PAST : Probabilistic Authentication of Sensor Timestamps Ashish - - PowerPoint PPT Presentation



SLIDE 1

PAST : Probabilistic Authentication of Sensor Timestamps

Ashish Gehani, SRI

SLIDE 2

INTRODUCTION : What is a sensor?

  • Example sensor: MICA mote

Figure 1: Mote in a vineyard

SLIDE 3

INTRODUCTION : What is a sensor network?

  • Sensors measure the environment

[Figure: sensor network diagram; labels: Phenomenon, Target, Sensor, Base Station, Storage Server]

SLIDE 4

MOTIVATION : Are the keys safe?

  • Key compromise likely:
    – Sensors exposed since:
      ∗ Deployed in public, remote locations
      ∗ Physically reachable
    – Base station exposed since:
      ∗ Sensors use radio
      ∗ Power (range) is limited
  • Tamper-resilience is expensive:
    – Limited-protection smart card: $15
    – IBM 4758 Secure Co-processor: $2,000
    – Sensor: $1

SLIDE 5

MOTIVATION : What is the problem?

  • Spurious readings
    → Scientific / judicial / financial consequences
  • Adversary can:
    – Tamper with sensors
    – Tamper with base stations
  • Trusted timestamps distinguish tainted data

SLIDE 6

RELATED WORK :

  • 1999 : Bellare, Miner (UCSD)
    – Forward-secure authentication
    – Uses public key cryptography
    – Drains power rapidly, slow
  • 2004 : Przydatek, Song, Perrig (CMU)
    – Sensor network setting
    – O(n) verification of nth reading
  • 2005 : Ouyang, Le, Ford, Makedon (Dartmouth)
    – Initial key split among base stations

SLIDE 7

GOALS : Which threats to address?

  • Time of sensor compromise known
    → Distinguish tainted data
  • Base station compromised
    → Prevent forgery of sensor timestamps
  • Adversary generates wireless noise
    → Tolerate unpredictable delays
  • Multiple sensors collude
    → Prevent masquerading
  • Fraction of sensors / base stations compromised
    → False authentication still hard

SLIDE 8

CONSTRAINTS : How powerful is a node?

  • Base station:
    – Serves many sensors
    – Significant compute power, memory, bandwidth
    – CerfCube solar panels generate 60 − 120 Watts
  • MICA1 mote:
    – 8-bit microcontroller, 4 MHz, 4 KB RAM
    – Flash memory: 128 KB instructions, 512 KB data
    – 2 AA batteries, 2.5 Ah @ 3 V

SLIDE 9

CONSTRAINTS : How long does a mote last?

  • Sensing, computing
    → 75 hour life @ 0.1 W
  • Expected life is years
    → Sleep mode @ 30 µW
  • TinySec on 29 byte packet:
    – Symmetric encryption: 2 ms
    – MAC: 3 ms
  • Public key algorithms:
    → Orders of magnitude more expensive
    → Significant reduction in mote life

SLIDE 10

CONSTRAINTS : How fast is a mote?

  • RSA (512, 768, 1024 bits) : 3.8, 8.0, 14.5 sec
  • Reading: 16 bit timestamp, 16 bit data
    → 32 readings / 1024 bit RSA
    → 0.5 sec / reading
  • Signed hash
    → Transmit separate data, signature
    → @ 40 Kb/s : 25.6 sec
    → Amortize over many readings
    But . . . mote memory is small

SLIDE 11

PAST : Overview

[Figure: Phenomenon, Target, Sensor, Base Station]

  1. Reading generated at sensor
  2. All readings sent to closest base station
  3. Successive readings forwarded to different base stations
  4. Reading verified using other data from same sensor

SLIDE 12

PAST : Sensor block output

[Figure: sensor block layout; fields: Source (s), Destination (d), Index, Timestamp (t), Reading 1 (d1), Reading 2, Witness 1, Witness 2, Notary 1, Notary 2, Hash]

  • Block encrypted with key shared by sensor 'Source' and base station 'Destination'

SLIDE 13

PAST : Testimony verification

  • Notary (b_d) decrypts block
  • To validate the jth witness w_ij:
    b_d → b_i : {s, i, j, x}
    b_i → b_d : w′ = h(w′_ij ⊕ x)   (blinding)
    b_d : w′ =? h(w_ij ⊕ x)
    where b_i is the ith block's notary, s the source sensor address, i the block index, j the witness index, x a nonce
  • Probability of witness verification = probability notary is not subverted

SLIDE 14

PAST : FIFO

  • Witness generated by hash composition
    → Subverted nodes can't forge earlier witness

[Figure: FIFO of α elements, Head to Tail: r_{n−1}, h(r_{n−2}), h²(r_{n−3}), …, h^{α−1}(r_{n−α})]

SLIDE 15

PAST : Witness generation

  • Distinct forward-secure witness sets (w_ij = h^j(r_i))
    → Trust is distributed

[Figure: sensor reading blocks r_1 … r_n and their witness sets; the witness entries are hash chains h(r_i), h²(r_i), …, h^α(r_i) derived from earlier readings r_i, as in the FIFO of Slide 14]
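As an added example (not code from the talk), the witness composition of Slides 14–15 and the blinded testimony exchange of Slide 13 modelled in Python. Assumptions: SHA-256 as h, a constructed block layout in which block n carries h^j(r_{n−j}) for j = 1..α, and one notary per block; the sample readings are constructed.

```python
import hashlib
import os

def h(data: bytes) -> bytes:
    """One-way hash for witness composition (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()

def witness(r_i: bytes, j: int) -> bytes:
    """w_ij = h^j(r_i): reading r_i hashed j times."""
    for _ in range(j):
        r_i = h(r_i)
    return r_i

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def sensor_block(readings, n, alpha):
    """Block n: reading r_n plus the FIFO witness set, whose j-th entry is
    h^j(r_{n-j}) for j = 1..alpha (constructed model of the slide's FIFO)."""
    return {"reading": readings[n],
            "witnesses": {j: witness(readings[n - j], j)
                          for j in range(1, alpha + 1) if n - j >= 0}}

def notary_respond(store, s, i, j, x):
    """b_i answers b_d's query {s, i, j, x} with h(w'_ij XOR x), recomputing
    w'_ij from its own copy of block i; the nonce x blinds the reply."""
    blk = store.get((s, i))
    if blk is None:
        return None  # b_i never stored block i and cannot testify
    return h(xor(witness(blk["reading"], j), x))

def verify_witness(block, j, response, x):
    """b_d checks the blinded reply against h(w_ij XOR x) from its block."""
    return response is not None and response == h(xor(block["witnesses"][j], x))

def run_demo(n=4, alpha=2, s=b"\x00\x07"):
    """Constructed scenario: honest notaries confirm every witness of block n;
    a notary holding a tampered copy of block n-1 fails the check."""
    readings = [(t * 10).to_bytes(2, "big") + (100 + t).to_bytes(2, "big")
                for t in range(n + 1)]          # 16-bit timestamp || 16-bit data
    store = {(s, i): sensor_block(readings, i, alpha) for i in range(n + 1)}
    block_n = store[(s, n)]
    def check(notaries, j):
        x = os.urandom(32)                       # fresh nonce per query
        return verify_witness(block_n, j, notary_respond(notaries, s, n - j, j, x), x)
    honest = all(check(store, j) for j in block_n["witnesses"])
    tampered = dict(store)
    tampered[(s, n - 1)] = dict(store[(s, n - 1)], reading=b"\xff\xff\xff\xff")
    return honest, check(tampered, 1)
```

Each witness of block n is confirmed by a different notary, so a forged or altered earlier reading is caught unless that witness's own notary is the subverted one.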

SLIDE 16

CONCLUSION :

  • Forward-secure timestamp authentication
  • Tolerates compromised:
    – Sensors
    – Base stations
  • O(1) timestamp verification
  • High certainty with:
    – Low power consumption
    – Low storage overhead

SLIDE 17

More?

SLIDE 18

ANALYSIS : Variable threshold

  • Adversary can deny true witness
  • Adversary cannot provide false witness

SLIDE 19

ANALYSIS : Varied number of witnesses

SLIDE 20

ANALYSIS : Storage overhead

SLIDE 21

ANALYSIS : Sybil Attack

  • Defence : Trust distributed
    Counter-attack : Adversary masquerades
  • Sensor, notary share key
    → Sensor can't masquerade as other sensor
  • Block opaque to gateway
    → Gateway can't masquerade as sensor / notary
  • Different keys used for notaries
    → Notary can't masquerade as sensor