Upload
bhumikashah22111990
View
203
Download
1
Tags:
Embed Size (px)
DESCRIPTION
tesla & snep
Citation preview
SPINS Security Protocols for Sensor SPINS Security Protocols for Sensor NetworksNetworks
By BHUMIKA SHAH(ME IT)
OutlineOutline Introduction to sensor networks
-What are sensor network
-Hardware
Security for sensor networks
- Research Problem
Proposed Techniques
- SPINS building blocks Applications Discussion Conclusion
Sensor networksSensor networksApplicationsenvironmental monitoring and disaster
preventionbuilding monitoring and automationmonitoring the physical conditions of patients
(eg elderly people) battlefield
Energy consumption is an issuemulti-hop communications in-network
processingspecially designed protocolssleep modeenergy harvesting
Hardware specification[1]Hardware specification[1]
Is security on sensors possible at all[1]Is security on sensors possible at all[1]Memory constraints-
-memory is not enough to store even the variables of standard asymmetric key crypto systems
-standard implementations of symmetric key primitives (ciphers and hash functions) need to be optimized in order to fit in the memory
-available memory may increase in the future (price is still an issue)
-some asymmetric crypto systems may require less resources
Processor-
-4 MHz 8 bit RISC processor with 32 general purpose registers
-limited instruction set
bull good support for bit- and byte-level IO operations
bull lack of arithmetic and logic operations
Battery power-
-will remain a crucial limitation for some time
-communications consume much more energy than computation
-crypto algorithms and PROTOCOLS must be designed and optimized to reduce energy consumption
System AssumptionsSystem Assumptions
Communication patterns
-Node to base station (eg sensor readings)
-Base station to node (eg specific requests)
-Base station to all nodes Base Station
-Sufficient memory power
-Shares secret key with each node Node
-Limited resources limited trust
A
B
D
EF
G
C
Base Station
Communication architecture[23]Communication architecture[23] RF communications broadcast
ndash easy to eavesdrop messages
ndash easy to inject fake messages
ndash easy to delete messages (jamming)
ndash modification of messages on-the-fly is hard
ndash but delete ndash modify - re-inject may work Typical communication patterns
ndash many-to-one (nodes to base station) (measurement)
ndash one-to-many (base station to all nodes) (control information) Nodes can
ndash recognize packets addressed to them (addressing)
ndash handle broadcast messages
ndash forward packets toward the base station (using the routing topology)
The base station can access individual nodes using source routing if needed
Trust setup[1]Trust setup[1]
The base station is trusted by all nodes
Sensor nodes are untrusted
ndash they are unattended
ndash they are not tamper resistant
ndash they can be captured and compromised
RF communication channels are untrusted
Initial keys
ndash each node has a unique key that it shares with the base station
ndash compromise of this key affects only a single sensor
Time synchronization
ndash upper bound on the node lsquos clock drift
Security for Sensor Networks[1]Security for Sensor Networks[1] Data Authentication-
ndash it is easy to inject fake packets into the network
ndash special requirements of broadcast authentication
bull symmetric MAC cannot be used
bull asymmetric digital signatures are not feasible Data Confidentiality-
ndash sensor readings might be sensitive some control data (eg keys) must be kept secret
ndash eavesdropping is easy Data Integrity-integrity of sensor readings and control data is important Data Freshness-freshness of sensor readings is usually important and replay of old
packets is easy
ndash weak freshness
bull provides partial message ordering but no delay information
bull useful for sensor readings
ndash strong freshness
bull allows delay estimation
bull required by time synchronization
Notation[4]Notation[4]
ContributionsContributions
SNEP
-Sensor Network Encryption Protocol
-Secures point-to-point communication
microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication
-Provides broadcast authentication
Properties of SNEP[1]Properties of SNEP[1]
Semantic security
ndash same messages are encrypted differently each time due to the different counter value
Data authentication and integrity by using MAC Weak freshness and replay protection
ndash counter is part of the MAC
ndash it ensures message ordering Low communication overhead
ndash counter is not sent it is maintained locally by both parties
ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages
ndash MAC adds only 8 bytes per message Reduced computational overhead
ndash MAC verification doesnrsquot need decryption
Key Generation Setup[4]Key Generation Setup[4]
Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key
Encryption key
Message Authentication code key
Random number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
OutlineOutline Introduction to sensor networks
-What are sensor network
-Hardware
Security for sensor networks
- Research Problem
Proposed Techniques
- SPINS building blocks Applications Discussion Conclusion
Sensor networksSensor networksApplicationsenvironmental monitoring and disaster
preventionbuilding monitoring and automationmonitoring the physical conditions of patients
