SUDOKU: Secure and Usable Deployment of Keys on Wireless Sensors



Similar documents
Performance Analysis of IEEE in Multi-hop Wireless Networks

Hierarchical Clustering and Sampling Techniques for Network Monitoring

A Holistic Method for Selecting Web Services in Design of Composite Applications

An Efficient Network Traffic Classification Based on Unknown and Anomaly Flow Detection Mechanism

Computer Networks Framing

A Keyword Filters Method for Spam via Maximum Independent Sets

Behavior Analysis-Based Learning Framework for Host Level Intrusion Detection

' R ATIONAL. :::~i:. :'.:::::: RETENTION ':: Compliance with the way you work PRODUCT BRIEF

Traitor Tracing Schemes for Protected Software Implementations

IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 3, MAY/JUNE

UNIVERSITY AND WORK-STUDY EMPLOYERS WEB SITE USER S GUIDE

arxiv:astro-ph/ v2 10 Jun 2003 Theory Group, MS 50A-5101 Lawrence Berkeley National Laboratory One Cyclotron Road Berkeley, CA USA

Channel Assignment Strategies for Cellular Phone Systems

Deadline-based Escalation in Process-Aware Information Systems

State of Maryland Participation Agreement for Pre-Tax and Roth Retirement Savings Accounts

Sebastián Bravo López

A Survey of Usability Evaluation in Virtual Environments: Classi cation and Comparison of Methods

A Comparison of Service Quality between Private and Public Hospitals in Thailand

A Context-Aware Preference Database System

Open and Extensible Business Process Simulator

Intelligent Measurement Processes in 3D Optical Metrology: Producing More Accurate Point Clouds

How To Fator

Wireless Networking Guide

Neural network-based Load Balancing and Reactive Power Control by Static VAR Compensator

Information Security 201

Using Live Chat in your Call Centre

SLA-based Resource Allocation for Software as a Service Provider (SaaS) in Cloud Computing Environments

Asymmetric Error Correction and Flash-Memory Rewriting using Polar Codes

Context-Sensitive Adjustments of Cognitive Control: Conflict-Adaptation Effects Are Modulated by Processing Demands of the Ongoing Task

Static Fairness Criteria in Telecommunications

Capacity at Unsignalized Two-Stage Priority Intersections

INCOME TAX WITHHOLDING GUIDE FOR EMPLOYERS

Parametric model of IP-networks in the form of colored Petri net

FIRE DETECTION USING AUTONOMOUS AERIAL VEHICLES WITH INFRARED AND VISUAL CAMERAS. J. Ramiro Martínez-de Dios, Luis Merino and Aníbal Ollero

An Enhanced Critical Path Method for Multiple Resource Constraints

INCOME TAX WITHHOLDING GUIDE FOR EMPLOYERS

Software Ecosystems: From Software Product Management to Software Platform Management

OpenScape 4000 CSTA V7 Connectivity Adapter - CSTA III, Part 2, Version 4.1. Developer s Guide A31003-G9310-I D1

WORKFLOW CONTROL-FLOW PATTERNS A Revised View

Optimal Sales Force Compensation

Trade Information, Not Spectrum: A Novel TV White Space Information Market Model

) ( )( ) ( ) ( )( ) ( ) ( ) (1)

AUDITING COST OVERRUN CLAIMS *

Account Contract for Card Acceptance

Granular Problem Solving and Software Engineering

Unit 12: Installing, Configuring and Administering Microsoft Server

Dataflow Features in Computer Networks

protection p1ann1ng report

THE PERFORMANCE OF TRANSIT TIME FLOWMETERS IN HEATED GAS MIXTURES

Chapter 1 Microeconomics of Consumer Theory

Petri nets for the verification of Ubiquitous Systems with Transient Secure Association

On the Characteristics of Spectrum-Agile Communication Networks

REDUCTION FACTOR OF FEEDING LINES THAT HAVE A CABLE AND AN OVERHEAD SECTION

A novel active mass damper for vibration control of bridges

Table of Contents. Appendix II Application Checklist. Export Finance Program Working Capital Financing...7

Lemon Signaling in Cross-Listings Michal Barzuza*

MATE: MPLS Adaptive Traffic Engineering

Electrician'sMathand BasicElectricalFormulas

Findings and Recommendations

Weighting Methods in Survey Sampling

Marker Tracking and HMD Calibration for a Video-based Augmented Reality Conferencing System

