Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig
Carnegie Mellon University

Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment in Sensor Networks

1

How do nodes receive cryptographic keys?

TinySec: “Distribution is simple; nodes are loaded with the shared key before deployment.”

ZigBee: …send the key in the clear, “thus resulting in a brief moment of vulnerability.”

Timeline, 2002 to 2006: SPINS, Eschenauer and Gligor, TinySec, ZigBee, MiniSec, INSENS

2

Potential approach – Physical interface

Properties achieved
• Secrecy
• Ease of use

But…
• Batch deployment remains a tedious task
• USB interface will not exist on many commodity nodes
• Sensors deployed in harsh environments
• USB interfaces are expensive

4

An ideal practical solution

No physical interface
• No USB connectors, screens, or keypads

Deploy keys wirelessly
• Resistant to eavesdropping and injection attacks

Key deployment by end users
• End users are not security experts

Batch deployment for multiple nodes
• Scales for large deployments

5

Agenda

• Motivation
• Problem definition
• Single node key deployment
• User study
• Batch deployment

6


Problem definition (1/2)

Securely set up a shared secret between a base station and a new node

• Key secrecy
  • Attacker cannot compromise shared secret
• Key authenticity
  • New node receives the key that base station intended it to receive
• Demonstrative identification
  • Users are certain which devices are communicating

8

Problem definition (2/2)

• Robust to user error
  • Fail safe - human error results in failure to set up a key, not key compromise
• Cost effective
  • Does not require additional hardware on each node
• No asymmetric cryptography
  • Even asymmetric crypto schemes need one authenticated value

9

Assumptions

Installer
• Trusted
• Not expert

Base station
• Trusted
• Generates keys

Sensor node
• Unmodified hardware
• Loose time synchronization
• Unmodified software

10

Strong attacker model

Dolev-Yao
• Overhear, intercept, modify, reorder, and send arbitrary messages
• Before, during, and after key deployment

More powerful malicious device deployed around vicinity of nodes
• Higher antenna gain
• Faster processor

11


How to send key wirelessly to new node?

[Diagram: Base station → Keying Device (holds KM) → New Node; KM is transmitted over the air]

Attacker eavesdrops on key!

13

Need some type of isolation

[Diagram: Keying Device → New Node; KM carried in shielded messages]

Faraday cage approach proposed by Castelluccia and Mutaf, 2005

14

Why isn’t a Faraday cage sufficient?

• How does installer know when to open cage?
• How does installer know cage is closed?
• What happens if Faraday cage is imperfect?
• How does installer know if node has correct key?

15

How does installer know when to open cage?

[Diagram: Keying Device and New Node inside the Faraday Cage]

16

How does installer know when to open cage?

[Diagram: Keying Device and New Node inside the Faraday Cage; Keying Beacon outside]

17

Keying beacon interacts with user

[Diagram: Keying Device and New Node inside the Faraday Cage; Keying Beacon outside]

• Solid blue - performing key deployment
• Blinking blue - done

18



How do nodes know when cage is closed?

[Diagram: Keying Device and New Node inside the Faraday Cage; Keying Beacon outside; authenticated heartbeats exchanged between Keying Device and Keying Beacon]

21

Authenticated heartbeats determine whether cage is closed

[Diagram: as above; once the cage is closed the heartbeats no longer get through]

22


What if cage leaks?

[Diagram: Keying Device and New Node inside the Faraday Cage; Keying Beacon outside]

24

What if cage leaks?

Solution 1: Keying beacon eavesdrops

Keying Beacon: “I hear shielded messages!”

25

How leaky is cage?

Lcage : Attenuation of cage (dBm)
• Strong attenuation (large negative number)
  • Attacker cannot overhear shielded messages
• Weak attenuation (small negative number)
  • Attacker can overhear shielded messages
  • Keying beacon can also detect leaked messages

In order for leaking to go undetected…
• Attacker needs a sweet spot
• Based on our setup: -66 dBm

26

How far away does attacker have to be?

RSe : Eavesdropper’s required radio sensitivity (attacker antenna gain of 10 dBm)
Pt : Transmit power of keying device, at minimum power
Lcage : Attenuation of cage
dmin : Distance of eavesdropper

If cage leaks, attacker needs to be within 19 cm

27
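The link-budget reasoning behind slides 26 and 27, worked as an added example (not the authors' code or measurements): the slides give the quantities Pt, Lcage, RSe, the attacker's antenna gain and dmin but not the propagation model, so free-space path loss at an assumed 2.4 GHz carrier is used, and all numeric parameters are constructed, so the output does not reproduce the 19 cm figure.

```python
import math

# Added example: how close an eavesdropper must be to a leaky Faraday cage,
# and when the keying beacon (Solution 1) would notice the leak itself.
# Free-space path loss is an assumption; the slides only name the variables.

C_M_PER_S = 299_792_458.0

def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss in dB between isotropic antennas."""
    return 20.0 * math.log10(4.0 * math.pi * distance_m * freq_hz / C_M_PER_S)

def received_power_dbm(pt_dbm, lcage_db, gain_dbi, distance_m, freq_hz):
    """Power at a receiver outside the cage: Pt, plus the cage attenuation
    Lcage (a negative number, as on the slides), plus receiver antenna
    gain, minus path loss over the distance."""
    return pt_dbm + lcage_db + gain_dbi - fspl_db(distance_m, freq_hz)

def dmin_m(pt_dbm, lcage_db, gain_dbi, rse_dbm, freq_hz):
    """Largest distance at which the eavesdropper still reaches its required
    sensitivity RSe: the solution of Pt + Lcage + G - FSPL(d) = RSe for d.
    Returns 0.0 when the budget is negative (nothing recoverable even up close)."""
    budget_db = pt_dbm + lcage_db + gain_dbi - rse_dbm
    if budget_db < 0:
        return 0.0
    return C_M_PER_S / (4.0 * math.pi * freq_hz) * 10.0 ** (budget_db / 20.0)

def beacon_detects_leak(pt_dbm, lcage_db, beacon_dist_m, beacon_sens_dbm, freq_hz):
    """Solution 1 on the slides: the keying beacon outside the cage listens for
    leaked shielded messages. Beacon antenna gain taken as 0 dBi (assumption)."""
    return received_power_dbm(pt_dbm, lcage_db, 0.0, beacon_dist_m, freq_hz) >= beacon_sens_dbm

if __name__ == "__main__":
    # Constructed sample parameters, not the authors' measured setup.
    F, PT, GAIN, RSE = 2.4e9, -25.0, 10.0, -94.0
    BEACON_D, BEACON_SENS = 0.1, -94.0
    for lcage in (-40.0, -66.0, -90.0):  # weak / "sweet spot" / strong attenuation
        d_cm = dmin_m(PT, lcage, GAIN, RSE, F) * 100
        heard = beacon_detects_leak(PT, lcage, BEACON_D, BEACON_SENS, F)
        print(f"Lcage={lcage:6.1f} dB  dmin={d_cm:6.1f} cm  beacon hears leak: {heard}")
```

With these constructed numbers the weakly shielded cage is caught by the beacon, the strongly shielded one leaks nothing usable, and the middle value is the undetected "sweet spot" where the attacker must nevertheless be within a few centimetres.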

What if cage leaks?

[Diagram: Keying Device and New node inside the Faraday Cage; Keying Beacon outside]

Solution 2: Keying beacon jams at full power
• Leaked messages overpowered by jamming signal

28

How do nodes know jammed at correct time?

[Diagram: Keying Device and New node inside the Faraday Cage; Keying Beacon outside]

Requires loose time synchronization

29

Summary: Protecting shielded messages

1. Faraday cage attenuates shielded messages

2. Shielded messages sent at minimum power

3. Keying beacon jams at full power

30


How does installer know if node has correct key?

[Diagram: Keying Device and New Node inside the Faraday Cage; Keying Beacon outside; each holds a copy of KM; the exchange is annotated Chal, Rsp and MAC]

32

How does installer know if node has correct key?

[Diagram: after keying, Keying Device, New node and Keying Beacon all hold KM]

33

Key verification

• Keying Beacon sends a challenge Chal to the New node
• New node replies with Rsp = MAC over Chal under its copy of KM
• Keying Beacon computes Rsp’ under its own KM and checks Rsp’ = Rsp

34

What if there was an error?

• New node ends up with a wrong key KM’
• Its response no longer matches: Rsp’ != Rsp
• Easy for user to detect
• Fail-safe

35

Summary: Single node key deployment

1. Installer places…
   • New Node and Keying Device inside Faraday cage
   • Keying Beacon outside Faraday cage
2. Keying Device and Beacon exchange authenticated heartbeats to determine whether cage is closed
3. Installer closes cage…
   • Key exchange inside cage (shielded messages)
   • Beacon jams at full power
4. Beacon notifies installer to open cage
5. Key verification
   • Compares jamming schedule
   • Challenge response protocol
6. Beacon signals to installer whether keying was successful

36
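The key-verification step summarised above (slides 32 to 36), as an added example that is not the paper's own code: the slides say only "MAC", so HMAC-SHA256 is an assumption, and the 16-byte key and challenge sizes are constructed; the `corrupt_last_bit` helper is a hypothetical stand-in for a transfer error that leaves the node holding KM’.

```python
import hashlib
import hmac
import secrets

# Added example: Message-In-a-Bottle key verification as a challenge-response
# protocol. MAC is instantiated as HMAC-SHA256 (assumption).

def mac(key: bytes, data: bytes) -> bytes:
    """MAC under KM, as written on the slides; HMAC-SHA256 is an assumption."""
    return hmac.new(key, data, hashlib.sha256).digest()

class NewNode:
    """Sensor node holding whatever key it received over the shielded channel."""
    def __init__(self, received_key: bytes):
        self.km = received_key  # KM if keying succeeded, KM' after an error

    def respond(self, chal: bytes) -> bytes:
        """Rsp = MAC over Chal under the node's copy of the key."""
        return mac(self.km, chal)

class KeyingBeacon:
    """Holder of the intended key KM; runs the check after the cage is opened."""
    def __init__(self, km: bytes):
        self.km = km

    def new_challenge(self) -> bytes:
        # Fresh random Chal each run, so an old Rsp cannot be replayed.
        return secrets.token_bytes(16)

    def check(self, chal: bytes, rsp: bytes) -> bool:
        """Rsp' = MAC_KM(Chal); keying succeeded iff Rsp' == Rsp (constant-time compare)."""
        expected = mac(self.km, chal)
        return hmac.compare_digest(expected, rsp)

def verify_node(beacon: KeyingBeacon, node: NewNode) -> bool:
    """One protocol run: True only when the node holds KM. A mismatch is the
    fail-safe outcome: the installer sees a failure and no key is trusted."""
    chal = beacon.new_challenge()
    return beacon.check(chal, node.respond(chal))

def corrupt_last_bit(key: bytes) -> bytes:
    """Constructed helper: KM' differing from KM in one bit, modelling a
    transfer error inside the cage."""
    return key[:-1] + bytes([key[-1] ^ 0x01])

if __name__ == "__main__":
    km = secrets.token_bytes(16)
    beacon = KeyingBeacon(km)
    print("correct key :", verify_node(beacon, NewNode(km)))                    # True
    print("corrupted KM:", verify_node(beacon, NewNode(corrupt_last_bit(km))))  # False
```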


User study

38


Batch deployment

[Diagram: New Nodes (keys K1, K2, K3) and Keying Device inside the Faraday Cage; Keying Beacon outside]

40

Same questions apply for batch deployment

How does installer know when to open cage?
• Keying might take variable time!
• Need to determine number of nodes in batch

How does installer know cage is closed?
• Authenticated heartbeats

What happens if Faraday cage leaks signal?
• Beacon jams at full power

How does installer know if node has correct key?
• Key verification

41

Batch deployment

[Diagram: New Nodes and Keying Device inside the Faraday Cage, which rests on a Weight Scale; Keying Beacon outside]

42

Batch deployment

[Diagram: New Nodes and Keying Device inside the Faraday Cage on the Weight Scale; Keying Beacon outside]

Same protocol from user’s perspective

# nodes = Weight / Unit weight
Heartbeat: Weight

43

Related Work

Physical interface
• Resurrecting Duckling [Stajano 01]
• Seeing is Believing [McCune 04]

Other side channel as sensors
• Talking to Strangers [Balfanz 03]
• Shake Them Up [Castelluccia 05]

Requires pre-existing information
• Integrity code [Cagalj 06]

Insecure
• Key Infection [Chan 03]

44

Conclusion

Key deployment
• Hard problem
• Not currently addressed for highly secure environments
• Needed by all secure sensor network protocols

Message-in-a-Bottle
• Secure
• Robust to user error

45