(eg elderly people) battlefield
Energy consumption is an issuemulti-hop communications in-network
processingspecially designed protocolssleep modeenergy harvesting
Hardware specification[1]Hardware specification[1]
Is security on sensors possible at all[1]Is security on sensors possible at all[1]Memory constraints-
-memory is not enough to store even the variables of standard asymmetric key crypto systems
-standard implementations of symmetric key primitives (ciphers and hash functions) need to be optimized in order to fit in the memory
-available memory may increase in the future (price is still an issue)
-some asymmetric crypto systems may require less resources
Processor-
-4 MHz 8 bit RISC processor with 32 general purpose registers
-limited instruction set
bull good support for bit- and byte-level IO operations
bull lack of arithmetic and logic operations
Battery power-
-will remain a crucial limitation for some time
-communications consume much more energy than computation
-crypto algorithms and PROTOCOLS must be designed and optimized to reduce energy consumption
System AssumptionsSystem Assumptions
Communication patterns
-Node to base station (eg sensor readings)
-Base station to node (eg specific requests)
-Base station to all nodes Base Station
-Sufficient memory power
-Shares secret key with each node Node
-Limited resources limited trust
A
B
D
EF
G
C
Base Station
Communication architecture[23]Communication architecture[23] RF communications broadcast
ndash easy to eavesdrop messages
ndash easy to inject fake messages
ndash easy to delete messages (jamming)
ndash modification of messages on-the-fly is hard
ndash but delete ndash modify - re-inject may work Typical communication patterns
ndash many-to-one (nodes to base station) (measurement)
ndash one-to-many (base station to all nodes) (control information) Nodes can
ndash recognize packets addressed to them (addressing)
ndash handle broadcast messages
ndash forward packets toward the base station (using the routing topology)
The base station can access individual nodes using source routing if needed
Trust setup[1]Trust setup[1]
The base station is trusted by all nodes
Sensor nodes are untrusted
ndash they are unattended
ndash they are not tamper resistant
ndash they can be captured and compromised
RF communication channels are untrusted
Initial keys
ndash each node has a unique key that it shares with the base station
ndash compromise of this key affects only a single sensor
Time synchronization
ndash upper bound on the node lsquos clock drift
Security for Sensor Networks[1]Security for Sensor Networks[1] Data Authentication-
ndash it is easy to inject fake packets into the network
ndash special requirements of broadcast authentication
bull symmetric MAC cannot be used
bull asymmetric digital signatures are not feasible Data Confidentiality-
ndash sensor readings might be sensitive some control data (eg keys) must be kept secret
ndash eavesdropping is easy Data Integrity-integrity of sensor readings and control data is important Data Freshness-freshness of sensor readings is usually important and replay of old
packets is easy
ndash weak freshness
bull provides partial message ordering but no delay information
bull useful for sensor readings
ndash strong freshness
bull allows delay estimation
bull required by time synchronization
Notation[4]Notation[4]
ContributionsContributions
SNEP
-Sensor Network Encryption Protocol
-Secures point-to-point communication
microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication
-Provides broadcast authentication
Properties of SNEP[1]Properties of SNEP[1]
Semantic security
ndash same messages are encrypted differently each time due to the different counter value
Data authentication and integrity by using MAC Weak freshness and replay protection
ndash counter is part of the MAC
ndash it ensures message ordering Low communication overhead
ndash counter is not sent it is maintained locally by both parties
ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages
ndash MAC adds only 8 bytes per message Reduced computational overhead
ndash MAC verification doesnrsquot need decryption
Key Generation Setup[4]Key Generation Setup[4]
Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key
Encryption key
Message Authentication code key
Random number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Sensor networksSensor networksApplicationsenvironmental monitoring and disaster
preventionbuilding monitoring and automationmonitoring the physical conditions of patients
(eg elderly people) battlefield
Energy consumption is an issuemulti-hop communications in-network
processingspecially designed protocolssleep modeenergy harvesting
Hardware specification[1]Hardware specification[1]
Is security on sensors possible at all[1]Is security on sensors possible at all[1]Memory constraints-
-memory is not enough to store even the variables of standard asymmetric key crypto systems
-standard implementations of symmetric key primitives (ciphers and hash functions) need to be optimized in order to fit in the memory
-available memory may increase in the future (price is still an issue)
-some asymmetric crypto systems may require less resources
Processor-
-4 MHz 8 bit RISC processor with 32 general purpose registers
