LOGO

A Public Key Cryptographic Method for Denial of Service Mitigation in

Wireless Sensor Networks

O. Arazi, H. Qi, D. RoseIEEE SECON 2007 proceedings

20082065Myunghan YooAugust 2, 2008

Progress

Problem & background

Solution

Discussion

Public Key Cryptography

Use private and public keys Given public key, easy to compute -> anyone can lock Only those who has private key compute its inverse

-> only those who has it can unlock, vice versa.

P DE() D()

Key

Attacker

P

KeKd

C P

C=E(P, Ke) P=D(C, Kd )

Insecure channel

Key

For Privacy

- Encrypt M with Bob’s public key : C = eK(Bp,M)

- Decrypt C with Bob’s private key : D = dK(Bs,C)

* Anybody can generate C, but only Bob can recover C to M.

Usage of PKC (I)

ek( , ) M

BP

dk( , ) C

M

BS

Public directory

Alice : Ap

Bob : Bp

Chaum : Cp

. .

Usage of PKC (II)

dk( , ) M

As

ek( , ) C M

Ap

Alice : Ap

Bob : Bp

Chaum : Cp

. .

Public directory

- Encrypt M with Alice’s private key : C = dK(As,M)

- Decrypt C with Alice’s public key : D = eK(Ap,C)

* Only Alice can generate C, but anybody can verify C.

For authentication (Digital Signature)

Motivation & Objective

Public Key Cryptography (PKC)

Denial-of-Service Attack in PKC With repeated & meaningless requests to

normal nodes to establish a session key, the adversary causes attacked normal nodes to waste energy resources

Pros Cons

Resilience High computational overhead

Scalability Weak against DoS attacks

Decentralized key management

Objective & Key Idea

Objective Mitigating Denial-of-Service (DoS) attacks

Key Idea Loading heavy computational burden

on the instigator

Progress

Problem & background

Solution

Discussion

Overview of Proposed Scheme

Stage A:Alice proving her validity to Bob

A relatively energy draining procedure on Alice’s part

Stage B:Bob proving her validity to AliceA relatively low energy draining

procedure on Bob’s part

If successful

If successful: both users hold an ephemeral shared secret key

The Instigator Proving Its Validity

Alice Bob

nA

IDA

CRA

(CRA)e mod nCA = H(nA, IDA) If so, generates a message, m, such that: t= me mod nA

ttdA mod nA = m

x: LSB of message m

compares

nA: Alice’s public key, IDA: Alice’s public key ID, CRA: Alice’s certificate signed by CA with its private key,e, nCA : CA’s public key

CRA = [H(nA, IDA)]dca mod nCA

H(nA, IDA) = nA IDA⊕

512 bits or 1024 bits

Message m

x: Significant bits to identify the instigator

y and z: Factors of an ephemeral key

z212bits

y200bits

x100bits

Example of message m where the length of m is 512 bits.

Overview of Proposed Scheme

Stage A:Alice proving her validity to Bob

A relatively energy draining procedure on Alice’s part

Stage B:Bob proving her validity to AliceA relatively low energy draining

procedure on Bob’s part

If successful

If successful: both users hold an ephemeral shared secret key

The Approached Node Proving Its Valid-ity

Key Transport

Elliptic Curve Digital Signature Algorithm (ECDSA)

Self-Certified DH Fixed Key-Generation

Key Transport

Alice Bob

Stage A

If successful

nB, CRB, IDB, SB

Validation of the values: (CRB)e mod nCA = H(nB, IDB),

(SB)e mod nB = y

If successful

KAB-final = z

Stage B:

SB = ydB mod nB

ECDSA

Alice Bob

Stage A

If successful

(C, L)

Calculates h = L-1,

q1 = y · h mod ordG, q2 = C · h mod ordG,

P = q1 · G + q2 · V, and C’ is scalar of P

If C’ = C

KAB-final = z

Stage B:

V = u · GC is scalar of VL = u-1(y + dB · C) mod ordG

Self-Certified DH Fixed Key-Generation

Stage A

If successful

Self-Certified DH Fixed Key-GenerationKAB-temp = KAB (generated by Alice) = nA x [H(IDB, nB) x nB + nCA] = KBA (generated by Bob) = nB x [H(IDA, NA) x nA + nCA]Stage B:

KAB-final = H(KAB-temp, m’)

nB, CRB, IDB

Alice Bob

Implementation Results

Time (msec) Energy (J) Total

Alice Bob Alice Bob Time Energy

Stage A 230 1.02 105.8 0.469 231.02 106.27

Stage B

Key Transport 2.04 230 0.938 105.8 232.04 106.738

ECDSA 100 50 46.32 23.16 150 69.48

Fixed Key 50 50 23.16 23.16 100 46.32

Time (m-sec)

Energy (mJ)

Total consumption Both stages Both stages

Key Transport 463.06 213.01

ECDSA 381.02 175.75

Fixed Key 331.02 152.6Using 1024-Bit RSA and 160-bit ECC on the Intel MOTE

2 Platform from 312 MHz core clock

Progress

Problem & background

Solution

Discussion

Contribution

This paper may be the first try of DoS at-tack mitigation for PKC

Discussion

Unclear environment of implementation communication distance between Alice and

Bob

Yet, unsuitable PKC in the WSN

Incoherent logic Applying to only a suspicious node is needed

DoS attack with incomplete stage A

DoS attack with incomplete stage A

Alice Bob

nA

IDA

CRA

(CRA)e mod nCA = H(nA, IDA) If so, generates a message, m, such that: t= me mod nA

ttdA mod nA = m

x: LSB of message m

compares

nA: Alice’s public key, IDA: Alice’s public key ID, CRA: Alice’s certificate signed by CA with its private key,e, nCA : CA’s public key

CRA = [H(nA, IDA)]dca mod nCA

H(nA, IDA) = nA IDA⊕

512 bits or 1024 bits

Completed part

Incompleted part

THANK YOUQ&A