IHPIm Technologiepark 2515236 Frankfurt (Oder)

Germany

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

On Concealed Data Aggregation for Wireless Sensor Networks

Steffen Peter

Peter Langendörfer, Krzysztof Piotrowski

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

Outline

• Concealed Data Aggregation?What does it mean? What is it for?

Privacy homomorphism

• Example for an efficient CDA schemeCaMyTs-Algorithm

• Discussion of security propertiesAwareness to passive and active attacks

• Solution to overcome security problemsCascaded privacy homomorphism

• Conclusions

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

Scenario: WSN as movement/intruder detection

Q: Sensed something since last request?

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

In-Network-Aggregation (INA)

1

0

0

0

1

0

0

11,0

1,0

0,0

1,0

1,0,1,0

1,0,0,0

1,0,0,0,1,0,1,0 3

Without INA:

Reduced packet traffic

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

Security Issues of in-network aggregation

• Without cryptographyNo security

• Classic End-to-End security (DES, AES, ECC)Encryption on sensor – decryption on sink

+ Very secure- No possibility of in-network aggregation

• Hop-by-Hop encryptionPackets are encrypted and decrypted on every routing node

+ In-network aggregation possible- No End-to-End security

every routing node knows and can change every plaintext

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

Concealed (In-netwok) Data Aggregation

• We need:

End-to-End security that allows aggregation on routing nodes

= Routing nodes do not know what they aggregate

= Ability to compute with encrypted values

Only sink node can decrypt the aggregated value

• Solution:Privacy Homomorphism

Encryption

Value1

Encryption

Value2

Encryption

Value1 + Value2

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

CaMyTs (Castelluccia, Mykletun, Tsudik)

Random Stream:15226

Random Stream:30911

Random Stream:27229

Value:1

Value:0

Value:1

Encryption:1+15=16 (mod 32)

Aggregation:16+30+28=74=10 (mod 32)

10

Decryption:10 - 15 – 30 - 27= -62=2 (mod 32)= 1 + 0 + 1

16

30

28

Random Stream 1:15226

Random Stream 2:30911

Random Stream 3:27229

0+30=30 (mod 32)

1+27=28 (mod 32)

Decryption:16 – 15= 1

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

Attack Scenarios

• Passive Attacks

Eavesdropping

Ciphertext analysis

Chosen/known plaintext attacks

• Active Attacks

Unauthorized aggregation

Forged packets

Replay attacks

Malleability

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

23

Active Attack - ReplayValue:1

Value:0

Key:9

Value:0

Key:2

(Previous: 0+15=15)

1+22=23

3

15

9

2

0+9=9

0+2=2

Key Stream:15226

Decr: 3-34 1

Attack 1: 26-34 24 no plausible value

Attack 2: 20-34 18 no plausible value

9

2620

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

Active Attack - Malleability

Value:1

Key:15

Value:0

Key:30

Value:0

Key:27

Encryption:1+15=16

Aggregation:16+30+27=73=9 (mod 32)

9

Decryption:9 -15 – 30 - 27= -62= 1 (mod 32)= Alert

16

30

27

Key1: 15Key2: 30Key3: 27

Encryption:0+30=30

Encryption:0+27=27

8

8

NO ALERT0-63

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

Evaluation

Domingo-Ferrer(DF)

CaMyTs Elliptic CurveElGamal (ECEG)

Ciphertext size - + o

Encryption o + -

Decryption o - -

Aggregation o + -

Security/Resistance

Ciphertext only attack + + +

Chosen plaintext attack - + +

Replay attack - + -

Malleability + - -

Malicious aggregation - + -

Forged packets + + -

Captured Sensors - + +

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

Increase Security – Combination of two PHs

Encryption 2

Encryption 1

Value1

Encryption 2

Encryption 1

Value2

Encryption 2

Encryption 1

Value1 + Value2

Domingo-Ferrer

CaMyTs

Value1

Domingo-Ferrer

CaMyTs

Value2

Domingo-Ferrer

CaMyTs

Value1 + Value2

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

CMT/DFcombination

CMT/DFcombination

-

o

-

o

CMT/DFcombination

-

o

-

o

+

+

+

+

+

+

+

CaMyTs + DF combination

Domingo-Ferrer(DF)

CaMyTs

Ciphertext size - +

Encryption o +

Decryption o -

Aggregation o +

Security/Resistance

Ciphertext only attack + +

Chosen plaintext attack - +

Replay attack - +

Malleability + -

Malicious aggregation - +

Forged packets + +

Captured Sensors - +

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

Conclusions

• Concealed Data Aggregation in WSNs is required

Reduced network trafficEnd-to-End security

• Concealed Data Aggregation in WSNs is possibleComputation overhead is reasonable (e.g. with CaMyTs,

DF)

• There is not one perfect CDA schemeThere are still some security issues (e.g. integrity)

Trade-off security/computation effort

Evaluation helps selecting application-fitted scheme

• Combined (cascaded) privacy homomorphism increases security with very low additional costs (e.g. CaMyTs/DF)