May 5, 2006
To the Graduate School:
C TE
D
This thesis entitled “Network Embedded Support for Sensor Network Security” and written by Brijesh Pillai is presented to the Graduate School of Clemson University. I recommend that it be accepted in partial fulfillment of the requirements for the degree of Master of Science with a major in Computer Engineeering.
ht s
IG Al H lr T ig S
We have reviewed this thesis and recommend its acceptance:
re s
PR
er O ve T E d
________________________________ Dr. Richard R. Brooks, Thesis Advisor
C O PY
R
_________________________________ Dr. Ian Walker
__________________________________ Dr. Stanley Birchfield
Accepted for the Graduate School:
___________________________________
NETWORK EMBEDDED SUPPORT FOR SENSOR NETWORK SECURITY
C TE
Presented to
D
A Thesis
the Graduate School of
PR
er O ve T E d
Clemson University
re s
IG Al H lr T ig S
In Partial Fulfillment
ht s
of the Requirements for the Degree Master of Science
C O PY
R
Computer Engineering
by Brijesh Pillai May 2006
Advisor: Dr. Richard R. Brooks
ABSTRACT
Secure sensor network communications is an area of active research [Akyildiz 2002, Carman 2004, Chan 2003a, Iyengar 2005, Tubaishat 2003]. To be viable, approaches
D
must have minimal power and processing needs. Both the ad hoc nature of sensor
C TE
network communications and the need to deploy nodes where physical tampering is possible make the design of secure and efficient communication schemes for distributed
er O ve T E d
sensing difficult. We propose a distributed self-organization approach for establishing and maintaining sensor network security. The approach requires a minimal number of
IG Al H lr T ig S
network.
re s
PR
messages and encryptions at the same time it ensures connectivity and security of the
ht s
The sensor network is initially deployed using random key predistribution (RKP) [Eschenauer 2002]. The initial key pool is used for node authentication. Multicast
R
security regions are created by randomly choosing nodes to act as keyservers. Each
C O PY
keyserver creates a binary tree structure of key-encryption-keys (KEKs) to maintain a multicast region that uses a common key for communications. Multicast communications reduce message and network traffic thus increasing the life of the sensor network. Malicious or cloned nodes are detected by monitoring authentication key usage statistics [Brooks 2006]. Malicious nodes are ostracized from the system as they are detected. We show how to determine the number of keyservers needed and the size of the region (measured in number of hops) each keyserver should serve. This is done by performing a phase change analysis of the network topology. The analysis determines the likelihood that the system has a unique giant component that can adequately perform its task. It also
iii
considers the degree of redundancy required by the system to guard against internal corruption. We show how to bootstrap secure communication between keyservers. The number of packets and encryptions required to establish and maintain multicast regions defines a
C TE
D
trade-off between the number of keyservers and number of hops in an ad hoc sensor network. We provide a security analysis of our approach for threats, including Byzantine
C O PY
R
re s
ht s
IG Al H lr T ig S
PR
er O ve T E d
or Sybil attacks. Simulations are used to verify our theoretical results.
C O PY ht s er O ve T E d
PR
re s
IG Al H lr T ig S
R
C TE
D
DEDICATION
To amma & achhan
ACKNOWLEDGEMENTS
I wish to thank my advisor, Dr. Richard Brooks for his support and guidance along the way, above all for being so patient and understanding with me.
D
I am grateful to Dr. Michele Weigle and Matt Pirretti for their comments and insights into
C TE
my research. Thanks to my committee members for reviewing my thesis. I am especially grateful to Dr. Ian Walker, Dr. Stan Birchfield, and Dr. Caron H. St. John at Clemson
er O ve T E d
University for the education and constant encouragement.
I would also like to thank my colleagues and friends for the wonderful times together.
C O PY
R
re s
ht s
IG Al H lr T ig S
constant source of inspiration.
PR
Above all, thanks to amma & achhan for being always there to listen. They have been my
TABLE OF CONTENTS
Page i
ABSTRACT...............................................................................................................
ii
DEDICATION..........................................................................................................
iv
ACKNOWLEDGEMENTS.......................................................................................
v
LIST OF TABLES.....................................................................................................
viii
LIST OF FIGURES ................................................................................................
viii
er O ve T E d
C TE
D
TITLE PAGE………………………………………………………………………..
re s
1 2
SENSOR NETWORKS.................................................................................
6
An Overview.............................................................................................. Sensor Network Security ........................................................................... Power Consumption Issues ........................................................................ Network Viability ......................................................................................
6 6 10 13
PHASE CHANGE IN RANDOM NETWORKS ..........................................
18
Random Networks ..................................................................................... Ad hoc Network Model ............................................................................. Phase Change Analysis ..............................................................................
18 22 27
MULTICAST COMMUNICATION SCHEME ...........................................
35
Keyserver Selection Scheme...................................................................... Key Distribution Protocol .......................................................................... Group Key Management & Message overhead ......................................... Power consumption.................................................................................... Cluster size estimation ...............................................................................
37 40 50 56 58
ht s
C O PY 3.
4.
1
Motivation.................................................................................................. Overview of Network Embedded Support.................................................
R
2.
INTRODUCTION .........................................................................................
IG Al H lr T ig S
1.
PR
CHAPTER
vii
Table of Contents (Continued) Page 61
Random Key Predistribution...................................................................... Clone Detection using Bloom Filters......................................................... Key Agreement Protocol............................................................................
61 62 64
6.
TRADEOFF BETWEEN KEYSERVERS AND CLUSTER SIZE ..............
69
7.
SECURITY ANALYSIS ...............................................................................
75
Byzantine Attack........................................................................................ Sybil Attack ............................................................................................... Cloning Attacks .........................................................................................
75 76 77
APPLICATION & CONCLUSION ..............................................................
79
BIBLIOGRAPHY......................................................................................................
84
C TE
er O ve T E d
C O PY
R
re s
ht s
IG Al H lr T ig S
8.
D
CLONE DETECTION AND REMOVAL ....................................................
PR
5.
LIST OF TABLES Table
Page
System overhead for membership operations ....................................................
56
2
Power consumption for network initialization...................................................
58
3
Average number of nodes within a multicast ....................................................
60
4
Total messages for a network of 100 nodes.......................................................
70
5
Total messages for a network of 100 nodes.......................................................
73
6
Data transmission requirements [12] for tracking application in ColTraNe......
80
7
Number of encryptions required for secure transmission in ColTraNe.............
8
Power consumption comparison using AES encryption....................................
9
Power consumption for security and communication........................................
C O PY
R
re s
ht s
IG Al H lr T ig S
PR
er O ve T E d
C TE
D
1
82 82 82
LIST OF FIGURES
Figure
Page
Flowchart of sensor network security approach presented in this thesis. ..........
4
2
Range limited random graphs ............................................................................
19
3
Example Erdös-Rényi graphs ............................................................................
19
4
Example graph and its connectivity matrix. ......................................................
20
5
Phase change in a random graph........................................................................
21
6
Geometric representation of inequality (xi − x j ) + ( y i − y j ) ≤ r 2 . ................
24
7
Phase change for Ad hoc network with r=0.06..................................................
30
8
Phase change for Ad hoc network with r=0.07..................................................
31
9
Phase change for Ad hoc network with r=0.05..................................................
32
10 Phase change prediction for size of multicast....................................................
33
11 Failure to form a giant component.....................................................................
34
er O ve T E d
C TE
D
1
2
re s
R
ht s
IG Al H lr T ig S
PR
2
36
13 Binary key tree...................................................................................................
41
14 Communication scheme in multicast groups .....................................................
43
15 Initial KEK management tree ............................................................................
45
16 Walkthrough of Key Tree Generation ...............................................................
48
17 Example solutions to the tree generation process ..............................................
50
18 Cluster size estimation .......................................................................................
60
19 Byzantine attack.................................................................................................
65
C O PY
12 Multicast communication topology ...................................................................
x
List of figures (Continued) Figure
Page 72
21 Tradeoff between number of multicasts and size of multicast group ................
72
22 Tradeoff between h & k .....................................................................................
73
C TE
D
20 Tradeoff between h & k ....................................................................................
C O PY
R
re s
ht s
IG Al H lr T ig S
PR
er O ve T E d
23 Tradeoff between number of multicasts and size of multicast group ................
74
Chapter 1
Introduction
1.1
Motivation
In a sensor network, a large number of sensor nodes form an ad hoc wireless network.
D
Sensors nodes work in a distributed and co-operative manner that increases the life of the
C TE
network and maintains sensing capability within the field. Many applications, including military and surveillance uses, require these networks to be secure. [Brooks 2004a]
er O ve T E d
describes the ColTraNe application. Nodes with acoustic, seismic, and passive infrared sensors are scattered in hostile terrain to track the movement of enemy tanks. The sensors
PR
report presence and motion of tanks to a central authority. If this network were to be
re s
IG Al H lr T ig S
compromised, then enemy forces could manipulate the sensors to report incorrect
ht s
information. Among other attacks, adversaries may capture nodes, copy them, make subtle changes, and re-insert these cloned copies into the network. [Slijepcevic 2002,
R
Wood 2002] outline the importance of security in wireless sensor networks. Cloned
C O PY
nodes can disrupt a network by: –
inserting false detections,
–
dropping packets,
–
modifying data,
–
eavesdropping,
and initiating useless processing to drain power from legitimate nodes (“sleep deprivation”). Applications need to guarantee that adversaries cannot subvert the network. The network should be capable of identifying and isolating compromised nodes. The network should
2
not have single points of failure; it must function properly even if a large number of nodes are lost or damaged. In this thesis, we present network embedded support for secure communication in sensor networks. We propose a distributed self-organizing scheme to maintain sensor network
C TE
D
security. The approach has minimal power and processing requirements thus making it suitable for sensor network applications.
Overview of Network Embedded Support
er O ve T E d
1.2
The sensor networks we consider use random key predistribution [Chan 2003] to
PR
authenticate nodes, i.e. each sensor node is preloaded with a subset of keys from a large
re s
IG Al H lr T ig S
key pool. Nodes are deployed by scattering them at random in large numbers in a hostile
ht s
terrain. More structured deployments (see [Iyengar 2005]) that use traditional topologies for sensor deployment could use our approach with minimal changes; random
R
deployment is discussed here as it requires the fewest assumptions and is ad hoc. Any
C O PY
two nodes that share a common key and fall within each other’s communication range can establish a common communications link. Figure 1 provides a flowchart of our approach; authenticated sensor nodes collaborate to create secure multicast regions [Canetti 1999, Poovendran 1999, Dahlman 2001], where all sensor nodes use a common key for communication. This requires less power than current approaches [Carman 2000], where each communications link uses a different key. Instead of each packet being decrypted and re-encrypted at each hop, a packet is reencrypted only when it moves between multicast regions.
3
Keyservers (sensor nodes that manage the keys used for encryption during communication) are selected at random using a secure selection scheme [Pirretti 2005], which guarantees that each node has an equal chance of being chosen. Each keyserver recruits all authenticated nodes within a given number of hops to join its multicast group.
C TE
D
A binary tree structure is created to manage group membership. A common multicast communications key is securely transmitted to each sensor node in the multicast group.
er O ve T E d
The communications key is refreshed periodically. This ensures the sanctity of the keys used for communication by the network at any point of time.
PR
To be viable, a sensor network needs to guarantee connectivity among a quorum of
re s
nodes. It also needs the nodes in the quorum to be positioned so that they can detect
IG Al H lr T ig S
events throughout the sensor field. We show that these viability factors are satisfied if
ht s
and only if the network possesses a unique giant component. The network is said to have a giant component if there exists a single component whose size is in the order of total
C O PY
R
number of nodes in the network.
The distribution of keyservers needs to be defined so as to maintain this giant component without incurring excessive overhead. The tradeoff between the number of multicast regions and the size of each region is vital to maintaining minimum message overhead and power consumption while at the same time ensuring information security. Nodes served by more than one keyserver serve as gateways between multicast regions. [Brooks 2006] describes an efficient way of detecting clones in sensor networks with random key predistribution, which is part of our approach. If keys are used more often than a well-defined threshold, we assume that the sensor node using that key is a clone.
4
Cloned sensor nodes are ostracized from the network by broadcast messages that tell nodes to stop using the subverted key. This ensures integrity and freshness of the keys used for communication in the multicast group
C TE
D
Sensor node initialization RKP to generate a key ring for every node.
Ad-hoc Sensor deployment Random distribution of nodes in the field
Collect bloom filters to monitor key usage statistics in each cluster.
C O PY
R
Solicit membership of nodes h hops away from cluster-head in each cluster.
Figure 1
ht s
IG Al H lr T ig S
Hash based cluster-head selection. Select K cluster-heads to form a giant component.
Periodic key refresh
Group agreement among keyservers to detect misbehaving nodes.
re s
PR
Authentication using random key predistribution, nodes communicate with other nodes within their communication range sharing a common key.
er O ve T E d
Build multicast trees for group key management.
Add New nodes
Ostracize Revocation of nodes with suspect behavior
Ostracize Compromised Keyservers
Flowchart of sensor network security approach presented in this thesis.
This thesis is organized as follows. Chapter 1 introduces the need for secure and efficient communication architecture for sensor networks. It gives an overview of the proposed approach for establishing and maintaining sensor network security. Chapter 2 provides a review of sensor network security work to date. This includes a survey of power
5
consumption issues in sensor networks and an explanation of the viability criteria we use to describe when a surveillance network is functional. This criterion links surveillance applications and our derivation of the keyserver distributions. Chapter 3 derives the phase change analysis we use to determine the number of keyservers and the size of the
C TE
D
multicast regions they should serve. Chapter 4 explains the use of secure multicast regions for protecting sensor network. The secure keyserver selection protocol [Pirretti
er O ve T E d
2005] is reviewed. This chapter also includes the derivation of multicast key management protocols and analyzes their overhead in this application. In chapter 5, we show how
PR
clone detection and removal is integrated into our approach. It also explains the key
re s
agreement protocol. The results from chapter 4 and 5 are used in chapter 6 to find the
IG Al H lr T ig S
keyserver distribution that minimizes system overhead. We analyze the security of this
ht s
approach and show how it can be used to counter Sybil, Byzantine, and cloning attacks in chapter 7. Finally we conclude in chapter 8 with analysis of this approach and future
C O PY
R
directions for research.
Chapter 2
Sensor Networks
2.1
An Overview
Wireless technology has seen a remarkable growth in the past decade. Low cost, low
D
powered sensors with powerful processors have become a reality. There are potential
C TE
applications that include military surveillance, and reliable monitoring of the environment.
er O ve T E d
A sensor network is a dense network of tiny, low cost devices that collect, process, and propagate information to remote users. Sensor networks can be harnessed for both civil
PR
and military purposes. [Tubaishat 2003] describes the scope of sensor network research.
re s
IG Al H lr T ig S
Research challenges often consider the changing nature of the network topology,
ht s
distributed computing issues, and low energy designs to increase the network lifetime. Security is a major issue, since adversaries can potentially manipulate sensors to
C O PY
R
disseminate incorrect information.