Annual Return/Report of Employee Benefit Plan

AT 6 OF 2012 GAMBLING DUTY ACT 2012

Retirement Option Election Form with Partial Lump Sum Payment

Customer Efficiency, Channel Usage and Firm Performance in Retail Banking

F220 Series. Installation Instructions. Photoelectric Smoke/Heat Detectors

The D.C. Long Term Disability Insurance Plan Exclusively for NBAC members Issued by The Prudential Insurance Company of America (Prudential)

TRENDS IN EXECUTIVE EDUCATION: TOWARDS A SYSTEMS APPROACH TO EXECUTIVE DEVELOPMENT PLANNING

Effects of Inter-Coaching Spacing on Aerodynamic Noise Generation Inside High-speed Trains


INTELLIGENCE IN SWITCHED AND PACKET NETWORKS

Supply chain coordination; A Game Theory approach

A Comparison of Default and Reduced Bandwidth MR Imaging of the Spine at 1.5 T

In order to be able to design beams, we need both moments and shears. 1. Moment a) From direct design method or equivalent frame method

Discovering Trends in Large Datasets Using Neural Networks

The Basics of International Trade: A Classroom Experiment

Impedance Method for Leak Detection in Zigzag Pipelines

Board Building Recruiting and Developing Effective Board Members for Not-for-Profit Organizations

THE UNIVERSITY OF TEXAS AT ARLINGTON COLLEGE OF NURSING. NURS Introduction to Genetics and Genomics SYLLABUS

i_~f e 1 then e 2 else e 3

The Application of Mamdani Fuzzy Model for Auto Zoom Function of a Digital Camera

RELATED WORK 1.1 Our Contributions PROBLEM FORMULATIONS

A Three-Hybrid Treatment Method of the Compressor's Characteristic Line in Performance Prediction of Power Systems

To the Graduate Council:

OpenSession: SDN-based Cross-layer Multi-stream Management Protocol for 3D Teleimmersion

Deduplication with Block-Level Content-Aware Chunking for Solid State Drives (SSDs)

Public DNS System and Global Traffic Management

Transcription:

SUDOKU: Seure and Usable Deployment of Keys on Wireless Sensors Matthias Wilhelm, Ivan Martinovi, Ersin Uzun, and Jens B. Shmitt diso Distributed Computer Systems Lab, TU Kaiserslautern, Germany {wilhelm, martinovi, jshmitt}@s.uni-kl.de Computer Siene Department, University of California, Irvine, United States euzun@is.ui.edu Abstrat Initial deployment of serets plays a ruial role in any seurity design, but espeially in hardware onstrained wireless sensor networks. Many key management shemes assume either manually pre-installed shared serets or keys authentiated with the aid of out-of-band hannels. While manually installing seret keys affets the pratiability of the key deployment, out-of-band hannels require additional interfaes of already hardware-limited wireless sensor nodes. In this work, we present a key deployment protool that uses pair-wise ephemeral keys generated from physial layer information whih subsequently enables an authentiated exhange of publi keys. Hene, this work presents an elegant solution to the key deployment problem without requiring more apabilities than already available on ommon low-ost devies. To justify the feasibility of this solution, we implement and experimentally evaluate the proposed key deployment protool using ommodity wireless sensor motes. I. INTRODUCTION One of the ruial problems in wireless sensor networks is how to establish initial seurity assoiations between wireless sensor motes and a base station. Speifially, how to reate an authentiated hannel that an be used to exhange ryptographi