Security for ad-hoc networks: Cryptography and beyond David Wagner U.C. Berkeley.

Date posted: 19-Dec-2015

Page 1

Security for ad-hoc networks: Cryptography and beyond

David Wagner

U.C. Berkeley

Page 2

How to think about security

Security goals:
– Confidentiality
– Integrity
– Availability

Threats:
– Outsiders? Insiders?
– Ordinary motes? Motes with superpowers?

Page 3

Part I: Security against outsiders

Page 4

The security risk: RF leakage

Page 5

The outsider threat

Lesson: build in security from the start

Page 6

Keeping the outsider at bay

[Figure: network and base station; every node is labeled with the same key k]

A simple approach: global shared keys

Page 7

Global shared keys

Advantages
– Simple; reasonable performance

Limitations
– No security against insider attacks
– What if a mote is compromised or stolen?

Page 8

Part II: Security against insiders

Tolerating compromised motes

Page 9

Defending against insider attacks

[Figure: network and base station. Labels: k1, k2, k3, k4, k5 (one per mote) and k1, …, k5]

Per-mote keying

Page 10

Per-mote keying

Advantages
– Simple; reasonable performance
– Lost motes don’t reveal rest of network’s keys

Disadvantages
– Motes can’t talk to each other without the help of the base station

Page 11

Per-mote keying

Advantages
– Simple; reasonable performance
– Lost motes don’t reveal rest of network’s keys

Disadvantages
– Motes can’t talk to each other without the help of the base station
– Insiders can still falsify sensor readings

Page 12

An example

Computing the average temperature

[Figure: network and base station; node labels 67°, 64°, 69°, 71°, 68°]

f(67°, …, 68°), where f(x1, …, xn) = (x1 + … + xn) / n

Page 13

An example + an attack

Computing the average temperature

[Figure: network and base station; node labels 67°, 64°, 69°, 71°, 68° and 1,000°]

f(67°, …, 1,000°), where f(x1, …, xn) = (x1 + … + xn) / n

Result is drastically affected

Page 14

Resilient aggregation

Some theory:
– For f : n → , a random variable X on n, and σ = StdDev[f(X)], define $\mathrm{Pow}(A) = E[(f(A(X)) - f(X))^2]^{1/2} / \sigma$
– Say f is (m, α)-resilient if Pow(A) ≤ α for all adversaries A : n → n modifying only m of their inputs
– Example: the “average” is not (m, α)-resilient for any constant α

Page 15

Relevance of resilience

Intuition
– The (m, α)-resilient functions are the ones that can be meaningfully and securely computed in the presence of m malicious insiders.

Formalism
– Theorem. If f isn’t (m, α)-resilient, m insiders can bias f(...) by at least ± α σ, on average. If f is (m, α)-resilient, it can be computed centrally with bias at most ± α σ, for m insiders.

Page 16

Examples

| f | … is (m, α)-resilient, where |
|---|---|
| average | α = ∞ |
| average, discarding 5% outliers | $\alpha \approx 1.65\,m/n^{1/2}$ for m < 0.05 n; α = ∞ for m > 0.05 n |
| median | $\alpha \approx m/n^{1/2}$ for m < 0.5 n |
| max | α = ∞ |
| 95th percentile “max” | $\alpha \approx O(m/n^{1/2})$ for m < 0.05 n |
| count | $\alpha \approx m/(p(1-p)n)^{1/2}$ |

(assuming n independent Gaussian/Bernoulli distributions)
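
An added illustration, not part of the original slides: a Monte Carlo estimate of Pow(A), following the definition on Page 14, for the average, a trimmed average and the median. Assumptions made for the example: n = 100 motes with Gaussian readings (mean 68°, standard deviation 2°), an adversary that overwrites m = 3 readings with 1,000°, and trimming 5% at each end of the sorted readings.

```python
import random
import statistics

def trimmed_mean(xs, frac=0.05):
    """Average after discarding the lowest and highest `frac` of readings."""
    xs = sorted(xs)
    k = int(len(xs) * frac)
    return statistics.fmean(xs[k:len(xs) - k])

def adversary(xs, m, value=1000.0):
    """A: overwrite the readings of m compromised motes with `value`."""
    return [value] * m + list(xs[m:])

def pow_estimate(f, n=100, m=3, trials=2000, seed=1):
    """Monte Carlo estimate of Pow(A) = E[(f(A(X)) - f(X))^2]^(1/2) / sigma."""
    rng = random.Random(seed)
    honest, sq_err = [], []
    for _ in range(trials):
        x = [rng.gauss(68.0, 2.0) for _ in range(n)]  # constructed readings
        fx = f(x)
        honest.append(fx)
        sq_err.append((f(adversary(x, m)) - fx) ** 2)
    sigma = statistics.pstdev(honest)  # sigma = StdDev[f(X)]
    return (statistics.fmean(sq_err) ** 0.5) / sigma

def compare(n=100, m=3):
    """Pow(A) for three aggregates under the same adversary."""
    return {
        "average": pow_estimate(statistics.fmean, n, m),
        "trimmed 5%": pow_estimate(trimmed_mean, n, m),
        "median": pow_estimate(statistics.median, n, m),
    }

if __name__ == "__main__":
    for name, p in compare().items():
        print(f"{name:12s} Pow(A) ~ {p:8.2f}")
```

For the average, the estimate grows without bound as the injected value grows, while the trimmed average and the median stay below one standard deviation of the honest result for this m and n.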

Page 17

Primitives for aggregation (1)

Computing with histograms
– Theorem. If f is a (m, α)-resilient, symmetric function with $\sum_i |\partial f/\partial x_i| \le \beta$, f can be computed securely using a histogram with buckets of width w. With m insiders, the bias will be at most about α σ + 0.5wβ.

Page 18

Primitives for aggregation (2)

Computing with random sampling
– Idea in progress. If f is a (m, α)-resilient, symmetric function with $\sum_i |\partial f/\partial x_i| \le \beta$, perhaps f can be computed securely by sampling the values at k randomly selected motes.

Page 19

But: An important caveat!

Aggregation in the network introduces new challenges

[Figure: network with nodes labeled 2, 4, 1, 0, 1, 1, 2]

Page 20

Summary

Crypto helps, but isn’t a total solution
– Be aware of the systems tradeoffs

Seek robustness against insider attack
– Resilience gives a way to think about insiders
– The law of large numbers is your friend

Feedback?