
9/4/2008 Security and Privacy in Unattended Sensor Networks (or How to Cope with a Mobile Adversary) Gene Tsudik SCONCE Secure Computing and Networking Center UC Irvine http://sconce.ics.uci.edu Joint work with: Roberto Di Pietro



Security and Privacy in Unattended Sensor Networks (or How to Cope with a Mobile Adversary)

Gene Tsudik
SCONCE – Secure Computing and Networking Center, UC Irvine
http://sconce.ics.uci.edu

Joint work with:

  • Luigi Mancini, Università di Roma “La Sapienza”
  • Roberto Di Pietro, Università di Roma 3
  • Claudio Soriente, University of California, Irvine
  • Angelo Spognardi, Università di Roma “La Sapienza”
  • Di Ma, University of California, Irvine

SCONCE

1 sconce

Pronunciation: \ skän(t)s\
Function: noun
Etymology: Middle English, from Anglo-French sconce, *esconse screened candle or lantern, from escunser to hide, obscure, from Old French escons, past participle of escondre to hide, from Vulgar Latin *excondere
: a bracket candlestick or group of candlesticks; also : an electric light fixture patterned on a candle sconce

Why SCONCE?

  • Lights dark corridors / passages: provides security
  • Can be easily turned / blown off: provides privacy when needed

My Group’s Current Research Topics

  • Security in Unattended Sensor Networks
  • Forward-secure aggregate authentication
  • Coping with mobile adversary
  • Self-healing sensors
  • Usable Security
  • Pairing of Ubiquitous Devices (e.g., phones, PDAs): security + ease-of-use + low overhead
  • Security/Privacy for RFID tags
  • Group Key Management
  • How to share a secret key in a group (e.g., for conferences) in efficient and robust manner
  • Privacy-Preserving Services
  • Revocation-Checking with Privacy
  • Privacy-Enhanced Internet Name Lookup (hiding source and target of DNS query)

  • Authentication with Affiliation Hiding (Secret Handshakes): 2-party and multi-party
  • Policy-Based Privacy-Preserving Information Transfer
  • Privacy in WSN queries
  • Privacy in suspicious MANETs

DTN Security

For further information, have a look at: sprout.ics.uci.edu, sconce.ics.uci.edu

Roadmap

  • Brief Introduction to WSN-s

  • Introduction & Motivation
  • A different kind of WSN
  • New Mobile Adversary Model (with many “flavors”)
  • Sensor Network without networking?
  • UWSN: Naïve defense strategies
  • Cryptography to the rescue

  • Self-healing
  • Related Work
  • Conclusions + challenges

A “Typical” Wireless Sensor Network

Many real, alleged and imagined applications

Networking

  • Sensor-to-sink communication (opt. sink-to-sensors)

Collection method

  • Periodic collection, or
  • Event driven, or
  • Query based = on-demand

Online Sink

  • Real-time off-loading of data

Lots of Prior Work on Sensor Security

Sensor Security


That’s me

Recent WSN Security Topics

  • Key management
  • Secure routing
  • Secure broad-/multi-casting
  • Secure querying
  • Secure data aggregation / statistics
  • Efficient cryptographic primitives
  • Various attacks counter-measures, e.g. denial-of-message, cloning, sleep deprivation…

Prior Work

Almost all prior work (pre-2008) assumed that the WSN is supervised by a TTP/Collector/Sink/Base-Station/etc.

  • Is this always so?
  • What if there is no “N” in “WSN”?
  • What if WSN is unattended most of the time?

Forward-Secure Sequential Aggregate Authentication

Motivation

Unattended collection of sensors (figure labels: Sink, Collector, sensors):

  • Sensors do not network. Why not?
  • Sensors unable to communicate to sink at will (in real time)
  • Collect data and wait for collector
  • Collector not fully trusted
  • Off-line trusted sink

Goal: authenticate data accumulated during multiple intervals

Two Issues

  • Issue 1: Threat of Sensor Compromise

Sensor characteristics:

  • Low cost
  • No tamper-resistance
  • Very limited communication capabilities

Adversarial and unattended environment: compromise possible, need Forward Security:

  • Protect pre-compromise data
  • Periodic key evolution

  • Issue 2: Storage and Communication Overhead

Sensors have limited on-board storage. Forward-security requires one authentication tag per message.

Forward Security

  • Makes sense with symmetric encryption, MACs and public key signatures
  • Time divided into equal intervals
  • Key evolved – via OWF F() -- at the end of each interval

[Figure: TIME axis T0, T1, …, Ti, Ti+1, …, Tv-1, Tv with keys K0, K1, …, Ki, Ki+1, …, Kv. ADV breaks in and leaves: can compute all future keys, but cannot compute prior keys.]

Backward Security

[Figure: same TIME axis and keys, with a Sink or TTP. ADV breaks in and leaves: cannot compute any future keys!]

Key Insulation & Intrusion Resilience

  • Forward security: backward security?
  • Backward security: forward security?
  • Backward security + forward security = intrusion-resilience or key insulation
  • Suppose Adv knows: K0…Ki-1, Ki+1…Kv
  • It must be infeasible for Adv to compute Ki

Forward-Secure Sequential Aggregate (FssAgg) Authentication

  • Combine minimal storage with mitigating potential sensor (and its signing key) compromise
  • Allow signer to combine multiple authentication tags (generated in different time periods) into a single constant-size tag
  • Compromise of current key does not endanger authenticity of pre-compromise data
  • Verification of aggregate simultaneously verifies every component signature

FssAgg IS NOT THE SAME as Aggregated Signatures

Aggregated Signatures

  • More general construct
  • X signers produce Y (Y>X) signatures
  • Anyone can combine them into one aggregated signature
  • Aggregation can be done altogether or incrementally
  • Caveat: mapping between signers and messages is EXTRA

FssAgg

  • One signer
  • Key evolves each interval
  • One message signed per interval
  • Aggregation is incremental: one signature at a time is folded into the aggregate

Definition

Component algorithms:

  • 1. FssAgg.Kg: key generation, generate the initial signing key $K_0$ and the verification key VK
  • 2. FssAgg.Asig: aggregate sign, generate a FssAgg signature $\sigma_{1,i}$ on message $m_i$ and aggregate-so-far FssAgg signature $\sigma_{1,i-1}$ with $K_i$
  • 3. FssAgg.Upd: key update, generate $K_i$ from $K_{i-1}$, must be a one way function, and securely erase $K_{i-1}$
  • 4. FssAgg.Aver: aggregate verify, verify a FssAgg signature with the verification key VK, accept or reject

Properties

  • 1. Correctness: any FssAgg signature produced by Asig must be accepted by Aver.
  • 2. Unforgeability: without the knowledge of any signing keys, no adversary can compute an FssAgg signature
  • 3. Forward-security: No adversary who breaks in i-th time period can generate a valid signature containing a signed message for any period j<i

MAC-based Scheme

  • 1. FssAgg.Kg: any symmetric key generation algorithm to generate k-bit secret s and set $K_0 = VK = s$
  • 2. FssAgg.Asig: for new message $m_i$:
      a) $\sigma_i = MAC(K_i, m_i)$
      b) $\sigma_{1,i} = H(\sigma_{1,i-1} \,||\, \sigma_i)$
  • 3. FssAgg.Upd:
      a) $K_{i+1} = H(K_i)$
      b) Remove $K_i$, move to time i+1
  • 4. FssAgg.Aver: To verify $\sigma_{1,i}$:
      a) Re-compute (from VK): $K_1 \ldots K_i$
      b) Re-compute $\sigma^{c}_{1,i}$
      c) Compare $\sigma^{c}_{1,i} \stackrel{?}{=} \sigma_{1,i}$

MAC-based Scheme

Fast and space-efficient. But:

  • Either collector cannot authenticate tags (if doesn’t have s)
  • Or collector can cheat (if he has s)

Two MAC-based aggregates?

  • One for collector and one for sink

Or use signatures…
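The MAC-based scheme and its limits, as an added Python example (not code from the talk or the authors). Assumptions: SHA-256 serves as H, HMAC-SHA256 as the MAC, the starting aggregate $\sigma_{1,0}$ is the empty string, and the secret and sensor readings are constructed for the demo.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    """One-way function used for key update and for aggregation (SHA-256 here)."""
    return hashlib.sha256(data).digest()

def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

class Signer:
    """Sensor state: the current key K_i and one constant-size aggregate."""

    def __init__(self, s: bytes):
        self.key = H(s)   # K_1 = H(K_0); K_0 = VK = s stays with the verifier
        self.agg = b""    # sigma_{1,0}: empty starting aggregate (assumption)

    def asig(self, message: bytes) -> bytes:
        sigma_i = mac(self.key, message)    # a) sigma_i = MAC(K_i, m_i)
        self.agg = H(self.agg + sigma_i)    # b) sigma_{1,i} = H(sigma_{1,i-1} || sigma_i)
        return self.agg

    def upd(self) -> None:
        self.key = H(self.key)              # K_{i+1} = H(K_i); the old key is overwritten

def aver(vk: bytes, messages: list, aggregate: bytes) -> bool:
    """Recompute K_1..K_i from VK, rebuild the aggregate and compare."""
    key, agg = H(vk), b""
    for m in messages:
        agg = H(agg + mac(key, m))
        key = H(key)
    return hmac.compare_digest(agg, aggregate)

def run_demo() -> dict:
    s = bytes(range(32))                    # constructed secret, demo only
    readings = [b"t=1 temp=21.4", b"t=2 temp=21.6", b"t=3 temp=35.0"]  # constructed

    sensor = Signer(s)
    for m in readings:
        tag = sensor.asig(m)
        sensor.upd()

    # Sensor compromised now: the adversary reads K_4 and sigma_{1,3}, nothing older.
    stolen_key, stolen_agg = sensor.key, sensor.agg
    forged = b"t=4 temp=21.5"
    forged_tag = H(stolen_agg + mac(stolen_key, forged))

    # A collector that holds s can fabricate a whole history from scratch.
    fake_history = [b"t=1 temp=20.0", b"t=2 temp=20.0", b"t=3 temp=20.0"]
    cheat = Signer(s)
    for m in fake_history:
        cheat_tag = cheat.asig(m)
        cheat.upd()

    return {
        "honest": aver(s, readings, tag),
        "tag_bytes": len(tag),
        "past_modified": aver(s, readings[:2] + [b"t=3 temp=21.7"], tag),
        "past_dropped": aver(s, readings[:2], tag),
        "past_reordered": aver(s, [readings[1], readings[0], readings[2]], tag),
        "post_compromise_forgery": aver(s, readings + [forged], forged_tag),
        "collector_with_s_cheats": aver(s, fake_history, cheat_tag),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The three `past_*` checks fail verification because the stolen state contains neither earlier keys nor earlier aggregates, while data signed after the break-in and anything produced by a holder of s verifies normally.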

Signature-based Scheme

Based on BLS/BGLS signature scheme; works on groups with bilinear map $e: G_1 \times G_2 \rightarrow G_T$ where: 1) $G_1$ and $G_2$ groups of order p; 2) $|G_1| = |G_2| = |G_T|$; 3) $g_1, g_2$: generators of $G_1$, $G_2$

  • Boneh/Lynn/Shacham, Asiacrypt 2001
  • Boneh/Gentry/Lynn/Shacham, Eurocrypt 2003
  • 1. FssAgg.Kg: pick random $x_0$ from $Z_p$, compute pairs $(x_i, v_i)$ s.t. $x_i = H(x_{i-1})$ and $v_i = g_1^{x_i}$, set $K_0 = x_0$, $VK = \{v_i\}$
  • 2. FssAgg.Asig: given new message $m_i$, current key $K_i$, and aggregate-so-far $\sigma_{1,i-1}$:
      a) $\sigma_i = BLS.sign(k_i, h_i)$
      b) $\sigma_{1,i} = \sigma_{1,i-1} \cdot \sigma_i$
  • 3. FssAgg.Update: $K_{i+1} = H(K_i)$, remove $K_i$
  • 4. FssAgg.Aver: To verify $\sigma_{1,i}$: $e(\sigma_{1,i}, g_2) \stackrel{?}{=} \prod_{t=1}^{i} e(h_t, v_t)$

Performance Metrics

Signer efficiency (space and time):

  • Size of aggregate signature
  • Size of signing key
  • Complexity of key update
  • Complexity of aggregate signing

Verifier efficiency:

  • Size of verification key
  • Complexity of aggregate verification

Performance Evaluation

  • MAC scheme is near-optimal
  • Signature scheme is not

Signer-friendly

  • Constant private key and signature size
  • Efficient signing and key update

Not verifier-friendly

  • Public key size - O(t)
  • Costly pairing operations in verification

Summary

Forward-Secure Aggregate authentication

Two practical schemes:

  • MAC-based scheme near-optimal
  • Signature-based scheme not (yet) verifier-friendly

Current work: applications to secure logging

Future work: more efficient schemes

END PART 1

Unattended Wireless Sensor Network (UWSN)

  • Nodes operate in hostile environment
  • Initial deployment might be ad-hoc
  • No ever-present sink: itinerant, visits UWSN periodically
  • Periodic data sensing (on-demand – N/A, event-driven -- ?)
  • Nodes might retain data for a long time
  • Data might be valuable
  • Nodes are mostly left on their own
  • Adversary roams around with impunity
  • Adversary has lots of time

Challenge: Data Survival in UWSNs

Examples

  • WSN deployed in a recalcitrant country to monitor any potential nuclear activity
  • Underground WSN monitoring sound and vibration produced by troop movements or border crossings
  • Anti-poaching WSN in a national park tracking/recording firearm discharge locations

UWSN Mobile Adversary

Adv defined by: goal / operation / visibility

  • Goal: Search-and-erase, Search-and-replace, Curious, Polluter, Eraser
  • Operation: Reactive, Proactive
  • Visibility: Stealthy, Visible
  • Focus: General, Targeted

UWSN Mobile Adversary

[Table: Adv Goal (columns) against Visibility (rows); cell entries are operation modes]

  • Adv Goal columns: Search-and-erase, Search-and-replace, Curious, Polluter, Eraser
  • Stealthy row: Proactive Reactive Proactive Reactive Proactive N/A N/A
  • Visible row: Proactive Reactive N/A N/A Proactive Reactive Proactive Reactive

New kind of Adversary (Adv)

  • Well-informed: knows network topology and network defense strategy
  • Erratic (seemingly): unpredictable and possibly untraceable movements
  • Mobile: migrates between sets of nodes between sink visits
  • Data-centric: no interference with sensing or network operation
  • Powerful (but not omnipotent): compromises up to a certain # (k out of n) of nodes

New kind of Adversary (ADV)

  • Previously considered adversaries would corrupt a fixed number of nodes (k)
  • Solutions focused on detection
  • Once detected, on-line sink can mitigate the attack, e.g., exclude compromised nodes
  • Our adversary is MOBILE
  – Roams the network and compromises different sets of sensors
  • Given enough time, it can subvert the entire WSN
  – Sink is off-line: real-time detection does not help
  • Adv can reach its goal and leave with impunity (remain undetected)

NOTE: what happens if Eschenauer/Gligor WSN key management scheme is confronted with our mobile adversary?

Assumptions

  • Scheduled (per round) data sensing/collection
  • Max v rounds between sink visits
  • Assumption: Adv’s round = UWSN round
  • Adv compromises at most k (out of n) nodes per round
  • Compromised nodes not necessarily contiguous
  • Reads all storage
  • Listens to all incoming and outgoing communication
  • Adv knows which data to target and when it was sensed
  • Receives external signal at collection time
  • Target node identity + collection round
  • Possibly, also knows the target value
  • UWSN knows nothing… Equal protection for all data

Does this sound familiar (at least to crypto people)?

Cryptographic Mobile Adversary in Proactive Threshold Cryptography

  • Proactive Cryptography: Decryption and Signatures (e.g., RSA, DSA)
  • Adversary wants to learn some shared global secret
  • Corrupts at most k out of n nodes per round
  • Moves atomically at the end of each round
  • Our setting (and problem) is different
  • No global secret
  • Less resources (power, storage, …)
  • Brand new solutions required
  • Ostrovsky & Yung, How to Withstand Mobile Virus Attacks, PODC 1991
  • And much related literature since then…

END PART 2

Stealthy Search-and-Erase Adv

IEEE Percom’08

What if sensors have no crypto capability?

  • Cheap sensors: no crypto
  • Can only (attempt to) hide data location
  • Data Migration strategies: Do Nothing, Move Once, Keep Moving
  • Adv Goal: Search-and-erase
  • Looks for target data in compromised sensors
  • Adv strategy: Lazy, Frantic, Smart

Survival vs. Attack Strategies

[Table: Survival Strategy (rows) against Attack Strategy (columns: LAZY, FRANTIC, SMART)]

  • DO NOTHING: LAZY NO, FRANTIC YES, SMART NO
  • MOVE ONCE: LAZY NO, FRANTIC YES, SMART NO
  • KEEP MOVING: LAZY YES, FRANTIC YES, SMART YES

Do Nothing

  • Data kept at originating sensor
  • Trivial: Adversary wins in one round

Round 0

  • Learns ID of originating sensor

Round 1

  • Compromises it
  • Deletes target data

Move Once

  • Data off-loaded to a random recipient node
  • Kept there for all subsequent rounds (until sink visit)
  • Adversary wins in at most $\lceil n/k \rceil$ rounds

Round 0

  • Learns originating node (data is not there anymore)

Round i

  • Move to next set of previously uncompromised nodes

At most $\lceil n/k \rceil$ rounds to find and erase

Keep Moving

  • Adv learns target data at round 0
  • Adv looks for target data in the new set of compromised nodes
  • Nodes exchange messages
  • Adv looks for target data in the messages received by corrupted nodes
  • Adv has two chances per round
  • Before data exchange
  • After data exchange

Keep Moving – Lazy

  • Exploit the fact that data is constantly moving among sensors
  • Two chances at round 1; one chance each new round
  • Prob. data survives v rounds:

$$P_L(v) = P_1 \cdot P_2^{\,v-1}$$

$$P_1 = 1 - \left(\frac{k}{n} + \left(1 - \frac{k}{n}\right)\frac{k}{n}\right) = \left(1 - \frac{k}{n}\right)^2$$

$$P_2 = 1 - \frac{k}{n}$$

Keep Moving – Frantic

  • Select a new random k-set to compromise at each round
  • Two chances per round
  • Probability that data survives v rounds:

$$P_F(v) = P_1 \cdot P_2^{\,v-1} \cdot P_3^{\,v-1}$$

$$P_1 = 1 - \left(\frac{k}{n} + \left(1 - \frac{k}{n}\right)\frac{k}{n}\right) = \left(1 - \frac{k}{n}\right)^2$$

$$P_2 = 1 - \frac{k}{n}$$

$$P_3 = 1 - \frac{k}{n-k}$$

Keep Moving – Smart

  • Moves between two fixed (non-overlapping) sets of nodes
  • No matter what adversarial strategy, data recipient node is always chosen according to a uniform distribution
  • Same survival probability! (Frantic, Smart)
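A Monte Carlo check of the Keep Moving survival probabilities against the closed forms $P_L(v)$ and $P_F(v)$, as an added Python example (not from the talk or the paper). Assumptions: the data moves once per round to a recipient drawn uniformly from all n sensors, the Frantic adversary draws each new k-set from the sensors it does not currently hold (which is what $P_3 = 1 - k/(n-k)$ implies), and the parameters n, k, v are constructed.

```python
import random

def survival_lazy(n: int, k: int, v: int) -> float:
    """P_L(v) = P_1 * P_2^(v-1) with P_1 = (1 - k/n)^2 and P_2 = 1 - k/n."""
    return (1 - k / n) ** 2 * (1 - k / n) ** (v - 1)

def survival_frantic(n: int, k: int, v: int) -> float:
    """P_F(v) = P_1 * P_2^(v-1) * P_3^(v-1) with P_3 = 1 - k/(n-k)."""
    p2, p3 = 1 - k / n, 1 - k / (n - k)
    return (1 - k / n) ** 2 * p2 ** (v - 1) * p3 ** (v - 1)

def simulate(n, k, v, strategy, trials=20000, seed=1):
    """Estimate the probability that one target datum survives v rounds."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        set_a = set(rng.sample(range(n), k))
        rest = [x for x in range(n) if x not in set_a]
        set_b = set(rng.sample(rest, k))          # second fixed set, used by "smart"
        compromised = set_a
        holder = rng.randrange(n)                 # originating sensor, known at round 0
        alive = holder not in compromised         # round 1, chance before the exchange
        rnd = 1
        while alive and rnd <= v:
            if rnd > 1 and strategy != "lazy":
                if strategy == "frantic":         # fresh random k-set among other nodes
                    free = [x for x in range(n) if x not in compromised]
                    compromised = set(rng.sample(free, k))
                else:                             # "smart": alternate the two fixed sets
                    compromised = set_b if compromised is set_a else set_a
                alive = holder not in compromised     # chance before the exchange
            if alive:
                holder = rng.randrange(n)         # data moves to a uniform recipient
                alive = holder not in compromised     # chance after the exchange
            rnd += 1
        survived += alive
    return survived / trials

def compare(n=50, k=5, v=5) -> dict:
    """(simulated, closed-form) survival probability per adversary strategy."""
    return {
        "lazy": (simulate(n, k, v, "lazy"), survival_lazy(n, k, v)),
        "frantic": (simulate(n, k, v, "frantic"), survival_frantic(n, k, v)),
        "smart": (simulate(n, k, v, "smart"), survival_frantic(n, k, v)),
    }

if __name__ == "__main__":
    for name, (estimate, formula) in compare().items():
        print(f"{name:8s} simulated={estimate:.3f} closed-form={formula:.3f}")
```

With n=50, k=5, v=5 the closed forms give about 0.531 for Lazy and 0.332 for Frantic, and the Smart simulation lands on the Frantic value.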


Results

Keep Moving – Smart


Overhead 1

  • Prob. # stored messages do not exceed a given value
  • $L_i^r$ = # msg stored on $s_i$ at round r
  • From the method of bounded differences, given

Overhead 2

  • Prob. # stored messages do not exceed a given value
  • $L_i^r$ = # msg stored on $s_i$ at round r
  • From the method of bounded differences, given
  • Variables $L_i^r$ are independent: Chernoff bound
  • $M_i^r$ = # msg received by $s_i$ at round r

Replication

  • Each sensor produces R copies of its reading
  • Information survives as long as one copy survives
  • $X_{i,j}$ = 1 if replica i survives up to round j
  • Prob. that information survives:

Results

Replication of sensed data

  • Increases survival probability
  • Requires more storage and power
  • Given enough rounds, Adv always wins

Encryption

  • Goal: hide data contents and origin from the adversary
  • Adv can not decrypt
  • Adv can not identify data to erase
  • Public Key vs. Symmetric key
  • Randomized Encryption
  • Distinct random value involved in each encryption operation
  • Given two ciphertexts encrypted under the same key, it is infeasible to determine whether two corresponding plaintexts are the same

Public Key Encryption

  • Each node knows sink’s public key $PK_S$
  • $d_i^r$ -- data sensed by $s_i$ at round r stored as $E_i^r = E(PK_S, r, s_i, \text{etc.})$
  • Adv can only try brute-force guessing the plaintext
  • If random data involved in encryption, ciphertext guessing becomes infeasible (i.e., randomized encryption)

Symmetric Encryption

  • Each $s_i$ shares $k_i^0$ with the sink
  • $d_i^r$ -- data sensed by $s_i$ at round r stored as:
  • Forward security, per round key evolution: Adv cannot compute previous keys

“Crypto Decision Tree” (Percom’08)

[Figure: decision tree with YES/NO branches over Encryption Type, RNG type, Key Evolution, Re-Randomization and Super-Encryption; leaves are rated with stars for “Secure against Proactive Adversary”, one leaf reading “>* if r<(n/k), <* otherwise”.]

No hybrid encryption!

END PART 3

Question:

How to recover from compromise without PK (for sink) + TRNG (per sensor)

POSH: Proactive co-Operative Self-Healing in Unattended Wireless Sensor Networks

Motivation

  • Curious adversary wants to read/learn sensor-collected data
  • Encryption does not help
  • Symmetric keys are exposed with node compromise
  • With public key encryption, ADV can GUESS the plaintext
  • Randomized public key encryption helps but only with a TRNG
  • Not currently available (nor is it foreseeable)

Sensor data can be partitioned, based on time of compromise:

  • (1) Collected Before Compromise: Need Forward-Secure Encryption
  • (2) Collected During Compromise: Nothing helps…
  • (3) Collected After Compromise: Need Backward-Secure Encryption

Can we protect category (1) and (3) data?

Forward Secrecy

  • Even if ADV learns the current key, it cannot derive PREVIOUS round keys
  • Per-round key evolution
  • At the end of round r, the next round key is computed through a one-way function (and current key is securely erased)
  • Kr+1=H(Kr)
  • But after compromise, ADV can mimic key evolution process

[Figure: key sequence K1 K2 K3 K4 K5 K6 K7 …; sensor compromised at round 4 and then released; second row shows K4 K5 K6 K7 …]

Backward Secrecy

  • Even if ADV learns the current key, it cannot derive FUTURE round keys
  • Based on per-round key evolution
  • In the literature requires online TTP or secure hw per node (same as distributed TTP)
  • Not suitable for UWSNs
  • Our sink is offline
  • A single sensor cannot act as a TTP for peers since any sensor can be compromised at any time

[Figure: key sequence K1 K2 K3 K4 K5 K6 K7 …; sensor compromised at round 4 and then released; second row shows K4 K1 K2 K3]

POSH: Main Idea

  • Forward secrecy achieved through key evolution
  • Backward secrecy achieved through sensor cooperation
  – A sensor can securely generate a key unknown to ADV, if it obtains at least one contribution from a non-compromised peer sensor

Network Assumptions 1/2

Periodic data collection

  • Time divided in equal and fixed collection rounds
  • Each (of n) sensors collects a single data unit per round

Unattended Operation

  • Itinerant sink periodically visits to collect data.
  • v – maximum number of collection rounds between successive sink visits.

Communication

  • UWSN is always connected
  • Any two sensors can communicate either directly or through peers

Network Assumptions 2/2

Storage

  • Each sensor has enough storage for O(v) data

Cryptographic Capabilities

  • Cryptographic hashing, e.g., SHA-2
  • Symmetric key encryption
  • unique secret key shared with the sink
  • Pseudo-Random Number Generator (PRNG)
  • unique secret seed shared with the sink

Re-initialization

During each visit, sink re-initializes ALL sensors (ADV not present):

  • New secret key
  • New secret seed
  • Empty storage

Adversarial model 1/2

  • ADV Goal: learn as many secrets as possible (keys and/or other keying material).
  • ADV Compromise Power
  – Can compromise at most 0 < k < n/2 sensors at any round.
  – Reads all storage/memory and listens to all communication of a compromised sensor.
  • ADV Periodic Operation
  – At the end of each round, picks a subset of up to k
  – At the start of each round, atomically releases current sensors and compromises new subset

Adversarial model 2/2

Topology Knowledge

  • Knows the entire topology

Minimal Disruption

  • Does not interfere with sensor behavior
  • Perhaps, in order to remain undetected

Defense Awareness

  • Fully aware of any scheme or algorithm used by the UWSN

POSH Algorithm

[Figure: generic node protocol run (round i), with parts labelled Normal operation activities, Key refresh, Contributions, Nodes to contribute to]

Analysis (aka Sensor Coloring)

Starting from round 1, ADV compromises k sensors per round:

  • Red sensors (Rr): currently controlled by ADV
  • Yellow sensors (Yr): compromised in some previous round and their current keys are known to ADV
  • Green sensors (Gr): either never been compromised or recovered through POSH

Example

[Figure: sensors 1 to 7 over rounds r = 1, r = 2, r = 3]

Sensor 1:

  • K1
  • K2=H(K1 || c3 || c6)
  • K3=H(K2 || c2)
  • K4=H(K2 || c4 || c7 )

Sensor transition diagram

  • |R|=k
  • ADV’s goal is to maximize |Y|+|R|
  • Network goal: |G|=n-2k

Two kinds of ADV

  • INF-ADV is always aware of G
  – Unrealistic but very powerful
  – Used as benchmark
  • RR-ADV moves through set of nodes in a round-robin fashion
  – Time based heuristic…nodes that have been in Y for a long time could have since moved to G
  – Realistic but possibly weak
  • Might choose to compromise a yellow sensor
Results (|G| against INF-ADV)

  • p = ADV eavesdropping prob.
  • t = 6 results in each sensor receiving at least one green contribution, on average
  • Threshold phenomena:
  – e.g. for p=0.2, |G| remains stable for k/n < 80/400
  – That is 20% per round!!!

Effect of “t”

  • Increasing t when |G| ~ n-2k does not help
  – Also, messages are expensive!

INF-ADV vs RR-ADV

  • No difference if |G| is close to its optimal value

Dealing w/ real world

Message delivery failure

  • Sink synchronization
  • Sensor must store the ID of their contributors

Sensor failure

  • If storage becomes unavailable, sensor key history cannot be reconstructed
  • Other sensors might depend on the failed one

Public Key Crypto

  • Encrypt round key under the sink PK
  • Use round key for everything else

Example

[Figure: sensors 1 to 7; sensor 4 fails after round 3]

Sensor 1:

  • K1
  • K2=H(K1 || c3 || c6)
  • K3=H(K2 || c2)
  • K4=H(K2 || c4 || c7 )

Sink:

  • K1
  • K2=H(K1 || c3 || c6)
  • K3=H(K2 || c2)
  • K4=H(K2 || ? || c7 )

  • K1 is shared
  • K2 requires sensors 3 and 6
  • K3 requires sensor 2
  • K4 requires sensors 4 and 7
  • Sensor 1 will have contributed to other peers…
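The key-refresh example above as runnable code: which of sensor 1's keys the sink (after sensor 4's storage is lost) or an adversary (knowing only some round-1 keys) can still derive. This is an added Python sketch, not the POSH authors' algorithm. Assumptions: SHA-256 as H, each refresh chains from the previous round key, a contribution is an HMAC of the sender's current round key, contributions are not eavesdropped, and the 7-sensor contributor logs and keys are constructed, with only sensor 1's contributors taken from the slide.

```python
import hashlib
import hmac

def refresh(key: bytes, contributions: list) -> bytes:
    """Key refresh in the style of the example: K_{r+1} = H(K_r || c_a || c_b ...)."""
    return hashlib.sha256(key + b"".join(contributions)).digest()

def contribution(sender_key: bytes) -> bytes:
    """Assumed rule: a contribution is a PRF output of the sender's current key."""
    return hmac.new(sender_key, b"contribution", hashlib.sha256).digest()

def replay(known_k1: dict, logs: dict, rounds: int, lost=frozenset()) -> dict:
    """Key histories a party can rebuild; None marks a key it cannot derive.

    known_k1[i] is sensor i's round-1 key, or None if the party never had it.
    logs[i][r] lists the peers whose contributions sensor i used in round r+1.
    lost holds sensors whose storage (and contributor log) is unavailable.
    """
    keys = {i: [k] for i, k in known_k1.items()}
    for r in range(rounds):
        for i in known_k1:
            inputs = [keys[i][r]] + [keys[j][r] for j in logs[i][r]]
            if i in lost or None in inputs:
                keys[i].append(None)
            else:
                keys[i].append(refresh(inputs[0], [contribution(k) for k in inputs[1:]]))
    return keys

# Constructed contributor logs; sensor 1 follows the slide
# (round 1: sensors 3 and 6, round 2: sensor 2, round 3: sensors 4 and 7).
LOGS = {
    1: [[3, 6], [2], [4, 7]],
    2: [[5], [1], [6]],
    3: [[1], [7], [2]],
    4: [[2], [5], [1]],
    5: [[7], [3], [3]],
    6: [[4], [4], [5]],
    7: [[6], [6], [3]],
}
K1 = {i: hashlib.sha256(b"demo-key-%d" % i).digest() for i in LOGS}  # constructed keys

def run_demo() -> dict:
    truth = replay(K1, LOGS, 3)                      # what the sensors actually hold
    sink = replay(K1, LOGS, 3, lost={4})             # sensor 4's storage is gone
    adv_13 = replay({i: K1[i] if i in (1, 3) else None for i in LOGS}, LOGS, 3)
    adv_136 = replay({i: K1[i] if i in (1, 3, 6) else None for i in LOGS}, LOGS, 3)
    return {
        "sink_rebuilds_K2_K3": sink[1][1:3] == truth[1][1:3],
        "sink_rebuilds_K4": sink[1][3] is not None,
        "adv_knowing_1_3_tracks_K2": adv_13[1][1] is not None,
        "adv_knowing_1_3_6_tracks_K2": adv_136[1][1] == truth[1][1],
        "adv_knowing_1_3_6_tracks_K3": adv_136[1][2] is not None,
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

A single unknown contribution is enough to cut a party off from the chain: that is what heals sensor 1 against the adversary, and it is also why the sink loses K4 once sensor 4's history is unavailable.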

Conclusion

  • UWSN is a new, exciting field that calls for innovative security solutions
  • No crypto means no security
  • But…. Crypto helps!
  • Role of randomization in UWSN not completely characterized yet

References

  • D. Ma and G. Tsudik, Extended Abstract: Forward-Secure Sequential Aggregate Authentication, IEEE Symposium on Research in Security and Privacy (S&P'07), May 2007.
  • R. Di Pietro, L. Mancini, C. Soriente, A. Spognardi and G. Tsudik, Catch Me (If You Can): Data Survival in Unattended Sensor Networks, IEEE International Conference on Pervasive Computing and Communications (PERCOM'08), March 2008.
  • R. Di Pietro, L. Mancini, C. Soriente, A. Spognardi and G. Tsudik, Playing Hide-and-Seek with a Focused Mobile Adversary: Maximizing Data Survival in Unattended Sensor Networks, Cryptology ePrint Archive, Report 2008/293, June 2008.
  • D. Ma and G. Tsudik, DISH: Distributed Self-Healing (in Unattended Sensor Networks), 2008 International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS'08), October 2008.
  • R. Di Pietro, D. Ma, C. Soriente and G. Tsudik, POSH: Proactive co-Operative Self-Healing in Unattended Wireless Sensor Networks, 2008 IEEE Symposium on Reliable Distributed Systems (SRDS'08), October 2008.

Related Work

Mobile Ad Hoc Networks

  • Data availability in partitioned MANETs [Hara, et al. 2006, Giannuzzi, et al. 2005]
  • Multi-path routing to improve confidentiality and availability [Papadimitratos, et al. 2006, Berman, et al. 2005]

Sensor Networks

  • Data coding to increase data recovery in presence of disasters [Kamra, et al. 2006]

Conclusion + Future Directions

Contributions:

  • New kind of network - UWSN
  • New mobile UWSN adversary
  • Simple approaches for data survival simply don’t work!

Lots of interesting problems

Ongoing and Future work:

  • Explore the design space of cryptographic techniques
  • Encryption
  • Authentication
  • New adversarial models and flavors
  • What if Adv interferes with networking and/or sensing?

Finally… the end!

Questions? Comments? Complaints?