material in a seure, salable, and user-friendly manner. This question is important regardless of available ryptographi primitives, as even an asymmetri key must be proteted from ative adversaries abusing the broadast nature of wireless ommuniation. There are various onventional approahes to this problem. For example, Kuo et al. propose the use of a Faraday age and a wireless jammer to protet seret keys exhanged in the lear [4]. However, this approah requires a well designed Faraday age, a areful handling of sensors and an additional verifiation mehanism to ensure that the Faraday age is not leaking proteted transmissions. Further shemes inlude seure devie pairing protools that use human pereptible outof-band hannels suh as auditory, e.g., [2], [10], visual, e.g., [7], [8] and tatile [6], [9] hannels to authentiate serets by user interation. Yet, implementing suh out-of-band hannels assumes additional hardware interfaes, e.g., mirophones, ameras, displays, or keypads that are not ommonly available on hardware- and battery-limited wireless sensor devies. Additionally, suh shemes plae the seurity burden on the The work in this paper was partially funded by the Carl-Zeiss Foundation and the Landesforshungsshwerpunkt Ambient Systems (AmSys). user, who may not understand the importane of the seurity measures. Reently, there have been researh ontributions that follow an alternative path towards seret generation. They take advantage of multi-path signal propagation as a soure of randomness from whih shared serets an be derived. In partiular, the key generation shemes desribed by Mathur et al. [5], Jana et al. [3], and Wilhelm et al. [12] analyze how the fading behavior of wireless hannels an be used to generate seret material. Suh protools only require an exhange of sampling messages to estimate the wireless hannel state between legitimate transmitters. Interestingly, an adversary who eavesdrops on these sampling messages from another physial position remains ignorant of the generated serets. The reason is that its hannel estimates de-orrelate rapidly with inreasing distane to the legitimate transmitters (for more details on the serey analysis of suh shemes see, e.g., [3]). Hene, if an appliation setting an ensure that an adversary annot be loated in spatial proximity to one of the legitimate transmitters, these shemes an be used as effiient and seure key derivation protools. While existing researh on these protools is foused on identifying and analyzing primitives for suh seret generation, the evaluation of their pratiability in real-world settings remains an open question. The goal of this work is therefore to systematially analyze the appliability of suh shemes to a pratial problem of initial seret deployment in WSNs. In this paper, we take advantage of the protool introdued in [12] to design SUDOKU, a seure and usable key deployment sheme that requires minimal user interation and has minimal requirements on hardware interfaes of wireless devies. Additionally, we augment the key generation protool to support simultaneous key exhanges using broadast transmissions, inreasing its performane with multiple sensors. II. SUDOKU OVERVIEW We introdue the onept and the design goals of the protool in this setion. The role of the partiipants is introdued as well as the sequene of protool phases, and the involvement of the user is desribed. 978-1-4244-8915-2/10/$26.00 2010 IEEE 1

