Queensland University of Technology
CRICOS No. 00213J
Mitigating Sandwich Attacks against a Secure Key Management
in WSNs for PCS/SCADA
Hani Alzaid, DongGook Park, Juan Gonzalez, and Ernest Foo
CRICOS No. 00213Ja university for the worldreal R
Key Management in WSNs for PCS/SCADA• Introduction.
– WSNs & SCADA.• Related Work.
– Nilsson et al.’s & Alzaid et al.’s schemes.• Sandwich Attack.• Performance Analysis
– Memory overhead, communication cost, & computation cost.
• Conclusion
2
CRICOS No. 00213Ja university for the worldreal R
Introduction: WSNs
EmbeddedProcessor
Transceiver
Memory
SensorsBattery
3
Limited Storage
Limited Lifetime
Slow Computations
1Kbps - 1Mbps, 3-100 Meters,
CRICOS No. 00213Ja university for the worldreal R
Introduction: SCADA
4
Master Center
Historian
Communication Systems
Remote field
Network Manager
Human Interaction
Database Storage
Processing Servers
Separate Subnet
Fiber Optics
Radio
Satellite
Gateways
IEDs
Sensors
CRICOS No. 00213Ja university for the worldreal R
Related Work
• Several papers proposed key management designs for SCADA.– They use heavy cryptographic mechanisms.– Do not consider the integration of WSNs with SCADA.
• The works that consider the integration, proposed by Nilsson et al. and Alzaid et al..
5
CRICOS No. 00213Ja university for the worldreal R
Related Work – Nilsson et al.
• Nilsson et al. designed two key update protocols:– The 1st protocol updates the pairwise symmetric key
between and .– The 2nd protocol updates the global or group key
among and .• They claimed that these protocols provide both
forward and backward secrecy (past and future key secrecy). It is not the case!
6
CRICOS No. 00213Ja university for the worldreal R
Related Work – Nilsson et al.
• Node compromise attacks was not considered in Nilsson et al..
• The new group key is directly carried by the protocols messages, encrypted under the pairwise key.
• The value of new pairwise key is determined by the sensor node.
• etc.• Alzaid et al.’s addressed these weaknesses.
7
CRICOS No. 00213Ja university for the worldreal R
Related Work – Alzaid et al.
• The adversary can launch node compromise – All the credentials stored in sensors.– All the software code installed within the sensors,
especially random number generation functions.• It cannot compromise the network manager.
8
Adversary Model
CRICOS No. 00213Ja university for the worldreal R
Related Work – Alzaid et al.
• Past key secrecy: the past keys should not be compromised.
• Future key secrecy: the future keys should not be compromised.
Security Requirements
9
CRICOS No. 00213Ja university for the worldreal R
The Proposed Key Management
0t 0s 10( )h s 0( )ih s0( )ih t 1
0( )h t
1GK
iGK
0GK
Forward hash chainReverse hash chain
Pastkey secrecy
Future key secrecy
The Group Key Update Protocol
10
CRICOS No. 00213Ja university for the worldreal R
The Proposed Key Management
The Group Key Update Protocol (Protocol-1)
11
CRICOS No. 00213Ja university for the worldreal R
The Proposed Key Management
The Pairwise Key Update Protocol (Protocol-2)
12
CRICOS No. 00213Ja university for the worldreal R
Sandwich Attack
The Problem• Alzaid et al.’s scheme suffers from a new kind of
attack called “Sandwich Attack”.• Suppose an attacker captures a node at
• are revealed.• All the subsequent hash images of the forward hash
chain (but not the reverse hash chain) can be computed.
13
CRICOS No. 00213Ja university for the worldreal R
Sandwich Attack
The Problem• When the attacker captures another node at
where .• The adversary is able to compute all the preimages of
the reverse hash chain between .• Then, the attacker can compute all the group
keys from to by computing:
14
CRICOS No. 00213Ja university for the worldreal R
Sandwich AttackForward hash chainReverse hash chain
15
unknown
unknown
unknownunknown unknown
CRICOS No. 00213Ja university for the worldreal R
Sandwich AttackForward hash chainReverse hash chain
16
unknown
known
knownunknown
CRICOS No. 00213Ja university for the worldreal R
Sandwich Attack
The Solution (Protocol-3)• Break the reverse hash chain into smaller ones.
17
CRICOS No. 00213Ja university for the worldreal R
Sandwich Attack
• can play two strategies:• Replace Protocol-1 completely with Protocol-3.
• rerun Protocol-3 until receives 2nd message of the protocol from to ensure the reestablishment of the reverse hash chain.
• Switch between Protocol-1 and Protocol-3 whenever it is needed.
• The choice between these two strategies depends on how much the Sandwich attack concerns the network designers.
18
CRICOS No. 00213Ja university for the worldreal R
Performance AnalysisMemory Overhead
19
Stored information per sensorNilsson et al. [2] Alzaid et al. [1] Our proposal
Qty Size (bits) Qty Size
(bits) Qty Size (bits)
Pairwise key shared with M . 2 256 1 256 1 256Key used for random number generation 1 128 - - - -M’s public key 1 256 - - - -Group key . 1 128 1 128 1 128Secret data . - - 2 128 2 128Indexes . - - 2 16 2 16Hashed value of the old pairwise key - - 1 128 1 128
Total 1024 800 800
CRICOS No. 00213Ja university for the worldreal R
Performance AnalysisCommunication Cost
20
Protocol Step
Nilsson et al. [2]
Alzaid et al. [1] Our proposal
# of bits Energy (J)# of bits Energy (J) # of bits Energy (J)
Pairwise
key
1. M → N - - 272 13.6 272 13.62. M ← N 256 19.2 256 19.2 256 19.2
Total 256 19.2 528 32.8 528 32.8
Group key
1. M → N 256 12.8 144 7.2 272 13.62. M ← N 128 9.6 128 9.6 128 9.6
Total 384 22.4 272 16.8 400 23.2
CRICOS No. 00213Ja university for the worldreal R
Performance AnalysisComputation Cost
21
Protocol Step
Consumed energy (J)Nilsson et
al. [2]Alzaid et
al. [1]Our
proposal
Pairwise
key
1. M→ N - 304 304 2. Compute the new key 154 52000 52000 3. M← N 52154 278 278
Total 52308 52582 52582
Group key
1. M→ N 150 278 304 2. Compute the new key - 154 154 3. M← N 154 154 154
Total 304 586 612
CRICOS No. 00213Ja university for the worldreal R
Conclusion
• Lamport’s reverse hash chain as well as usual hash chain are employed to ensure past and future key secrecy against node compromise.
• No delivery for the whole value of the new group key for group key update.
• Sandwich Attack is mitigated by breaking the reverse hash chain into shorter ones.
22
CRICOS No. 00213Ja university for the worldreal R
References
[1] Alzaid, Hani and Park, DongGook and Gonzalez Nieto, Juan and Boyd, Colin and Foo, Ernest. A Forward & Backward Secure Key Management in Wireless Sensor Networks for PCS/SCADA.
[2] Nilsson, Dennis K. and Roosta, Tanya and Lindqvist, Ulf and Valdes, Alfonso. Key management and secure software updates in wireless process control environments.
23
Queensland University of Technology
CRICOS No. 00213J
Mitigating Sandwich Attacks against a Secure Key Management
in WSNs for PCS/SCADA
Questions
Top Related