2.2
Sensor Network Security
This section provides a brief survey of sensor network security literature for background
information. Another survey is [Perrig 2004]. The final report of the NAI labs DARPA SensIT project [Carman 2000] is probably the first report on sensor network security ([Carman 2004] is a recent update). The report studied key management approaches for sensor networks. It established the power requirements of these protocols when commercially available processors are used. In the report, public key approaches were found to require more energy. Secret key protocols
7
potentially expose the network to security breaches when keys are compromised. Clusterbased key establishment approaches are given in the report. The idea of handling computationally intensive tasks on a subset of nodes with more energy resources is proposed by Carman. These schemes are identity based, with identity tied to the node,
C TE
D
while sensor network implementations are data-centric [Zhao 2004, Iyengar 2004], i.e. the importance of data precedes the exact source of data or identity of the node. Imposing
er O ve T E d
identity constraints on data-centric systems negates many advances achieved by sensor network researchers; see [Zhao 2004, Brooks 2004a].
PR
[Eschenauer 2002] also realized the shortcomings of public key encryption for sensor
re s
networks. In addition to being energy intensive, each node stores the public key of all
IG Al H lr T ig S
communications partners. As the number of nodes grows the amount of local storage
ht s
required is excessive. Symmetric key encryption requires less energy and computation, but using a single key for the network makes the system vulnerable to key disclosure
C O PY
R
when nodes are physically compromised. To solve this problem random key predistribution is proposed: a large pool of keys is generated and each node is provided with a small number of keys randomly chosen from the pool. Nodes with keys in common can communicate. [Eschenauer 2002] derives key pool and sample size using Erdös and Rényi’s random graph results [Bollobás 2001]. Each node is virtually assured to share keys with some neighbors, and compromising a node compromises only a fraction of the keys used by the network. This approach supports self-organization. Deployment strategies can be flexible. [Eschenauer 2002] explains how to revoke keys on compromised nodes, but not how to detect when nodes are compromised.
8
[Chan 2003] extends [Eschenauer 2002] in three ways. In the first extension, nodes must share at least q keys to establish communications. A new key for communications is computed from a hash function of the q common keys. The network is less vulnerable to eavesdropping when a small number of nodes are captured. The initialization phase
C TE
D
requires a greater number of rounds and the key pool size must be small. Capture of any node discloses a larger percentage of the original key pool. [Chan 2003] provides an in
er O ve T E d
depth analysis of how this approach scales based on Erdös-Rényi random graph models. [Chan 2003] uses random key predistribution to bootstrap network security. After links
PR
are established, nodes use multiple disjoint communications paths to negotiate new point-
re s
to-point keys. Portions of keys are sent over disjoint paths. The real key is the exclusive-
IG Al H lr T ig S
or product of the portions. Keys can be modified securely, with a number of drawbacks:
ht s
(i) the number of communications required seems excessive and (ii) as with public key
C O PY
approach.
R
systems each node has a key for each partner. Both issues limit the scalability of the
Finally, [Chan 2003] gives each node a unique identity and randomly associates it with m other nodes. A key is generated for each associated pair of nodes. If a node is captured, eavesdropping is only possible on communications with the captured node. Since there is no guarantee that any of the m nodes sharing keys are physical neighbors of a node, multi-hop communications may be needed. Advantages include the ability to detect node cloning by analyzing the number of nodes a sensor node communicates with. A distributed voting scheme using the node id supports ostracizing nodes from the network. Drawbacks include: (i) dependence on node id, (ii) use of an Erdös-Rényi network
9
topology in the analysis, (iii) amount of communications needed for initialization, and (iv) difficulty of mapping collaborative sensing applications to the resulting connectivity graph (a random network embedded on a random geographic distribution of nodes). Others have proposed identity based random key predistribution (IBRKP) [Zhu 2003, Di
C TE
D
Pietro 2003]. Key assignment to node keyrings is a function of the node id. Initialization is done by exchanging node IDs. As with [Chan 2003], unique point-to-point keys are the
er O ve T E d
exclusive-or of the q common keys. [Carman 2004a] does a security and energy cost analysis of these approaches. The initialization cost is less than for [Chan 2003], but
PR
required storage space is from hundreds of kilobytes to megabytes.
re s
The work here builds on many of these results. We use different models for the network
IG Al H lr T ig S
topology. In the Erdös-Rényi model, the probability p a connection exists between two
ht s
nodes is the same for all pairs of nodes. However, in a network of sensors deployed in hostile terrain, the chance of connection between any two nodes does not remain the
C O PY
R
same. The probability of a connection is usually dependent on the range of the sensor node. We use a more appropriate model that randomly distributes nodes in a region and allows links only between nodes within a given range [Krishnamachari 2001]. We use different methods to identify and remove cloned nodes. We differ from [Chan 2003] by considering the number of times a key is used and detecting statistical deviations from expected behavior. A centralized protocol for removing clones is given in [Brooks 2006]. In this paper, we give a distributed protocol for the same task. Limits on the number of clones that can be inserted without being detected are given in [Brooks
10
2006], as are the false positive rate needed to effectively remove clones from the network. Our methods are more easily mapped to sensor network applications. Like [Chan 2003], random key predistribution bootstraps network security. Keys are refreshed periodically.
C TE
D
Unlike identity-based approaches, geographic regions have local multicast keys. Local key sharing allows applications to support data-centric concepts and reduces
er O ve T E d
communications overhead.
Other notable articles on sensor network security include:
[Perrig 2002] presents security solutions for resource constrained
PR
–
re s
Berkeley mote nodes. Unlike [Perrig 2002], we avoid creating new
IG Al H lr T ig S
encryption algorithms. We use standard encryption algorithms, to
ht s
allow the insertion of military grade algorithms.
–
[Przydatek 2003] looks at secure information aggregation. We
C O PY
R
consider these application design issues that are outside the scope of this work.
2.3
Power Consumption Issues
Sensor networks rely on battery power. [Roundy 2004] researches the use of ambient energy sources for sensor networks and comes to the unfortunate conclusion that this is not currently feasible. Reliance on limited, non-renewable battery energy resources means that all aspects of sensor networks need to be as energy efficient as possible. Many publications claim wireless communications dominate energy consumption in sensor networks [Pottie 2000, Akyilidz 2002]. [Pottie 2000] is the source of this claim. It
11
posits that Moore’s law implies the power needs for computation will decrease until negligible. Moore’s law states that feature sizes halve every 18 months. As feature size shrinks power requirements decrease as well. This ignores important factors: (i) leakage energy consumption grows as feature size decreases, and (ii) Moore’s law also states that
must consider all aspects of node behavior.
C TE
D
clock rates increase requiring more energy. Realistic energy models for sensor networks
–
er O ve T E d
From the empirical analysis of sensor node power consumption in [Doherty 2001]: For most commercial ARM8 processor instructions, the energy
joules per bit.
re s
The Berkeley smart dust prototypes consume ~ 0.05 * 10-9 joules per
IG Al H lr T ig S
–
PR
required is 4.3 * 10-9 joules per bit. Multiplication requires 31.9 *10-9
ht s
bit for most instructions (multiplication is not supported).
–
Radio frequency ground communications require 10-7 joules per bit for
C O PY
R
0-50 meters, and 50 * 10-6 joules per bit for 1-10 kilometers.
The mote and radio figures are lower bounds, based on ongoing research programs. Commercial products are unlikely to reach these levels of efficiency in the near future: –
Per bit energy consumption for multiply instructions on commercial processors is in the range 48 (MC68328 DragonBall) to 0.84 (SA-110 StrongARM) * 10-9 joules per bit [Carman 2000].
–
Communications require from ~ 40 * 10-6 joules (GSM cellular phone) to 1 * 10-7 joules (Bluetooth for 10s of meters) per bit [Doherty 2001].
12
–
Reception energy needs for GSM are 2*10-6 joules per bit and 10-7 joules per bit for Bluetooth. [Doherty 2001].
Energy requirements for communications are proportional to r-α where r is
D
communication range in meters. The α exponent is between 2 and 5. A value of 3 is
C TE
reasonable for many applications [Zhao 2004]. For commercial and prototype systems, transmitting one bit for one hop is on the order 102 times more expensive than computing
er O ve T E d
one instruction on one bit.
[Doherty 2001] and [Rabaey 2002] claim transmission energy is the dominant drain on
PR
sensor networks when per hop communication is over 10 meters. This claim is based on
re s
three applications that have minimal on-board computation. Two examples in [Doherty
ht s
IG Al H lr T ig S
2001] only sample data, do an analog-to-digital conversion, execute a filter and transmit data. The other example does a least squares estimate of vehicle velocity from five data samples. This amounts to executing one very small matrix multiplication. For nodes that
C O PY
R
perform minimal to no local data processing, communications energy consumption is certain to be greater than the computation energy requirements. Our empirical tests indicate that, for many classes of sensor network applications, computation dominates energy consumption. Beamforming [Slavin 2002, Chen 2004, Phoha 2002, Phoha 2003] and Closest Point of Approach (CPA) based tracking approaches [Brooks 2002, Brooks 2003, Brooks 2003a, Brooks 2004a] are compared. Beamforming is a form of spatial filter that aggregates output from a group of sensor nodes placed locally whereas CPA approaches involve using the output from a single sensor node, usually the node closest to the event. The beamforming approach was found
13
to be more accurate, while requiring ~ 103 times more energy. Communications energy requirements were calculated from the Bluetooth energy per bit. Computation energy was measured on an AMD Athlon 4 mobile processor. Communication was responsible for less than 20% of the total energy drain. Both applications used embedded Linux.
C TE
D
Beamforming is computation intensive, performing cross-correlation over multiple time series to estimate signal direction of arrival. The CPA based approach requires minimal
er O ve T E d
computation. This study of representative sensor network applications supports our claim that power awareness must consider both computation and communication.
PR
In the security domain, both [Carman 2000] and [Potlapally 2003] show that encryption,
re s
decryption, and secure hashing are computation intensive, with a large energy overhead.
communications.
Network Viability
R
2.4
ht s
IG Al H lr T ig S
[Carman 2000] and [Carman 2004] measure the energy drain of key initialization
C O PY
Consider a surveillance network charged with reporting when a member of a class of objects (targets) traverses a given surveillance domain (terrain). Reports are sent to a user community that we assume, for the sake of discussion, is external to the terrain. The network will be viable as long as it assures that: (i) an object traversing the terrain is detected (with acceptable error rates), and (ii) the user community is alerted.
This criterion is a tautology: the network is viable as long as it performs its mission. To date, the implications of this tautology have been overlooked. For example, the following methods of determining network viability do not fit the criterion []:
14
–
Network connectivity – If full network connectivity is needed, the sensor network is a giant serial system. Network availability will fall exponentially with the number of sensor nodes (n), and thus large networks will have an unacceptable mean time to failure.
For
C TE
D
networks with any redundancy, some nodes can be isolated from the network without compromising its application.
Sensing coverage refers to placing nodes so that sensor detection
er O ve T E d
–
regions have little overlap at the same time the system monitors the
PR
entire terrain. Since sensing ranges and coverage regions are
re s
unpredictable, problems with this “cookie cutter” approach are well
IG Al H lr T ig S
known [Washburn 2002], and often due to environmental influence 2005].
Real-world
ht s
[Swanson
approaches
consider
distributed
surveillance as a tracking problem using sensors with finite space and
C O PY
R
time sampling rates [Brooks 2003, Brooks 2004a]. Coverage approaches ignore sensor errors, background noise, and occlusion. In addition, coverage analysis creates a serial system, which fails when any component fails. Once again, we have a serial system where dependability falls exponentially with network size.
Network connectivity ignores sensing issues. Sensing coverage ignores wireless communications issues. We propose a network viability criterion in chapter 3 for network connectivity and sensing coverage that is a direct consequence of the network model in [Krishnamachari
15
2001], where nodes with a fixed communications range are placed at random in the terrain. Simulations show that ad hoc networks with range limited communications exhibit phase change phenomena like those found in random graph [Bollobás 2001] and percolation [Stauffer 2001] theories. Random graph theory is a branch of graph theory
C TE
D
that assigns probability distributions to the existence of edges between vertices. Percolation theory, a branch of physics, studies fluid flows in random media. Random
er O ve T E d
media are modeled as tessellations of a terrain with probability distributions for the existence of edges between neighboring vertices. [Brooks 2005] discusses their common
PR
basis.
re s
In these models, network behavior has two phases. In the first phase, the probability of
IG Al H lr T ig S
connection between nodes is small and the network has a large number of isolated
ht s
components. As connection probability grows, the expected size of the largest component grows logarithmically. In the second phase, the network is dominated by a unique giant
C O PY
R
component that contains most of the system nodes. There are still isolated holes in the network. The size of the largest hole shrinks logarithmically as connection probability increases. The transition between these two phases is extremely steep. For random graphs, the curve of the maximum component size versus edge probability takes the −c
form e − e . In percolation theory, the inflection point of this curve is referred to as the percolation threshold. Percolation theory has established these properties for systems with a giant component [Stauffer 2001]:
16
1
For systems above the percolation threshold, a path exists that connects the
terrain’s external boundaries. 2
At the percolation threshold, property 1 is self-similar over scales.
Consider sensor networks with nodes either randomly placed [Krishnamachari 2001], in a
C TE
D
regular tessellation [Stauffer 2001], or a weighted combination of the two. Sensor nodes are vertices in a random graph structure. Edges between vertices represent either an
er O ve T E d
active communications link, or detection of a target passing between nodes. In practice the edge probability distribution is the minimum of the two likelihoods, which is often
PR
the communications range.
re s
Above the phase change (percolation threshold) a single giant component of order n
IG Al H lr T ig S
(O(n)) connects most of the sensor nodes [Stauffer 2001]. It has at least one path
ht s
connecting all the terrain’s external boundaries (property 1). This property is true for subsets of the system across scales (property 2). Thus, for a sensor network with a giant
C O PY
R
component, targets traversing the network will be detected by at least one node that can report the detection to the user community. Therefore, the network fulfills our viability criterion.
This shows the network is viable while it has a giant component. In our simulation, we infer the loss of the giant component from the loss of property 1. When there is no path between the terrain’s external boundaries, the giant component is fractured. Consider the worst-case scenarios for networks with initial configurations above the percolation threshold:
17
–
A target entering the network cannot be detected and/or reported while in a hole. Since the largest hole above the percolation threshold is O(log n) [Bollobás 2001, Stauffer 2001], this is the upper limit of the target’s ability to avoid detection in the initial network configuration.
D
As nodes lose power: (i) maximum hole size grows logarithmically,
C TE
–
(ii) the network becomes sparse, and (iii) the network approaches the
er O ve T E d
percolation threshold. As long as we are above the percolation threshold property 1 holds and a target has to pass through a graph
PR
edge to traverse the terrain. Once it does so, a node connected to the
re s
giant component detects the target and notifies the user community.
IG Al H lr T ig S
Property 2 says that property 1 holds for regions inside the terrain up
ht s
to the percolation threshold.
