Key management for wireless sensor networks
Sources: ACM Transactions on Sensor Networks, 2(4), pp. 500-528, 2006.
Sources: Computer Communications, 30(9), pp. 1964-1979, 2007.
Reporter: Chun-Ta Li (李俊達)

Outline
• LEAP+: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks [ACM Transactions on Sensor Networks]
• Introduction
• Zhu et al.’s scheme
• Key Management for Long-Lived Sensor Networks in Hostile Environments [Computer Communications]
• Chorzempa et al.’s scheme
• Comparisons
• Comments

Introduction
Security of wireless sensor networks
[Figure: hierarchical WSN with a Base Station (BS), Aggregation and Forwarding Nodes (AFN), and Micro Sensor Nodes (MSN) grouped into clusters]
// symmetric shared keys
// multiple keying mechanism

Introduction (cont.)
Dynamic keying in a hierarchical WSN
[Zhu et al.’s scheme]
• Establishing individual node keys
• Establishing pairwise shared keys
  • The basic scheme
  • The extended scheme
• Establishing cluster keys
• Establishing global key
[Chorzempa et al.’s scheme]
• Clustering and key setup
• Node addition
• Key renewal
• Recovery from multiple MSN node captures
• Re-clustering after AFN capture

Zhu et al.’s scheme
[Figure: a Base Station (BS) and Micro Sensor Nodes (MSN)]
// sensors are not mobile
// neighboring nodes of any sensor are not known in advance
// BS will not be compromised

Zhu et al.’s scheme (cont.)
Four types of required keys
• Individual Key: MSN <-> BS (MSN can compute a MAC for ensuring validity of its sensed readings to BS)
• Global Key: all MSNs (BS may broadcast queries or commands to the entire network)
• Cluster Key: MSN <-> neighbors (securing locally broadcast messages)
• Pairwise Shared Key: MSNa <-> MSNb

Zhu et al.’s scheme (cont.)
Notations
• N is the number of nodes in the network.
• u, v are principals such as communicating nodes.
• {f_k} is a family of pseudo-random functions.
• {s}k means encrypting message s with key k.
• MAC(k,s) is the message authentication code of message s using a symmetric key k.
• {T_min, T_est} are two types of time interval, where T_min > T_est.
• K_IN is an initial key.
• K_u is a master key belonging to node u such that K_u = f_{K_IN}(u).

Zhu et al.’s scheme (cont.)
Establishing Individual Node Keys (IK_u)
BS -> u: IK_u = f_{K_m}(u)
// f is a pseudo-random function
// K_m is a master key known only to BS
// Each node has a unique id u

Zhu et al.’s scheme (cont.)
Establishing Pairwise Shared Keys (Basic)
• Key predistribution
  BS -> u: K_u = f_{K_IN}(u)
  // K_IN is an initial key known to each node
  // Each node u derives a master key K_u
• Neighbor discovery
  1. u -> neighbors: HELLO(u)
  2. v -> u: v, MAC(K_v, u|v)
  // K_uv = f_{K_v}(u) = f_{K_u}(v) = K_vu
• Key erasure (when its timer expires after T_min)
  Node u erases K_IN and all master keys (K_v) of its neighbors (no erasure K_u)
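
An added example, not taken from the slides or from Zhu et al.: the basic pairwise key setup above in Python, showing predistribution, the HELLO/ACK exchange, and the effect of erasing K_IN. It assumes HMAC-SHA256 as both the pseudo-random function f and the MAC; the Node class, the byte-string ids and the sample K_IN are constructed for illustration, and both sides compute K_uv as f_{K_v}(u).

```python
import hmac, hashlib

def f(key: bytes, data: bytes) -> bytes:
    """PRF f_k(x); HMAC-SHA256 is this example's stand-in for the slide's f."""
    return hmac.new(key, data, hashlib.sha256).digest()

mac = f  # MAC(k, s); the same HMAC construction is reused (an assumption)

class Node:
    def __init__(self, node_id: bytes, k_in: bytes):
        self.id = node_id
        self.k_in = k_in                 # K_IN, preloaded before deployment
        self.k_u = f(k_in, node_id)      # master key K_u = f_{K_IN}(u)
        self.pairwise = {}               # neighbor id -> pairwise key

    def ack(self, hello_from: bytes):
        """Responder v: store K_uv = f_{K_v}(u), reply v, MAC(K_v, u|v)."""
        self.pairwise[hello_from] = f(self.k_u, hello_from)
        return self.id, mac(self.k_u, hello_from + b"|" + self.id)

    def on_ack(self, v: bytes, tag: bytes) -> bool:
        """Initiator u: recompute K_v from K_IN, check the MAC, derive K_uv."""
        if self.k_in is None:
            return False                 # K_IN erased: K_v can no longer be derived
        k_v = f(self.k_in, v)
        if not hmac.compare_digest(tag, mac(k_v, self.id + b"|" + v)):
            return False                 # sender does not hold K_v
        self.pairwise[v] = f(k_v, self.id)
        return True                      # k_v is a local and is not retained

    def erase(self):
        """Timer expiry after T_min: drop K_IN, keep own K_u and pairwise keys."""
        self.k_in = None

def demo():
    k_in = bytes(range(32))                  # constructed sample initial key
    u, v = Node(b"u", k_in), Node(b"v", k_in)
    ok = u.on_ack(*v.ack(u.id))              # HELLO(u) reaches v, v's ACK reaches u
    forged = u.on_ack(b"x", b"\x00" * 32)    # ACK from a sender without K_IN
    u.erase(); v.erase()
    late = u.on_ack(*Node(b"w", k_in).ack(u.id))   # ACK arriving after erasure
    return ok, u.pairwise[b"v"] == v.pairwise[b"u"], forged, late
```

After erasure a captured node yields only its own K_u and the pairwise keys it already holds, so the compromise stays local to that node's links.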

Zhu et al.’s scheme (cont.)
Establishing Pairwise Shared Keys (Extended)
• Key predistribution
  BS -> u: K^i_IN and K^j_u = f_{K^j_IN}(u), i < j < M
• Neighbor discovery
  1. u -> neighbors: HELLO(u, i)
  2. v -> u: v, MAC(K^i_v, u|v)
  // K_uv = f_{K^i_v}(u) = f_{K^i_u}(v) = K_vu
• Key erasure
  Node u erases K^i_IN and all master keys (K^i_v) of its neighbors (no erasure K^i_u or any other preloaded master keys K^j_u where i < j < M)

Zhu et al.’s scheme (cont.)
Establishing Cluster Keys (Kc_i)
[Figure: neighboring nodes u, v, w, each with its own cluster key (Kc_u, Kc_v, Kc_w) and one-way key chain (HC_u, HC_v, HC_w); the links carry (Kc_u)K_uv, (Kc_u)K_uw, (Kc_v)K_vu, (Kc_v)K_vw, (Kc_w)K_wu, (Kc_w)K_wv]
// When node u is revoked, every neighbor node generates a new cluster key and transmits it to all other neighbors

Zhu et al.’s scheme (cont.)
Rekeying the Global Key k’_g (when a compromised node is detected)
• Authenticated Node Revocation
  BS: Broadcast M
  M = u, f_{k’_g}(0), k^T_i, MAC(k^T_i, u | f_{k’_g}(0))
  // The value of hash chain
  // If verification is successful,
  • v and w will remove its pairwise key shared with u
  • v and w will update its cluster key
  • v and w will store f_{k’_g}(0) temporarily
• Secure Key Distribution
  BS: (k’_g)Kc_BS
  (k’_g)Kc_i
[Figure: BS and nodes w, v, u, t, x]

Zhu et al.’s scheme (cont.)
Integration of the pairwise key establishment phase with the cluster establishment phase
1. u -> v: HELLO(u)
2. v -> u: v, {Kc_v}K_v, MAC(K_v, u | v | {Kc_v}K_v)
3. u -> v: u, {Kc_u}K_uv, MAC(K_u, u | {Kc_u}K_uv)

Chorzempa et al.’s scheme
[Figure: a Base Station (BS), Aggregation and Forwarding Nodes (AFN), and Micro Sensor Nodes (MSN)]

Chorzempa et al.’s scheme (cont.)
Location training
• MSNs have completed neighbor discovery
• AFN is aware of one-hop MSNs
[Figure: nodes ID_AFN1, ID1, ID2; Coordinate Establishment Message (CEM) forwarded to neighbors]
• hopcountNj+1 < hopcountNi, (ID_AFN2) (ID_AFN1): Reassign to AFN2
• hopcountNj+1 > hopcountNi, (ID_AFN1) (ID_AFN1) = Discard CEM
• hopcountNj+1 > hopcountNi, (ID_AFN2) (ID_AFN1): Unicast CEM to its primary AFN1

Chorzempa et al.’s scheme (cont.)
Three types of required keys
• Administrative key set (k+m), EBS(n,k,m) (EBS: Exclusion Basis System)
  n: number of MSN nodes in a cluster; k: hold; m: not hold
  Update a session key Kg with Kg’ (k + m broadcasts)
  An example of EBS(10,3,2)
• Pairwise secret key Kp_i (BS<->MSN)
• Tree administrative key Kt_i
[Figure: a cluster view with the AFN, nodes M1-M4, tree administrative keys Kt1 and Kt2, and pairwise keys Kp1-Kp4]

Chorzempa et al.’s scheme (cont.)
• If N1 is captured (replace administrative keys and session keys known to N1) (m broadcasts)
• Non-colluding node captures (|y|=2; N1, N6) (my broadcasts)
  ID_AFN || E_Ka4(E_Ka2(Ka1’~Ka5’))
  ID_AFN || E_Ka5(E_Ka2(Ka1’~Ka5’))
  ID_AFN || E_Ka4(E_Ka3(Ka1’~Ka5’))
  ID_AFN || E_Ka5(E_Ka3(Ka1’~Ka5’))

Chorzempa et al.’s scheme (cont.)
Colluding node captures (Administrative key recovery) (EBS(6,2,1))
[Table: EBS(6,2,1) key assignment, keys K1, K2, K3 against nodes M1 M2 M3 M4 M5 M6; cell values in page order: 1 1 0 1 0 1 0 1 1 1 1 0 1 0 1 0 1 1]
[Figure: cluster with the AFN and nodes M1-M6 arranged in tree1 and tree2; labels Sc, Sut, Kt2]
E_Kt2(E_K1(K1’) || E_K2(K2’) || E_K3(K3’))

Chorzempa et al.’s scheme (cont.)
Reactive re-clustering after AFN capture
[Figure: BS, AFNa, AFNb and their MSNs; labels: membership list (location training), capture, absorption]
Messages among BS, AFNb and Ni:
  E_KAFNb(K_AFNb-Ni || ID_Ni) || Ticket_Ni,
  Ticket_Ni = E_Kpi(K_AFNb-Ni || ID_AFNb || ID_Ni || route_Ni-AFNb || nonce)
  ID_Ni || ID_AFNb || E_KAFNb-Ni(administrative keys) || Ticket_Ni

Chorzempa et al.’s scheme (cont.)
MSN addition
[Figure: clusters of AFNa and AFNb with old nodes (Old) and one new node (New)]
1. New -> neighbors: hello
2. Old -> New: ID_Ni || ID_AFNp || hopcount_Ni
3. New -> AFNa: (ID_Nnew || ID_AFNa || nonce) || MAC_Kpi
4. AFNa -> BS: (ID_Nnew || ID_AFNa || nonce) || MAC_Kpi || MAC_KAFNa
5. BS -> New: Ticket_Nnew = E_Kpi(K_AFNa-Nnew || ID_AFNa || ID_Nnew || nonce)

Comparisons
                                  Zhu et al.’s scheme   Chorzempa et al.’s scheme
Mutual authentication             Yes                   No
Forward secrecy                   No                    Not mentioned
Dynamic keying                    Yes                   Yes
S2S key establishment             Yes                   Not mentioned
Recovery from compromised attack  Yes                   Yes
Required key                      1+1+2n                1+1+k
n: the number of neighbors

Comments
• In Zhu et al.’s scheme, an old node is unable to establish a pairwise key with a new node.
• Chorzempa et al.’s scheme lacks a mechanism of pairwise key establishment for any two sensors.