-limited instruction set
bull good support for bit- and byte-level IO operations
bull lack of arithmetic and logic operations
Battery power-
-will remain a crucial limitation for some time
-communications consume much more energy than computation
-crypto algorithms and PROTOCOLS must be designed and optimized to reduce energy consumption
System AssumptionsSystem Assumptions
Communication patterns
-Node to base station (eg sensor readings)
-Base station to node (eg specific requests)
-Base station to all nodes Base Station
-Sufficient memory power
-Shares secret key with each node Node
-Limited resources limited trust
A
B
D
EF
G
C
Base Station
Communication architecture[23]Communication architecture[23] RF communications broadcast
ndash easy to eavesdrop messages
ndash easy to inject fake messages
ndash easy to delete messages (jamming)
ndash modification of messages on-the-fly is hard
ndash but delete ndash modify - re-inject may work Typical communication patterns
ndash many-to-one (nodes to base station) (measurement)
ndash one-to-many (base station to all nodes) (control information) Nodes can
ndash recognize packets addressed to them (addressing)
ndash handle broadcast messages
ndash forward packets toward the base station (using the routing topology)
The base station can access individual nodes using source routing if needed
Trust setup[1]Trust setup[1]
The base station is trusted by all nodes
Sensor nodes are untrusted
ndash they are unattended
ndash they are not tamper resistant
ndash they can be captured and compromised
RF communication channels are untrusted
Initial keys
ndash each node has a unique key that it shares with the base station
ndash compromise of this key affects only a single sensor
Time synchronization
ndash upper bound on the node lsquos clock drift
Security for Sensor Networks[1]Security for Sensor Networks[1] Data Authentication-
ndash it is easy to inject fake packets into the network
ndash special requirements of broadcast authentication
bull symmetric MAC cannot be used
bull asymmetric digital signatures are not feasible Data Confidentiality-
ndash sensor readings might be sensitive some control data (eg keys) must be kept secret
ndash eavesdropping is easy Data Integrity-integrity of sensor readings and control data is important Data Freshness-freshness of sensor readings is usually important and replay of old
packets is easy
ndash weak freshness
bull provides partial message ordering but no delay information
bull useful for sensor readings
ndash strong freshness
bull allows delay estimation
bull required by time synchronization
Notation[4]Notation[4]
ContributionsContributions
SNEP
-Sensor Network Encryption Protocol
-Secures point-to-point communication
microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication
-Provides broadcast authentication
Properties of SNEP[1]Properties of SNEP[1]
Semantic security
ndash same messages are encrypted differently each time due to the different counter value
Data authentication and integrity by using MAC Weak freshness and replay protection
ndash counter is part of the MAC
ndash it ensures message ordering Low communication overhead
ndash counter is not sent it is maintained locally by both parties
ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages
ndash MAC adds only 8 bytes per message Reduced computational overhead
ndash MAC verification doesnrsquot need decryption
Key Generation Setup[4]Key Generation Setup[4]
Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key
Encryption key
Message Authentication code key
Random number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Hardware specification[1]Hardware specification[1]
Is security on sensors possible at all[1]Is security on sensors possible at all[1]Memory constraints-
-memory is not enough to store even the variables of standard asymmetric key crypto systems
-standard implementations of symmetric key primitives (ciphers and hash functions) need to be optimized in order to fit in the memory
-available memory may increase in the future (price is still an issue)
-some asymmetric crypto systems may require less resources
Processor-
-4 MHz 8 bit RISC processor with 32 general purpose registers
-limited instruction set
bull good support for bit- and byte-level IO operations
bull lack of arithmetic and logic operations
Battery power-
-will remain a crucial limitation for some time
-communications consume much more energy than computation
-crypto algorithms and PROTOCOLS must be designed and optimized to reduce energy consumption
System AssumptionsSystem Assumptions
Communication patterns
-Node to base station (eg sensor readings)
-Base station to node (eg specific requests)
-Base station to all nodes Base Station
-Sufficient memory power
-Shares secret key with each node Node
-Limited resources limited trust
A
B
D
EF
G
C
Base Station
Communication architecture[23]Communication architecture[23] RF communications broadcast
ndash easy to eavesdrop messages
ndash easy to inject fake messages
ndash easy to delete messages (jamming)
ndash modification of messages on-the-fly is hard
ndash but delete ndash modify - re-inject may work Typical communication patterns
ndash many-to-one (nodes to base station) (measurement)
ndash one-to-many (base station to all nodes) (control information) Nodes can