A. Protool Goals We onsider a very ommon appliation of WSNs in residential monitoring and living-assistane senarios. A user wishes to deploy wireless sensors as part of an assisted-living appliation where environmental onditions are olleted and sent to a entral base station (BS), whih makes more sophistiated deisions. One of the main problems in suh senarios is how to initially establish seure assoiations between wireless sensors and the BS to protet the appliation from various impersonation and injetion attaks inherently possible due the broadast nature of wireless ommuniation. Examples of suh attaks are (i) the evil twin attak where a sensor mote is impersonated, (ii) eavesdropping and violating the onfidentiality of the ommuniation, and (iii) the injetion of rogue (attaker-ontrolled) sensor devies into the network. The goals is to mitigate these attaks with the following measures: Devie identifiation: the user an physially identify whih devies are being paired. Authentiated messages: it is not possible for adversaries to injet messages into the network. Confidentiality: a strong seret key is derived to ahieve long-term seurity. The protool is designed to meet these goals in an user-friendly way suh that usage errors are mitigated. B. Protool Partiipants Three different parties partiipate in the SUDOKU protool: the base station that manages the exeution of the protool, a group of sensor motes that wants to establish seure assoiations with the BS, and the user who deploys the network. a) Base Station: The base station is the entral element in the exeution of the protool, it oordinates the partiipating sensor motes and protets them against message injetion attaks by onstantly monitoring the wireless hannel. We assume suffiient performane and a user interfae that enables omfortable interation (suh as a high resolution display and multiple buttons), omparable to desktop-lass omputers. b) Sensor Motes: For the sensor motes ost-effiieny is the most important aspet in the hardware design, whih results in minimal platform apabilities. Therefore, we only require the availability of three ommon interfaes for SU- DOKU: a single LED light, an on/off swith and a wireless transeiver to ommuniate and to measure the reeived signal strength (RSS). The swith an be simulated, e.g., by inserting or removing the battery of the devie. We use the status LED in three different states for user feedbak: OFF shows that the devie is either un-powered, searhing for a BS or in an error state, BLINKING means that the devie is assoiated with the base station but the key is not ready, and ON indiates suessful key deployment. In ontrast to other seure key deployment protools, the LEDs are not used for generation or distribution of seret material, but only as a status-reporting interfae. User Base Station Sensors Setup Wireless Key Generation K 1,...,K n Enrypted Key Exhange K 1,...,K n Verifiation Phase n seure ontexts Figure 1. Key deployment onept of SUDOKU. The protool proeeds in four phases: (i) the user sets up the devies, (ii) ephemeral keys K i are generated from hannel measurements, (iii) enrypted key exhanges are performed to establish long-term serets K i with the help of the ephemeral keys, and (iv) the user verifies that the orret devies are paired by heking the devies LEDs. ) User: The user involvement and interation in the protool must be designed to be simple enough for the user to understand and omplete with minimal errors. In SUDOKU, users are only required to arry out very simple tasks suh as ounting the sensor motes or verifying that their status LEDs are on. The user an abort the protool if an attak is deteted and an initiate ountermeasures suh as a delayed key deployment or even law enforement if the attak persists. C. Protool Overview The protool exeution proeeds in four phases, the oneptual overview is depited in Fig. 1. First, the user sets up the devies, starting with the base station that begins to monitor the wireless hannel and periodially sends out beaon frames with ontrol information. New sensor motes assoiate with the base station, whih detets the number of sensors that are ative in the viinity and displays this number to the user to prevent rogue sensor motes. When all sensors are ready, the user initiates the seond phase, wireless key generation. Ephemeral shared serets are derived from hannel measurements between the base station and the sensors. In the third phase, key deployment, these generated keys are used to protet ryptographi key exhanges with the sensors against ative attaks. The derived long-term serets are then verified by the devies in the last phase, and the sensors indiate suessful key agreement with their LEDs. The user heks if all sensors were suessful, at this point the base station shares pair-wise strong seurity ontexts with all sensors. After this, the nodes an be plaed in their final loations; the derived keys an either be used for seure single-hop ommuniation or to support end-to-end enryption in multi-hop topologies. D. User Perspetive In order to ahieve a seure key deployment by non-expert users, error mitigation and error resistane are major goals of SUDOKU. With our proposed protool, the steps a user must perform an be summarized as follows: 1) The user powers on the base station first, whih starts to assist the user in the progression of the protool. 2

