set up and maintain secure keys
• Public keys for signature verification or node-to-node key setup
• Shared keys for confidentiality or authenticity
• Group keys for secure group communication

Challenges
• Trust establishment (class example?)
• Node compromise
• Dynamic node addition/removal


Network Architectures

Closed networks, centralized deployment (trusted authority controls and deploys nodes)
• All-pairs shared keys, or all public keys
• PKI, TTP (Kerberos, SPINS)
• Zhou & Haas threshold key management
• Random-key predistribution

Open networks, autonomous deployment
• Resurrecting Duckling
• PGP web of trust
• Key infection


Full Key Deployment

Symmetric case
• All-pairs shared keys (need O(n^2) keys)
• Challenge: node addition

Asymmetric case
• Distribute every node's public key (n keys)
• Nodes can easily set up secure shared keys


Trusted Key Management Center

Symmetric case
• Trusted third party (TTP) shares a key with each node (n keys)
• Set up a key between two nodes through the TTP
• Kerberos, SPINS key agreement protocol

Asymmetric case
• Public-key infrastructure (PKI)
• Certification authority (CA) signs public keys of nodes
• All nodes know the CA's public key
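The symmetric TTP case as a runnable exchange, added here as an example (it is not code from the lecture, nor from Kerberos or the SPINS implementation). It is modelled on the SPINS node-to-node key agreement: A opens with a nonce, B forwards both nonces to the server S under a MAC, and S returns the session key to each party encrypted and MACed under that party's long-term key, binding the party's own nonce so a stale reply is rejected. The message layout, the node names, and the hash-based XOR stream cipher standing in for real encryption are this example's assumptions.

```python
import hashlib
import hmac
import os

# Added example: TTP-mediated key agreement in the style of SPINS. The stream
# cipher below is a stand-in (SHA-256 keystream) so the code runs with the
# standard library only; a real node would use its block cipher in CTR mode.

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # keystream block i = SHA-256(key | nonce | i); nonces are fresh per run
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)

decrypt = encrypt  # XOR with the same keystream inverts it

class Server:
    """Trusted third party: one long-term key per node (n keys in total)."""
    def __init__(self):
        self.keys = {}

    def register(self, name: str) -> bytes:
        self.keys[name] = os.urandom(32)
        return self.keys[name]

    def handle(self, na, nb, a, b, tag):
        # Message 2 (B -> S): N_A, N_B, A, B, MAC(K_BS, N_A | N_B | A | B)
        kas, kbs = self.keys[a], self.keys[b]
        if not hmac.compare_digest(tag, mac(kbs, na, nb, a.encode(), b.encode())):
            raise ValueError("bad MAC from " + b)
        sk = os.urandom(32)                      # fresh session key SK_AB
        ca, cb = encrypt(kas, na, sk), encrypt(kbs, nb, sk)
        # Messages 3 and 4: {SK_AB}_K_xS with a MAC over the party's own nonce,
        # the peer's name and the ciphertext.
        return (ca, mac(kas, na, b.encode(), ca)), (cb, mac(kbs, nb, a.encode(), cb))

class Node:
    def __init__(self, name, server):
        self.name, self.server = name, server
        self.ks = server.register(name)          # long-term key shared with S
        self.nonce = None

    def initiate(self, peer):
        # Message 1 (A -> B): N_A, A
        self.nonce = os.urandom(16)
        return self.nonce, self.name

    def respond(self, na, a):
        self.nonce = os.urandom(16)
        tag = mac(self.ks, na, self.nonce, a.encode(), self.name.encode())
        return na, self.nonce, a, self.name, tag

    def finish(self, peer, msg):
        c, tag = msg
        if not hmac.compare_digest(tag, mac(self.ks, self.nonce, peer.encode(), c)):
            raise ValueError(self.name + ": bad MAC or stale nonce")
        return decrypt(self.ks, self.nonce, c)

def run_key_agreement(server, a, b):
    """Full exchange; returns the session key as seen by A and by B."""
    na, _ = a.initiate(b.name)
    msg_a, msg_b = server.handle(*b.respond(na, a.name))
    return a.finish(b.name, msg_a), b.finish(a.name, msg_b)

def demo():
    s = Server()
    a, b = Node("A", s), Node("B", s)
    ska, skb = run_key_agreement(s, a, b)
    # Replay: capture S's reply to A from one run and deliver it in the next.
    na, _ = a.initiate("B")
    msg_a, _ = s.handle(*b.respond(na, "A"))
    a.initiate("B")                              # A's nonce changes, so ...
    try:
        a.finish("B", msg_a)
        replayed = True
    except ValueError:
        replayed = False                         # ... the stale reply is refused
    return {"agree": ska == skb, "keylen": len(ska), "replay_accepted": replayed}

if __name__ == "__main__":
    print(demo())
```

The server never sees a request it did not MAC-check, and each party accepts only a reply bound to the nonce of its current run; that is what keeps the n long-term keys from turning into a replayable oracle.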


Zhou & Haas Key Management

PKI drawbacks
• Revocation requires an on-line PKI
• Single point of failure; replicating the CA to avoid it increases exposure to node compromise

Distributed CA model, tolerates t faulty nodes

Threshold signatures
• Signing needs a coalition of t+1 correct nodes
• Secret sharing prevents t malicious nodes from reconstructing the CA's private key

Proactive security
• Periodic share refreshing defends against a mobile adversary that compromises different nodes over time
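The secret-sharing and share-refreshing half of the distributed CA, as an added example (not code from the lecture or from Zhou & Haas; the CA private key is modelled as a field element, and the threshold signature that would be computed from the shares is not shown). Any t+1 shares reconstruct the key, any t reveal nothing, and after a refresh round, in which every node adds a share of a random polynomial with constant term 0, shares captured before the refresh no longer combine with shares captured after it. The prime, the seeded RNG and the node count are assumptions made so the example runs offline.

```python
import random

# Added example: (t+1)-of-n Shamir sharing over a prime field with proactive
# share refresh. A real distributed CA would share an RSA/DSA key and verify
# each refresh contribution (verifiable secret sharing); neither is shown here.

PRIME = 2**127 - 1      # field size; assumption for the example

def _eval(coeffs, x):
    """Horner evaluation mod PRIME; coeffs[0] is the constant term (the secret)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def share(secret, t, n, rng):
    """Shares {x: f(x)} for x = 1..n of a random degree-t polynomial with f(0) = secret."""
    coeffs = [secret % PRIME] + [rng.randrange(PRIME) for _ in range(t)]
    return {x: _eval(coeffs, x) for x in range(1, n + 1)}

def reconstruct(shares):
    """Lagrange interpolation at x = 0 from any set of {x: y} points.
    With t+1 correct shares this is the secret; with t shares it is a random value."""
    total = 0
    xs = list(shares)
    for i in xs:
        num = den = 1
        for j in xs:
            if j != i:
                num = num * (-j) % PRIME
                den = den * (i - j) % PRIME
        total = (total + shares[i] * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

def refresh(shares, t, rng):
    """Proactive refresh without a dealer: each of the n nodes picks a random
    degree-t polynomial with constant term 0 and hands every node its point;
    nodes add what they receive to their share. f(0) is unchanged, but old and
    new shares lie on different polynomials and do not mix."""
    n = len(shares)
    new = dict(shares)
    for _ in range(n):
        zero_shares = share(0, t, n, rng)
        for x in new:
            new[x] = (new[x] + zero_shares[x]) % PRIME
    return new

if __name__ == "__main__":
    rng = random.Random(1)
    ca_key = 0x5EC2E7           # stand-in for the CA private key
    s = share(ca_key, t=2, n=5, rng=rng)
    print(reconstruct({1: s[1], 3: s[3], 5: s[5]}) == ca_key)   # 3 shares: True
    print(reconstruct({1: s[1], 2: s[2]}) == ca_key)            # 2 shares: False
    s2 = refresh(s, 2, rng)
    print(reconstruct({1: s[1], 2: s[2], 3: s2[3]}) == ca_key)  # mixed periods: False
```

The refresh as written trusts every contribution; a faulty node could add a non-zero constant and silently change the shared key, which is why Zhou & Haas rely on verifiable secret sharing for the refresh, and why the question on the next slide about tolerating faulty nodes during refreshing matters.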


Discussion

How can share refreshing tolerate faulty nodes?

How can we tolerate a compromised combiner?
• Who decides to be a combiner?

How can we bootstrap this system?
• How can we introduce a new node?

Why should a node sign a message?
• How does a node authenticate a message?

Is signature combination expensive if we have t faulty nodes?

How efficient are these mechanisms?


Random-Key Predistribution

Scenario: deploy 10^4 sensor motes from an airplane

Goal: set up secure node-to-node keys

Simple approaches impractical
• Network-wide secret key
• Pairwise shared key with every other node
• Pairwise shared key with neighbors
• Public key infrastructure


Basic Random Key Scheme

Eschenauer and Gligor, ACM CCS 2002

Observation: no need for all pairs of nodes to be able to communicate to get a connected network

For any 2 nodes, if they can communicate with some probability p, then the network is a random graph that is connected with high probability (e.g. 0.999)

p is a given parameter, dictated by communication range and density of deployment of the nodes


Basic Random Key Scheme

(Figure: key pool and key rings)
• Total key space: 2^128 keys
• Key pool P: randomly choose |P| keys from the key space
• Key ring of node A: randomly choose m keys from P
• Key ring of node B: randomly choose m keys from P

Pick |P| s.t. the probability of any 2 nodes sharing at least 1 key = p


Key capture

Security of the basic scheme is dependent on the adversary not knowing the key pool P

Suppose adversary can compromise sensor nodes and read the keys off their key rings

E.g., the adversary captures node X and discovers key k. If nodes A and B were communicating using key k, the adversary can now eavesdrop although neither A nor B was compromised.

How can we improve resilience to node capture?


q-Composite Keys Scheme

Require any 2 nodes to share at least q keys to communicate

Adversary must discover all q keys to eavesdrop

To maintain the probability of communication between any 2 nodes = p, the key pool must be made smaller (samples from a smaller pool are more likely to overlap)

With a smaller key pool, each key is more likely to be reused across nodes
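The three calculations behind the last few slides, as an added example (not code from the lecture or from the Eschenauer-Gligor and Chan-Perrig-Song papers): the expected degree a random graph needs for a target connectivity, the probability that two m-key rings drawn from a pool of |P| keys share at least q keys (q = 1 is the basic scheme), and the fraction of links between uncaptured nodes that x captured nodes expose. The link-key rule assumed for the q-composite resilience figure is "hash of all keys the two rings share"; the basic scheme is evaluated with one shared key per link, as the key-capture slide describes. Probabilities are exact rationals; the test values use tiny parameters chosen so they can be checked by hand.

```python
from fractions import Fraction
from math import comb, log

# Added example: design arithmetic for random-key predistribution.

def required_degree(n, p_c):
    """Expected node degree d for an Erdős–Rényi graph on n nodes to be connected
    with probability p_c: p = ln(n)/n + c/n with P_c = exp(-exp(-c)), d = p*(n-1)."""
    c = -log(-log(p_c))
    return (n - 1) / n * (log(n) + c)

def prob_share_exactly(pool, m, i):
    """P[two key rings of size m drawn from `pool` keys share exactly i keys]."""
    if i > m:
        return Fraction(0)
    ways = comb(pool, i) * comb(pool - i, 2 * (m - i)) * comb(2 * (m - i), m - i)
    return Fraction(ways, comb(pool, m) ** 2)

def prob_can_talk(pool, m, q=1):
    """P[two nodes share at least q keys]; q = 1 is the basic scheme."""
    return 1 - sum(prob_share_exactly(pool, m, i) for i in range(q))

def min_ring_size(pool, p_target, q=1):
    """Smallest ring size m giving neighbours >= q shared keys with probability >= p_target."""
    for m in range(q, pool + 1):
        if prob_can_talk(pool, m, q) >= p_target:
            return m
    raise ValueError("pool too small for the target probability")

def basic_links_compromised(pool, m, captured):
    """Basic scheme, one shared key per link: a link is readable once any captured
    ring held that key, i.e. 1 - (1 - m/|P|)^x."""
    return 1 - (1 - Fraction(m, pool)) ** captured

def composite_links_compromised(pool, m, q, captured):
    """q-composite scheme, link key = hash of all i >= q shared keys: the adversary
    must hold all i, each known with probability 1 - (1 - m/|P|)^x."""
    p_key_known = basic_links_compromised(pool, m, captured)
    p = prob_can_talk(pool, m, q)
    return sum(p_key_known ** i * prob_share_exactly(pool, m, i) / p
               for i in range(q, m + 1))

if __name__ == "__main__":
    print(f"degree for 0.999 connectivity, n=10000: {required_degree(10_000, 0.999):.1f}")
    print(f"P[share >= 1], |P|=10000, m=75: {float(prob_can_talk(10_000, 75)):.3f}")
    for x in (10, 50, 100):
        print(x, "captured:",
              f"basic {float(basic_links_compromised(10_000, 75, x)):.3f}",
              f"q=2 {float(composite_links_compromised(10_000, 75, 2, x)):.3f}")
```

Running the main block shows the trade-off the slides describe: the q-composite figure starts below the basic one for a handful of captured nodes and overtakes it once many nodes are captured, because the smaller pool that keeps p fixed makes each key more widely reused.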


Resilience vs node capture


Duckling Key Establishment

Stajano and Anderson, IWSP '99

Problem: how can we set up keys in a ubiquitous computing environment?
• Devices use wireless communication
• How to set up a key between household devices and a PDA?

Solution: set up keys using a trusted communication channel
• Physical contact establishes a secure channel


Duckling Security Model 1

Assumes wireless communication

Goals
• Availability
– Guard against jamming and battery exhaustion
– "Sleep deprivation torture attack"
• Secure transient association with a device
– Even in the absence of a trusted server
– Security associations keep changing, as devices change owners, or the owner changes the controller


Duckling Security Model 2

Life cycle "similarities"
• Life cycle of a device
– Buy device in store
– Unpack it at home
– Device breaks or gets a new owner
• Life cycle of a duckling
– Duckling is in egg
– When duckling hatches, first object it sees is viewed as mother: imprinting
– Duckling dies
• Device ownership similar to duck's soul


Duckling Security Model 3

Device life cycle
• Imprinting: device meets master when it wakes up
• Reverse metempsychosis: device dies and gets a new owner
• Escrowed seppuku: manufacturer can kill device to enable renewed imprinting

Physical contact establishes secure key during imprinting phase


PGP Web of Trust

Problem: how can we establish shared keys in an ad hoc network without a trusted PKI?

Approach: use the PGP web of trust

Jean-Pierre Hubaux, Srđan Čapkun and Levente Buttyán: The Quest for Security in Mobile Ad Hoc Networks, MobiHoc 2001


Distributed storage of local certificates

Nodes issue certificates (sign others' keys), as in PGP

Each node stores the certificates that it issued (out-bound certificates) and the certificates that other nodes issued for it (in-bound certificates)

(Figure: nodes u and v with their local certificate repositories)


Creating the subgraphs

Each node builds up its own out-bound and in-bound subgraphs

To establish secure communication, u and v merge their subgraphs and see if they intersect

(Figure: merged subgraphs of u and v)
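The merge-and-search step of the two slides above, as an added example (not code from the lecture or from Hubaux, Čapkun and Buttyán). A certificate is modelled as the directed edge (issuer, subject), meaning "issuer signed subject's key"; each node builds a hop-bounded out-bound subgraph by following certificates it issued and an in-bound subgraph by following certificates issued for it, u and v merge the four subgraphs, and u accepts v's key if a chain of certificates leads from u to v. The hop-bounded construction is a simplification of the paper's repository-building algorithm, and the certificate set is constructed for the example; verifying each signature along the chain is assumed to happen when the chain is checked.

```python
from collections import deque

# Added example: local certificate subgraphs, their merge, and chain search.

class Repository:
    """What one node stores: out-bound (issued by it or reachable from what it
    issued) and in-bound (issued for it or leading to it) certificates."""
    def __init__(self, owner, outbound, inbound):
        self.owner, self.outbound, self.inbound = owner, outbound, inbound

def build_repository(owner, certs, hops):
    """Hop-bounded stand-in for 'each node builds up its subgraphs': follow
    issued certificates forward and received certificates backward for `hops` steps."""
    def expand(forward):
        frontier, collected = {owner}, set()
        for _ in range(hops):
            nxt = set()
            for issuer, subject in certs:
                if (forward and issuer in frontier) or (not forward and subject in frontier):
                    collected.add((issuer, subject))
                    nxt.add(subject if forward else issuer)
            frontier = nxt
        return collected
    return Repository(owner, expand(True), expand(False))

def merged_graph(*repos):
    """Union of the given subgraphs as an adjacency map issuer -> {subjects}."""
    graph = {}
    for r in repos:
        for issuer, subject in r.outbound | r.inbound:
            graph.setdefault(issuer, set()).add(subject)
    return graph

def certificate_chain(graph, u, v):
    """Shortest chain u -> ... -> v in the merged graph (BFS), or None if the
    subgraphs do not intersect. u trusts v's key only if every hop's signature checks."""
    prev = {u: None}
    queue = deque([u])
    while queue:
        x = queue.popleft()
        if x == v:
            chain = []
            while x is not None:
                chain.append(x)
                x = prev[x]
            return chain[::-1]
        for y in sorted(graph.get(x, ())):      # sorted: deterministic tie-break
            if y not in prev:
                prev[y] = x
                queue.append(y)
    return None

# Constructed certificate set: u signed a and b, a signed d, b signed c,
# and both c and d signed v.
CERTS = [("u", "a"), ("u", "b"), ("a", "d"), ("b", "c"), ("c", "v"), ("d", "v")]

def chain_between(u, v, hops, certs=CERTS):
    """What u and v find when each brings a `hops`-deep repository to the merge."""
    graph = merged_graph(build_repository(u, certs, hops), build_repository(v, certs, hops))
    return certificate_chain(graph, u, v)

if __name__ == "__main__":
    print(chain_between("u", "v", 1))   # one-hop repositories: None, no intersection
    print(chain_between("u", "v", 2))   # two-hop repositories: ['u', 'a', 'd', 'v']
```

With one-hop repositories u only knows the certificates it issued and v only those issued for it, and the merged graph has a gap at a, b, c and d; the deeper repositories are what make the subgraphs intersect, which is the point of the "builds up" step on the slide.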


Key Infection

Ross Anderson and Adrian Perrig, 2001

Goal: light-weight key setup among neighbors

Assumptions
• Attacker nodes have the same capability as good nodes
• Attacker nodes are less dense than good nodes
• Attacker compromises a small fraction of good nodes

Basic key agreement protocol
• A → *: A, KA
• B → A: { A, B, KB }_KA
• KAB = H( A | B | KA | KB )


Key Infection

(Figure: nodes A and B, with attacker nodes M1, M2, M3, M4 within range)

Broadcast keys with maximum signal strength


Key Whispering Extension

(Figure: nodes A and B, with attacker nodes M1, M2, M3, M4 now outside the reduced range)

Broadcast keys with minimum signal strength to reach neighbor


Secrecy Amplification

(Figure: A and B with neighbors C, D, E)

A & B share KAB, A & C share KAC, etc.

Strengthen the secrecy of KAB by deriving K'AB
• A → C: { B, A, NA }_KAC
• C → B: { B, A, NA }_KCB
• B → D: { A, B, NB }_KBD
• D → E: { A, B, NB }_KDE
• E → A: { A, B, NB }_KAE
• K'AB = H( KAB | NA | NB )
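The three key-infection slides (basic broadcast, whispering, secrecy amplification) in one small geometric model, added as an example; it is not code from the lecture or from the key-infection paper. Nodes sit on a plane, a passive attacker node hears a transmission if it is within the sender's chosen range, and it learns a key only if the protocol lets it: KA from the plaintext broadcast, KB only if it already holds KA to decrypt the reply, KAB = H(A|B|KA|KB) only with both, and K'AB = H(KAB|NA|NB) only if it also recovered both nonces from a hop it could decrypt. Positions, ranges, names and the deterministic key material are constructed; two simplifications are that each link runs the two-message exchange once with its own key pair, and that attacker nodes do not pool what they overhear.

```python
import hashlib
import math

# Added example: key infection, key whispering and secrecy amplification
# against passive attacker nodes placed on a plane.

class Node:
    def __init__(self, name, x, y):
        self.name, self.x, self.y = name, x, y
        self.known = set()          # attacker nodes: overheard key material

def dist(a, b):
    return math.hypot(a.x - b.x, a.y - b.y)

def H(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

def key_infection(a, b, attackers, whisper, max_range):
    """A -> *: A, KA ; B -> A: {A, B, KB}_KA ; KAB = H(A|B|KA|KB).
    whisper=True sends with just enough power to reach the neighbour.
    Returns (KAB, names of attackers that obtained it)."""
    rng = dist(a, b) if whisper else max_range
    ka = H(b"key", a.name.encode(), b.name.encode())   # constructed, deterministic
    kb = H(b"key", b.name.encode(), a.name.encode())
    kab = H(a.name.encode(), b.name.encode(), ka, kb)
    leaked = set()
    for m in attackers:
        if dist(m, a) <= rng:                        # hears A's plaintext broadcast
            m.known.add(ka)
        if ka in m.known and dist(m, b) <= rng:      # hears B's reply and can decrypt it
            m.known.add(kb)
        if ka in m.known and kb in m.known:
            m.known.add(kab)
            leaked.add(m.name)
    return kab, leaked

def secrecy_amplification(a, b, kab, keys, path_ab, path_ba, attackers, whisper, max_range):
    """NA travels A -> ... -> B along path_ab and NB travels B -> ... -> A along
    path_ba, each hop encrypted under that hop's pairwise key from `keys`.
    K'AB = H(KAB|NA|NB). Returns (K'AB, names of attackers that obtained it)."""
    na, nb = H(b"nonce", a.name.encode()), H(b"nonce", b.name.encode())
    for path, nonce in ((path_ab, na), (path_ba, nb)):
        for x, y in zip(path, path[1:]):
            k = keys[frozenset((x.name, y.name))]
            rng = dist(x, y) if whisper else max_range
            for m in attackers:
                if k in m.known and dist(m, x) <= rng:   # heard the hop and holds its key
                    m.known.add(nonce)
    new_kab = H(kab, na, nb)
    leaked = {m.name for m in attackers if {kab, na, nb} <= m.known}
    for m in attackers:
        if m.name in leaked:
            m.known.add(new_kab)
    return new_kab, leaked

def run_scenario(whisper, max_range=10.0):
    """Constructed layout: A-B is the link to protect, C/D/E are helper
    neighbours, M1 is a distant attacker, M2 sits right next to A."""
    A, B, C = Node("A", 0, 0), Node("B", 4, 0), Node("C", 2, 3)
    D, E = Node("D", 6, -3), Node("E", 2, -5)
    attackers = [Node("M1", 2, 6), Node("M2", 1, 1)]
    keys, leaks = {}, {}
    for x, y in ((A, B), (A, C), (C, B), (B, D), (D, E), (E, A)):
        k, leaked = key_infection(x, y, attackers, whisper, max_range)
        keys[frozenset((x.name, y.name))] = k
        leaks[x.name + y.name] = leaked
    _, leaked2 = secrecy_amplification(A, B, keys[frozenset(("A", "B"))], keys,
                                       [A, C, B], [B, D, E, A],
                                       attackers, whisper, max_range)
    return {"AB": leaks["AB"], "AB_amplified": leaked2}

if __name__ == "__main__":
    print("basic:  ", run_scenario(whisper=False))   # both attackers get KAB and K'AB
    print("whisper:", run_scenario(whisper=True))    # only M2 gets KAB; nobody gets K'AB
```

In this layout M2 is close enough to A that whispering alone cannot save KAB, and it also overhears KAC, so it recovers NA; but the second path B-D-E-A runs entirely out of its hearing range under whispered keys, so NB stays secret and K'AB is safe. With full-power broadcasts even the distant M1 collects enough link keys to read both nonces, which is why the table on the next slide shows the combination (SA-W) doing best.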


Key Infection Summary

Highly efficient

Detailed analysis in progress

Preliminary simulation results:
• Nodes uniformly distributed over a plane
• D (density): average # of nodes within radio range
• # of attacker nodes = 1% of good nodes
• Table shows fraction of compromised links (SA = secrecy amplification, SA-W = secrecy amplification with whispering)

D   Basic   Whisper   SA     SA-W
2   1.1%    0.4%      1.0%   0.3%
3   1.8%    0.6%      1.4%   0.5%
5   2.9%    1.0%      2.4%   0.8%


Discussion

Tradeoffs
• Trust perimeter vs. security?
• Security vs. manageability?