ndash recognize packets addressed to them (addressing)
ndash handle broadcast messages
ndash forward packets toward the base station (using the routing topology)
The base station can access individual nodes using source routing if needed
Trust setup[1]Trust setup[1]
The base station is trusted by all nodes
Sensor nodes are untrusted
ndash they are unattended
ndash they are not tamper resistant
ndash they can be captured and compromised
RF communication channels are untrusted
Initial keys
ndash each node has a unique key that it shares with the base station
ndash compromise of this key affects only a single sensor
Time synchronization
ndash upper bound on the node lsquos clock drift
Security for Sensor Networks[1]Security for Sensor Networks[1] Data Authentication-
ndash it is easy to inject fake packets into the network
ndash special requirements of broadcast authentication
bull symmetric MAC cannot be used
bull asymmetric digital signatures are not feasible Data Confidentiality-
ndash sensor readings might be sensitive some control data (eg keys) must be kept secret
ndash eavesdropping is easy Data Integrity-integrity of sensor readings and control data is important Data Freshness-freshness of sensor readings is usually important and replay of old
packets is easy
ndash weak freshness
bull provides partial message ordering but no delay information
bull useful for sensor readings
ndash strong freshness
bull allows delay estimation
bull required by time synchronization
Notation[4]Notation[4]
ContributionsContributions
SNEP
-Sensor Network Encryption Protocol
-Secures point-to-point communication
microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication
-Provides broadcast authentication
Properties of SNEP[1]Properties of SNEP[1]
Semantic security
ndash same messages are encrypted differently each time due to the different counter value
Data authentication and integrity by using MAC Weak freshness and replay protection
ndash counter is part of the MAC
ndash it ensures message ordering Low communication overhead
ndash counter is not sent it is maintained locally by both parties
ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages
ndash MAC adds only 8 bytes per message Reduced computational overhead
ndash MAC verification doesnrsquot need decryption
Key Generation Setup[4]Key Generation Setup[4]
Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key
Encryption key
Message Authentication code key
Random number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Is security on sensors possible at all[1]Is security on sensors possible at all[1]Memory constraints-
-memory is not enough to store even the variables of standard asymmetric key crypto systems
-standard implementations of symmetric key primitives (ciphers and hash functions) need to be optimized in order to fit in the memory
-available memory may increase in the future (price is still an issue)
-some asymmetric crypto systems may require less resources
Processor-
-4 MHz 8 bit RISC processor with 32 general purpose registers
-limited instruction set
bull good support for bit- and byte-level IO operations
bull lack of arithmetic and logic operations
Battery power-
-will remain a crucial limitation for some time
-communications consume much more energy than computation
-crypto algorithms and PROTOCOLS must be designed and optimized to reduce energy consumption
System AssumptionsSystem Assumptions
Communication patterns
-Node to base station (eg sensor readings)
-Base station to node (eg specific requests)
-Base station to all nodes Base Station
-Sufficient memory power
-Shares secret key with each node Node
-Limited resources limited trust
A
B
D
EF
G
C
Base Station
Communication architecture[23]Communication architecture[23] RF communications broadcast
ndash easy to eavesdrop messages
ndash easy to inject fake messages
ndash easy to delete messages (jamming)
ndash modification of messages on-the-fly is hard
ndash but delete ndash modify - re-inject may work Typical communication patterns
ndash many-to-one (nodes to base station) (measurement)
ndash one-to-many (base station to all nodes) (control information) Nodes can
ndash recognize packets addressed to them (addressing)
ndash handle broadcast messages
ndash forward packets toward the base station (using the routing topology)
The base station can access individual nodes using source routing if needed
Trust setup[1]Trust setup[1]
The base station is trusted by all nodes
Sensor nodes are untrusted
ndash they are unattended
ndash they are not tamper resistant
ndash they can be captured and compromised
RF communication channels are untrusted
Initial keys
ndash each node has a unique key that it shares with the base station
ndash compromise of this key affects only a single sensor
Time synchronization
ndash upper bound on the node lsquos clock drift
Security for Sensor Networks[1]Security for Sensor Networks[1] Data Authentication-
ndash it is easy to inject fake packets into the network
ndash special requirements of broadcast authentication
bull symmetric MAC cannot be used
bull asymmetric digital signatures are not feasible Data Confidentiality-
ndash sensor readings might be sensitive some control data (eg keys) must be kept secret