A fuller treatment of these issues and how to predict the percolation threshold for systems
C O PY
R
is in [Brooks 2005].
Chapter 3 3.1
Phase Change in Random Networks Random Networks
In section 2.4, we describe the relationship between surveillance network viability and
D
the existence of a giant component in random graphs. The existence of the giant
C TE
component in random graphs shows an abrupt phase change [Iyengar 2005, Bollobás
graph attribute as shown in figure 5.
er O ve T E d
2001, Erdös 1960, Krishnamachari 2001] when mapped against values of any relevant
We model the sensor network as a random graph G = (V, E). The set of vertices V
PR
corresponds to the set of sensor nodes and elements of the set of edges E are
re s
IG Al H lr T ig S
communications links between the sensor nodes. To analyze the graph we use a
ht s
probabilistic connectivity matrix where each element (i,j) is the probability of a connection between nodes i and j. For this paper we assume the graph is undirected, i.e.
R
the probability of connection between nodes i and j is same as the probability of
C O PY
connection between nodes j and i. If there is an edge between nodes i and j there is also an edge between nodes j and i.
The analysis in this section considers two classes of random graph topologies [Iyengar 2004]: (i)
range-limited ad hoc graphs where nodes are placed at random in a field and edges exist only between nodes separated by a distance less than a given threshold [Krishnamachari 2001], and
Figure 2
Range limited random graphs
C TE
D
19
er O ve T E d
40 nodes are positioned at random in a unit square region. The distance threshold was set as 0.25, and within that range edges exist with a
re s
Erdös-Rényi graphs where there is an equal probability an edge exists
ht s
(ii)
IG Al H lr T ig S
PR
probability of one.
C O PY
R
between any two vertices [Erdös 1960].
Figure 3
Example Erdös-Rényi graphs Number of nodes n equal to 23 nodes and the probability p equal to 0.2. Clockwise from upper left: nodes in a circle, radial embedding
20
⎡0 ⎢0 ⎢ ⎢1 ⎢ ⎢0 ⎢1 ⎢ ⎢⎣0
1 2
3 4
5
D C TE
Figure 4
6
0 0 0 1 0⎤ 0 1 0 0 0⎥⎥ 0 0 1 0 0⎥ ⎥ 0 1 0 0 1⎥ 0 0 0 0 0⎥ ⎥ 0 0 1 0 0⎥⎦
Example graph and its connectivity matrix.
We use a
er O ve T E d
A ‘1’ indicates the existence of a path from node i to j. convention where diagonal elements are set to 0.
PR
To maintain security, nodes are authenticated when they join the network. Cryptographic keys serve as de facto authentication credentials. In chapter 2, we provide justification for
re s
IG Al H lr T ig S
our use of random key pre-distribution to authorize sensor nodes, and a description of
ht s
how random key pre-distribution works. The graph formed by connections between nodes is a range-limited graph with significant clustering. As discussed in section 2.4, the
R
surveillance network will be viable only above the phase change, when this network has a
C O PY
single giant component. Section 4.1 describes a protocol for choosing keyservers. The local keyserver establishes session keys and manages group communication within the multicast group. Each of the k keyservers forms a multi-cast region by soliciting the membership of all nodes within h hops. Nodes served by more than one keyserver act as gateways between multicast regions. Therefore, keyservers of neighboring multicast regions are separated by at most 2h hops. In this section, we provide theorems that map the connectivity graph for
21
multicast regions to an Erdös-Rényi topology. In many ways, the network of keyservers is an Erdös-Rényi graph overlaid on an Ad hoc graph. Random networks exhibit sudden phase changes in connectivity. Depending on the parameters defining the graph, they are either sparsely connected or possess a unique
C TE
D
giant component. This change is with respect to any property of the network that has a monotone increasing relation to connectivity, such as number of nodes n, or
e −e
−c
er O ve T E d
communication radius r. We refer to the critical point as the inflection on the curve of function describing the largest component size in the network [Bollobás 2001, Jensen
re s
C O PY
R
ht s
IG Al H lr T ig S
PR
2000]. Figure 4 illustrates an example.
Figure 5
Phase change in a random graph
22
The percent of nodes in the largest component is around 35% until 6 keyservers are chosen. This region is where the network does not form a giant component. A sudden change in network connectivity occurs at that point. Above the inflection point, almost all nodes belong to the giant
C TE
D
component.
A random process in range-limited graphs defines node placement. Further, an edge is
er O ve T E d
determined between any two nodes if they fall within the communication range and they share a common key from their key pool. Hence, although range-limited graphs are
PR
defined by a random process, this process determines edge creation indirectly, which
re s
makes formal mathematical analysis difficult, if not impossible. Instead of formally
IG Al H lr T ig S
decomposing the graph definition into a set of Bernoulli probabilities to model the
ht s
random process, we work using the tools of statistical physics [Stauffer 1992] to derive a
C O PY
R
model that approximates system behavior.
3.2
Ad hoc Network Model
For range limited graphs, [Brooks 2005] shows that element (i,j) of the probabilistic connectivity matrix (probability of an edge connecting node j to node i) has value:
( 2c − c ) 2
(1)
where c is a constant defined as: 2 ⎧ 2 ⎛ i j ⎞ − ⎪r − ⎜ ⎟ c=⎨ ⎝ n +1 n +1 ⎠ ⎪0 ⎩
j ⎞ ⎛ i ;r ≥ ⎜ − ⎟ ⎝ n +1 n +1⎠ ; otherwise 2
2
23
Model Derivation: Consider a range-limited graph of n nodes in an x by y region, the communications radius for a node is r, and the probability of a link between two nodes given that they are within communication radius r is p. We normalize the values for x, y and r to [0..1]. To compute
C TE
D
the range limited probabilistic connectivity matrix [Iyengar 2004], we sort all nodes by their x position and label the nodes by their order in this sorted list. The expected value of
er O ve T E d
the x coordinate of node l is defined by rank statistics to be l/(n+1). (The choice of x is arbitrary.)
PR
Consider two nodes with ranks i and j. An edge exists between nodes i and j with probability p when 2
2
(2)
ht s
i
re s
− x j ) + (yi − y j ) ≤ r 2
IG Al H lr T ig S
(x
The expected values for the x coordinate of nodes i and j are i/(n+1) and j/(n+1)
C O PY
R
respectively. Which makes the expected value of ‘c’ as in equation (1),
(y
− yj )
2
i
j ⎞ ⎛ i ≤ r −⎜ − ⎟ ⎝ n +1 n +1⎠
2
2
(3)
Since the x and y coordinates are uniformly distributed and uncorrelated, the probability (3) is true is the probability that the square of the difference of two normalized uniform 2
j ⎞ ⎛ i − random variables is less than the constant c = r 2 − ⎜ ⎟ . ⎝ n + 1 n + 1⎠ These two uniform random variables describe a square region where every point is equally likely. The probability of the entire square is by definition one. The regions that
24
do not satisfy (3) are the ones in white in Figure 6. The area of the shaded region is the probability (3) is satisfied, i.e.:
pij = 1 − (1 − c) 2 = 2c − c 2
(4)
C TE
D
1-c
c
PR
er O ve T E d
yi
Geometric representation of inequality (xi − x j ) + ( y i − y j ) ≤ r 2 . 2
2
ht s
IG Al H lr T ig S
Figure 6
c
re s
yj
1-c
R
The regions that will not satisfy the inequality are unshaded.
C O PY
We now create a probabilistic connectivity matrix M for a range limited graph by making an n x n matrix with each element Mij = pij. Recall that each element (i,j) of the matrix is the likelihood that an edge exists between nodes i and j. Let Mh denote the probabilistic connectivity matrix for walks of h hops between nodes. So, M1 denotes the probabilistic connectivity matrix for walks of 1 hops between nodes, i.e. matrix M M1 = M The probability of a walk of 2 hops between nodes i and j through any other node l is the product of pil(1) and plj(1). In a network of n sensor nodes, probability of a walk of 2 hops
25
between nodes i and j is the sum of (n-2) such product terms where (n-2) is the number of sensor nodes in the network other than nodes i and j. This counting is a classical case of inclusion-exclusion problem in combinatorial
pij(2) = 1 − ∏ (1 − pil(1) ∗ plj(1) ) n
(5)
er O ve T E d
l =1 l ≠i l≠ j
C TE
set. The union of the probabilities can be expressed as
D
mathematics where probability of a walk of 1 hop for each set of nodes defines a finite
where pij(2) is the probability a walk of two hops exists edge
PR
between nodes i and j ;
re s
IG Al H lr T ig S
pil(1) is the probability an edge exists between nodes i and l;
ht s
plj(1) is the probability an edge exists between nodes l and j.
The probabilistic connectivity matrix for walks of 2 hops between nodes M2 is the union
C O PY
R
of probabilities from matrix M1.
M2 = M1 .* M1
In general,
Mh = Mh-1 .* M1
(6)
where .* denotes operation as shown in equation (5) on every element in the probabilistic connectivity matrix Mh.
Matrix characteristics Recall that in section 2.4, we established that the sensor network is only viable above the phase change.
26
Before the phase change, the distribution of component sizes is such that most nodes are isolated and a small number of components of size up to O(log n) exist [Bollobás 2001]. The magnitude of elements of Mh will therefore decrease as h increases After the phase change, the number of isolated nodes and small components decreases
C TE
D
dramatically. The single giant component of size O(n) emerges. Given the distribution of component sizes, on the average, before (after) the phase change the number of nodes
er O ve T E d
reachable within h hops will decrease (increase) with h. The likelihood of a walk connecting two nodes changes accordingly. This implies that the phase change should
PR
occur when pij( h ) = pij( h +1) , i.e. there exists an equal likelihood of a path between two nodes
re s
in h walks and a path between same two nodes in h+1 walks.
ht s
IG Al H lr T ig S
As explained in [Iyengar 2005], we constrain all p (jjh ) to zero. Equation (5) looks for paths from node i to node j by considering paths passing through all possible intermediate
R
nodes. Constraining diagonals to zero removes consideration of a node as its own
C O PY
intermediate node.
⎢n⎥ ⎢n⎥ To avoid edge effects, we consider nodes i= ⎢ ⎥ and j= ⎢ ⎥ + 1 to find the phase change. ⎣2⎦ ⎣2⎦ We now pick keyservers at random from an ad hoc network of n nodes. Each keyserver
sets up a multicast region by constructing a secure multicast tree for all nodes it can communicate with in h hops or less. As explained in chapter 4, communications between multicast regions are possible by using nodes that are in both multicast regions to reencrypt packet contents.
27
Communications is therefore possible between any two multicast regions, when their keyservers are separated by 2h-1 or fewer hops. To have a viable secure network, we need the network of communicating secure multicast regions to form a secure giant component overlaying the physical range-limited giant component.
C TE
D
Keyservers are chosen at random. The likelihood a path of 2h-1 hops exists between any two nodes chosen at random on the range-limited graph will be the same. We can
er O ve T E d
therefore consider the keyserver connectivity graph as an Erdös-Rényi graph of k nodes where k is the number of keyservers. This network of keyservers is modeled as an Erdös-
re s
Phase Change Analysis
ht s
3.3
IG Al H lr T ig S
PR
Rényi graph overlaid on the Ad hoc network.
C O PY
R
The phase change for the secure communications network occurs when: k = 2+
log (1 − pij(2 h −1) )
(
log 1 − ( pij(2 h − 2) )
2
)
(7)
where k is the number of keyservers, the keyserver serves all nodes with h hops, and ph is the probability of a walk of h or ⎢n⎥ fewer hops existing between nodes with the labels i= ⎢ ⎥ ⎣2⎦ ⎢n⎥ and j= ⎢ ⎥ + 1 from the ad hoc network model. ⎣2⎦
Proof:
28
As shown in the model derivation, the phase change occurs when ph+1=ph. By applying equation (5) recursively, we find the likelihood of a walk of 2h-1 hops between nodes i and j: pij(2 h −1) = 1 − ∏ (1 − pil(2 h − 2) ∗ plj(1) ) n
(8)
C TE
D
l =1 l ≠i l≠ j
Two keyservers can communicate if there is a walk of length 2h-1 or less between them.
er O ve T E d
Since keyservers are placed at random on the ad hoc network, we have an Erdös-Rényi graph where any two keyservers can communicate with the probability defined in (8).
PR
The probability that any two multicast regions with keyservers k1 and k2 can
= 1−
∏ (1 − p k
(2 h −1) ij
ht s
p
(2) k1k2
re s
IG Al H lr T ig S
communicate using an intermediary is therefore:
i , j =1 i , j ≠ k1 i , j ≠ k2
∗ pij(2 h −1) )
(9)
C O PY
R
which simplifies to:
(
pk(2) = 1 − 1 − ( pij(2 h −1) ) 1k 2
)
2 k −2
(10)
so that the phase change occurs when:
(
pij(2 h −1) = pk(2) = 1 − 1 − ( pij(2 h −1) ) 1k 2
)
2 k −2
(11)
Taking the log of both sides and rearranging terms yields equation (7), which was the item to be proved. Q.E.D. Simulations:
29
Simulations of our ad hoc model were run using MATLAB to verify these analytical predictions. The phase change predictions are shown in Figures 7 through 10. Simulations with number of sensor nodes n being 100, 200, 500, 1000 and 3000 yielded similar results. For each simulation, the normalized value for the radius of
C TE
D
communication r varied from 0.04 to 0.20. The radius r is normalized with respect to the dimensions of the area where the sensor network is laid. The approximation is achieved
er O ve T E d
by this model is good, but not perfect. One reason for the deviations is the use of expected values in the derivation of the ad hoc network model. For graph instances with a
PR
small number of nodes the variance of the node positions is greater; and second order
re s
effects are possible. Using expected values also assumes independence between random
IG Al H lr T ig S
variables. Independence may not strictly hold throughout the range limited graph
ht s
construction process. On the other hand, the predicted inflection point is close to the value found by the simulations.
R
For Erdös-Rényi graphs, mathematicians have determined that the phase change occurs
C O PY
when the number of edges is E= n/2 +O(n2/3) [Jensen 2000]. Note that these results are
asymptotes as graph size approaches infinity and constant offsets are not considered in the O notation. Results from our approach are therefore consistent with the analysis in [Jensen 2000] and [Bollobás 2001]. Fig.’s 7, 8, and 9 plot percent of keyservers in the largest single component vs. number of keyservers. The red dot is the predicted inflection point. Error bars for 95% confidence intervals are shown. The graphs show the mean of 35 repetitions.
re s
C O PY
R
ht s
IG Al H lr T ig S
PR
er O ve T E d
C TE
D
30
Figure 7
Phase change for Ad hoc network with r=0.06
Fig. 7 shows an ad hoc network of 1000 nodes with a communication range r = 0.06. Keyservers serve all nodes within 2 hops. Our approach predicts that 82 keyservers are
31
needed to form a giant component. At that point 80% of the keyservers are in the same
re s
C O PY
R
ht s
IG Al H lr T ig S
PR
er O ve T E d
C TE
D
component.
Figure 8
Phase change for Ad hoc network with r=0.07
The approach now predicts that 42 keyservers. At which point, 88% of the keyservers are in the same component.
