Wireless Sensor Network Security: The State of the Art
Credit: Yee Wei Law, The University of Melbourne

Roadmap
Primer to cryptography and WSNs
Secure data aggregation
Key management
Other areas:
  secure remote reprogramming
  secure localization
  energy-efficient jamming attacks

Introduction to security
Security threats: either somebody wants to steal something from you or sabotage you
Information assurance (IA) is a set of measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
[Figure labels: Information assurance; Information security; Operation security; Protection, Detection, Reaction]

Primitives
Security objectives:
  Confidentiality
  Integrity
  Authentication
  Non-repudiation
Encryption / decryption
  Symmetric-key: E(K, M) / D(K, M)
  Asymmetric-key: E(PK, M) / D(SK, M)
Signature / verification
  Symmetric-key: message authentication code (MAC), denoted MAC(K, M)
  Asymmetric-key: digital signature, denoted Sign(SK, M), Ver(PK, M)
Notation: public key = PK, private key = SK

Common usage
E(K1, M) || MAC(K2, E(K1, M))
  E(K1, M): confidentiality
  MAC(K2, E(K1, M)): integrity, authentication
  Different keys for encryption and authentication
E(K1, M) || Sign(SK, h(E(K1, M)))
  E(K1, M): confidentiality
  Sign(SK, h(E(K1, M))): integrity, authentication, non-repudiation
  Signing on hash is more efficient

Challenges in WSNs
Constraints | Implications
Sensor node hardware, resource constraints | Algos must be energy- and storage-efficient
Nodes operate unattended | Adversary can compromise any node
Nodes not tamper-resistant | Adversary can compromise any node's keys
No fixed infrastructure | Cannot assume any special-function node in vicinity
No pre-config'ed topology | Nodes don't know neighbours in advance
Communicate in an open medium | Communications are world-readable and world-writeable by default

Security design principles
Favour computation over communication
  Communication 1000 times more energy-consuming than computation
Minimal public-key crypto
  Tate pairing costs 5s (54mJ) on a Tmote Sky (fastest recorded by [Szczechowiak et al. 08])
Favour resilience (tolerance) over absolute security
  Strength in number

Part One
Secure data aggregation

Data aggregation
[Figure: tree of sensor nodes, each intermediate node labelled "aggregate"]
Purposes:
(1) Save bandwidth (limited data rate)
(2) Save energy (limited energy)
Reason why we put a processor on every node in the first place

Phase 1: Query dissemination
Sample query:
SELECT AVERAGE(temperature)
FROM sensors
WHERE floor = 6
EPOCH DURATION 30s

Phase 2: Data aggregation
[Figure: tree of sensor nodes, each intermediate node labelled "aggregate"]
Types of aggregation: (1) basic aggregation, (2) data compression, (3) parameter estimation

Phase 3: Result verification (optional)
[Figure: the sink asks each source "Did you really report this?"]

Security goals of data aggregation
Robustness: Byzantine corruption of data would not make aggregation result totally meaningless
Confidentiality: To ensure that other than the sink and the sources, no intermediate node should have knowledge of the raw data or the aggregation result
[Figure: sources report 1, 2, 3 and 1000 to a node that performs averaging: "So the average is 251.5… Oh wait a minute". On the way to the sink, intermediate nodes ask "What the hell am I aggregating?" and "What the hell am I forwarding?"]

Securing data aggregation: multipronged defence
[Figure: network of sources, aggregators, forwarders and sink, annotated with four numbered defences]
  Resilient aggregation
  'Witness nodes' vote on validity of aggregation result
  Sink verifies aggregation result with sources
  Privacy homomorphism
  End-to-end keying

Resilient aggregation
Objective: To bound the effect of data corruption
Corruption can be arbitrary – Byzantine
By convention, we denote the number of corruptions as k
Methods:
  Robust statistics (1-hop networks)
  RANBAR (1-hop networks)
  Quantiles aggregation (multi-hop networks)

Robust statistics
Say an aggregation function is actually an estimator
Say we are estimating a parameter Θ and there are k rogue nodes
An aggregation function is (k,)-resilient if
ˆ ˆrms*( , ) rms( )k
That is, the RMS error as a result of k-corruption, must be bounded by a constant factor of the original RMS error
We win if we can limit
The attacker wins if he manages to unbound

Examples of (k,)-resilient aggregation functions
Non-resilient, example: Average
[Figure: AVG over x1, x2, x3, x4 yields y; a second AVG over x1, x2, x3 and a perturbed x4 yields a shifted y; caption: rms(y)> rms(y)]
Resilient, examples:
Aggregation function Resilience Breakdown point ε*
Sample median wrt Gaussian distribution
21 2 ( / )k n , if k n 0.5
5%-trimmed average wrt Gaussian distribution
1 6.278 /k n , if k < 0.05n 0.05
[l, u]-truncated average wrt Gaussian distribution
1 ( ) / /u l k n Not applicable
Count wrt Bernoulli distribution with parameter p
21 / [ (1 )]k np p Not applicable

RANBAR
Based on RANdom SAmple Consensus, which originates in computer vision (hence the name RANBAR = RANsac-Based AggRegation [Buttyán et al. 06])
Step 1: Use as few samples as possible to determine a preliminary model
Step 2: Use the preliminary model to identify samples that are consistent with the model
Step 3: Refine the model with all the samples that are found to be consistent

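The robust-statistics and RANBAR slides above, as an added example that is not part of the original slides: it measures how far the average, the median, the 5%-trimmed average and a simplified RANSAC-style aggregate drift when k of 40 one-hop readings are Byzantine. The readings, the tolerance, the round count and the scalar "model" (median of a 3-reading sample) are assumptions made here; this is not the RANBAR algorithm of [Buttyán et al. 06], only the three steps listed on the slide.

```python
import random
import statistics

# Constructed sample: 40 honest temperature readings between 19.5 and 20.5.
HONEST = [20 + ((7 * i) % 11 - 5) * 0.1 for i in range(40)]


def corrupt(readings, k, value=1000.0):
    """Model k Byzantine nodes: the first k readings are replaced by `value`."""
    return [value] * k + list(readings[k:])


def average(xs):
    return sum(xs) / len(xs)


def trimmed_average(xs, frac=0.05):
    """Discard the lowest and highest `frac` of the readings, average the rest."""
    s = sorted(xs)
    cut = int(len(s) * frac + 1e-9)
    core = s[cut:len(s) - cut]
    return sum(core) / len(core)


def ransac_average(xs, tol, rounds=50, sample_size=3, seed=1):
    """RANSAC-style aggregation following the three steps on the slide."""
    rng = random.Random(seed)
    best = []
    for _ in range(rounds):
        # Step 1: preliminary model from as few samples as possible.
        model = statistics.median(rng.sample(xs, sample_size))
        # Step 2: readings that are consistent with the preliminary model.
        consensus = [x for x in xs if abs(x - model) <= tol]
        if len(consensus) > len(best):
            best = consensus
    # Step 3: refine the model using only the consistent readings.
    return average(best), len(best)


def error(estimate):
    """Distance from the average of the uncorrupted readings."""
    return abs(estimate - average(HONEST))


def compare(k):
    """Error of each aggregation function when k readings are corrupted."""
    xs = corrupt(HONEST, k)
    ransac, kept = ransac_average(xs, tol=2.0)
    return {
        "average": error(average(xs)),
        "median": error(statistics.median(xs)),
        "trimmed": error(trimmed_average(xs)),
        "ransac": error(ransac),
        "ransac_kept": kept,
    }


if __name__ == "__main__":
    for k in (1, 3, 10):
        print(k, compare(k))
```

With n = 40 the trimmed average discards two readings at each end, so it absorbs k = 1 but not k = 3, which is the 0.05 breakdown point in the table above.
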
Quantiles aggregation (extending resilient aggregation to multihop)
[Figure: medians taken hop by hop over the readings 1, 2, 3 and 4, 16 (intermediate values 2, 10, 6 and 4 shown in the figure); actual median = 3]
This approach suggests that instead of taking a median every hop on the way, we should compress the data judiciously at each hop

Quantiles aggregation
Rules for deriving a q-digest:
Rule (A): count(node) + count(parent) + count(siblings) ≥ n/k + 1
Rule (B): count(node) n/k
q-digest in this example: {<8,2>,<9,2>,<1,1>}
[Figure: binary tree over the value range; tree nodes are numbered and each carries a count]

Quantiles aggregation
Derived median = data value represented by node 9 = 3.5
Actual median = 3
[Figure: binary tree over the value range; tree nodes are numbered and each carries a count]

Resilient aggregation guidelines
 | 1-hop | multihop
Data distribution known | Robust statistics, RANBAR | Quantiles aggregation
Data distribution unknown | Robust statistics | Quantiles aggregation
Two approaches actually:
(1) estimate by minimizing effects of outliers
(2) detect outliers and estimate without outliers

Progress so far…
[Figure: the multipronged defence diagram, repeated]

Voting
Resource-intensive, only good for mission-critical, small-scale networks
[Figure: readings 1, 1, 2, 3 and 300, with malicious nodes marked. The witness nodes are asked "is mean = 61.4 reasonable?" and answer No, No, No, No, Yes. Conclusion: "Alright, 61.4 is not reasonable!"]

Privacy homomorphism (PH)
First proposed by Rivest et al. in 1978 to process encrypted data without decrypting the data first
A function is (,)-homomorphic if
f(x) f(y) = f(x y)
where ‘’ is an operator in the range and ‘’ is an operator in the domain.
If f is an encryption function and the inverse function f^-1 is the corresponding decryption function, then f is a PH.

Types of PHs
There are three main approaches to PHs in WSNs so far:
  PHs that are based on polynomial rings, e.g., Domingo-Ferrer's scheme
  PHs that are based on one-time pads
  homomorphic public-key cryptosystems
Insecure under known-plaintext attacks. Attacks involve only computation of gcd and linear algebra [Wagner 03]

PHs based on one-time pads
Encryption:
$C = \sum_{i=1}^{n} E(k_i, m_i) = \left( \sum_{i=1}^{n} m_i + \sum_{i=1}^{n} k_i \right) \bmod p$
Decryption by sink:
$\sum_{i=1}^{n} m_i \bmod p = C - \sum_{i=1}^{n} k_i \bmod p$
[Figure: each source adds a one-time pad to its reading. m1 + k1 and m2 + k2 are combined into m1 + m2 + k1 + k2; adding m3 + k3 gives m1+m2+m3+k1+k2+k3; adding m4 + k4 gives m1+m2+m3+m4+k1+k2+k3+k4, which reaches the sink]
Drawbacks:
  Use of the addition operator in place of the XOR operator in the plaintext space is unproven in terms of security
  Synchronization of keys causes scalability problem

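The additive one-time-pad scheme above, as an added example that is not part of the original slides. It assumes each pad k_i is derived per epoch with HMAC-SHA256 from a key the source shares with the sink, p = 2^32, and constructed keys and readings; the second call pattern shows the key-synchronization drawback, since the sink must know exactly which sources contributed.

```python
import hashlib
import hmac

P = 2 ** 32  # modulus p; must exceed (number of sources) x (largest reading)


def pad(node_key: bytes, epoch: int) -> int:
    """One-time pad k_i for this epoch, derived from the key node i shares with the sink."""
    digest = hmac.new(node_key, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % P


def encrypt(reading: int, node_key: bytes, epoch: int) -> int:
    """E(k_i, m_i) = (m_i + k_i) mod p, computed on the source node."""
    return (reading + pad(node_key, epoch)) % P


def aggregate(*ciphertexts: int) -> int:
    """Aggregator: add ciphertexts mod p. No key is needed and no plaintext is seen."""
    return sum(ciphertexts) % P


def sink_decrypt(total: int, contributor_keys, epoch: int) -> int:
    """Sum of m_i = (C - sum of k_i) mod p, over the nodes the sink believes reported."""
    pads = sum(pad(k, epoch) for k in contributor_keys) % P
    return (total - pads) % P


# Constructed sample data: four sources with their sink-shared keys and readings.
KEYS = {i: b"constructed-demo-key-%d" % i for i in (1, 2, 3, 4)}
READINGS = {1: 21, 2: 23, 3: 22, 4: 25}


def run_epoch(epoch: int, reporting=(1, 2, 3, 4), sink_assumes=(1, 2, 3, 4)) -> int:
    """Chain the sources hop by hop as in the figure, then decrypt at the sink."""
    running = 0
    for i in reporting:
        running = aggregate(running, encrypt(READINGS[i], KEYS[i], epoch))
    return sink_decrypt(running, [KEYS[i] for i in sink_assumes], epoch)


if __name__ == "__main__":
    print(run_epoch(7))                                               # all four report
    print(run_epoch(7, reporting=(1, 2, 3)))                          # node 4 silent, sink unaware
    print(run_epoch(7, reporting=(1, 2, 3), sink_assumes=(1, 2, 3)))  # sink told who reported
```
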
[Figure: aggregation tree with nodes labelled "aggregate", generalized to generic traffic]
In Secure Data Aggregation, we secure one-way traffic.
In Key Management, we secure generic traffic.

Part Two
Key management

Components
Key management:
  Protocol verification
  Key establishment
  Key refreshment
  Key revocation

Protocol verification
Verification gives us indication and confidence of security
If we simulate unbounded sessions, verification of secrecy and authentication is undecidable
If we limit number of parallel sessions, we can use constraint solving for verification
Model: strand space model
Tool: CoProVe implements the strand space model using constraint solving (Prolog)

Strand space model
Protocol | Strand space model | Example
Role: What a principal does in the protocol | Strand: A sequence of events | Initiator, responder, server
Complete run: A complete iteration of the protocol | Bundle: A set of strands, legitimate or otherwise, hooked together where one strand sends a message and another receives that same message, that represents a full protocol exchange | 1. Initiator → Attacker: … 2. Attacker → Responder: … 3. Responder → Attacker: … 4. Attacker → Initiator: …

Node-to-node key establishment
A wants to establish a secure channel with B via a common trusted node S:
A → B: NA || A
B → S: NA || NB || A || B || MAC(KBS, NA || NB || A || B)
S → A: E(KAS, KAB) || MAC(KAS, NA || B || E(KAS, KAB))
S → B: E(KBS, KAB) || MAC(KBS, NB || A || E(KBS, KAB))
A → B: Ack || MAC(KAB, Ack)
[Figure: the same five messages drawn between nodes A, B and S]

Key establishment
Definition: a process or protocol whereby a shared secret key becomes available to two or more parties, for subsequent cryptographic use
Types:
  Key establishment
    Key transport
    Key agreement
      Key pre-distribution: a key agreement protocol whereby the resulting established keys are completely determined a priori by initial keying material

Protocol design by communication modes
Global broadcasts:
  Authenticated broadcast using μTESLA
Local broadcasts:
  Passive participation
Unicast:
  Only consider neighbour-to-neighbour
  Multihop can be secured hop by hop
  Random key pre-distribution schemes
  LEAP+
  EBS

Global broadcast: μTESLA
"Micro" version of the Timed, Efficient, Streaming, Loss-tolerant Authentication Protocol
Authenticated broadcast
Time interval i, message: Mi || MAC(Ki, Mi)
Time interval i+δ, message: Mi+δ || Ki || MAC(Ki+δ, Mi+δ || Ki)
Authentication succeeds if
(1) Ki generates MAC
(2) and there exists a past key Kj = H^(i-j)(Ki)
Key chain: K1, K2, K3, K4, ……, Kn, with Ki-1 = h(Ki)
Keys are generated in reverse order
Keys are released in forward order

μTESLA example (1)
(1) Generate one-way reverse key chain on the base station [Figure: K1, K2, K3, K4 linked by h()]
(2) Give K1 to everybody
(3) Generate one-way reverse key chain on the base station [Figure: every node holds K1; the packet M, K2, MAC(K3, …) is broadcast]

μTESLA example (2)
(4) K2 is genuine because h(K2) = K1, but packet tagged with MAC(K3, M||K2) still needs to be authenticated [Figure: nodes hold K2 and the buffered M, MAC(K3, …)]
(5) Base station later sends K3 that can be used to authenticate message M [Figure: the packet M2, K3, MAC(K4, …) is broadcast]
Authentication steps:
(a) K3 is genuine because K2 = h(K3)
(b) M is genuine because K3 is genuine and K3 authenticates M

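The receiver side of the μTESLA walk-through above, as an added example that is not part of the original slides. It assumes SHA-256 for h and HMAC-SHA256 for MAC, uses constructed keys and messages, and leaves out the loose time synchronisation a deployment needs to decide whether a packet arrived before its key was disclosed; the demo also shows loss tolerance, since K3 is verified against K1 although K2 was never received.

```python
import hashlib
import hmac


def h(key: bytes) -> bytes:
    """One-way function of the key chain: K(i-1) = h(K(i))."""
    return hashlib.sha256(key).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_chain(last_key: bytes, n: int) -> list:
    """Return [K1, ..., Kn]: generated in reverse from Kn, released forwards."""
    chain = [last_key]
    for _ in range(n - 1):
        chain.append(h(chain[-1]))
    return chain[::-1]


class Receiver:
    def __init__(self, k1: bytes):
        self.idx, self.key = 1, k1  # newest authenticated chain key (K1 is pre-loaded)
        self.pending = {}           # interval -> [(msg, tag)] awaiting key disclosure

    def buffer(self, interval: int, msg: bytes, tag: bytes) -> None:
        # Keep only packets whose key is still undisclosed from this node's view.
        if interval > self.idx:
            self.pending.setdefault(interval, []).append((msg, tag))

    def disclose(self, i: int, key: bytes) -> list:
        """Process a key claimed to be Ki; return the messages it authenticates."""
        if i <= self.idx:
            return []
        keys = {i: key}
        for j in range(i - 1, self.idx - 1, -1):
            keys[j] = h(keys[j + 1])          # derives K(i-1), ..., K(idx)
        if not hmac.compare_digest(keys[self.idx], self.key):
            return []                         # not on the chain: reject the key
        accepted = []
        for j in range(self.idx + 1, i + 1):  # also covers intervals whose key was lost
            for msg, tag in self.pending.pop(j, []):
                if hmac.compare_digest(mac(keys[j], msg), tag):
                    accepted.append(msg)
        self.idx, self.key = i, key
        return accepted


def demo() -> dict:
    """Constructed run: base station chain K1..K4, one receiver holding K1."""
    k1, k2, k3, k4 = make_chain(b"constructed-secret-K4", 4)
    rx = Receiver(k1)
    rx.buffer(3, b"M", mac(k3, b"M"))                  # genuine packet of interval 3
    rx.buffer(3, b"forged", mac(b"guess", b"forged"))  # tag made without K3
    rx.buffer(4, b"M2", mac(k4, b"M2"))
    return {
        "bogus_key": rx.disclose(3, b"\x00" * 32),  # fails the chain check
        "k3": rx.disclose(3, k3),                   # two hashes reach K1
        "replay_k3": rx.disclose(3, k3),            # already disclosed: ignored
        "k4": rx.disclose(4, k4),
    }
```
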
Local broadcast: Passive participation
[Figure: node A broadcasting to neighbours B, C, D, E. A neighbour: "A is just transmitting data similar to what I have, so I shall not transmit."]
Passive participation: nodes B, C, D, E suppress their transmissions when they find A transmitting about the same data
To secure passive participation, A uses a cluster key and a one-way key chain to achieve encrypted and authenticated local broadcast

Local broadcast: Passive participation
If only the key chain is used, the keys in the key chain would have to be broadcast in the clear, and in the absence of time interval differentiation, a cluster-outsider would be able to forge messages using these keys
If only the cluster key is used, authentication of the sender cannot be achieved
But if used together, the cluster key can be used to encrypt messages as well as to hide the key chain keys from cluster-outsiders; and at the same time, the key chain keys can be used for authentication
[Figure: nodes A, B, C, D]

Securing unicast
Random key pre-distribution schemes
LEAP+
EBS

Random key pre-distribution (RKP)
[Figure: each node draws its 'keying material' at random from a pool. Are two nodes able to establish a session key?]
P = pool size (4 in this example)
K = key ring size (1 in this example)

Random key pre-distribution (RKP)
Different types:
Type 1 | Type 2 | Type 3
Symmetric key [Eschenauer & Gligor 02] | Symmetric bivariate polynomial [Liu et al. 05] | Part of a matrix [Du et al. 05]
Symmetric bivariate polynomial:
$f(x, y) = \sum_{i,j=0}^{t} a_{ij} x^i y^j$

Symmetric-key-based RKP
[Figure: one node holds keys 1, 2, 3, 4 and its neighbour holds keys 1, 5, 6, 7]
"I've got keys 1, 2, 3, 4"
"I've got keys 1, 5, 6, 7"
Both: "OK, so our session key can be derived from key 1"
Although not all neighbouring pairs of nodes can establish a session key (aka pairwise key), the network will remain connected, with a suitable choice of K and P.
K = key ring size (4 in this example)
P = key pool size (7 in this example)

Symmetric-key-based RKP
[Plots: Pr{connectivity ≥ k} vs k, together with the expected connectivity, for K = 4, P = 15 (RMSE = 0.0427) and for K = 4, P = 30 (RMSE = 0.0436)]
Derived from results of random geometric graphs [Law et al. 07]

Polynomial-based RKP
Pool:
  f1(x, y) = 1 + 2y + 3y^2 + 2x + xy + 4xy^2 + 3x^2 + 4x^2y + x^2y^2
  f2(x, y) = 2 + 3y + 5y^2 + 3x + 2xy + 7xy^2 + 5x^2 + 7x^2y + 2x^2y^2
  f3(x, y) = 3 + 4y + 5y^2 + 4x + 3xy + 6xy^2 + 5x^2 + 6x^2y + 3x^2y^2
Node 1: "I've got f1(), f2()"
  f1(1, y) = 6 + 7y + 8y^2
  f2(1, y) = 10 + 12y + 14y^2
Node 2: "I've got f2(), f3()"
  f2(2, y) = 28 + 35y + 27y^2
  f3(2, y) = 31 + 34y + 29y^2
Both: "OK, so our session key can be derived from f2()"
In this example, t = 2, K = 2, P = 3
The pairwise key is f2(1,2) = f2(2,1) = 10 + 24 + 56 = 28 + 35 + 27 = 90*
*In reality, the value must of course be as large as normal crypto keys
Storage requirement: K(t + 1) coefficients, where t is the threshold
$f(x, y) = \sum_{i,j=0}^{t} a_{ij} x^i y^j$

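The slide's polynomial pool worked through in code, as an added example that is not part of the original slides. The coefficient matrices are the slide's f1, f2 and f3; the Node class, the rule of picking the first common polynomial by name, and the optional prime modulus q (standing in for the slide's remark that real values must be as large as normal keys) are assumptions made here.

```python
# Pool from the slide: a[i][j] is the coefficient of x^i y^j, with a[i][j] == a[j][i].
POOL = {
    "f1": [[1, 2, 3], [2, 1, 4], [3, 4, 1]],
    "f2": [[2, 3, 5], [3, 2, 7], [5, 7, 2]],
    "f3": [[3, 4, 5], [4, 3, 6], [5, 6, 3]],
}


def is_symmetric(a):
    """f(x, y) = f(y, x) holds exactly when the coefficient matrix is symmetric."""
    return all(a[i][j] == a[j][i] for i in range(len(a)) for j in range(len(a)))


def share(a, node_id, q=None):
    """Pre-distribution: fix x = node_id, leaving the t + 1 coefficients of f(node_id, y)."""
    coeffs = [sum(a[i][j] * node_id ** i for i in range(len(a))) for j in range(len(a))]
    return [c % q for c in coeffs] if q else coeffs


def evaluate(coeffs, y, q=None):
    """Horner evaluation of a stored share at the peer's ID."""
    acc = 0
    for c in reversed(coeffs):
        acc = acc * y + c
        if q:
            acc %= q
    return acc


class Node:
    def __init__(self, node_id, poly_names, q=None):
        self.node_id, self.q = node_id, q
        # Key ring: K shares of t + 1 coefficients each, so K(t + 1) values stored.
        self.ring = {name: share(POOL[name], node_id, q) for name in poly_names}

    def pairwise_key(self, peer_id, peer_poly_names):
        """Return (polynomial name, key), or None when no polynomial is shared."""
        common = sorted(set(self.ring) & set(peer_poly_names))
        if not common:
            return None
        name = common[0]
        return name, evaluate(self.ring[name], peer_id, self.q)


if __name__ == "__main__":
    n1, n2 = Node(1, ["f1", "f2"]), Node(2, ["f2", "f3"])
    print(n1.ring, n2.ring)
    print(n1.pairwise_key(2, n2.ring), n2.pairwise_key(1, n1.ring))
```
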
Matrix-based RKP
Vandermonde-like generator matrix:
$G = \begin{bmatrix} 1 & 1 & 1 & \cdots & 1 \\ s & s^2 & s^3 & \cdots & s^N \\ s^2 & (s^2)^2 & (s^3)^2 & \cdots & (s^N)^2 \\ \vdots & \vdots & \vdots & & \vdots \\ s^t & (s^2)^t & (s^3)^t & \cdots & (s^N)^t \end{bmatrix}$
N = number of nodes = number of columns
This seed can be used as an ID
Random symmetric matrices: D1, D2, D3, D4
M1 = (D1 G)^T, M2, M3, M4

Matrix-based RKP
Pool: M1, M2, M3, M4
Node 1 holds M1(1), M2(1): "I've got M1, M2", "Here's G(1)"
Node 2 holds M2(2), M3(2): "I've got M2, M3", "Here's G(2)"
Both: "OK, so our session key can be derived from M2"
Pairwise key = M2(1)G(2) = M2(2)G(1)
Storage requirement: K(t+1)+1 coefficients, where t is the threshold

Node-to-node key establishment
RKP schemes only good for keying two neighbouring nodes with common key(s); what about neighbours without any common key? Use common trusted node
A wants to establish a secure channel with B via a common trusted node S:
A → B: NA || A
B → S: NA || NB || A || B || MAC(KBS, NA || NB || A || B)
S → A: E(KAS, KAB) || MAC(KAS, NA || B || E(KAS, KAB))
S → B: E(KBS, KAB) || MAC(KBS, NB || A || E(KBS, KAB))
A → B: Ack || MAC(KAB, Ack)

LEAP+
LEAP+ is a key pre-distribution scheme but not random
Every node is pre-distributed with Kin
[Figure: node A (initial key Kin) joins next to node B (node key KB = PRF(Kin, B), Kin already deleted); steps numbered 0 to 4]
0 A sets timer
A: "Hello, I'm A"
B: "I'm B"
A and B compute pairwise key = PRF(PRF(Kin, B), A)
4 Timer fires, A deletes Kin

EBS (Exclusion Basis System)
[Figure: matrix of keys against nodes]
$\binom{P}{K} = \binom{6}{4} = 15$ key combinations
Pro: Two nodes always share at least 2K-P keys.
Con: When a node is compromised, more than half of the keys in the key pool are compromised.

Key refreshment
Why? The more a key is used, the more it is open to cryptanalytic attacks, birthday attacks etc.
Parallel re-keying:
  Lose the key K, then all past and future keys are exposed
  Not suitable for WSNs

Key refreshment
Serial re-keying: preferable because of forward security
Lose this, then all future keys are compromised
But past keys are intact
Only need to store this:
0
1 times -1 times
(... ( ,0)...,0)i i
PRF PRF K

Which keys to revoke?
When A is compromised:
  Global broadcast keys: B, C, D, E need to have their copies of K_S^global replaced
  Local broadcast keys: B, C, D, E need to purge K_A^cluster and K_A^chain; B needs to re-gen and re-distribute K_B^cluster and K_B^chain; similarly for C, D, E
Big picture:
[Figure: base station S with K_S^global and K_S^chain; compromised node A surrounded by B, C, D, E, each with its own cluster key and key chain (K_B^cluster, K_B^chain, K_C^cluster, K_C^chain, K_D^cluster, K_D^chain, K_E^cluster, K_E^chain) and copies of K_S^global and K_S^chain]

Strategy
[Figure label: Gateway]

Re-keying unicast keys
If using polynomial-based or matrix-based RKP or LEAP+, do nothing
If using symmetric key-based RKP, re-keying is desirable but can be done without
If using EBS, re-keying is a must
Big picture:
[Figure: the key layout around compromised node A, repeated]

Re-keying local broadcast keys

Re-keying global broadcast keys
New global key is propagated from the base station in two stages:
(1) The hash of the key is propagated
(2) Then the key itself
Over each hop, the key is protected by a cluster key and a cluster key chain

Thank y'all
Dank u
Danke
Grazie
Mult'umesc
Dziekuje
Köszönöm
Tesekkurler
Shukran
धन्यवाद
谢谢