A B : M A : M BS S i S n i C m k slots Pub DH Ping,j P ong,j i RSSMAP S i RSSMAP B i T i,p i h() K i a i, b i A i, B i E K (), D K () K i A sends message M to B A broadasts message M to all partiipants Base station, manages the protool exeution Sensor mote i {1,...,n} Set of all legitimate sensors, S = {S 1,...,S n} Number of sensors partiipating in the protool Wireless hannel available for probing, i {1,...,m} Set of available hannels, C = { 1,..., m} Number of available hannels Number of sampling rounds in the KeyGen Phase Number of time slots/assoiated sensor motes Publi parameters for the enrypted key exhange The jth probe message on hannel from BS The jth probe message on hannel from S i Reeived signal strength means of S i on hannel Reeived signal strength at BS from S i on hannel Tolerane and repair values for KeyGen phase Strong ryptographi one-way hash funtion Pair-wise ephemeral key between BS and S i Large random numbers used in the DH key exhange Publi keys used in the DH key exhange Symmetri en- and deryption using key K Pair-wise long-term seret between BS and S i Table I PROTOCOL NOTATION 2) Then, eah sensor devie at a time, the user ativates the sensor motes. A sensor tries to assoiate with the BS, and notifies the user by a blinking LED that it is suessfully assoiated. The user an then plae the sensor in the viinity of the BS and go on with the other sensors until all are ready. 3) Before starting the key deployment, the user ensures that the number of sensors shown on the display of the BS mathes with the number the user wishes to assoiate. He then triggers the key generation phase with a button. 4) After approx. 20 30 seonds, the BS notifies the user that the key deployment has finished and asks him to hek that all sensors have their LEDs onstantly ON. 5) If all sensors indiate suessful ompletion, the user presses OK on the base station to finish the key deployment. Eah of the instrutions require the user to handle the hardware, hek for LEDs or information displayed on the base station; no keying material must be entered by the user manually. And by using the BS to guide him through the proess, many possible further error soures an be avoided. III. THE SUDOKU PROTOCOL This setion presents the key deployment protool in detail, disussing every step of the protool. To assist the reader, the notation used in the protool desription is summarized in Table I. A. Initial Setup Phase This initial phase is used to distribute parameters for the protool exeution. We require a deterministi medium aess sheme in SUDOKU. Any ontention-free MAC an be used; we implemented a simple TDMA-based MAC that divides the medium into 2 ms time slots allotted aording to the number of assoiated sensors. The BS starts sending out beaons periodially that mark the beginning of a new turn. New sensors ontend for the free time slot at the end of a turn, while assoiated sensors transmit in their respetive time slot to show presene to the base station and to laim the medium. This is the only period with ontention in the protool, i.e., the period where ollisions are possible without indiating an attak. User: Power on BS BS : slots, k, C,Pub DH for Si S: User: Turn on S i S i : Find a free time slot using slots S i BS: slots, k, C,Pub DH S i : Start BLINKING User: Put sensor S i near BS User: Confirm the number of sensors n on BS Initiate the key generation phase on BS Figure 2. Setup Phase. As shown in Fig. 2, the user turns on the base station first, whih starts to monitor the wireless hannel to protet against message injetion. Also, it starts sending out beaons with the protool parameters periodially; ontrol information for the key generation phase, i.e., the number of samples k to ollet on eah hannel and the set of hannels C to measure on, the number of urrently assoiated sensors in slots to help new sensor motes aligning into the TDMA sheme and to give them feedbak whether they are suessfully assoiated with the BS, and finally the publi protool parameters Pub DH, in the ase of Diffie-Hellman g and p, that are later used in the key deployment phase (Setion III-C). The user then proeeds to sequentially turn on the sensor motes that he wishes to seurely deploy keys to. A joining sensor starts sanning for beaon frames and assoiates with the BS by re-broadasting the reeived parameters to verify with the BS that no forged parameters were injeted. The BS an detet the presene of a joining sensor, and adjusts the number of assoiated sensors in slots to notify the sensor. In turn, the sensor informs the user that it is assoiated by BLINKING. This ensures the required devie identifiation. The user an then plae the sensor devie in the viinity of the BS and proeed with the next mote. The base station keeps trak of the number n of already deteted sensors and displays it to the user to ensure that no rogue sensors are present that want to enter the network. When everything is set up and ready, the user starts the key generation phase by pressing the respetive button on the base station. At this point, he onfirms that the number of devies talking to the BS mathes the number of sensors present to prevent the pairing of maliious sensors, and to enable the BS to detet the ompletion of the protool. B. Key Generation Phase The goal of this phase is to use the randomness of the wireless hannel to extrat an authentiated seret key without user interation. This is ahieved by the reation of a reeived 3