C O PY
re s
R
ht s
IG Al H lr T ig S
PR
er O ve T E d
C TE
D
32
Figure 9
Phase change for Ad hoc network with r=0.05
At the predicted inflection point (k=151), 90% of the keyservers are in the same component.
re s
ht s
IG Al H lr T ig S
PR
er O ve T E d
C TE
D
33
Figure 10
Phase change prediction for size of multicast
C O PY
R
Fig. 10. The number of hops a keyserver must serve if only 5 keyservers are used. This network has 500 nodes with communications range 0.1. The predicted value is 4.
re s
ht s
IG Al H lr T ig S
PR
er O ve T E d
C TE
D
34
Figure 11
Failure to form a giant component
C O PY
R
Figure 11 shows failure to form a giant component. An ad hoc network of 1000 nodes with a range of 0.02 was simulated. The network viability criterion fails in this case. The size of the largest component keeps decreasing as more keyservers are added. With these conditions, 1236 keyservers would be needed to form a giant component from the analytical equation (7). Since this is more than the number of nodes (1000), the giant component cannot form and the network breaks. This agrees with the predictions made by our phase change analysis.
Chapter 4
Multicast Communication Scheme
Secure information exchange between two nodes requires a secure communications pipe between the nodes. Point-to-point communication schemes use a separate encryption key
D
for every pair of nodes. The encryption keys are used to create secure links between
C TE
nodes. Each node either maintains a minimum of (n-1) encryption keys to securely communicate with n nodes, or uses a secure index structure for key discovery. When
er O ve T E d
packet is forwarded from one node to another, it has to be decrypted and re-encrypted. If a message has multiple recipients, which is typical for sensor networks, it must be
re s
IG Al H lr T ig S
drains node power reserves.
PR
encrypted once for each recipient. This large number of encryptions and decryptions
ht s
Multicast is one to many communications. A node transmits messages securely within a local multicast group by encrypting using a shared key. Each member of the multicast
R
group reads the message by decrypting it locally. A packet is re-encrypted only when
C O PY
moving between different multicasts. When data is shared within regions, multicast communications approaches require fewer encryptions for secure message exchange, resulting in net power savings. Consider a message from node A that is forwarded to node C via node B. In the random key predistribution scheme from [Eschenauer 2002] with point-to-point communications, node A encrypts the message using its shared key with B. On receipt of the message B decrypts the message and then re-encrypts it using the key B shares with node C. If the message travels over multiple hops the message is encrypted and decrypted at every node.
36
Alternatively, using the scheme in [Chan 2003], a packet would have to be encrypted once for every recipient and decrypted locally by each recipient. This assumes that routing information is kept as plain text. It also implies the local node needs to store one key for each communications partner, which scales poorly.
C TE
D
In a multicast scheme, all nodes in a local multicast group share a common session key. The message is encrypted once by the sender using this key. Each member of the
er O ve T E d
multicast group can simply forward the encrypted packet without re-encrypting it. The message is re-encrypted only when moving between different multicasts.
PR
The rest of this chapter explains how to design ad hoc multicast encryption
re s
infrastructures for sensor networks. We also provide a security analysis in chapter 7
C O PY
R
ht s
IG Al H lr T ig S
showing how this approach can foil a number of attacks.
Figure 12
Multicast communication topology For a sensor network of randomly deployed node, circles show the multicast groups. The larger black dots are sensor nodes acting as
37
keyservers. Nodes located in overlaps between two multicast regions act as gateways.
Keyserver Selection Scheme
D
4.1
C TE
Keyservers maintain the security of the multicast region by controlling group formation and membership. Using our approach, there is the threat that network security could be
er O ve T E d
compromised if malicious nodes collude to be chosen as keyservers. They could then undermine the keyserver election scheme and skew the process to favor the election of
IG Al H lr T ig S
secure selection scheme [Pirretti 2005].
re s
PR
malicious nodes. In this section, we describe how we avert this possibility by using a
ht s
The selection scheme ensures that all nodes have an equal chance of becoming keyserver. When selecting the keyservers (cluster head in [Pirretti 2005]), each node:
R
– Generates a random number n.
C O PY
– Calculates a hash value from the number h(n). Any hashing algorithm ranging from modulo arithmetic to SHA1 could be used.
– Broadcasts the hash value to participating nodes. This commits the node to its number without revealing its value. – Waits an agreed upon time-out period for every participating node to broadcast its hash value. – Broadcasts a list of all nodes that have transmitted hash values. – Matches the lists it receives to its local list and requests a hash value from any missing node.
38
– Waits an agreed upon time-out period, then broadcasts its random number. – Verifies random numbers against pre-committed hash values to ensure integrity.
C TE
D
The keyserver is then chosen using agreed-upon criteria based on these random numbers. For example, the node whose id satisfies (1) becomes the keyserver.
er O ve T E d
⎛⎛ n ⎞ ⎞ Mod ⎜ ⎜ ∑ ri ⎟ , n ⎟ + 1 ⎝ ⎝ i =1 ⎠ ⎠
(12)
PR
where ri is the pseudo random number generated by node i of the n nodes participating in the selection process.
re s
IG Al H lr T ig S
Note that collusion to foil this approach to favor any given node effectively requires the
ht s
cooperation of all participating nodes.
To find the overhead incurred by this approach, consider a network of n nodes, c of
R
which are clones. The scheme requires three rounds of message exchanges: the message containing the hash code,
(ii)
lists of participating nodes, and
(iii)
the message revealing the random number.
C O PY
(i)
For round (i) there are n messages. If pe is the probability that a given message is not received by one of the (n-1) other nodes, the average number of retransmissions is: ∞
1 + ∑ i. pe = 1 + i =1
i
pe
( pe − 1)2
making the total number of commit messages:
(13)
39
⎛ ⎞ p n * ⎜⎜1 + e 2⎟ ( pe − 1) ⎟⎠ ⎝
(14)
Assuming the list of participants is fairly consistent across nodes, retransmissions will be unnecessary for round (ii) and the total number of messages will be n. The overhead for
(15)
PR
If we take into account packet sizes,
C TE
⎛ 2 pe ⎞ n ∗⎜5 + ⎟ 2 ⎜ ( pe − 1) ⎟⎠ ⎝
er O ve T E d
required for keyserver selection is therefore:
D
round (iii) is the same as for round (i) and is given by (14). The total number of messages
Rounds (i) and (iii) transmit one number along with routing information.
re s
ht s
hash value.
IG Al H lr T ig S
Round (ii) requires a payload of approximately 2n values to associate each node with its
C O PY
R
This makes the total volume of traffic required by this process about: ⎛ pe ⎞ 2n ∗ ⎜ 3 + n + ⎟ 2 ⎜ ⎟ − p 1 ( ) e ⎝ ⎠
(16)
Compromised nodes have the same likelihood of becoming a keyserver as any other node in the multicast group. For a network containing k keyservers and n nodes c of which are
compromised (cloned), the likelihood that any node chosen to be a keyserver is cloned is
c . The likelihood that exactly i compromised nodes are keyservers follows a binomial n distribution:
( )(
⎛k⎞ c ⎜i⎟ n ⎝ ⎠
i
1− c
n
)
k −i
(17)
40
with mean k ∗ c
n
and variance k ∗ c (1 − c ) . This allows us to predict the effect of n n
cloned nodes on our multicast security approach. Although the presence of more clones in the network will increase the number of subversive keyservers, we can leverage two
D
known results to counteract this. The first result is that increasing the number of cloned
C TE
nodes in the network increases the system’s ability to detect clones and remove them from the network [Brooks 2006]. The second result is that Byzantine agreement protocols
er O ve T E d
can infer the correct answer in spite of internal system subversion as long as fewer than 1/3 of the participants are malicious [Barborak 1993]. In chapter 7, we explain these
re s
Key Distribution Protocol
IG Al H lr T ig S
4.2
PR
issues in detail.
ht s
In the seminal document on sensor network security [Carman 2000], NAI labs studied many key management protocols for sensor networks. They found traditional secret key
C O PY
R
protocols lacking in flexibility for managing group membership and refreshing cryptographic keys. In this section we present a group key management protocol that can periodically refresh keys and modify network membership without compromising network security. We quantify the overhead of this approach to show its viability. Overhead is studied in terms of both the number of encryptions and the number of packet exchanges required. The work presented here builds on results [Zhu 2002] that provide optimizations for group re-keying in multicast environments. In this approach, multicast keys are managed using a rooted multicast key tree [Poovendran 1999, Dahlman 2001 Each sensor node is
41
associated with a leaf node on the key tree. All nodes attached to the key tree share a common symmetric key for encrypting/decrypting data. The data encryption key and a set of key encryption keys are managed by a unique keyserver node. Each of the n sensor nodes in the key tree has a unique Key Encryption Key (KEK) and a set of approximately
C TE
D
log n Shared Key Encryption Keys (SKEKs). A binary key tree is used to manage the SKEKs to minimize both the number of keys stored on end nodes and the number of
er O ve T E d
messages sent over the communications tree to refresh and/or revoke keys. Figure 13 shows an example of such a binary key tree.
K 3.1
K 3.2
K 3.3
K 3.4
Level 1
K2.3
K 2.2
K 3.5
Level 0
K 3.6
K 3.7
Level (log nc)
C O PY
R
K 3.0
K 2.1
K 1.1
ht s
K 2.0
IG Al H lr T ig S
K 1.0
re s
PR
K 0.0
Figure 13
Binary key tree
A binary tree contains two nodes at each level. It has log n levels (where n is the number of nodes in the tree) and 2l nodes at level l. In the approach presented, the keyserver node
is the root. Every other physical sensor node is associated with a leaf node. A Key Encryption Key (KEK) is associated with each node in the key tree. Figure 13 shows a tree for a multicast of 9 sensor nodes represented by leaf nodes K3.0, K3.1, …, K3.7 and root node K0.0. Node K0,0 is associated with the multicast region keyserver. We denote the key associated with the jth node on ith level of the binary key tree as Ki,j. The keyserver is
42
selected at random. As shown in previous section, each node has an equal chance of becoming the keyserver. The keyserver solicits every node within h hops to join its multicast region. To reduce unnecessary multi-hop data transmissions, during initialization the keyserver constructs a
C TE
D
communications tree which groups the nodes it successfully recruits by geographic proximity. The keyserver constructs and securely transmits a unique KEK to each node.
er O ve T E d
This can be done using Shamir’s no-key protocol, which requires three messages [Menezes 1996]. The keyserver then constructs, encrypts, and securely transmits the
PR
appropriate SKEKs to the sensor nodes. There is one SKEK for each non-leaf node of the
re s
key tree, forcing each sensor node to store approximately log n SKEKs. Given this key
IG Al H lr T ig S
structure, the keyserver can securely communicate with any possible subset of nodes that
ht s
are members of its group by choosing the minimal set of KEKs and SKEKs. The first step in our process is determining the membership of each multicast region. This
C O PY
R
is done by choosing the keyserver, using the technique in Section 4.1 and associating all of the nodes within h hops with the keyserver. The values needed for the number of keyservers k and number of hops h is determined using the techniques in chapter 3. The second step of the process is creating a balanced key tree structure rooted at the keyserver. We use this binary tree structure to manage a set of KEKs that are used when refreshing keys to guarantee the security of the new keys. Let nc be the number of nodes in a given multicast group, or cluster. Each node is a member of the set
{
}
S = m0 , m1 ,… , mnc −1 . The keyserver is node mk. We construct a binary tree Tb where each member mi is associated with the leaf nodes of Tb. Every node in Tb represents a key
43
Kij where i is the level of the node and j indicates the number of the node (jth node on level i). The key acts as a KEK for all nodes within its sub-tree. Each sensor node in the multicast group stores log nc KEKs and a session key. Each KEK represents a group of
D
sensor nodes that are associated with the leaf nodes of the KEK in the key tree.
n4
C TE
n5
k1
n3
n8
n6
n7
PR
n2
n1 n4 n2 n6 n3 n7 n5 n8
Binary Key Tree
ht s
Figure 14
IG Al H lr T ig S
Physical layout of a multicast
re s
k1
er O ve T E d
n1
Communication scheme in multicast groups
R
Figure 14 shows a physical layout of a multicast consisting of 9 nodes. k1 gets elected as
C O PY
the keyserver by the election scheme explained in section 4.2. It solicits membership of nodes within distance 2 message hops. n1, n2 and n3 join the multicast in the first round
and n4,…, n8 join in the second round. k1 establishes a secure private key over the
untrusted channel using Shamir’s no-key protocol with each of the eight members n1,…, n8. They denote keys at level 3 on the Binary key tree. It generates a KEK for n1-n4 encrypts with their respective private keys and transmits over the network as two separate packets. This KEK is the leftmost key on level 2 of the binary key tree in figure 14. Similarly, it establishes all keys at level 2. At level 1, the generated KEK is now
44
encrypted with the respective level 2 KEK. Now, k1 to n1 requires 1 hop and k1 to n4 requires 2 hops. When the KEK at level 1 is transmitted, the overlap in path results in only 2 message hops instead of 3 had there been no overlap. Finally the session key at level 0 is transmitted to all nodes in 9 message hops. (4 to reach n1, n4, n2, n6 and 5 to
C TE
D
reach n3, n7, n5, n8). This outlines the need for an optimal binary tree that yields minimum message hops.
er O ve T E d
Theorem:
The problem of finding the optimal tree with a minimal number of minimum message
Proof:
re s
PR
hops is NP complete.
IG Al H lr T ig S
Given tree T, with nc members, sensor nodes must be grouped so that messages to
ht s
multiple sensor nodes share common physical paths whenever possible, i.e. the number of message hops is minimized. This optimal tree occurs when at every level of the binary
C O PY
R
key tree children are connected to the parent directly by a single hop mapped on the physical graph. Consider the tree in Figure 15, which is a key management tree for a cluster of six sensor nodes. Let’s label the physical sensor nodes ni for i ranging from 0 to
5. The root is n0.
45
n0 n2
a
n1
h
e i
f n3 n4
n3
n5
n2 Binary Key Tree
Physical layout of sensor nodes
er O ve T E d
(a)
Figure 15
n4
n0
g n5
D
d
c
C TE
b
n1
(b)
Initial KEK management tree
PR
The optimal tree will have an edge between physical sensor nodes corresponding to leaf
re s
IG Al H lr T ig S
node pairs. The justification for this constraint is that transmission of key d, for example,
ht s
will only require sending a single packet to the nearest of the two sensor nodes n1 or n2 (here n1) and one additional hop to send the key to the other sensor node (here n2).
