Post on 19-Dec-2015
Security for ad-hoc networks: Cryptography and beyond
David Wagner
U.C. Berkeley
How to think about security
Security goals: Confidentiality, Integrity, Availability
Threats: Outsiders? Insiders? Ordinary motes? Motes with superpowers?
Part I: Security against outsiders
The security risk: RF leakage
The outsider threat
Lesson: build in security from the start
Keeping the outsider at bay
[Figure: the network and its base station, with every node holding the same key k]
A simple approach: global shared keys
Global shared keys
Advantages
– Simple; reasonable performance
Limitations
– No security against insider attacks
– What if a mote is compromised or stolen?
Part II: Security against insiders
Tolerating compromised motes
Defending against insider attacks
[Figure: per-mote keying. The motes hold keys k1, k2, k3, k4, k5; the base station holds k1, …, k5]
Per-mote keying
Advantages
– Simple; reasonable performance
– Lost motes don’t reveal rest of network’s keys
Disadvantages
– Motes can’t talk to each other without the help of the base station
– Insiders can still falsify sensor readings
An example
Computing the average temperature
[Figure: motes in the network report 67°, 64°, 69°, 71°, 68° to the base station]
f(67°, …, 68°), where f(x1, …, xn) = (x1 + … + xn) / n
An example + an attack
Computing the average temperature
[Figure: the same network and base station, with readings 67°, 64°, 69°, 71°, 68° and a reported value of 1,000°]
f(67°, …, 1,000°), where f(x1, …, xn) = (x1 + … + xn) / n
Result is drastically affected
Resilient aggregation
Some theory:
– For f : n → , a random variable X on n, and σ = StdDev[f(X)], define Pow(A) = E[(f(A(X)) – f(X))^2]^(1/2) / σ
– Say f is (m, α)-resilient if Pow(A) ≤ α for all adversaries A : n → n modifying only m of their inputs
– Example: the “average” is not (m, α)-resilient for any constant α
Relevance of resilience
Intuition
– The (m, α)-resilient functions are the ones that can be meaningfully and securely computed in the presence of m malicious insiders.
Formalism
– Theorem. If f isn’t (m, α)-resilient, m insiders can bias f(...) by at least ± α σ, on average. If f is (m, α)-resilient, it can be computed centrally with bias at most ± α σ, for m insiders.
Examples
f … is (m, α)-resilient, where
– average: α = ∞
– average, discarding 5% outliers: α ≈ 1.65 m/n^(1/2) for m < 0.05 n; α = ∞ for m > 0.05 n
– median: α ≈ m/n^(1/2) for m < 0.5 n
– max: α = ∞
– 95th percentile “max”: α ≈ O(m/n^(1/2)) for m < 0.05 n
– count: α ≈ m/(p(1–p)n)^(1/2)
(assuming n independent Gaussian/Bernoulli distributions)
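The Pow(A) definition and the examples above can be checked numerically. The following Python is an added example, not from the original slides: it estimates Pow(A) by Monte Carlo for one particular adversary that makes m compromised motes all report the same bogus value. Assumptions: n = 100 motes with independent Gaussian readings (mean 68, standard deviation 3), m = 3, "discarding 5% outliers" taken to mean trimming 5% from each end, and all function names are this example's own.

```python
import math
import random
import statistics

def trimmed_mean(xs, frac=0.05):
    """Average after dropping the lowest and highest `frac` of the readings
    (assumed reading of "discarding 5% outliers")."""
    k = int(len(xs) * frac)
    kept = sorted(xs)[k:len(xs) - k]
    return sum(kept) / len(kept)

# Aggregation functions f compared in this example.
AGGREGATES = {
    "average": statistics.fmean,
    "trimmed average": trimmed_mean,
    "median": statistics.median,
}

def replace_first_m(xs, m, bogus):
    """One adversary A: the m compromised motes all report `bogus`."""
    return [bogus] * m + xs[m:]

def estimate_pow(f, n=100, m=3, bogus=1000.0, trials=2000, seed=1):
    """Monte Carlo estimate of Pow(A) = E[(f(A(X)) - f(X))^2]^(1/2) / sigma."""
    rng = random.Random(seed)
    honest, sq_err = [], 0.0
    for _ in range(trials):
        x = [rng.gauss(68.0, 3.0) for _ in range(n)]  # constructed readings
        fx = f(x)
        honest.append(fx)
        sq_err += (f(replace_first_m(x, m, bogus)) - fx) ** 2
    sigma = statistics.pstdev(honest)  # sigma = StdDev[f(X)], estimated
    return math.sqrt(sq_err / trials) / sigma

if __name__ == "__main__":
    for name, f in AGGREGATES.items():
        for bogus in (1000.0, 1e6):
            p = estimate_pow(f, bogus=bogus)
            print(f"{name:16s} bogus={bogus:>9.0f}  Pow(A) ~ {p:.2f}")
```

Because this is a single fixed adversary, the estimates are lower bounds on the worst-case α; the average's value grows in proportion to the bogus reading while the median's does not change.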
Primitives for aggregation (1)
Computing with histograms
– Theorem. If f is an (m, α)-resilient, symmetric function with ∑_i |∂f/∂x_i| ≤ β, f can be computed securely using a histogram with buckets of width w. With m insiders, the bias will be at most about α σ + 0.5wβ.
Primitives for aggregation (2)
Computing with random sampling
– Idea in progress. If f is an (m, α)-resilient, symmetric function with ∑_i |∂f/∂x_i| ≤ β, perhaps f can be computed securely by sampling the values at k randomly selected motes.
But: An important caveat!
Aggregation in the network introduces new challenges
[Figure: network diagram labelled with the values 2, 4, 1, 0, 1, 1, 2]
Summary
Crypto helps, but isn’t a total solution
– Be aware of the systems tradeoffs
Seek robustness against insider attack
– Resilience gives a way to think about insiders
– The law of large numbers is your friend
Feedback?