ndash eavesdropping is easy Data Integrity-integrity of sensor readings and control data is important Data Freshness-freshness of sensor readings is usually important and replay of old
packets is easy
ndash weak freshness
bull provides partial message ordering but no delay information
bull useful for sensor readings
ndash strong freshness
bull allows delay estimation
bull required by time synchronization
Notation[4]Notation[4]
ContributionsContributions
SNEP
-Sensor Network Encryption Protocol
-Secures point-to-point communication
microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication
-Provides broadcast authentication
Properties of SNEP[1]Properties of SNEP[1]
Semantic security
ndash same messages are encrypted differently each time due to the different counter value
Data authentication and integrity by using MAC Weak freshness and replay protection
ndash counter is part of the MAC
ndash it ensures message ordering Low communication overhead
ndash counter is not sent it is maintained locally by both parties
ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages
ndash MAC adds only 8 bytes per message Reduced computational overhead
ndash MAC verification doesnrsquot need decryption
Key Generation Setup[4]Key Generation Setup[4]
Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key
Encryption key
Message Authentication code key
Random number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
System AssumptionsSystem Assumptions
Communication patterns
-Node to base station (eg sensor readings)
-Base station to node (eg specific requests)
-Base station to all nodes Base Station
-Sufficient memory power
-Shares secret key with each node Node
-Limited resources limited trust
A
B
D
EF
G
C
Base Station
Communication architecture[23]Communication architecture[23] RF communications broadcast
ndash easy to eavesdrop messages
ndash easy to inject fake messages
ndash easy to delete messages (jamming)
ndash modification of messages on-the-fly is hard
ndash but delete ndash modify - re-inject may work Typical communication patterns
ndash many-to-one (nodes to base station) (measurement)
ndash one-to-many (base station to all nodes) (control information) Nodes can
ndash recognize packets addressed to them (addressing)
ndash handle broadcast messages
ndash forward packets toward the base station (using the routing topology)
The base station can access individual nodes using source routing if needed
Trust setup[1]Trust setup[1]
The base station is trusted by all nodes
Sensor nodes are untrusted
ndash they are unattended
ndash they are not tamper resistant
ndash they can be captured and compromised
RF communication channels are untrusted
Initial keys
ndash each node has a unique key that it shares with the base station
ndash compromise of this key affects only a single sensor
Time synchronization
ndash upper bound on the node lsquos clock drift
Security for Sensor Networks[1]Security for Sensor Networks[1] Data Authentication-
ndash it is easy to inject fake packets into the network
ndash special requirements of broadcast authentication
bull symmetric MAC cannot be used
bull asymmetric digital signatures are not feasible Data Confidentiality-
ndash sensor readings might be sensitive some control data (eg keys) must be kept secret
ndash eavesdropping is easy Data Integrity-integrity of sensor readings and control data is important Data Freshness-freshness of sensor readings is usually important and replay of old
packets is easy
ndash weak freshness
bull provides partial message ordering but no delay information
bull useful for sensor readings
ndash strong freshness
bull allows delay estimation
bull required by time synchronization
Notation[4]Notation[4]
ContributionsContributions
SNEP
-Sensor Network Encryption Protocol
-Secures point-to-point communication
microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication
-Provides broadcast authentication
Properties of SNEP[1]Properties of SNEP[1]
Semantic security
ndash same messages are encrypted differently each time due to the different counter value
Data authentication and integrity by using MAC Weak freshness and replay protection
ndash counter is part of the MAC
ndash it ensures message ordering Low communication overhead
ndash counter is not sent it is maintained locally by both parties
ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages
ndash MAC adds only 8 bytes per message Reduced computational overhead
ndash MAC verification doesnrsquot need decryption
Key Generation Setup[4]Key Generation Setup[4]
Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key
Encryption key
Message Authentication code key
Random number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Communication architecture[23]Communication architecture[23] RF communications broadcast
ndash easy to eavesdrop messages
ndash easy to inject fake messages
ndash easy to delete messages (jamming)
ndash modification of messages on-the-fly is hard
ndash but delete ndash modify - re-inject may work Typical communication patterns
ndash many-to-one (nodes to base station) (measurement)
ndash one-to-many (base station to all nodes) (control information) Nodes can
ndash recognize packets addressed to them (addressing)
ndash handle broadcast messages
ndash forward packets toward the base station (using the routing topology)
