Secure Aggregation for Wireless Networks

Lingxuan Hu, David Evans

[lingxuan, evans]@cs.virginia.edu

http://swarm.cs.virginia.edu

Department of Computer Science

University of Virginia

Charlottesville, VA

WSAAN 28 Jan 2003 Hu & Evans 2

Scenario

Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly

High-power base station

Scenario

Transmitting each message all the way to the base station wastes resources.

High-power base station

Data Aggregation

If you only care about average, max, etc., aggregate data inside the network instead of sending it to the base station.

Integrity of Data

With data aggregation, authentication becomes harder.

Compromised Node

Problem

Can we provide the power-saving benefits of in-network data aggregation but limit the amount of damage a single compromised node can do?

Rest of Talk:

1. Background: Inexpensive Authentication without Aggregation
2. Secure Aggregation
3. Security and Cost Analysis
4. Scalable Solution

Cryptographic Hash Chains

x → f (x) → f (f (x)) → f (f (f (x))), each arrow being one application of f

Initially store: K0 = f^4(x)

K1 = f^3(x): verify f (K1) = K0

K2 = f^2(x): verify f (K1) = K0

[Figure: the keys are laid out along a time axis]

f is a one-way function: easy to calculate f(x), but difficult to invert f.

µTesla [Perrig et al., 2002]

• Initially: sensor nodes know K0 = f^n(x); base station knows x

• Base station messages encrypted using K1 = f^(n-1)(x)

• Nodes store and time stamp messages, but cannot decrypt them (yet)

• At time t1, base station broadcasts K1

• Nodes verify f (K1) = K0

• Nodes use K1 to decrypt earlier messages

• Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed
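The key-disclosure steps above as an added Python example (not code from the talk or from µTesla itself). It assumes SHA-256 for f and a truncated HMAC as the message tag, and it authenticates messages with a MAC keyed by K1 where the slide says "encrypted"; the class and function names, messages and times are constructed for the example.

```python
import hashlib
import hmac

def f(k: bytes) -> bytes:
    """One-way function f (SHA-256 is this example's choice)."""
    return hashlib.sha256(k).digest()

def make_chain(x: bytes, n: int) -> list:
    """Return [K0, ..., Kn] with K_i = f^(n-i)(x), so f(K_(i+1)) == K_i."""
    chain = [x]
    for _ in range(n):
        chain.append(f(chain[-1]))
    return chain[::-1]

def mac(key: bytes, msg: bytes) -> bytes:
    """8-byte tag: HMAC-SHA256 truncated (construction assumed for the example)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Node:
    def __init__(self, k0: bytes):
        self.last_key = k0   # newest chain key this node has authenticated
        self.buffer = []     # (arrival_time, msg, tag) awaiting key disclosure

    def receive(self, now: int, msg: bytes, tag: bytes) -> None:
        self.buffer.append((now, msg, tag))  # store and time stamp only

    def key_disclosed(self, key: bytes, disclosed_at: int) -> list:
        """Check f(key) == stored key, then release the messages it authenticates."""
        if not hmac.compare_digest(f(key), self.last_key):
            return []        # not the next chain key: ignore it, keep the buffer
        ok = [m for (t, m, tag) in self.buffer
              if t < disclosed_at and hmac.compare_digest(mac(key, m), tag)]
        self.last_key, self.buffer = key, []
        return ok

def demo():
    chain = make_chain(b"constructed secret x", 4)  # base station keeps x
    node = Node(chain[0])                           # node is loaded with K0 only
    k1 = chain[1]
    node.receive(1, b"rate=5", mac(k1, b"rate=5"))        # genuine
    node.receive(2, b"rate=9", mac(b"guess", b"rate=9"))  # forged without K1
    node.receive(11, b"halt", mac(k1, b"halt"))           # stamped after K1 was public
    bogus = node.key_disclosed(b"\x00" * 32, 10)          # key not on the chain
    return bogus, node.key_disclosed(k1, 10)              # ([], [b"rate=5"])
```

Only the message that arrived before the disclosure time and carries a tag made with the genuine K1 is released; the off-chain key leaves the buffer untouched.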

Node Authentication

• Before deployment, establish a shared symmetric secret key between each node and base station: KNS

• Send readings with a MAC: RA | MAC (KAS, RA)

Assumes confidentiality of transmitted readings is not important. We are only concerned with integrity.

Authenticated Sensor Net

Each node transmits: N | RN | MAC (KNS, RN)

Base station verifies MAC before accepting RN.

Authenticated Data Aggregation

[Figure: nodes A, B and C]

A | RA | MAC (KAS, RA)

B | RB | MAC (KBS, RB)

C | Aggr (RA, RB) | MAC (KCS, Aggr (RA, RB))

Secure Aggregation

• Delayed Aggregation: Only aggregate messages after they have traveled one hop

• Delayed Authentication: Use µTesla variation to reveal children’s keys to parents to provide delayed authentication

Protocol Example

[Figure: aggregation tree with nodes A, B, C, D, E, F and G, each link labelled with the message sent over it]

IDA | RA | MAC (KAi, RA)

IDB | RB | MAC (KBi, RB)

IDA | RA | MAC (KAi, RA) | IDB | RB | MAC (KBi, RB) | MAC (KEi, Aggr (RA, RB))

IDC | RC | MAC (KCi, RC) | IDD | RD | MAC (KDi, RD) | MAC (KFi, Aggr (RC, RD))

IDE | Aggr (RA, RB) | MAC (KEi, Aggr (RA, RB)) | IDF | Aggr (RC, RD) | MAC (KFi, Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD))

KAi is the ith key in a µTesla key chain starting from KAS

[Figure: the same nodes and messages as on the previous slide, with node H added]

IDG | Aggr (Aggr (RA, RB), Aggr (RC, RD)) | MAC (KGi, Aggr (RA, RB, RC, RD)) | … (same from right side) | MAC (KHi, Aggr (RA, RB, RC, RD, . . . readings from right side))

Data Transmission Summary

• Children send their data reading and MAC (using KNi) to their parents.

• Parents forward the data and MACs they receive to grandparents, along with a calculated MAC of the aggregation

• Grandparents forward MACs and aggregate values from parents and a calculated MAC of aggregation

Data Validation

• At some later time, the Base Station reveals KNi for each node N that transmitted data, along with MAC (Ki, KNi)

• The parent of N uses KNi to verify MAC (KNi, RN)

• Nodes increment i to use the next µTesla key

• The Base Station broadcasts Ki (which nodes verify) and advances to the new µTesla key

Abridged Attack Analysis

• Intruder Node (no key material)

  – Cannot forge sensor readings: they will be detected when the base station reveals the node MAC keys

  – Replay attacks ineffective: keys change, can only replay readings within this time period

  – Denial-of-service attack can succeed (but alerts operator)

• Compromised Node (all keys on one node)

  – Can lie about its own reading

  – But, cannot alter other nodes' readings without getting caught: aggregate will not match calculated aggregate at next level
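The check that catches a compromised parent, as an added Python example (not code from the talk). It assumes fixed byte strings standing in for the per-interval µTesla keys, Aggr carried as a (sum, count) pair, a truncated HMAC as the MAC, and a grandparent that hears the revealed keys and checks the forwarded child MACs as well as the parent's aggregate MAC; all function names and readings are constructed.

```python
import hashlib
import hmac

def mac(key: bytes, data) -> bytes:
    """8-byte tag over a reading or aggregate (HMAC-SHA256, assumed construction)."""
    return hmac.new(key, repr(data).encode(), hashlib.sha256).digest()[:8]

def aggr(readings):
    """Aggr as (sum, count), so averages still combine further up the tree."""
    return (sum(readings), len(readings))

def child_msg(node_id, key, reading):
    return (node_id, reading, mac(key, reading))      # ID | R | MAC (K, R)

def parent_msg(parent_key, child_msgs, claimed=None):
    """Forward the children's triples unaggregated, plus a MAC over the aggregate."""
    agg = claimed if claimed is not None else aggr([r for _, r, _ in child_msgs])
    return (list(child_msgs), mac(parent_key, agg))

def grandparent_check(msg, revealed_keys, parent_key):
    """Run once the base station has revealed this interval's keys."""
    children, parent_tag = msg
    for node_id, reading, tag in children:
        if not hmac.compare_digest(mac(revealed_keys[node_id], reading), tag):
            return False, "bad MAC on reading from " + node_id
    # Delayed aggregation: the grandparent computes Aggr itself and compares.
    expected = mac(parent_key, aggr([r for _, r, _ in children]))
    if not hmac.compare_digest(expected, parent_tag):
        return False, "aggregate MAC does not match calculated aggregate"
    return True, "ok"

def demo():
    keys = {"A": b"constructed K_Ai", "B": b"constructed K_Bi"}  # revealed later
    k_e = b"constructed K_Ei"
    a = child_msg("A", keys["A"], 21)
    b = child_msg("B", keys["B"], 22)
    honest = parent_msg(k_e, [a, b])
    altered = parent_msg(k_e, [("A", 90, a[2]), b])       # E rewrites R_A, cannot re-MAC it
    inflated = parent_msg(k_e, [a, b], claimed=(200, 2))  # E MACs an aggregate it made up
    return [grandparent_check(m, keys, k_e) for m in (honest, altered, inflated)]
```

Because the parent does not hold its children's keys at forwarding time, it can neither re-MAC a rewritten reading nor commit to an aggregate that differs from what the grandparent calculates.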

Successful Attacks

• Compromised node selectively drops child readings

  – Nothing to prevent this (but unlikely to change much without base station noticing)

  – Can use child snooping to catch it earlier

• Compromise two consecutive (parent and grandparent) nodes

  – Can forge readings for entire subtree

Communication Cost

[Figure: bar chart of Total Kilobytes Transmitted (y-axis, 0 to 800) against Sensor Nodes (x-axis: 340, 1364, 5460), with bars for No Aggregation, Insecure Aggregation and Secure Aggregation]

Sensor reading: 22 bytes

MAC of message: 8 bytes

Ideal binary network

Secure Aggregation requires about 3 times the amount of data transmission as Insecure Aggregation, but provides integrity with < ½ the cost of no aggregation.

Scalability

• Base station must broadcast next node key for every node

• To scale to larger sensor networks, use local µTesla between parent-child

  – Need base station to validate start of hash chain

• Two µTESLA keys are used each time, one for immediate authentication, and another for later authentication:

A → Parent: IDA | RA | KA1 | MAC (KA2, RA)

  – KA1: authenticate the origin of message (node A) immediately

  – MAC (KA2, RA): authenticate reading later

Summary / Moral (?)

• With our protocol, you can get authenticated results without trusting your children at all, and trusting your parents and grandparents not to conspire together against you.

• Not trusting your children is reasonable (inexpensive)

• Not trusting your parents is expensive: requires over twice the resources of the insecure aggregation protocol

http://swarm.cs.virginia.edu