SPINS: Security Protocols for Sensor Networks

1
SPINS Security Protocols for Sensor Networks

• Authors Adrian Perrig, Robert Szewczyk, Victor
  Wen,David Culler and J.D.Tygar
• Presented By Tanu Sharma
• (Some slides have been taken from authors sites)

2
Outline

• Security for sensor networks
• - Research Problem
• Proposed Techniques
• - SPINS building blocks
• Applications
• Related Work
• Discussion
• Conclusion

3
Sensor Networks are emerging

• Many applications
• - Real-time traffic monitoring
• - Military applications
• - Emergency and critical systems etc.
• Need secure communication protocols

4
Security for Sensor Networks

• Data Authentication
• Data Confidentiality
• Data Integrity
• Data Freshness
• - Weak Freshness
• - Partial message ordering, no delay
  information
• - Useful for sensor measurements
• - Strong Freshness
• - Total ordering on req-res pair, delay
  estimation
• - Useful for time synchronization

5
Challenge Resource Constraints

• Limited energy
• Limited computation(4MHz 8-bit)
• Limited memory(512 bytes)
• Limited code size(8 Kbytes)
• Limited communication(30 byte packets)
• Energy consuming communication

6
Contributions

• SNEP
• -Sensor Network Encryption Protocol
• -Secures point-to-point communication
• µTESLA
• -Micro Timed Efficient Stream Loss-tolerant
  Authentication
• -Provides broadcast authentication

7
System Assumptions

• Communication patterns
• -Node to base station (e.g. sensor readings)
• -Base station to node (e.g. specific requests)
• -Base station to all nodes
• Base Station
• -Sufficient memory, power
• -Shares secret key with each node
• Node
• -Limited resources, limited trust

8
Notation
A, B Principals( nodes)
NA Nonce generated by A
CA Counter generated by A
? AB Master secret key between A and B ( no direction information)
KAB Secret encryption key between A and B (depends on direction)
KAB Secret MAC key between A and B (depends on direction)
MKAB Encryption of message M with KAB
MltKAB,IVgt Encryption of message M using key KAB and initialization vector IV
MAC(KAB,M) Message authentication code (MAC) of M
9
SNEP

• Data Confidentiality (Semantic Security )
• Data Authentication
• Replay Protection
• Weak Freshness
• Low Communication Overhead

10
Key Generation /Setup
Counter
KeyEncryption
RC5 Block Cipher
KeyMAC
Key Master
Keyrandom

• Nodes and base station share a master key
  pre-deployment
• Other keys are bootstrapped from the master key
• Encryption key
• Message Authentication code key
• Random number generator key

11
Authentication, Confidentiality
Node B
Node A
M, MAC(KAB, M)
MltKAB, CAgt, MAC(KAB, CA MltKAB, CAgt)

• Without encryption can have only authentication
• For encrypted messages, the counter is included
  in the MAC
• Base station keeps current counter for every node

12
Strong Freshness
Node B
Node A
Request, NA
ResponseltKBA, CB), MAC(KBA, NA CB
ResponseltKBA, CBgt)

• Nonce generated randomly
• Sender includes Nonce with request
• Responder include nonce in MAC, but not in reply

13
Counter Exchange Protocol

• Bootstrapping counter values

Node B
Node A
CA
CB, MAC(KBA, CACB)
MAC(KAB, CACB)
To synchronize A ?B NA B ?A CB,
MAC(KBA,NA CB).
14
µTESLA Authenticated Broadcast

• TESLA efficient source authentication in
  multicast for wired networks.
• Problems with TESLA
• -Digital Signature for initial packet
  authentication
• µTESLA uses only symmetric mechanism
• -Overhead of 24 bytes per packet
• µTESLA discloses key once per epoch
• -One way key chain is too big
• µTESLA restricts number of authenticated
  senders

15
Key Setup
F(Kn)
F(K1)
F(K2)
Kn
Kn-1
K1
K0
.
X

• Main idea One-way key chains
• K0 is initial commitment to chain
• Base station gives K0 to all nodes

16
?TESLA Quick Overview I

• Keys disclosed 2 time intervals after use
• Receiver knows authentic K3
• Authentication of P1MAC(K5,P1)

K4
K5
K6
K7
K3
t
Time 4
Time 5
Time 6
Time 7
P1
K3
17
?TESLA Quick Overview II

• Perfect robustness to packet loss

K4
K5
K6
K7
K3
t
Time 4
Time 5
Time 6
Time 7
18
?TESLA Properties

• Asymmetry from delayed key disclosure
• Self-authenticating keys
• Requires loose time synchronization
• Low overhead (1 MAC)
• - Communication (same as SNEP)
• - Computation ( 2 MAC computations)
• Independent of number of receivers

19
Applications

• Authenticated Routing
• Node to Node Agreement

• A B NA, A
• B S NA,NB, A, B, MAC(KBS, NA NB
  A B)
• S A SKABKSA , MAC(KSA,NA A
  SKABKSA )
• S B SKABKSB , MAC(KSB,NB B
  SKABKSB )

20
Related Work in Broadcast Authentication

• Symmetric schemes
• - Link-state routing updates
• - Multi-MAC
• Asymmetric schemes
• - Merkle hash tree
• Chained hashes
• - EMSS
• Hybrid schemes
• -Stream signature
• -K-times signature

21
Discussion Drawbacks

• The ?TESLA protocol lacks scalability
• - require initial key commitment with each
  nodes, which is very communication intensive
• SPINS uses source routing, so vulnerable to
  traffic analysis

22
Discussion Risks Un-addressed

• Information leakage through covert channels
• No mechanism to determine and deal with
  compromised nodes.
• Denial of service attacks
• No Non-repudiation

23
Conclusion

• Strong security protocols affordable
• - First broadcast authentication
• Low security overhead
• - Computation, memory, communication
• Apply to future sensor networks
• -Energy limitations persist
• -Tendency to use minimal hardware
• Base protocol for more sophisticated security
  services