signal strength (RSS) map ontaining hannel measurements for every sensor in S and every wireless hannel in C. We denote this map RSSMAP Si, it belongs to S i and ontains the RSS means for the BS sensor pair, and RSSMAP Bi for the orresponding measurements by BS. Using this measurement data, an ephemeral pair-wise and symmetri seret key K i is generated, whih is used to authentiate the key deployment in the next phase of the protool. 1) Wireless Key Generation: The ephemeral key is generated using the protool desribed in [12]. Due to the reiproity of the wireless hannel, two devies are able to extrat shared seret information simply by exhanging probing messages over the wireless hannel. These measurements may not be equal as the reiproity is not perfet and measurement errors are introdued, so both devies must perform a seret reoniliation step to orret these deviations. In ontrast to related work that requires devie mobility, the use of multiple hannels in our protool enables the generation of seure keys even in stati senarios. Our previous work shows that wireless key generation an suessfully be applied in the ontext of resoure-onstrained devies in WSNs, enabling the generation of unpreditable keys and a high suess ratio, by experiments in real-world senarios. However, the previous protool is designed for a pair-wise key generation between two devies only; this paper proposes improvements to the basi protool that enable an elegant way to inrease the number of protool partiipants, thus dereasing the duration of the protool, as the hannel sampling is the major fator in the overall runtime. The key idea is that by using the broadast nature of the wireless medium, we are able to run several key generations simultaneously; eah devie broadasts its sampling messages to all other devies, who reord the reeived signal strength. This sheme works beause of the long oherene time of the wireless hannel due to the stati network infrastruture. In Setion IV, we show that this new approah is feasible, even using urrently available sensor mote hardware, to improve the overall performane of SUDOKU. 2) Exeution of the Capturing Phase: In this phase, all devies are still operating aording to the TDMA sheme. In eah time slot, the sensors and the base station broadast their probing message to all other devies. Due to the fixed hannel swithing pattern (the timing, sending pattern, and number of sensors is distributed by the BS), there is no ontention for the medium and the BS an make sure that it an monitor the orret hannel and that no sensor loses its synhronization, whih is ruial to protet the sensor motes from attaks. C, j 1..k S i S BS : S i BS: Figure 3. Ping,j to all sensors in S, update RSSMAP S i P ong i,j to BS, update RSSMAPB i Randomness Capturing Phase. AsshowninFig.3,theBS starts by broadasting Ping,j frames on the first hannel after the user has started the operation. For every reeived frame, eah sensor S i responds with a broadast frame Pong,j i in its time slot. After k rounds, all partiipants know from the deployed parameters the time for hannel swithing. The sampling is repeated until all m hannels have been sampled. The overall number of transmissions required for this phase is in the order of O(kmn). After all samples have been taken, the protool proeeds by orreting the measurements, generating and heking the ephemeral key K i as desribed in [12] with eah of the sensors in S. BS: Generate T i,p i, and alulate K i BS S i : T i,p i S i : Corret the RSSMAP S i and alulate K i S i BS: h(k i ) BS: Chek K i is equal on both sides Figure 4. Key Reoniliation Phase for Sensor S i. The base station hooses a vetor of tolerane values T i = (t 1,...,t m ) with one entry for eah hannel. These values desribe the amount of errors than an be present in the measurements until the protool results in different keys. However, this presents a tradeoff as larger tolerane values lower the unertainty for attakers and therefore the seurity of the generated key. There is a diret onnetion between the preision of the measurements, the number of hannels used for sampling and the length of the generated seret; all aspets influene the seurity of the protool. This interrelation has been quantified in our previous work, whih supports us here to hoose suitable protool parameters. The publi reoniliation string P i sent to S i helps sensor S i to repair its signal measurements. The values (T i,p i ) are generated and broadasted for eah of the sensors S i, whih an in turn orret their RSSMAP Si and generate K i. Then, the keys are heked for equality by exhanging the hash value of the seret. If K i does not math, it is possible to repeat the repair mehanism; this step is omitted in this paper for the sake of larity. After this phase, the base station has suessfully established ephemeral keys K i generated from the wireless hannel with all sensor motes S i, whih an then be used to authentiate key agreements on long-term serets. C. Key Deployment Phase The keys K i generated in the previous phase an diretly be used as authentiated shared serets. However, as urrent hardware platforms only support a small number of hannels and have limited measurement preision, the resulting serets urrently have approximately 20 30 bit of information entropy as experiments in [12] show, whih is omparable to passwordbased seurity, but not useful as long-term serets. Therefore, we ombine publi key ryptography for onfidentiality and the wireless key generation approah to enable an authentiated key exhange. The ommuniation is authentiated as only devies at the orret positions an know the seret generated by the wireless hannel. 4