The base station can access individual nodes using source routing if needed
Trust setup[1]Trust setup[1]
The base station is trusted by all nodes
Sensor nodes are untrusted
ndash they are unattended
ndash they are not tamper resistant
ndash they can be captured and compromised
RF communication channels are untrusted
Initial keys
ndash each node has a unique key that it shares with the base station
ndash compromise of this key affects only a single sensor
Time synchronization
ndash upper bound on the node lsquos clock drift
Security for Sensor Networks[1]Security for Sensor Networks[1] Data Authentication-
ndash it is easy to inject fake packets into the network
ndash special requirements of broadcast authentication
bull symmetric MAC cannot be used
bull asymmetric digital signatures are not feasible Data Confidentiality-
ndash sensor readings might be sensitive some control data (eg keys) must be kept secret
ndash eavesdropping is easy Data Integrity-integrity of sensor readings and control data is important Data Freshness-freshness of sensor readings is usually important and replay of old
packets is easy
ndash weak freshness
bull provides partial message ordering but no delay information
bull useful for sensor readings
ndash strong freshness
bull allows delay estimation
bull required by time synchronization
Notation[4]Notation[4]
ContributionsContributions
SNEP
-Sensor Network Encryption Protocol
-Secures point-to-point communication
microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication
-Provides broadcast authentication
Properties of SNEP[1]Properties of SNEP[1]
Semantic security
ndash same messages are encrypted differently each time due to the different counter value
Data authentication and integrity by using MAC Weak freshness and replay protection
ndash counter is part of the MAC
ndash it ensures message ordering Low communication overhead
ndash counter is not sent it is maintained locally by both parties
ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages
ndash MAC adds only 8 bytes per message Reduced computational overhead
ndash MAC verification doesnrsquot need decryption
Key Generation Setup[4]Key Generation Setup[4]
Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key
Encryption key
Message Authentication code key
Random number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Trust setup[1]Trust setup[1]
The base station is trusted by all nodes
Sensor nodes are untrusted
ndash they are unattended
ndash they are not tamper resistant
ndash they can be captured and compromised
RF communication channels are untrusted
Initial keys
ndash each node has a unique key that it shares with the base station
ndash compromise of this key affects only a single sensor
Time synchronization
ndash upper bound on the node lsquos clock drift
Security for Sensor Networks[1]Security for Sensor Networks[1] Data Authentication-
ndash it is easy to inject fake packets into the network
ndash special requirements of broadcast authentication
bull symmetric MAC cannot be used
bull asymmetric digital signatures are not feasible Data Confidentiality-
ndash sensor readings might be sensitive some control data (eg keys) must be kept secret
ndash eavesdropping is easy Data Integrity-integrity of sensor readings and control data is important Data Freshness-freshness of sensor readings is usually important and replay of old
packets is easy
ndash weak freshness
bull provides partial message ordering but no delay information
bull useful for sensor readings
ndash strong freshness
bull allows delay estimation
bull required by time synchronization
Notation[4]Notation[4]
ContributionsContributions
SNEP
-Sensor Network Encryption Protocol
-Secures point-to-point communication
microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication
-Provides broadcast authentication
Properties of SNEP[1]Properties of SNEP[1]
Semantic security
ndash same messages are encrypted differently each time due to the different counter value
Data authentication and integrity by using MAC Weak freshness and replay protection
ndash counter is part of the MAC
ndash it ensures message ordering Low communication overhead
ndash counter is not sent it is maintained locally by both parties
ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages
ndash MAC adds only 8 bytes per message Reduced computational overhead
ndash MAC verification doesnrsquot need decryption
Key Generation Setup[4]Key Generation Setup[4]
Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key
Encryption key
Message Authentication code key
Random number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Security for Sensor Networks[1]Security for Sensor Networks[1] Data Authentication-
ndash it is easy to inject fake packets into the network
ndash special requirements of broadcast authentication
bull symmetric MAC cannot be used
bull asymmetric digital signatures are not feasible Data Confidentiality-
ndash sensor readings might be sensitive some control data (eg keys) must be kept secret
ndash eavesdropping is easy Data Integrity-integrity of sensor readings and control data is important Data Freshness-freshness of sensor readings is usually important and replay of old
packets is easy
ndash weak freshness
bull provides partial message ordering but no delay information
bull useful for sensor readings