R
Similarly, for key b to be sent to nodes e, h, and i with a minimal number of packet hops,
C O PY
one of the following sets of edges need to exist: (e,i), (e,h), (h,e), (i,e), or ((a,e) and (a,i)). Note that node n0 will be constrained to being assigned to node a. To find the optimal tree, a mapping must be found of sensor nodes in the physical graph (i.e. n0, n1, …, n5) to
nodes in the key tree a ,e ,f, g, h, and i that satisfies the following Boolean expression:
( f , g ) ∧ ( h, i ) ∧ ( ( e, h ) ∨ ( e, i ) ∨ ( ( a, e ) ∧ ( ( a, h ) ∨ ( a, i ) ) ) ) ∧
(( e, f ) ∨ ( e, g ) ∨ ( f , h ) ∨ ( f , i ) ∨ ( g , h ) ∨ ( g , i ) ∨ ((( a, f ) ∨ ( a, g ) ) ∨ (( a, e ) ∨ ( a, h ) ∨ ( a, i )))) (18) where an atomic element of the expression is true if an edge between the corresponding physical nodes (i.e. if node n1 is mapped to h and node n2 is mapped to i, (h,i) is true iff
46
there exists an edge (n1,n2). The approach used to construct this from Figure 15 is easily generalized to create a Boolean expression for any binary key tree. Finding a mapping that satisfies this expression is a Boolean Satisfiability Problem. The Boolean Satisfiability problem is the first known NP Complete Problem. Therefore
C TE
D
finding the optimal tree for our problem is equivalent to solving the associated Boolean Satisfiability Problem. Since finding the optimal tree is equivalent to solving an NP
er O ve T E d
complete problem, it is NP complete and no tractable polynomial time algorithm exists for solving this problem unless NP is in P. QED.
PR
We construct the key tree by using a two-pass protocol, where phase (i) creates an initial
re s
tree and phase (ii) groups nodes to assign tree nodes to sets of physical sensor nodes.
IG Al H lr T ig S
Phase (i) constructs initial tree Tbd which is used to construct Tb in Phase (ii)
ht s
1. Initialize Tbd by making the keyserver the root node. It is both root and leaf at this point.
C O PY
R
2. Each node not in the tree Tbd, that is one hop from a leaf node, becomes its child. 3. Repeat step 2, (h-1) times where h is the maximum number of hops from the keyserver to any sensor node in the multicast group. Techniques for computing the parameter h are given in chapter 3.
Phase (ii) construct binary key tree Tb from initial tree Tbd. (We will illustrate this phase with an example shown in Figure 16.) 1. Assign any leaf node of the tree Tbd as nt. (Let nt be node 5 as shown in Figure 16b.)
47
2. Count number of siblings of nt (child nodes of its parent node). (Node 5 has 2 siblings: nodes 6 & 7.) (a) if (even)
group parent with nt (node 1 gets grouped with node 5) group all siblings into pairs (nodes 6 & 7 are grouped
C TE
(b) if (odd)
D
together) do not group parent node
er O ve T E d
group all siblings and nt into pairs.
3. Remove nodes that were grouped in step 2 from consideration and repeat steps 1
2 & 4 as shown in figure 16c).
re s
PR
and 2 until all nodes are grouped. (The iterations group nodes 8 & 9, 10 & 11 and
IG Al H lr T ig S
4. Fuse grouped nodes into single nodes, reconstruct a balanced tree of the fused
ht s
nodes and repeat steps 1, 2 and 3. (Figure 16d shows how nodes 5, 1, 6, 7 get grouped.)
C O PY
R
5. Repeat step 4 until only one node exists in the initial tree. Construct the key tree according to the grouping of nodes at every iteration in step 4. (Further iterations group nodes 8, 9, 10, 3 into one group and 11, 12, 2, 4 into another finally to form binary tree as shown in figure 16e).
Figure 16 shows how to construct a key tree from the ad hoc network cluster.
48
5 6
Ad hoc cluster of sensor nodes 4
Balanced Key Tree Tbd
5, 1 6, 7
12 Keyser ver
11
8, 9
1 1 7
Keyser ver
5
6
7
3
8
9
10, 3
4
10
3
2, 4
12
8 9
10
(b)
(c)
C TE
(a)
11, 12
11
D
2
2
6
7
8
(e)
Figure 16
9
3
10
11
Binary Key Tree Tb
6, 7
11, 12 8, 9
10, 3
2, 4
(d)
12
2
4
ht s
5
IG Al H lr T ig S
1
5, 1
re s
PR
er O ve T E d
Grouping of nodes in the key tree
Walkthrough of Key Tree Generation
C O PY
R
From the ad hoc network (a), we create an initial tree (b). We group nodes (c & d). The result is a binary tree (e) that groups nodes by the keys they will have in common.
This protocol creates an efficient tree for key management within the multicast group. An n-ary tree with N nodes will contain (lognN + 1) levels. A binary tree is used, since binary search trees require a minimal number of operations to distinguish subsets of nodes [Baase 1988]. To minimize the amount of network traffic using this approach, nodes need to be grouped in a manner that reflects the physical layout of the multicast communications tree. One message hop is the transmission of one message over one hop
49
in the network. When physical neighbors are leaves on the same key sub-tree, the number of message hops needed to transmit a new key to those nodes is minimal. If msg(a,b) indicates the number of hops to nodes a and b, then
D
msg ( a, b) = msg ( a) + msg (b) − msg (a∩ b)
min ( msg (a, b) ) = max ( msg (a ), msg (b) ) + 1
C TE
Grouping of two nodes a and b is optimal, when msg(a,b) is minimum.
er O ve T E d
For example, consider two leftmost leaf nodes on the binary key tree Tb in Figure 16e. They correspond to nodes 1 and 5 in the communications tree. To change the KEK for
PR
the key tree node that has nodes 1 and 5 as children takes a total of two message hops. If
re s
IG Al H lr T ig S
the same tree nodes had been mapped to physical nodes 6 and 12, the same operation
ht s
would require 3 hops to node 12 and 2 hops to node 6 or 5 message hops total. This shows the advantage of having a key tree with maximum overlap to reduce the number of
R
messages required to establish and maintain a secure network.
C O PY
Our protocol is a heuristic that provides good results in most cases. Some simulations we have run found multiple trees with equal numbers of message hops to every node. For example, consider a cluster of 10 nodes as in Figure 17a. Our protocol gives a binary tree
as shown in Figure 17b. Another possible configuration of nodes is in Figure 17c. However, Figure 17b and Figure 17c both require 46 message hops.
50
1
Fig a 6
2 K
5
9 3
7
K 4
K
1
2
5
6
7
4
8
3
C TE
D
8
1
9
6
4
8
3
9
Fig c
Example solutions to the tree generation process
ht s
re s
Group Key Management & Message overhead
IG Al H lr T ig S
4.3
7
PR
Figure 17
5
er O ve T E d
Fig b
2
We now show how to calculate the number of encryption, messages and hops required by our approach. We list the necessary group key management operations and compute the
C O PY
R
number of encryptions, messages and hops required for each. (a) Initial keying.
Every sensor node elects the keyserver in a distributed and secure manner by the
scheme in [Pirretti 2005]. The keyserver establishes a unique private key with
each member of the multicast group using Shamir’s protocol [Menezes 1996] which sets up a shared key over an untrusted channel by exchanging 3 messages. The keyserver then generates a key-encryption key (KEK) for pairs of nodes each at level (log nc-1) of the binary key tree. It encrypts the key for level j with the private key for level j+1 of the tree. Finally, the session key denoted by the root of
51
the binary tree is established. This session key can now be used to secure multicast data communications. Number of encryptions: At level (log nc), 0 encryptions are needed. Shamir’s protocol requires no encryption.
encryptions. (log n c ) -1 i
∑2
= 2 log n c − 1 = nc -1
er O ve T E d
The number of KEKs at these levels =
C TE
D
At each of (log nc)-1 levels from level 0 to level (log nc)-1, a KEK is established using 2
i =0
Number of messages exchanged:
(19)
PR
∴Total number of encryptions = 2 * (nc -1) + 0 = 2(nc -1)
re s
ht s
key.
IG Al H lr T ig S
At level (log nc), 3 messages are exchanged using Shamir’s protocol to setup the private
At each of (log nc)-1 levels from level 0 to level (log nc)-1, a KEK is established and it
R
takes two messages to transmit to both the branches. Thus for each KEK, we have
C O PY
2 messages.
∴ Total number of messages = 2 * (nc -1) + 3 * (nc-1) = 5(nc-1)
Number of hops:
Let ni denote number of nodes exactly i hops from the root node such that h
(n c − 1) = ∑ ni i =1
(20)
52
At level (log nc), each of the 3 messages required to set a private key using Shamir’s protocol require hi hops where hi is the number of hops to member mi from the root node, i.e. keyserver. h
∴ Number of hops to set up keys at level (log nc), = 3 * ∑ (ni * i )
D
i =1
C TE
At level (log nc)-1, again we transmit one message to each of the members of the
er O ve T E d
multicast group.
h
∴ Number of hops to set up keys at level (log nc)-1, =
∑ (n * i) i
i =1
PR
At level 0, the session key for the entire cluster has to reach all the members.
re s
h
∑ n = (nc-1) i
i =1
ht s
IG Al H lr T ig S
∴ Number of hops to set up session key at level 0, =
At remaining (log nc)-2 levels (level 1 to level (log nc)-2), each level i has 2i nodes. At
R
each node we transmit two messages to their respective left and right branch,
C O PY
which have to reach nodes mi each of which are hi hops away. (i = 0, …, nc-1). However, the number of hops is reduced according to our ability to group nodes so that paths from the root to neighboring nodes overlap. We define a variable ά which represents this effect. Consider a physical layout where there is no overlap.
Every sensor node in the multicast group has a separate path from the keyserver. This worst case estimate can be calculated by setting ά to 1. In the best case scenario, number of hops at (level 1 to level (log nc)-2) would be h. h
∴ Average number of hops at (level 1 to level (log nc)-2) = ά
∑ (n * i) i
i =1
53
h
∴ Total number of hops = (nc-1) + (4 + ά * ((log nc)-2))*
∑ (n * i) i
(21)
i =1
(b) Member ostracism. If a single node is found to be insecure [Brooks 2006], a new multicast key is
D
created and sent to the rest of the multicast tree. If node ml leaves the cluster, its
C TE
former sibling replaces their parent node. All keys with member ml are
er O ve T E d
compromised and must be re-keyed. When a single node is compromised, the entire log nc keys associated with it are compromised. However since the node’s
PR
sibling is promoted one level in the tree structure, one fewer key needs to be replaced. Removing isolated nodes is the worst-case scenario, since it is often the
re s
IG Al H lr T ig S
case that sets of nodes will have some SKEK in common. The existence of a
ht s
common key allows the keyserver to group nodes in a way that reduces both the number of encryptions and the number of message hops.
R
Number of encryptions:
C O PY
(log nc)-1 keys have to be replaced, each requiring 2 encryptions. ∴ Total number of encryptions = 2 *((log nc)-1)
(22)
Number of messages exchanged: Replacement of (log nc)-1 keys. Each replacement requires sending one message to each of the key’s two child nodes. ∴ Total number of messages = 2 *((log nc)-1)
Number of hops:
(23)
54
Each message must reach a subset of nodes within the cluster which consist of all leaf nodes associated with the new KEK. The session key at level 0 (K0.0) has to be encrypted with its child node (K1.0 and K1.1) and then transmitted to the set of all leaf nodes served by K1.0 and K1.1. In general, the size of the subset of nodes is
C TE
D
nc/(2(j-1)) where j denotes the level of the KEK in the key tree.
Average number of hops to deliver 2 *((log nc)-1) messages, where each message
er O ve T E d
reaches nc/(2(j-1)) nodes = [2 *((log nc)-1)] *[ nc/(2(j-1))] = nc((log nc)-1)/2j. h
Average number of hops at each level = ά
∑ (n * i) i
i =1
IG Al H lr T ig S
nodes within the cluster,
re s
PR
With every change, the session key has to be rekeyed which requires nc hops to reach all
ht s
Number of hops required to transmit remaining ((log nc)-2) KEKs h
R
= ά * nc/2j * ((log nc)-2)*
∑ (n * i) i
i =1
C O PY
∴ Total number of hops = nc + ά * nc/2j * ((log nc)-2)*
h
∑ (n * i) i
(24)
i =1
(c) Member Join operation. A join operation is a request from a sensor node to join the cluster. The join may be as a result of re-seeding the network, or re-organizing of the existing sensor nodes to maintain connectivity. Sensor nodes have severe energy and resource constraints. It is not efficient to re-key the entire tree to perform a single join. Instead, the new sensor node is attached to leaf nodes without siblings when they are available. If nc was even, then there are usually no isolated nodes. In which
55
case, the new sensor node attaches itself to the nearest sensor node. Over time the key tree may become unbalanced and a complete re-keying of the multicast region will be necessary. In our approach, we assume that the process does not have to keep previous transactions secret from new members. If that is the case, a new
C TE
D
session key needs to be distributed to all nodes in the multicast region. Number of encryptions:
er O ve T E d
When a node joins a leaf node, it creates an extra parent node and a KEK associated for that node.
re s
Number of messages exchanged:
(25)
PR
Hence total 2 extra encryptions are required
IG Al H lr T ig S
As the case for encryption, we require 2 messages to transmit that KEK. Also, the new
ht s
node should establish its private key (3 messages) and receive existing ((log nc)2)KEKs in the path to the root node (keyserver) in the keytree. (26)
C O PY
R
∴ Total number of messages = 5 + ((log nc)-2)
Number of hops:
Since, the join occurs on any of the members less than h hops away, the total number of hops required to transmit the messages to the new member and its sibling can be a maximum of (5 + ((log nc)-2))*h and minimum of (5 + ((log nc)-2))
(27)
56
Total Encryptions
Total messages transmitted
2(nc -1)
5nc –2
Initial keying
Total hops required nc + (4 + ά * ((log nc)-2))*
h
∑ (n * i) i
i =1 h
4.4
C TE
D
Member 2 *((log nc)-1) 2 *((log nc)-1) nc + ά * nc/2j * ((log nc)-2)* ∑ (ni * i ) ostracism i =1 Member join 2 5 + ((log nc)-2) ά *h*(5 + ((log nc)-2)) Table 1 System overhead for membership operations Power consumption
er O ve T E d
We use data from NAI Labs [Carman 2000] to predict the power requirements of our scheme. We consider networks using the SA-110 StrongARM and ARC-3 processors
PR
using AES (Advanced Encryption Standard) and RSA encryption. Symmetric key
re s
cryptography algorithms like AES consume less power than asymmetric algorithms like
ht s
IG Al H lr T ig S
RSA. We assume the random key pre-distribution protocol preloads each sensor node with 50 keys, and an average message length of 900 bits. The StrongARM 110 processor consumes 108 nJ for 128-bit operation [Carman 2000].
C O PY
R
The StrongARM consumes 12 times the energy of the ARC-3 [Carman 2000]. Hence, power consumption for a 128-bit operation on ARC-3 can be estimated as 9nJ. RSA encryption roughly requires 7,056 128-bit operations and decryption requires 145,408 128-bit operations. Therefore RSA requires 5.36 mJ to encrypt a message of 900 bits and decryption consumes 110.42 mJ on StrongARM 110 processor. RSA encryption on ARC-3 requires 0.45 mJ and decryption 9.20 mJ. AES requires less energy than RSA. AES encryption and decryption overhead is nearly identical. Encrypting 900 bits on a StrongARM processor would require 15.3 µJ whereas the ARC-3 requires only 0.6 µJ. These estimates are based on 0.00217 mJ/128 bit
57
encryption for StrongARM and 0.00008 /128 bit encryption for ARC-3 processor [Carman 2000]. Our protocol requires 2(nc -1) encryptions by the keyserver and log(nc) decryptions at each node. Table 2a gives tabulates the power consumption for encryption and decryption
C TE
D
key initialization at any keyserver and sensor node.