1) Authentiated Key Exhange: There are several ways to establish stronger keys from low entropy shared serets. In the following, we provide a onrete example of how a seret generated from the wireless hannel an be utilized for an authentiated key exhange. The protool in its original form is known as Password-based Enrypted Key Exhange (EKE), whih is originally desribed in [1] and extended in [11]. The general idea is to use the short seret key to enrypt randomly hosen key material. This is an elegant way of avoiding off-line ditionary attaks on weak shared serets, sine an adversary annot guess the random values. We use a Diffie-Hellman approah for key agreement in SUDOKU. BS: BS S i : S i : S i BS: BS: a i = random(), None i = random() A i = g a i mod p Nonei,E Ki (A i ) b i = random() B i = g b i mod p K i = A b i i mod p EKi (None i ),E Ki (B i ) K i = B a i i mod p ( Chek None i = D Ki EKi (None i ) ) Count S i as suessful on math EKi (None i +1) BS S i : ( S i : Chek None i +1=D Ki EKi (None i +1) ) Turn LED ON if suessful Figure 5. Enrypted Key Exhange with sensor S i. Conretely, in this protool the ephemeral seret key K i, generated in the previous protool step, is used to mask the transmission of the ryptographi material A i and B i, whih are then used for the generation of the strong enryption key K i (in ase of Diffie-Hellman, this key an be derived as K i = g aibi mod p, where modulus p and base exponent g are the parameters Pub DH exhanged in the setup phase). The publi parameters A i and B i are exhanged as shown in Fig. 5. At the same time, the Diffie-Hellman key K i is verified for its freshness. The BS hooses None i randomly and sends it to S i, whih in turn shows that it is in possession of the generated ephemeral key K i by extrating the publi parameter B i and using it to ompute K i. The none is send bak by the sensor, enrypted with K i to verify that it has suessfully generated this key. Additionally, BS an now detet the suessful key deployment. BS sends None i +1 bak to S i to ahieve mutual authentiation, and the sensor an report this suess to the user by turning the LED ON. This phase is repeated for all sensors. D. Verifiation Phase The sensors turn their LEDs ON when a suessful key exhange is deteted, and in the last phase it is neessary to ensure that the keys were deployed to the orret devies. The number of LEDs in the state ON must math. BS: User: Chek if the number of suessful key agreements mathes Show SUCCESS on display Verify that all sensor motes in S have LEDs ON Press OK if the number of sensors mathes Figure 6. Verifiation Phase. This phase is a ountermeasure against rogue, missing and impersonated sensors. The base station an also notie if K i = K i or if K i = K i aused by problems in the key generation proess, enabling it to deide if previous phases must be repeated to reah agreement. If the numbers math, the user an be sure that the devies he expets share a seure key with the base station, and in ase of error the BS an identify the possible auses (attaks, strong deviations in the hannel measurements, usage errors), warn the user and suggest ountermeasures. IV. EXPERIMENTS This setion desribes experiments that fous on the feasibility of broadast key generation introdued in Setion III-B. This is an extension to our key generation protool analyzed in [12], the hardware setup for this work is the same, so our previous results for robustness and strength of keys between pairs of devies still apply in this work. A. Channel Reiproity with larger Time Gaps One important aspet of the SUDOKU protool is the feasibility to generate ephemeral serets from the wireless hannel using broadast messages. Our previous work shows that the sheme works for pair-wise senarios, but due to the larger time gaps between the transmission of sampling messages, the hannel reiproity may be diminished in the multi-node ase. This setion desribes the feasibility evaluation in a realisti senario for our proposed extensions. 1) Methodology: The experiment takes plae on a university floor, an indoor loation omparable to assisted-living appliation senarios. The role of BS is taken by a MICAz sensor mote on a programming board, so that the operation an diretly be ontrolled by a host omputer attahed via serial onnetion. The six sensors S i are MICAz sensor motes as well, but operate on battery power. These motes are plaed randomly in a distane of 1 2 meters away from the BS and that the devies are at least 16 m apart to ensure independent wireless hannels [5]. During the experiments, several fators aounted for short-term disturbanes to the hannel. The wireless medium is shared with several wireless aess points using the IEEE 802.11g standard, and an operator was near the sensor motes during the sampling phase influening the signal propagation properties, whih is realisti as the normal user will also remain lose during the protool s exeution, and wireless interferene is typial in suh appliations. The experiment was repeated 20 times, and in every experiments, k =32samples were exhanged on m =16IEEE 802.15.4 hannels to generate the RSS maps. The sensor motes S 1,...,S 6 are programmed to measure the signal strength and report bak these values to BS where the RSS of these 5