ndash strong freshness
bull allows delay estimation
bull required by time synchronization
Notation[4]Notation[4]
ContributionsContributions
SNEP
-Sensor Network Encryption Protocol
-Secures point-to-point communication
microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication
-Provides broadcast authentication
Properties of SNEP[1]Properties of SNEP[1]
Semantic security
ndash same messages are encrypted differently each time due to the different counter value
Data authentication and integrity by using MAC Weak freshness and replay protection
ndash counter is part of the MAC
ndash it ensures message ordering Low communication overhead
ndash counter is not sent it is maintained locally by both parties
ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages
ndash MAC adds only 8 bytes per message Reduced computational overhead
ndash MAC verification doesnrsquot need decryption
Key Generation Setup[4]Key Generation Setup[4]
Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key
Encryption key
Message Authentication code key
Random number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Notation[4]Notation[4]
ContributionsContributions
SNEP
-Sensor Network Encryption Protocol
-Secures point-to-point communication
microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication
-Provides broadcast authentication
Properties of SNEP[1]Properties of SNEP[1]
Semantic security
ndash same messages are encrypted differently each time due to the different counter value
Data authentication and integrity by using MAC Weak freshness and replay protection
ndash counter is part of the MAC
ndash it ensures message ordering Low communication overhead
ndash counter is not sent it is maintained locally by both parties
ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages
ndash MAC adds only 8 bytes per message Reduced computational overhead
ndash MAC verification doesnrsquot need decryption
Key Generation Setup[4]Key Generation Setup[4]
Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key
Encryption key
Message Authentication code key
Random number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
ContributionsContributions
SNEP
-Sensor Network Encryption Protocol
-Secures point-to-point communication
microTESLA -Micro Timed Efficient Stream Loss-tolerant Authentication
-Provides broadcast authentication
Properties of SNEP[1]Properties of SNEP[1]
Semantic security
ndash same messages are encrypted differently each time due to the different counter value
Data authentication and integrity by using MAC Weak freshness and replay protection
ndash counter is part of the MAC
ndash it ensures message ordering Low communication overhead
ndash counter is not sent it is maintained locally by both parties
ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages
ndash MAC adds only 8 bytes per message Reduced computational overhead
ndash MAC verification doesnrsquot need decryption
Key Generation Setup[4]Key Generation Setup[4]
Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key
Encryption key
Message Authentication code key
Random number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Properties of SNEP[1]Properties of SNEP[1]
Semantic security
ndash same messages are encrypted differently each time due to the different counter value
Data authentication and integrity by using MAC Weak freshness and replay protection
ndash counter is part of the MAC
ndash it ensures message ordering Low communication overhead
ndash counter is not sent it is maintained locally by both parties
ndash using the block cipher in CTR mode results in a stream cipher 1048774 Encrypted messages has the same length as plain messages
ndash MAC adds only 8 bytes per message Reduced computational overhead
ndash MAC verification doesnrsquot need decryption
Key Generation Setup[4]Key Generation Setup[4]
Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key
Encryption key
Message Authentication code key
Random number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Key Generation Setup[4]Key Generation Setup[4]
Nodes and base station share a master key pre-deployment Other keys are bootstrapped from the master key
Encryption key
Message Authentication code key
Random number generator key
Counter
RC5 BlockCipherKey Master KeyMAC
KeyEncryption
Keyrandom
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Building blocks SNEP[1]Building blocks SNEP[1]
Sensor Network Encryption Protocol (SNEP)
A B encKencC(data) | macKmac(C|encKencC(data))
where
ndash encKencC is encryption in CTR mode with key Kenc and counter C
ndash macKmac is CBC-MAC computation with key Kmac
ndash MAC is computed over the encrypted data and counter C
ndash MAC length is 64 bits
ndash Kenc and Kmac is derived from the master key K (shared by the node and the base station) through a one way function
Kenc = macK(1)
Kmac = macK(2)
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Authentication Confidentiality[1] Authentication Confidentiality[1]
Without encryption can have only authentication For encrypted messages the counter is included in the MAC Base station keeps current counter for every node
Node A
M MAC(Kmac M)
MltKencr CAgt MAC(Kmac CA|| MltKencr CAgt)
Node B
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
SNEP with strong freshness[1]SNEP with strong freshness[1]