Transmission costs are usually 1.5 times the energy required for reception. The energy
er O ve T E d
consumed by idling and receiving data are nearly identical. Assuming that only transmission requires extra energy, we estimate the cost for transmitting 900 bit messages
re s
per bit for transmission.
PR
within a range of 50 meters. Radio communications using Bluetooth expend 10-7 joules
IG Al H lr T ig S
Private key establishment with each sensor node requires 2 message transmissions by the
ht s
keyserver and one by the sensor node. Each sensor node receives 2 messages and has to transmit one. Also, for each KEK in the binary key tree other than leaf nodes, the
C O PY
R
keyserver transmits 2 messages and every sensor node receives log nc
such
transmissions. There exist ( nc − 1) such KEKs. Thus, that amounts to total of 4 ( nc − 1)
transmissions and
( 2 + log nc )
( nc − 1)
receptions at the keyserver and one transmission and
receptions at each of the ( nc − 1) sensor nodes in the multicast group.
Table 2b tabulates total power consumption for transmission and reception during key initialization.
58
RSA-ARC 3
AES-SA 110
AES-ARC 3
10.72(nc -1) mJ
0.90(nc -1) mJ
30.52(nc -1) µJ
1.12(nc -1) µJ
Each sensor node 110.42log(nc) mJ 9.2log(nc) mJ log(nc) decryptions
15.26log(nc) µJ
0.56log(nc) µJ
Keyserver 2(nc -1) encryptions
D
RSA–SA 100
C TE
Table 2a Keyserver 4(nc -1) Tx & (nc -1) Rx
Total power consumption for 900bit messages
0.42(nc -1) mJ
er O ve T E d
Bluetooth Tx & Rx
Each sensor node 1 Tx & (2+ log(nc)) Rx (150 +60 log(nc)) µJ
PR
Table 2b Table 2 Power consumption for network initialization
re s
IG Al H lr T ig S
Thus for a sample network of 100 nodes scattered in unit square with a communication
ht s
radius of 0.2, the ideal cluster size (see chapter 6) is a 2-hop radius containing 26 nodes on an average. Assuming AES encryption on ARC-3 processor, the keyserver consumes
R
28 µJ for encryption and 10.5 mJ for communication, whereas every sensor node in the
C O PY
multicast consumes 2.6 µJ for decryption and 0.43 mJ for communication. 4.5
Cluster size estimation
Each keyserver serves all nodes within h hops. Message overhead and power consumption are directly proportional to the cluster size. This section explains how to predict the number of nodes in a cluster. We compute nc as a function of h. The network of keyservers is modeled as an ErdösRényi random graph overlaid on a range-limited graph of sensor nodes. Every keyserver has an equal probability of communicating with another keyserver in the network within
59
2h hops. Each node can communicate with all other sensor nodes physically located within its communications range in a single hop. The area covered by this range is π*r2. The mean field approximation p, the probability that any node is within range of a given node, is π*r2 /A, where A is the size of the field or region being surveyed.
(28)
range r of a given node is
er O ve T E d
⎛n⎞ pk = ⎜ ⎟ p k (1 − p )(1− k ) ⎝k⎠
C TE
D
Node placement follows a binomial distribution. The probability that k nodes are within
(29)
The average number of nodes reachable in a single hop is the average degree:
PR
n −1
Average degree =
∑ k * pk
(30)
re s
IG Al H lr T ig S
k =0
ht s
The probability that a node lies within h hops is obtained by increasing the range by a factor of h. This is justifiable, since after the phase change, connections between nodes
R
are very probable across all scales. The likelihood that a node is within h hops can
C O PY
therefore be estimated as π*(h*r)2/ A. We compensate for edge effects that are an artifact of our model by inflating the area considered by a factor of (h*r). The probability density function for the number of nodes within h hops becomes phk, where: ⎛n⎞ phk = ⎜ ⎟ P k (1 − P)(1− k ) and P = π*(h*r)2/ A*(1+ h*r) 2 ⎝k⎠
(31)
The expected number of nodes within h hops of the keyserver becomes: n −1
nc =
∑ k * phk k =0
(32)
60
Given the total number of nodes in the network n, their communication range r equation we can compute the average number of nodes within h hops of any node picked at random from equation 22.
Radius
1 hop
2 hop
0.10
3.0
5.3
100
0.15
6.2
13.9
100
0.20
10.3
25.8
500
0.10
14.4
500
0.15
30.9
1000
0.07
14.7
8.7
5.3
16.7
8.7
25.6
40.5
13.0
43.6
94.0
26.7
83.5
13.4
47.3
25.9
87.2
PR
42.6
C O PY
R
ht s
re s
1000 0.10 28.3 89.8 Table 3 Average number of nodes within a multicast
IG Al H lr T ig S
2 hop
2.6
er O ve T E d
100
1 hop
C TE
Nodes
Analytical
D
Simulation
Figure 18
Cluster size estimation The graph shows the number of nodes in a cluster versus the number of hops in a cluster for a network of 100 nodes with range 0.15 and 0.2.
Chapter 5
5.1
Clone Detection and Removal
Random Key Predistribution
Our approach uses sensor networks that are initialized by using random key
D
predistribution schemes where each node is preloaded with a subset of keys from a large
C TE
key pool.
Eschenauer and Gligor proposed this random key predistribution scheme [Eschenauer
er O ve T E d
2002] that supports network self-organization, which is a necessity when network deployments are not rigidly structured. A large pool of P cryptographic keys and key
PR
identifiers is generated offline. Each of the n sensor nodes in the system randomly selects
re s
IG Al H lr T ig S
a subset of k keys (keyring) from the key pool without replacement (i.e. each node has a
ht s
set of k distinct keys from P). After sensor nodes are deployed, there is a key discovery phase where each node attempts to communicate with all other nodes in radio range.
R
Links are established between any two nodes that find a common key in their set of k
C O PY
keys. All further communications use this shared secret key. Key discovery is followed by a path-key establishment phase, where nodes within communication range without keys in common establish direct links by exchanging a key. This is possible as long as there is a path of nodes sharing common keys between them.
Random key predistribution security schemes are well-suited for use in sensor networks due to their low overhead. However, the security of a network using pre-distributed keys can be compromised by cloning attacks. In this attack an adversary breaks into a sensor
62
node, reprograms it, and inserts several copies of it into the sensor network. Cloning gives the adversary an easy way to build an army of malicious nodes that can cripple the sensor network. Minimal reverse engineering is required at the time of the attack. Chan and Perrig [Chan 2003a] explain how clones can falsify sensor data; extract data from the
C TE
D
network; and/or stage denial of service attacks. Cloned nodes can create false target tracks and spurious network traffic. If enough bogus tracks are created, useful tracking
er O ve T E d
information is masked. Alternatively, nodes can be kept from entering into energy saving sleep states. They exhaust their battery power and the network becomes inoperable. Our
PR
system is capable of detecting and ostracizing cloned nodes in the network by a clone
re s
Clone Detection using Bloom Filters
ht s
5.2
IG Al H lr T ig S
detection protocol embedded into the network.
A Bloom filter is an approximate representation of a set that supports membership
C O PY
R
queries. It is a vector of m bits. Initially all bits in the vector are set to 0. Each member of the set is hashed using h hash functions each having with range [1…m]. The bit
corresponding to each hash value is set to one. A bit might be set more than once. Counting Bloom filters are an extension of this idea where each bit is replaced by a small counter. Often 4 to 6 bit counters are enough. When inserting an element, counters at the index positions given by the hash function values are incremented instead of setting the bit as in standard Bloom filters. These counters are decremented when a query is successful. Each sensor node makes a counting Bloom filter of the keys used by its neighbors to authenticate themselves. Bloom filters simultaneously reduce the volume of
63
data transmitted and avoid sending key values over the network. Every node transmits a bloom filter of the key usage to its keyserver. Each keyserver collects key usage statistics within its cluster. Equations that define threshold values for cloned key use in sensor networks can be found in [Brooks 2006]. If a key is used more than the threshold value,
C TE
D
sensor nodes authenticated by using that key are assumed to be cloned. Since counting Bloom filters are transmitted within the cluster, any keyserver can only recognize the
er O ve T E d
keys within its key ring. Hence, a second round of message exchanges between keyservers is necessary so that the key usage for every key is available to every
PR
keyserver.
re s
We define a threshold for the number of times a key is used for communications. Any
IG Al H lr T ig S
key that exhibits higher usage is considered cloned and hence ostracized from the
ht s
network by terminating connections with the cloned key. The threshold for the number of times a key is used for authentication is based on the probability two nodes share a key
C O PY
R
and the probability they share a connection. The expected number of times a key is used for communications in the network is : n
µk =
∑M j =1
j
⎛N ∗⎜ j ⎜Mj ⎝ P
⎞ ⎟⎟ ⎠
(33)
with variance: ⎛N ⎞ M j ∗ ⎜ j − µk ⎟ ∑ ⎜Mj ⎟ j =1 ⎝ ⎠ νk = P n
2
(34)
64
where Mj is the probability a key is on exactly j nodes, and Nj is the expected number of times a key on exactly j nodes is used. We determine whether or not a key is cloned by comparing Ui (the number of times key i is used to establish connections, which we collect by using Bloom filters) to µk computed
C TE
D
using (2) [Chan 2003a]. If Ui is significantly higher than µk it is likely that the key is being used by cloned nodes.
er O ve T E d
Our approach monitors key usage and detects statistical deviations in key use that indicate cloning attacks. The system can recover from a cloning attack by terminating
and derivation of equations 33 and 34.
re s
PR
connections using cloned keys. In [Brooks 2006] we detail the clone detection protocol
IG Al H lr T ig S
Simulations on Ad hoc network of 900 nodes shows that all cloned nodes can be detected
ht s
if the network is flooded with at least 40 cloned nodes. Simulations on Erdös Rényi
C O PY
R
network of 250 nodes could detect more that 20 clones in the network.
5.3
Key Agreement Protocol
If any keyserver turns out to be subverted, it gives rise to a problem similar to the Byzantine Generals Problem (BGP). [Barborak 1993] provides a survey of BGP research that contains algorithms for forcing agreement as long as well-known criteria (described in section 5.3.1.4) are satisfied. By applying these algorithms, our group key agreement protocol can ensure security as long as less than one-third of the keyservers are compromised.
65
The Byzantine Generals Problem considers the case when participants in a protocol are malicious and try to force disagreement among legitimate nodes. Consider the application discussed in section 1. As shown in figure 19, all white circles indicate Ad hoc network of sensor nodes. K1, K2 and K3 are keyservers of which K3 is subverted by enemy
C TE
D
forces. K3 further subverts the sensor nodes in its multicast. The sensors in the multicast
tank
K2
no tank
re s
tank
ht s
IG Al H lr T ig S
PR
K1
er O ve T E d
of K2 and K3 both sense the tank.
C O PY
R
K3
Figure 19
Byzantine attack
However, since K3 is compromised and in turn the sensors in its multicast they forward information of absence of tanks whereas K2 and sensor nodes within its multicast correctly report the presence of the tank. K1 now has contradicting information and is
66
unable to tell which node is providing deceptive information. This is a classic example for a Byzantine attack carried by the subverted keyserver K3. Since compromised nodes may incorrectly report key usage statistics and adversaries may collude to cause legitimate nodes to be detected as cloned nodes and ostracized from
C TE
D
the network, our group agreement protocol must be immune to internal subversion. The following protocol reaches agreement on the set of cloned keys, and can tolerate
er O ve T E d
subversion of less than 1/3 of the keyservers. The limit of 1/3 is the theoretical bound on distributed consensus in the presence of malicious parties [Barborak 1993].
PR
5.3.1 Group key agreement protocol
re s
To reach consensus on the set of cloned keys in the network:
ht s
the node.
IG Al H lr T ig S
1. Each node transmits to its keyserver the counting bloom filter for the keys used by
2. The keyserver transmits the counting bloom filters from all the nodes within its
C O PY
R
multicast region to every other keyserver in the network using an authenticated channel. These channels can be established using Shamir’s 3 pass protocol [Menezes 1996].
3. Every keyserver now has counting bloom filters for every multicast region. Each keyserver computes key usage statistics for keys in its keyring to identify cloned nodes. 4. The keyservers use a Byzantine agreement protocol [Barborak 1993] to reach consensus on key usage statistics. The protocol from [Brooks 1998] comes to a correct consensus as long as less than one-third of keyservers are faulty or
67
compromised. It also degrades gracefully as long as fewer than ½ of the inputs are malicious. − The keyserver computes a vector v of usage statistics from the Bloom filters provided by the keyservers.
C TE
D
− The vector v is sorted, and the lowest and highest τ values are discarded to give rise to a new vector v’ containing (k – 2*τ) entries, where τ is the number
er O ve T E d
of adversaries the network can tolerate as keyservers. − The key usage value is the mean of the vector v’.
PR
− This protocol is guaranteed to be correct when k ≥ 3τ+1. Performance
re s
degrades slowly until k = 2τ+1, at which point the majority of information is
ht s
IG Al H lr T ig S
false and the opponents control the network. Suppose that the system is designed to tolerate up to τ =10 subverted keyservers. The key usage reported by the subverted keyservers is questionable and should not be taken into
C O PY
R
account in the decision process. We discard 20 values (the first 10 and last 10 from the sorted vector v of key usage statistics) so that values with highest deviation from the mean do not affect the clone detection protocol. Any adversary that launches a Byzantine attack will have to report values near to those reported by the legitimate nodes if their values need to be a part of the decision-making process. The protocol is thus robust against Byzantine attacks. The average number of nodes in a single multicast group is nc. Hence, (nc-1) messages have to be transmitted for the keyserver to collect the counting Bloom filters from every node in its multicast group. This amounts to (k* (nc-1)) for the entire network of k keyservers.
68
A secure private key has to be established between every pair of keyservers to exchange the compressed counting Bloom filters. Using Shamir’s 3 pass protocol 3k (k − 1) 2 messages have to be transmitted to setup a secure connection between every pair of keyservers. We require additional k (k − 1) messages to exchange counting Bloom filters.
