EE 418 Project 2: Key Distribution in Wireless Sensor Networks

Professor Radha Poovendran

Andrew Clark

Project Guidelines

• Groups of up to 4 are allowed

• Due December 15 during the exam

• Four parts

– Key distribution problems

– Node Capture Attack Simulation

– Analysis of Node Capture Attack

– Route Capture Attack Simulation

• Groups are required to complete three of the four parts

Outline

• Sensor networks and their applications

• The key distribution problem

• The Eschenauer-Gligor scheme

• Non-cryptographic attacks:

– Node capture

– Link capture

– Route capture

• Modifications of the EG scheme

• Conclusion

Wireless Sensor Networks

• Emerging technology with many potential applications

– Inventory Tracking

– Fire Detection

– Patient Monitoring

– Battlefield Surveillance

Network Model

• Network of N sensor nodes, indexed {1,…,N}

• Two nodes can communicate if they are within radio range

• May lack supporting infrastructure (e.g. base station)

• Computing power, battery lifetime of nodes limit range of protocols used

• In some applications, no public key crypto!

Key Distribution

• In order to communicate, two sensor nodes must share a key

• Moreover, if two nodes communicate via multiple hops, then each pair of nodes along the path must share a key

• How do we guarantee that the network is connected if the network topology is not known in advance?

Naïve Approach

• Every node is preloaded with a secret key for every other node

• Problems:

– Storage constraints in individual nodes and the network as a whole: if you have 1000 nodes, each node needs to store 999 long keys, and the total number of keys is ~1000000

– Updating the network becomes difficult

• Not practical for large networks!

Random Predistribution

• Eschenauer and Gligor (2002) proposed a novel and straightforward scheme.

• A pool of P keys is generated randomly.

• Each node is preloaded with a random collection of k keys from the pool.

• The number of keys per node is a design parameter.

[Figure: seven-node example with P = 8, k = 3. Key rings shown: {k1, k2, k4}, {k2, k3, k5}, {k1, k5, k6}, {k2, k5, k8}, {k3, k6, k8}, {k6, k7, k8}, {k3, k4, k8}]

Ensuring Connectivity

• How do we choose k and P?

• First, find p according to the equation:

• Pc is the probability that a network of n nodes is connected, assuming that each pair of nodes share a link with probability p.

• E.g., suppose we want a network of size n = 10000 to be connected with probability 0.99. Then we have exp{-e^(-c)} = 0.99, so c = -log(-log(0.99)) = 4.6 and p = log(10000)/10000 + 4.6/10000 = 0.0014

• Hence in this example, if two nodes share an edge with probability 0.0014, then the network is connected with probability 0.99 (assuming each node’s radio range is infinite)

Ensuring Connectivity

• Using p, we can find d, the expected degree of each node in the network to ensure connectivity:

d = p*(n-1)

• We can use d (rather than p) to characterize the network

• One problem: so far, we have neglected to take radio range into account!

Ensuring Connectivity

• Suppose that, due to range constraints, each node can only connect to n’ of its neighbors.

• In this case, we want the probability that two neighboring nodes share a key to be p’ = d/(n’-1) to ensure that the whole graph is connected.

Ensuring Connectivity

• Given p’, we can then find values of P and k using the equations on page 5 of [1]:

Ensuring Connectivity

• In summary, we have the following approach:

• Given n (number of nodes) and Pc (design constraint), find c and p using Erdos’s formula

• Calculate d = p*(n-1)

• If the neighborhood size is n’ (due to radio range), find p’ = d/(n’-1)

• Choose P and k so that Pr(two nodes share a key) = p’
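
The steps above as a worked calculation (an added example, not part of the original slides). The neighborhood size n’ = 40 and pool size P = 10000 are assumed values, and the key-sharing probability 1 - C(P-k, k)/C(P, k) is the standard Eschenauer-Gligor expression, which this transcript refers to but does not reproduce.

```python
import math

def erdos_threshold(n, pc):
    """Solve Pc = exp(-e^(-c)) for c, then p = ln(n)/n + c/n."""
    if not (0.0 < pc < 1.0) or n < 2:
        raise ValueError("need 0 < Pc < 1 and n >= 2")
    c = -math.log(-math.log(pc))
    return c, (math.log(n) + c) / n

def share_probability(P, k):
    """Pr(two random k-key rings drawn from a pool of P share at least one key)."""
    # math.comb returns 0 when k > P - k, so oversized rings give probability 1.0.
    return 1.0 - math.comb(P - k, k) / math.comb(P, k)

def min_ring_size(P, p_target):
    """Smallest ring size k with share_probability(P, k) >= p_target."""
    for k in range(1, P + 1):
        if share_probability(P, k) >= p_target:
            return k
    raise ValueError("no ring size reaches the target")

def design(n, pc, n_prime, P):
    c, p = erdos_threshold(n, pc)
    d = p * (n - 1)                # expected degree needed for connectivity
    p_prime = d / (n_prime - 1)    # required sharing probability among neighbors
    if p_prime > 1.0:
        raise ValueError("neighborhood too small: need n' - 1 >= d")
    k = min_ring_size(P, p_prime)
    return {"c": c, "p": p, "d": d, "p_prime": p_prime, "k": k,
            "achieved": share_probability(P, k)}

if __name__ == "__main__":
    # n and Pc are the slide's values; n' and P are assumed for illustration.
    result = design(n=10000, pc=0.99, n_prime=40, P=10000)
    for name, value in result.items():
        shown = f"{value:.4f}" if isinstance(value, float) else str(value)
        print(f"{name:9s} {shown}")
```

With these assumed values each node needs a ring of 66 keys out of 10000, far fewer than the 9999 pairwise keys of the naïve approach.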

Random Key Distribution

From a security standpoint, can you think of a problem with assigning keys in this way?

Node Capture Attacks

• The adversary may have a hard time attacking security through cryptanalysis

• However, recall that the network is unmonitored for extended periods

• We consider “node capture attacks”, in which the adversary steals the key by physically capturing a node

• The EG scheme is especially vulnerable because many different nodes may share the same key

Node Capture Attacks

• The first type of attack is the seed cover attack, in which the adversary attempts to recover the entire key pool (or at least a large subset of it).

• This is equivalent to the set-covering problem

– Can use efficient “greedy” heuristic

– At every iteration, capture the node with the most unknown keys

[Figure: seven-node example with P = 8, k = 3. Key rings shown: {k1, k2, k4}, {k2, k3, k5}, {k1, k5, k6}, {k2, k5, k8}, {k3, k6, k8}, {k6, k7, k8}, {k5, k7, k8}]

P’ = {k1, k2, k4, k3, k6, k8, k5, k7}
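
The greedy heuristic run over the seven key rings listed on this slide, as an added example (not part of the original slides) for estimating how few captures expose a given key assignment. Node indices are positions in the listing, which is an assumption because the figure's node-to-ring mapping is not recoverable from the transcript.

```python
def greedy_seed_cover(rings, pool_size):
    """Greedy set cover over key rings.

    rings: list of sets of key IDs, one set per node.
    Returns (capture_order, keys_in_order_learned, pool_coverage_per_capture).
    """
    known, order, learned, coverage = set(), [], [], []
    remaining = dict(enumerate(rings))
    while len(known) < pool_size and remaining:
        # Node whose ring adds the most unknown keys; ties go to the lowest index.
        idx = max(remaining, key=lambda i: len(remaining[i] - known))
        gain = remaining.pop(idx) - known
        if not gain:
            break  # no ring adds anything: part of the pool was never deployed
        known |= gain
        order.append(idx)
        learned.extend(sorted(gain))
        coverage.append(len(known) / pool_size)
    return order, learned, coverage

# Key rings from the slide (P = 8, k = 3), written as key IDs.
SLIDE_RINGS = [{1, 2, 4}, {2, 3, 5}, {1, 5, 6}, {2, 5, 8},
               {3, 6, 8}, {6, 7, 8}, {5, 7, 8}]

if __name__ == "__main__":
    order, learned, coverage = greedy_seed_cover(SLIDE_RINGS, pool_size=8)
    print("captured nodes:", order)
    print("keys learned:  ", [f"k{i}" for i in learned])
    print("pool coverage: ", coverage)
```

Three of the seven rings are enough to expose all eight pool keys, and the keys are learned in the same order as the slide's P’.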

Node Capture Attacks

• The second type of attack is the link cover attack.

• Note that it may not be necessary for the adversary to capture all the secret keys; he may only have to capture enough to compromise all the links

• This is another set-covering problem

Link Cover Example

Performance

The q-composite Scheme

• In [2], the authors proposed different methods for mitigating the node capture problem

• In the q-composite scheme, q shared keys between two nodes are needed to communicate.

• The shared key between two nodes is then K = hash(k1 || … || kq)

• The adversary must therefore capture all q keys to break the link

[Figure: seven-node example with P = 8, k = 3. Key rings shown: {k1, k2, k3}, {k2, k3, k5}, {k1, k5, k6}, {k2, k5, k8}, {k5, k6, k8}, {k6, k7, k8}, {k5, k7, k8}. Key pairs shown on links: {k2, k5}, {k7, k8}, {k2, k3}, {k5, k8}, {k6, k8}]

The q-Composite Scheme

• Under the q-Composite scheme, the probability that Eve can compromise the link between two nodes by capturing random nodes is the top equation, where:

– |S| is the key pool size, m is the number of keys per node

– p(i) is the probability that two nodes share exactly i keys

– p is the probability that two nodes share at least q keys

– x is the number of nodes Eve will capture

Multipath Reinforcement

• Suppose A and B have a secure link between them (i.e., they share a key k)

• We can improve the security of the link by updating its key after the initial setup.

• If there are m disjoint routes between A and B, then A can generate random numbers v_1, …, v_m and send each number (encrypted, of course) along a different route

• The shared key will then be k’ = k xor v_1 xor … xor v_m
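
Both mitigations in code, the q-composite link key K = hash(k1 || … || kq) and the multipath update of k, as an added example (not part of the original slides). SHA-256, 16-byte keys, the deterministic stand-in pool keys, and hashing every shared key in key-ID order are assumptions made for the illustration.

```python
import hashlib

KEY_LEN = 16  # bytes per key (assumed)

def pool_key(key_id):
    """Constructed stand-in for pool key k<id>; a real pool is drawn from a CSPRNG."""
    return hashlib.sha256(b"demo-pool-%d" % key_id).digest()[:KEY_LEN]

def ring(ids):
    """Key ring as a dict: key ID -> key bytes."""
    return {i: pool_key(i) for i in ids}

def q_composite_key(ring_a, ring_b, q):
    """Return (link_key, shared_ids); link_key is None if fewer than q keys are shared."""
    shared = sorted(ring_a.keys() & ring_b.keys())
    if len(shared) < q:
        return None, shared
    # Fixed-length keys joined in key-ID order, so both ends hash identical input.
    material = b"".join(ring_a[i] for i in shared)
    return hashlib.sha256(material).digest()[:KEY_LEN], shared

def link_exposed(shared_ids, captured_ids):
    """A link key is recoverable only if every key hashed into it was captured."""
    return set(shared_ids) <= set(captured_ids)

def reinforce(k, shares):
    """Multipath reinforcement: k' = k xor v_1 xor ... xor v_m."""
    out = bytearray(k)
    for v in shares:
        if len(v) != len(k):
            raise ValueError("each v_i must be as long as k")
        for j, byte in enumerate(v):
            out[j] ^= byte
    return bytes(out)

if __name__ == "__main__":
    a, b, c = ring({1, 2, 3}), ring({2, 3, 5}), ring({2, 5, 8})  # rings from the slide
    k, shared = q_composite_key(a, b, q=2)
    print("shared key IDs:", shared, "link key:", k.hex())
    print("exposed by capturing the {k2, k5, k8} node:", link_exposed(shared, c))
    v = [pool_key(100 + i) for i in range(3)]  # constructed v_1..v_3, one per route
    print("reinforced key:", reinforce(k, v).hex())
    print("matches with one route unobserved:", reinforce(k, v[:2]) == reinforce(k, v))
```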

Example

Route Capture Attacks

• The final kind of attack we will consider is the route capture attack [4].

• Route capture attacks take advantage of the fact that traffic in a WSN has to be routed between nodes that are far apart.

• Thus if we capture certain “bottleneck” nodes, we can observe a lot of the network traffic.

Node Capture Attacks

• We want to define a way to quantify how vulnerable a route is after a certain number of keys is captured.

• For a route between source node s and destination d, we define a function Vsd

• Let C be a set of nodes that we can capture. Then we want:

– Vsd(C) = 0 if C is empty

– Vsd(C) between 0 and 1 if there is still some security to the route

– Vsd(C) = 1 if the route has been compromised.

Node Capture Attacks

• Suppose we have such a function Vsd. Then, given a set of pairs (s,d) and a set of routes Rsd between them, define the incremental node value by

• Now, we can implement a greedy algorithm not unlike that from the previous section

• At each iteration, we capture the node with the largest incremental node value.

Node Capture Attacks

• The adversary can choose Vsd in order to reflect his or her goals.

• An example in [4] is

Explanation of Terminology

Summary

• By using random key distribution, we can develop secure communication in a sensor network with limited storage

• This distribution scheme is vulnerable to attack:

– Seed cover

– Link cover

– Route cover

• There are techniques for mitigating these vulnerabilities.

Questions?