A B NA request
B A encKencC(response) | macKmac(NA|C|encKencC(response))
where
ndash the request can use plain SNEP for confidentiality and authentication
ndash NA is an unpredictable random number computed as
NA = macKrnd(S)ndash after generating a random number S is incremented by one
ndash Krnd is a key derived from the master key K (shared by the node and the base station) through a one way function
Krnd = macK(3)and regenerated from time to time
Krndrsquo = macK (Krnd)
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Strong Freshness[1]Strong Freshness[1]
bull Nonce generated randomlybull Sender includes Nonce with requestbull Responder include nonce in MAC but not in reply
Node A
Request NA
ResponseltKencr CB) MAC(Kmac NA || CB|| Responseltencr CBgt)
Node B
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Counter Exchange Protocol[1]Counter Exchange Protocol[1]Bootstrapping counter values
Node A
CA
CB MAC(Kmac CA||CB)
Node B
To synchronizeA rarrB CA
B rarrA CB MAC(KmacCA || CB)
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Code re-use in SNEP[2]Code re-use in SNEP[2]
Only encryption part of RC5 is implemented This is used
ndash to encrypt and to decrypt (due to CTR mode) data
ndash to implement the MAC function
ndash to generate encryption and MAC keys from the master key
ndash to generate random numbers
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Building block Building block TESLA Authenticated BroadcastTESLA Authenticated Broadcast
Main idea asymmetry through delayed disclosure of authentication keys
ndash base station computes a MAC with a key unknown to the sensors
ndash base station sends and sensors receive the message with the MAC
ndash later the base station discloses the key used to compute the MAC
Assumptions
ndash loose time synchronization between the base station and the sensors
ndash each sensor knows an upper bound on the maximum synchronization error
ndash initial secret between the base station and each sensor to bootstrap the whole mechanism
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Key Setup[1]Key Setup[1]
Main idea One-way key chainsK0 is initial commitment to chainBase station gives K0 to all nodes
Kn Kn-1 K1 K0
X
helliphellipF(Kn) F(K1)F(K2)
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Broadcast[1]Broadcast[1]
Divide time into intervalsAssociate Ki with interval iMessages sent in interval i use Ki in MACKi is revealed at time i + Nodes authenticate Ki and messages using Ki
K0 K1 K2 K3 hellip
0 1 2 3 4 time
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Broadcasting Authenticated Packets[1]Broadcasting Authenticated Packets[1]
In interval j base station broadcasts Msg Node verifies that key Kj has not been disclosed yet Node stores Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Node authenticating packets[1]Node authenticating packets[1]
After disclosure interval base station broadcasts Kj
Node verifies that F(Kj) = Kj-1 or F(F(Kj)) = Kj-2 etc Node verifies MAC of Msg Node delivers Msg
Node A Base Station
Tnow Ki Ti Tint MAC(Kmaster Nonce | Tnow | hellip)
Nonce
Msg MAC(Kj Msg)
Kj
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Perfect robustness to packet loss[1]Perfect robustness to packet loss[1]
K2 K3 K4 K5
tTime 2 Time 3 Time 4 Time 5
K1
P5
K3
P3
K1
P2
K0
P1
K0
Verify MACs
P4
K2
FF
Authenticate K3
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
TESLA PropertiesTESLA Properties Asymmetry from delayed key disclosure[1]
Self-authenticating keys[1]
Requires loose time synchronization[3]
Low overhead (1 MAC)
- Communication (same as SNEP)
- Computation (~ 2 MAC computations) Independent of number of receivers
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Applications[1]Applications[1]
Authenticated RoutingNode to Node Agreement
A B NA A
B S NANB A B MAC(KrsquoBS NA || NB || A || B)
S A SKABKSA MAC(KrsquoSANA || A || SKABKSA )
S B SKABKSB MAC(KrsquoSBNB || B || SKABKSB )
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Discussion DrawbacksDiscussion Drawbacks The TESLA protocol lacks scalability[1]
- require initial key commitment with each nodes which is very communication intensive
SPINS uses source routing so vulnerable to traffic analysis[23]
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Conclusion[13]Conclusion[13]
Strong security protocols affordable
- First broadcast authentication
Low security overhead
- Computation memory communication
Apply to future sensor networks
-Energy limitations persist
-Tendency to use minimal hardware
Base protocol for more sophisticated security services
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
ReferencesReferences[1] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D
TygarrdquoSPINS Security Protocols for Sensor Networksrdquo
[2] International Journal of Advanced Research in Computer Science andSoftware Engineering[Volume- 3 Issue-8 August- 2013] ldquoEmerging Trends in Cryptographyrdquo
[3] Pritam Gajkumar Shah Lecturer Telecom Engineering Department RV College of Engineering Bangalore rdquo Network Security Protocols for Wireless Sensor Networks-A Survey rdquo
[4] Ali Modirkhazeni Norafida Ithnin Mohammadjavad Abbasirdquo Secure Hierarchal Routing Protocols in Wireless Sensor Networks Security Survey Analysis rdquo
Thank youThank you
Thank youThank you