(
)
C O PY
R
re s
ht s
IG Al H lr T ig S
PR
er O ve T E d
C TE
D
∴ Total number of messages for group agreement = k (nc − 1) + 5 k 2 − k 2
Chapter 6
Tradeoff between Keyservers and Cluster size
In chapter 4, we discussed the protocol for initializing and maintaining multicast secure regions by the sensor network. The total number of messages was directly proportional to
D
the size of the multicast region. This overhead is a minimum when every node is a
C TE
keyserver for its own multicast region, because the number of hops within the region is zero. Chapter 5 discusses how to detect cloned nodes in the network. We discuss a
er O ve T E d
distributed key agreement protocol using counting Bloom filters to detect compromised nodes in the network. A round of key agreement needed to detect compromised nodes
(
)
PR
requires an exchange of k (nc − 1) + 5 k 2 − k 2 messages. The message overhead for the
re s
IG Al H lr T ig S
distributed key agreement protocol increases with the number of keyservers. The
ht s
Byzantine agreement protocol from section 5.3 ensures that cloned keyservers do not falsify information when exchanging the counting Bloom filters. This can be done by
R
introducing redundancy and allowing nodes to be served by multiple keyservers. This
C O PY
redundancy also improves the accuracy of the key usage statistics reported by the Bloom filters. Thus both security measures have a message overhead of the order of k2. To minimize traffic for the agreement protocol, we need to minimize the number of keyservers. Thus a trade-off exists between the number of keyservers and the number of hops. We use the results for predicting the phase change in the network from chapter 3, to find the values of k and h that minimize the overhead required to establish sensor network security. ∴Total messages to set up k multicasts = k*(5(nc –1))
(35)
70
(
)
∴Total messages for key agreement = k (nc − 1) + 5 k 2 − k 2
(36)
The total number of messages for both is Ms = k ∗ ( 6 ∗ ( nc − 1) + 5 ∗ ( k − 1) 2 )
(37)
D
Section 4.5 shows that nc is a function of n, r and h.
C TE
Section 3.3 shows that k is indirectly depended on n, r and h.
Thus, the optimization problem of minimizing Ms, subject to k and h, can be solved using
er O ve T E d
gradient descent or any numerical optimization algorithm. Gradient descent is an iterative algorithm to find the local minima of a function that involves moving in the direction of
PR
the negative gradient from an initial estimate. We assume the initial point for h=1.
C O PY
R
k
1
8
2
nc
k′
ht s
h
re s
IG Al H lr T ig S
N =100 ; r = 0.2
Ms
10.3
16
1492.8
4
25.8
8
1330.4
3
3
45.6
7
1978.2
4
3
56.3
7
2427.6
Table 4 Total messages for a network of 100 nodes Table 4 shows the results for a network of 100 nodes with communication range 0.2. It is clear from the data that for this instance the network can be established with minimum messages with 4 keyservers and 2 hops from each keyserver. Cluster size estimates from section 4.5 give a cluster size of 26 nodes. Hence the optimum layout for multicast communication is 4 keyservers each with a cluster size of 26 nodes that fall within 2 hop radius. This architecture can buffer up to one compromised keyserver.
71
However, assume that c nodes in the network are compromised. Since every node is equally likely to be elected as the keyserver, the expected number of compromised ⎡c ⎤ keyservers is ⎢ ∗ k ′⎥ . We need k legitimate keyservers to maintain the giant component ⎢n ⎥
D
so that the network is viable. We pick k ′ keyservers to introduce redundancy required by
C TE
the Byzantine agreement protocol. The protocol discards 2*τ (the τ largest and τ smallest) values where τ indicates the number of adversaries the network can tolerate as
er O ve T E d
⎡c ⎤ keyservers. Hence, an extra 2 ∗ ⎢ ∗ k ′⎥ keyservers are introduced. To tolerate c clones in ⎢n ⎥
re s
PR
⎡c ⎤ the network of n nodes we pick k ′ keyservers such that k ′ = 2 ∗ ⎢ ∗ k ′⎥ + k . ⎢n ⎥
need to have 8 keyservers
ht s
IG Al H lr T ig S
In the above example, to tolerate a network where 25 percent of the nodes are clones, we
The figures below show a plot of total messages required to initialize the network versus
C O PY
R
the number of hops in a multicast region. In this graph, when h=5 the number of nodes in a single multicast region is of the order of total nodes in the network. The number of multicast regions reduces with increasing region size. However, the number of messages neither decreases nor increases uniformly with region size. In this instance, use of h=1 results in 16 multicast regions. The number of regions drops to 8 when h increases to 2. Larger values of h do not significantly reduce the number of regions, but result in additional overhead for key maintenance. Figure 20 highlights the importance of calculating that minima, to reduce overhead and power consumption.
72
3000
2000 1500
D
1000 500
C TE
Total messages (Ms)
2500
0 1
2
3
4
Tradeoff between h & k
16 14
C O PY
R
IG Al H lr T ig S
Number of keyservers (k')
18
Figure 21
10
8 6
ht s
12
re s
PR
Figure 20
er O ve T E d
Number of hops (h)
4 2 0
1
2
3
4
Number of hops (h)
Tradeoff between number of multicasts and size of multicast group
Similar results are tabulated below where the communication radius r was reduced to 0.15. The total nodes in the network n remain at 100. The optimal configuration has 27 keyservers serving all nodes within 2 hops of the keyserver. The number of messages
73
decreases as long as the multicast group size remains between 1 to 3 hops. The optimum occurs with 27 keyservers serving all nodes within 2 hops.
k
nc
k′
Ms
1
17
6.2
35
4067
2
13
13.9
27
3
11
23.7
23
4
11
34.6
5
10
45.7
6
10
56.3
C TE
h
D
n = 100 ; r = 0.15
3844.8
er O ve T E d
4397.6 5901.8
20
6314
20
7586
PR
23
ht s
8000
Total messages (Ms)
C O PY
R
7000
Figure 22
re s
IG Al H lr T ig S
Table 5 Total messages for a network of 100 nodes
6000 5000 4000 3000 2000 1000
0 1
Tradeoff between h & k
2
3
4
Number of hops (h)
5
6
74
35 30 25 20 15
D
10 5 0 1
2
3
4
C TE
Number of keyservers (k')
40
5
6
Tradeoff between number of multicasts and size of multicast group
C O PY
R
re s
ht s
IG Al H lr T ig S
PR
Figure 23
er O ve T E d
Number of hops (h)
Chapter 7
Security Analysis
Applications need to guarantee that adversaries cannot subvert the sensor network, and our approach can be used to neutralize many important classes of attacks. In Byzantine
D
attacks malicious nodes try to force disagreement among legitimate nodes. In Sybil
C TE
attacks compromised nodes try to maintain multiple identities. This can be used either to stage Byzantine attacks or drain power from legitimate network nodes. Cloning attacks
er O ve T E d
create multiple copies of legitimate nodes. They can disrupt a network by inserting false detections, dropping packets, modifying data and eavesdropping. In this section we
ht s
re s
Byzantine Attack
IG Al H lr T ig S
7.1
PR
describe these attacks and how they fail against our multicast encryption infrastructure.
In a Byzantine attack, a compromised node forwards manipulated information to cripple the decisions of legitimate nodes and, in certain cases, also to influence the result.
C O PY
R
Assume that a cloned node C reports incorrect information about its key usage by transmitting randomly generated Bloom filters. In this case, when a keyserver has to calculate the key usage statistics, it will discard the extreme τ values after sorting as in
the Byzantine agreement protocol. False information from malicious nodes thus gets thrown out. In short, if the opinion of a liar has to count then he ought to speak the truth. Consider a network of N nodes scattered randomly on unit area. Let c of the n nodes be adversaries. The probability that an illegitimate node gets selected as the keyserver is same as any other node in the network, i.e. c . If we pick k nodes at random as n
76
keyservers, the expected number of cloned keyservers is (c.k )
n
. According to the group
agreement protocol in Section 9.1, to secure the network against a Byzantine attack, we have to introduce redundancy in the network. To tolerate c clones in the entire network,
{
C TE
7.2
D
we have to select max (3c * k ) + 1, k } keyservers. n Sybil Attack
er O ve T E d
The Sybil attack [Menezes 1996, Doucear 2002] is an attack on a network where one compromised node acts as multiple nodes (i.e. has multiple identities.) For example,
PR
multiple Sybil identities can drain resources from legitimate nodes by sending spurious
re s
IG Al H lr T ig S
traffic. Alternatively, Sybil nodes can skew voting algorithms, like Byzantine Agreement.
ht s
Sybil attacks are known to affect routing, data aggregation and detection of cloned nodes in sensor networks. Our approach counteracts these attacks, since they make it easier for
C O PY
Theorem:
R
compromised nodes to be identified.
A Sybil attack from any node picked as a keyserver on the sensor network makes it easier
to detect that adversary. Proof:
We select k nodes out of N nodes distributed randomly in a square field of area A as keyservers. Hence, the density of keyservers in the field is k/A. In the case of a Sybil attack, a compromised keyserver reports the existence of multiple keyservers. This leads to an increase in the density of reported keyservers. We have a prior threshold on the density of keyservers in the sensor network. Since the keyservers
77
are selected at random, their density should remain within a predictable variance from the mean. A Sybil attack will increase keyserver density when the multicast region is contained entirely in the field. Alternatively, compromised keyservers can report a concave region outside the regular field to create Sybil nodes without changing the node
C TE
D
distribution. To counter this, it is advisable to restrict deployments to predefined regions. The key usage statistics will also support the detection of the Sybil nodes. Since the Sybil
er O ve T E d
nodes require its keys to be used multiple times, they quickly fall into the category of suspicious cloned nodes that will be ostracized by the network.
PR
Consider a network of 1000 nodes spread over unit area with 100 keyservers picked at
re s
random. Hence, average density of nodes is 1000 and that of keyservers is 100. Assume a
IG Al H lr T ig S
node located at location (0.1, 0.1) is a Sybil node. It reports the false existence of 6
ht s
keyservers around it, within a range of 0.1. Hence the density of keyservers around the Sybil node increases to 6/(π*0.1*0.1)=192. Such a high density of reported keyservers
C O PY
R
implies the nodes to be Sybil. To avoid detection of this increased density, the Sybil node would have to report its Sybil keyservers to be located outside our bounded area, say locations (-0.05, -0.1) which would in turn make that node void as it lies outside the area of the network. 7.3
Cloning Attacks
In a cloning attack, an adversary floods the network with copies of any compromised node. The cloned nodes then launch a variety of attacks ranging from forwarding erroneous data to manipulating the messages in the network. It also attempts to drain other legitimate nodes of its limited power. [Brooks 2006] shows that by using statistical
78
analysis of the key usage in the network such clones can be easily detected. They can be ostracized from the network by discarding the keys used by that node. A key that is used very often indicates unusual activity by the nodes using it. Each node transmits a counting Bloom filter of the used keys. The keyservers come to a
C TE
D
consensus on which keys are cloned on the basis of pre-defined thresholds. Any key that is used more than a given threshold times is a candidate to be a suspected cloned node. If
er O ve T E d
the mean usage and variance of a key is above the specified threshold, the keyserver calculates a confidence on the suspected cloned key. The cloned nodes are removed from
PR
the network by terminating all connections using the set of cloned keys.
re s
Simulations on a 250 node network support the predicted equations. With a key pool size
IG Al H lr T ig S
of 1000 and each node randomly picking a key ring of 50 keys and with an assumption
ht s
that 10% of the keys are already cloned, analysis predicts any key used more than 100 times on average indicates a cloned node. Simulations showed that cloned nodes used the
C O PY
R
same keys an average of 100 times. In a network of 250 nodes, if there are at least 20 clones, the cloned nodes can be detected with a false positive rate of 70%. A re-encryption of only log nc keys to form new key encryption keys restores the
credibility of the network with the suspected node thrown out of the network. Since, a single point of failure does not affect connectivity, the network still maintains a giant component and is able to perform its task.
Chapter 8
Application & Conclusion
Our infrastructure provides the setup of a secure sensor network with known bounds for the number of clones that can be tolerated. The complete network setup is a distributed
D
process with no single authority. The multicast approach ensures there is no single point
C TE
of failure in the entire network. Any adversary cannot disrupt the network by just attacking a particular node; alternately, the network doesn’t fracture even if a certain
er O ve T E d
number of nodes are compromised. The process of network setup keeps in mind the power consumption limitations of sensor nodes. Hence, we define optimum tradeoffs
PR
between the number and size of the cluster so as to have minimum message overhead.
re s
IG Al H lr T ig S
Group key management saves on considerable encryptions compared other standard
ht s
methods like random key predistribution without any compromise on security. The network setup is secure against Byzantine, Sybil or Cloning attacks. We clearly state how
R
cloned adversaries are unable to subvert the network. Methods to detect clones when
C O PY
above a certain threshold and ostracize are also incorporated in the system. Ostracizing a node requires only log nc messages to be retransmitted where nc is the size of cluster in term of nodes.
Traditional random key predistribution scheme involves every node using a shared key for encryption with every other node within its range. Hence, if a node has to transmit a message to all neighboring nodes it has to perform as many encryptions as the number of nodes. The overhead increases if the node has to communicate with nodes multiple hops away. Every node in the route has to decrypt and re-encrypt the message just to forward packets to the next node. Our infrastructure allows transmitting a message to multiple
80
nodes with just one encryption even for multiple hops as long as they are in the same cluster. A re-encryption is necessary only when the message has to be transmitted across multiple clusters. Consider the field test of ColTraNe conducted [12] in November 2001. The field test
C TE
D
tracked military targets using a sensor network of 70 nodes. Each node broadcasts a CPA packet to all neighboring nodes when a target is detected. A dynamically chosen local
er O ve T E d
clump head, i.e. the node with highest intensity of a target signal, calculates target velocity and heading from the CPA data, and forwards a tracking packet to nodes likely
PR
to detect the target in the future. The tracking was implemented using Extended Kalman
re s
filter (EKF), lateral inhibition and a combination of both. The number of tracking
IG Al H lr T ig S
packets, CPA packets and inhibition packets are shown in Table 6 [12]. The numbers in
ht s
parentheses indicate packet size in bytes.
C O PY
R
Track CPA Inhibition Total bytes sent packets packets packets over the network EKF 852 (296) 59 (40) 0 (56) 254552 Lateral Inhibition 217 ( 56) 59 (40) 130 (56) 21792 EKF & Lateral Inhibition 204 (296) 59 (40) 114 (56) 69128 Table 6 Data transmission requirements [12] for tracking application in ColTraNe. The node layout for the field test has a maximum of 20 hops between nodes. On an average, each node had 4 to 5 nodes within a one hop radius and 12 nodes within 2 hop radius. We assume our multicast topology would require 10 multicast regions where each region will contain nodes within 2 hop radius. The track packets are transmitted to all nodes that are in the direction of the target. The tracking packets contain sensitive information that has to remain secure from adversaries. An existing pair-wise key encryption technique would require a separate encryption for
81
every recipient of the same packet. Hence, the existing implementation in ColTraNe would
require
one
encryption/decryption
for
every
packet,
i.e.
852
encryptions/decryptions. Our approach would require one per multicast region. Only one encryption will be required for every 12 nodes; hence the total encryptions required
C TE
D
would be 71. When the tracking algorithm used lateral inhibition, only 18 encryptions would be required using our approach, as opposed to 217 with the existing encryption
er O ve T E d
technique.
