Date post: | 03-Jan-2016 |
Category: |
Documents |
Upload: | august-curry |
View: | 94 times |
Download: | 1 times |
IHPIm Technologiepark 2515236 Frankfurt (Oder)
Germany
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
On Concealed Data Aggregation for Wireless Sensor Networks
Steffen Peter
Peter Langendörfer, Krzysztof Piotrowski
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
Outline
• Concealed Data Aggregation?What does it mean? What is it for?
Privacy homomorphism
• Example for an efficient CDA schemeCaMyTs-Algorithm
• Discussion of security propertiesAwareness to passive and active attacks
• Solution to overcome security problemsCascaded privacy homomorphism
• Conclusions
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
Scenario: WSN as movement/intruder detection
Q: Sensed something since last request?
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
In-Network-Aggregation (INA)
1
0
0
0
1
0
0
11,0
1,0
0,0
1,0
1,0,1,0
1,0,0,0
1,0,0,0,1,0,1,0 3
Without INA:
Reduced packet traffic
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
Security Issues of in-network aggregation
• Without cryptographyNo security
• Classic End-to-End security (DES, AES, ECC)Encryption on sensor – decryption on sink
+ Very secure- No possibility of in-network aggregation
• Hop-by-Hop encryptionPackets are encrypted and decrypted on every routing node
+ In-network aggregation possible- No End-to-End security
every routing node knows and can change every plaintext
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
Concealed (In-netwok) Data Aggregation
• We need:
End-to-End security that allows aggregation on routing nodes
= Routing nodes do not know what they aggregate
= Ability to compute with encrypted values
Only sink node can decrypt the aggregated value
• Solution:Privacy Homomorphism
Encryption
Value1
Encryption
Value2
Encryption
Value1 + Value2
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
CaMyTs (Castelluccia, Mykletun, Tsudik)
Random Stream:15226
Random Stream:30911
Random Stream:27229
Value:1
Value:0
Value:1
Encryption:1+15=16 (mod 32)
Aggregation:16+30+28=74=10 (mod 32)
10
Decryption:10 - 15 – 30 - 27= -62=2 (mod 32)= 1 + 0 + 1
16
30
28
Random Stream 1:15226
Random Stream 2:30911
Random Stream 3:27229
0+30=30 (mod 32)
1+27=28 (mod 32)
Decryption:16 – 15= 1
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
Attack Scenarios
• Passive Attacks
Eavesdropping
Ciphertext analysis
Chosen/known plaintext attacks
• Active Attacks
Unauthorized aggregation
Forged packets
Replay attacks
Malleability
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
23
Active Attack - ReplayValue:1
Value:0
Key:9
Value:0
Key:2
(Previous: 0+15=15)
1+22=23
3
15
9
2
0+9=9
0+2=2
Key Stream:15226
Decr: 3-34 1
Attack 1: 26-34 24 no plausible value
Attack 2: 20-34 18 no plausible value
9
2620
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
Active Attack - Malleability
Value:1
Key:15
Value:0
Key:30
Value:0
Key:27
Encryption:1+15=16
Aggregation:16+30+27=73=9 (mod 32)
9
Decryption:9 -15 – 30 - 27= -62= 1 (mod 32)= Alert
16
30
27
Key1: 15Key2: 30Key3: 27
Encryption:0+30=30
Encryption:0+27=27
8
8
NO ALERT0-63
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
Evaluation
Domingo-Ferrer(DF)
CaMyTs Elliptic CurveElGamal (ECEG)
Ciphertext size - + o
Encryption o + -
Decryption o - -
Aggregation o + -
Security/Resistance
Ciphertext only attack + + +
Chosen plaintext attack - + +
Replay attack - + -
Malleability + - -
Malicious aggregation - + -
Forged packets + + -
Captured Sensors - + +
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
Increase Security – Combination of two PHs
Encryption 2
Encryption 1
Value1
Encryption 2
Encryption 1
Value2
Encryption 2
Encryption 1
Value1 + Value2
Domingo-Ferrer
CaMyTs
Value1
Domingo-Ferrer
CaMyTs
Value2
Domingo-Ferrer
CaMyTs
Value1 + Value2
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
CMT/DFcombination
CMT/DFcombination
-
o
-
o
CMT/DFcombination
-
o
-
o
+
+
+
+
+
+
+
CaMyTs + DF combination
Domingo-Ferrer(DF)
CaMyTs
Ciphertext size - +
Encryption o +
Decryption o -
Aggregation o +
Security/Resistance
Ciphertext only attack + +
Chosen plaintext attack - +
Replay attack - +
Malleability + -
Malicious aggregation - +
Forged packets + +
Captured Sensors - +
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved
Conclusions
• Concealed Data Aggregation in WSNs is required
Reduced network trafficEnd-to-End security
• Concealed Data Aggregation in WSNs is possibleComputation overhead is reasonable (e.g. with CaMyTs,
DF)
• There is not one perfect CDA schemeThere are still some security issues (e.g. integrity)
Trade-off security/computation effort
Evaluation helps selecting application-fitted scheme
• Combined (cascaded) privacy homomorphism increases security with very low additional costs (e.g. CaMyTs/DF)