Channel deviations (db) -3-2 -1 0 1 2 3 on the protool desribed in [12]. In ontrast to previous work, the fous of this paper was to systematially analyze the appliability of this protool in a senario where nonexpert users need to distribute initial serets among wireless sensors in a seure and salable manner. For this reason, this paper presented a detailed analysis of the steps required for suh key deployments. The experiments show that the uniast key generation protool an be further optimized, reduing the message omplexity and runtime. As future work, we are working on a detailed seurity analysis and plan to ondut user studies to show the pratiability of SUDOKU. S 1 S 2 S 3 S 4 S 5 S 6 Figure 7. Deviations in the reiproity of the wireless hannel measurements for six sensors and a base station. The deviations are bounded and allow for a suessful key generation. reports ( are logged. At this point, ) BS has a pair of values RSSMAP Si,k,RSSMAPBi,k for both views of the wireless hannel state. In this experiment, we onsider the deviations between these two measurements. Smaller deviations enables a more robust generation of keys. 2) Robustness w.r.t. Number of Sensors: The result of this experiment is shown in Fig. 7. Eah staked histogram shows the distribution of deviations of the hannel measurements between BS and S i. Due to the timing sheme, the last sensor S 6 has the largest delay between the broadast of BS and the response. The experiments show that the wireless hannel is stable when the sensors stay in position, the deviations are bounded and omparable to the experimental results in [12], even for larger time lags in the hannel measurements. Thus, it is possible to apply the key generation protool with minor modifiations and generate keys with a suess probability of over 95%. However, the experiments also show that the protool is more suseptible to short-term deviations, suh that the number of exhanged samples should be inreased to ensure suessful key agreement. These short-term deviations are aused, e.g., by ollisions with WLAN transmissions that inreases the reeived signal strength, or hanging multipaths due to movement of the operator, leading to oasional large deviations. Additional measures must be taken to ensure suessful key generation, e.g., by filtering out samples that differ signifiantly from the sample mean. To summarize, we an onlude that the key generation phase works with multiple devies at one. As a pratial deployment guideline, a tolerane value of approximately t =2an be used that results in 20 30 seret bits, whih is enough for the authentiation in the key deployment phase, and ensures a high suess probability. V. CONCLUSION The goal of this paper was to understand how reently proposed key generation protools based on unpreditable signal propagation an be applied to the pratial problem of initial key distribution in WSNs. For this purpose, we designed SUDOKU, a seure and pratial key distribution sheme based REFERENCES [1] Steven M. Bellovin and Mihael Merritt. Enrypted key exhange: Password-based protools seure against ditionary attaks. In Proeedings of the 1992 IEEE Symposium on Seurity and Privay, pages 72 85, May 1992. [2] Mihael T. Goodrih, Mihael Sirivianos, John Solis, Gene Tsudik, and Ersin Uzun. Loud and lear: Human-verifiable authentiation based on audio. In ICDCS 06: Proeedings of the 26th IEEE International Conferene on Distributed Computing Systems, page 10, Washington, DC, USA, July 2006. IEEE Computer Soiety. [3] Suman Jana, Sriram Nandha Premnath, Mike Clark, Sneha K. Kasera, Neal Patwari, and Srikanth V. Krishnamurthy. On the effetiveness of seret key extration from wireless signal strength in real environments. In MobiCom 09: Proeedings of the 15th annual international onferene on Mobile omputing and networking, pages 321 332, New York, NY, USA, September 2009. ACM. [4] Cynthia Kuo, Mark Luk, Rohit Negi, and Adrian Perrig. Messagein-a-Bottle: user-friendly and seure key deployment for sensor nodes. In Proeedings of the 5th International Conferene on Embedded Networked Sensor Systems, pages 233 246, New York, NY, USA, November 2007. ACM. [5] Suhas Mathur, Wade Trappe, Narayan Mandayam, Chunxuan Ye, and Alex Reznik. Radio-telepathy: Extrating a Seret Key from an Unauthentiated Wireless Channel. In MobiCom 08: Proeedings of the 14th ACM International Conferene on Mobile Computing and Networking, pages 128 139, New York, NY, USA, September 2008. ACM. [6] Rene Mayrhofer and Hans Gellersen. Shake well before use: authentiation based on aelerometer data. In PERVASIVE 07: Proeedings of the 5th international onferene on Pervasive omputing, pages 144 161, Berlin, Heidelberg, May 2007. Springer-Verlag. [7] Jonathan M. MCune, Adrian Perrig, and Mihael K. Reiter. Seeingis-believing: using amera phones for human verifiable authentiation. International Journal of Seurity and Networks, 4(1/2):43 56, 2009. [8] Ramnath Prasad and Nitesh Saxena. Effiient devie pairing using "human-omparable" synhronized audiovisual patterns. In ACNS 08: Proeedings of the 6th international onferene on Applied ryptography and network seurity, pages 328 345, Berlin, Heidelberg, June 2008. Springer-Verlag. [9] Claudio Soriente, Gene Tsudik, and Ersin Uzun. BEDA: Button-enabled devie pairing. In International Workshop on Seurity for Spontaneous Interation, UbiComp 2007 Workshop Proeedings, Berlin, Heidelberg, September 2007. Springer-Verlag. [10] Claudio Soriente, Gene Tsudik, and Ersin Uzun. Hapadep: Humanassisted pure audio devie pairing. In ISC 08: Proeedings of the 11th international onferene on Information Seurity, pages 385 400, Berlin, Heidelberg, September 2008. Springer-Verlag. [11] Mihael Steiner, Gene Tsudik, and Mihael Waidner. Refinement and extension of enrypted key exhange. ACM SIGOPS Operating Systems Review, 29:22 30, July 1995. [12] Matthias Wilhelm, Ivan Martinovi, and Jens B. Shmitt. Seret Keys from Entangled Sensor Motes: Implementation and Analysis. In Proeedings of the ACM Conferene on Wireless Network Seurity (WiSe 2010), pages 139 144, Hoboken, NJ, USA, Marh 2010. ACM Press. 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information