A CPA packet is transmitted to only nodes within the vicinity. The network topology for
PR
ColTraNe shows on an average 5 nodes lying in the vicinity of any node. Hence 59 CPA
re s
packets indicate 12 CPA events were generated during the tests. Our multicast
IG Al H lr T ig S
communication would require one encryption for every CPA event as all nodes in the
ht s
vicinity would fall into a single multicast. If the node generating the CPA event is common to two multicast regions, that CPA packet would require two encryptions. A
C O PY
R
worst case estimate using our approach is 24 encryptions for all 59 CPA packets. Lateral inhibition approached involved only selective nodes forwarding track information. Our approach would require as many encryptions as multicast regions assuming a worst case that each inhibition packet is forwarded to all nodes. EKF implantation would require 71 encryptions for track packets and 24 encryptions for CPA packets totaling to 95 encryptions using our approach. Similarly, lateral inhibition implementation would require 18 encryptions for track packets, 24 encryptions for CPA packets and 12 encryptions for inhibition packets adding up to 53 encryptions. Table 7 compares the total number of encryptions required by an existing point to point
82
communication scheme and our approach for the ColTraNe application. The numbers within brackets indicate the total number of bytes to be encrypted.
C TE
D
Our approach Point-to-point communication EKF 95 (21976) 911 (254552) Lateral Inhibition 53 ( 2584) 406 ( 21792) EKF & Lateral Inhibition 51 ( 6552) 377 ( 69128) Table 7 Number of encryptions required for secure transmission in ColTraNe AES encryption on a MC68328 DragonBall consumes 0.000101 mJ/bit. The estimated
er O ve T E d
power consumption is shown in Table 8. Energy consumption using is much lower in our approach for secure transmission of track information.
re s
ht s
IG Al H lr T ig S
PR
Our approach Point-to-point communication EKF 17.76 mJ 205.68 mJ Lateral Inhibition 2.09 mJ 17.61 mJ EKF & Lateral Inhibition 5.29 mJ 55.86 mJ Table 8 Power consumption comparison using AES encryption. Communications require from ~ 40 * 10-6 joules (GSM cellular phone) to 1 * 10-7 joules (Bluetooth for 10s of meters) per bit. Reception energy needs for GSM are 2*10-6 joules
C O PY
R
per bit and 10-7 joules per bit for Bluetooth. Assuming Bluetooth communication, we predict the power consumption for transmission of the messages. Table 9 compares the energy consumption for security with that required for communication.
Security using Communication using Bluetooth our approach EKF 17.76 mJ 203.64 mJ Lateral Inhibition 2.09 mJ 17.43 mJ EKF & Lateral Inhibition 5.29 mJ 55.30 mJ Table 9 Power consumption for security and communication The computations suggest that a sensor node using a point-to-point encryption mechanism expends the same amount of energy for security as required for
83
communication, whereas when using a multicast approach with the optimal number of keyservers and region size, the power requirements for maintaining security can be reduced by one-tenth. Our approach uses key usage statistics to detect cloned nodes. This keeps the false
C TE
D
positive rates within manageable bounds. If the number of clones is below this threshold, they will not be detected. This means that applications that use our approach need to be
er O ve T E d
designed to tolerate inputs from a small number of malicious participants. Further research is desirable in developing more efficient protocols for two portions of
PR
the proposed framework. The first aspect is keyserver selection. The current approach
re s
requires O(n2) messages. It would be useful to have a localized server selection protocol,
IG Al H lr T ig S
which requires less network bandwidth. The second issue is the use of Byzantine
ht s
agreement for securing against malicious keyserver nodes. Byzantine agreement protocols tend to require a large number of messages. It may be possible to develop local
C O PY
R
agreement protocols that provide similar safeguards. In the future, we wish to implement our approach on actual test beds and reduce threat against different attacks from adversaries.
BIBLIOGRAPHY
I. F. Akyildiz W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks.” IEEE Communications, vol. 40, no. 8, pp. 102-114, Aug. 2002. http://www.cs.colorado.eduz/~rhan/CSCI_7143_001_Fall_2002/Papers/ak yildiz02survey.pdf
D
[Akyildiz 2002]
Sara Baase, Computer Algorithms – Introduction to Analysis and Design, Section 1.5.4, Second Edition, Addison Wesley Publication Company, 1988.
PR
[Baase 1988]
er O ve T E d
C TE
[Barborak 1993] M. Barborak, M. Malek & A. Dahbura, “The Consensus Problem in Fault-Tolerant Computing.” ACM Computing Surveys, Vol 25, No. 2, June 1993
re s
IG Al H lr T ig S
[Bollobás 2001] B. Bollobás, Random Graphs. Cambridge University Press, Cambridge 2001. R. R. Brooks and S. S. Iyengar, Multi-Sensor Fusion: Fundamentals and Applications with Software, Prentice Hall PTR, Upper Saddle River, NJ, 1998.
[Brooks 2002]
R. Brooks, C. Griffin, and D. S. Friedlander, “Self-Organized distributed sensor network entity tracking.” International Journal of High Performance Computer Applications, special issue on Sensor Networks, vol. 16, no. 3, pp. 207-220, Fall 2002
C O PY
R
ht s
[Brooks 1998]
[Brooks 2003]
R. R. Brooks, P. Ramanathan, and A. Sayeed, “Distributed Target Tracking and Classification in Sensor Networks.” Proceedings of the IEEE, Invited Paper, vol. 91, no. 8, pp. 1163-1171, August 2003.
[Brooks 2003a] R. Brooks, Friedlander, E. Grele, C. Griffin, N. Jacobson, T. Kaiser, J. Koch, S. Phoha, J. Moore, and T. Reggio, “Distributed Tracking and Classification of Land Vehicles by Acoustic Sensor Networks.” Journal of Underwater Acoustics, Classified Journal, Invited Paper, In Press, October 2003.
85
[Brooks 2004a] R. R. Brooks, D. Friedlander, J. Koch, and S. Phoha, "Tracking Multiple Targets with Self-Organizing Distributed Ground Sensors." Journal of Parallel and Distributed Computing Special Issue on Sensor Networks, vol. 64, no. 7, pp. 874-884, August 2004. R. R. Brooks, “Random networks and percolation theory.” Chapter 49. Distributed Sensor Networks, ed.s S. S. Iyengar and R. R. Brooks, pp. 907-946, Chapman & Hall/CRC Press, Boca Raton, FL, 2005.
[Brooks 2006]
R. R. Brooks, P. Y .Govindaraju M. Pirretti, N. Vijaykrishnan & M. Kandemir, “On the Detection of Clones in Sensor Networks Using Random Key Predistribution.”
[Canetti 1999]
R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor and B. Pinkas, “A taxonomy of multicast security issues and efficient constructions.” INFOCOM'99.
PR
er O ve T E d
C TE
D
[Brooks 2005]
re s
ht s
IG Al H lr T ig S
[Carman 2000] D. W. Carman, P. S. Kraus, and B. J. Matt, “Constraints and Approaches for Distributed Sensor Network Security (Final).” NAI Labs Technical Report #00-010, September 1, 2000.
R
[Carman 2004] D. W. Carman, “Data security perspectives.” in Distributed Sensor Networks, (ed.s) S. S. Iyengar and R. R. Brooks, CRC Press, Boca Raton, FLA, in press, Fall 2004.
C O PY
[Carman 2004a] D. W. Carman, “New directions in sensor network key management.” International Journal of Distributed Sensor Networks, in press, vol. 1, no. 1, Oct. 2004. [Chan 2003]
H. Chan, A. Perrig and D. Song, “Random key predistribution schemes for sensor networks,” Proceedings of the 2003 IEEE Symposium on Security and Privacy, pp. 197-214, 2003.
[Chan 2003a]
Haowen Chan and Adrian Perrig, “Security and privacy in sensor networks.” IEEE Computer Magazine, pp. 103–105, 2003.
[Chen 2004]
J. Chen and K. Yao, “Beamforming.” in Distributed Sensor Networks, (ed.s) S. S. Iyengar and R. R. Brooks, CRC Press, Boca Raton, FLA, in press, Fall 2004.
86
[Dahlman 2001] S. Dahlman, Key management schemes in multicast environments, Pro gradu Thesis, Computer Science Dept, University of Tampere, 2001. [Di Pietro 2003] R. Di Pietro, L. Mancini, and A. Mei, “Random key-assignment for secure wireless sensor networks.” Proc. 1st ACM workshop on security of ad hoc and sensor networks, ACM Press, pp. 62-71, 2003.
C TE
D
[Doherty 2001] L. Doherty, B. A. Warneke, B. E. Boser, and K. S. J. Pister, “Energy and performance considerations for smart dust.” International Journal of Parallel and Distributed systems and Networks, vol. 4, no. 3, pp 121-133, 2001.
P. Erdös and A. Rényi, “On the evolution of random graphs.” Publ. Math. Inst. Hung. Acad. Sci. 5 (1960), 17-61.
PR
[Erdös 1960]
er O ve T E d
[Doucear 2002] John R. Doucear, “The Sybil attack.” In Proc. of the IPTPS02 Workshop, Cambridge, MA (USA), March 2002.
re s
ht s
S. S. Iyengar and R. R. Brooks, ed.’s, Distributed Sensor Networks, CRC Press, Boca Raton, FLA, in press, publication Fall 2004.
R
[Iyengar 2004]
IG Al H lr T ig S
[Eschenauer 2002] L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks.” Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 41-47, Nov. 2002.
S. S. Iyengar and R. R. Brooks, ed.’s, Distributed Sensor Networks, Chapman & Hall, Boca Raton, FLA, 2005.
C O PY
[Iyengar 2005]
[Krishnamachari 2001] Bhaskar Krishnamachari, Stephen B. Wicker, and Ramon Bejar, "Phase Transition Phenomena in Wireless Ad Hoc Networks." Symposium on Ad Hoc Wireless Networks, GlobeCom2001, San Antonio, Texas, November 2001. http://www.krishnamachari.net/papers/phaseTransitionWirelessNetworks. pdf [Menezes 1996] A. J. Menezes, P. C. van Oorschot, and A. A. Vanstone, Handbook of Applied Cryptography. CRC Press, Boca Raton, FLA, 1996. [Perrig 2002]
A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, “SPINS: Security Protocols for Sensor Networks.” Wireless Networks, vol. 8, pp. 521-534, 2002.
87
A. Perrig, J, Stankovic, and D. Wagner, “Security in wireless sensor networks.” Communications of the ACM, vol. 47, no. 6, pp. 53-57, June 2004.
[Phoha 2002]
S. Phoha and R. Brooks, “Emergent Surveillance Plexus MURI Annual Report.” The Pennsylvania State University Applied Research Laboratory, Report 1, Defense Advanced Research Projects Agency and Army Research Office, (March 2002).
[Phoha 2003]
S. Phoha and R. Brooks, “Emergent Surveillance Plexus MURI Annual Report.” The Pennsylvania State University Applied Research Laboratory, Report 2, Defense Advanced Research Projects Agency and Army Research Office (March 2003)
[Pirretti 2005]
M. Pirretti, N. Vijaykrishnan, M. Kandemir, and R. R. Brooks, “Realistic Models for Sensor Networks Using Key Predistribution Schemes.” Innovations and Commercial Applications of Distributed Sensor Networks Symposium, Bethesda, MD (October 2005)
re s
PR
er O ve T E d
C TE
D
[Perrig 2004]
ht s
IG Al H lr T ig S
[Poovendran 1999] R. Poovendran, and J. S. Baras, “An information theoretic analysis of rooted-tree based secure multicast key distribution schemes.” Lecture Notes in Computer Science, vol. 1666, pp 624-638, August 1999.
C O PY
R
[Potlapally 2003] N. R. Potlapally, S. Ravi, A. Raghunathan, and N. K. Jha, “Analyzing the energy consumption of security protocols.” Proc. International Symposium on Low Power Electronics and Design, pp. 30-35, 2003. [Pottie 2000]
G. J. Pottie, and W. J. Kaiser, “Wireless integrated network sensors.” Communications of he ACM, vol. 43, no. 5, pp. 51-58, May 2000. http://portal.acm.org/citation.cfm?doid=332833.332838
[Przydatek 2003] B. Przydatek, D. Song, and A. Perrig, “SIA: Secure information aggregation in sensor networks.” Proceedings SenSys ’03, Nov. 2003. [Rabaey 2002]
J. M. Rabaey, J. Ammer, T. Karalar, S. Li, B. Otis, M. Sheets, T. Tuan, , "PicoRadios for Wireless Sensor Networks: The Next Challenge in Ultra-Low-Power Design." Proceedings of the International Solid-State Circuits Conference, San Francisco, CA, February 3-7, 2002.
88
[Roundy 2004] S. Roundy, P. K. Wright, and J. M. Rabaey, “Energy Scavenging for Wireless Sensor Networks.” Kluwer Academic Publishers, Amsterdam, 2004. E. Slavin, R. R. Brooks, and E. Keller, “A comparison of tracking algorithms using beamforming and CPA methods with an emphasis on resource consumption vs. performance.” PSU/ARL ESP MURI Technical Report, 2002.
D
[Slavin 2002]
er O ve T E d
C TE
[Slijepcevic 2002] S. Slijepcevic, M. Potkonjak, V. Tsiatsis, S. Zimbeck, M. B. Srivastava, "On Communication Security in Wireless Ad Hoc Sensor Networks." Eleventh IEEE International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE'02), p.p. 139-144.
PR
[Stauffer 1992] D. Stauffer, and A. Aharony, Introduction to Percolation Theory, Taylor & Francis, London, 1992.
re s
ht s
IG Al H lr T ig S
[Stauffer 2001] D. Stauffer, and A. Aharony, Introduction to Percolation Theory, Taylor & Francis, London, 2001.
R
[Swanson 2005] D. C. Swanson, “Environmental effects.” Chapter 11. Distributed Sensor Networks, ed.s S. S. Iyengar and R. R. Brooks, pp. 201-212, Chapman & Hall/CRC Press, Boca Raton, FL, 2005.
C O PY
[Tubaishat 2003] Malik Tubaishat and Sanjay Madria, “Sensor Networks – An Overview.” IEEE Potentials APRIL/MAY 2003 [Washburn 2002] A. R. Washburn, “Search and Detection.” 4th ed. INFORMS, Linthicum, MD, 2002. [Wood 2002]
Wood, A. D., and Stankovic, J. A. “Denial of service in sensor networks.” IEEE Computer (2002), 54--62.
[Zhao 2004]
F. Zhao and L. J. Guibas, “Wireless Sensor Networks: an information processing approach.” Morgan Kaufmann, San Francisco, 2004.
[Zhu 2002]
Sencun Zhu, Sanjeev Setia and Sushil Jajodia, “Performance Optimizations for group Key Management Schemes for Secure Multicast.” Technical Report, George Mason University, 2002
89
S. Zhu, S. Xu, S. Setia, and S. Jajodia, “Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach.” Proc. 11th IEEE Int. Conf. On Network Protocols, p. 326, Nov. 2003.
C O PY
R
re s
ht s
IG Al H lr T ig S
PR
er O ve T E d
C TE
D
[Zhu 2003]
