PIKE: Peer Intermediaries for Key Establishment in Sensor Networks
Total Page:16
File Type:pdf, Size:1020Kb
PIKE: Peer Intermediaries for Key Establishment in Sensor Networks Haowen Chan Adrian Perrig Carnegie Mellon University Carnegie Mellon University 5000 Forbes Avenue 5000 Forbes Avenue Pittsburgh, PA 15221, USA Pittsburgh, PA 15221, USA Email: [email protected] Email: [email protected] Abstract— The establishment of shared cryptographic keys where the communication load is focused around the base between communicating neighbor nodes in sensor networks is a station. As the nodes closest to the base station are obliged to challenging problem due to the unsuitability of asymmetric key forward most of the communications between the base station cryptography for these resource-constrained platforms. A range of symmetric-key distribution protocols exist, but these protocols and the rest of the sensor network, they expend battery energy do not scale effectively to large sensor networks. For a given level at a higher rate, thus often shortening the lifetime of the of security, each protocol incurs a linearly increasing overhead network. This focused communication load is proportional to in either communication cost per node or memory per node. We the total number of nodes in the network. Furthermore, the describe Peer Intermediaries for Key Establishment (PIKE), a base station can become a rich target for compromise, since it class of key-establishment protocols that involves using one or more sensor nodes as a trusted intermediary to facilitate key represents a single point of failure which can break the security establishment. We show that, unlike existing key-establishment of the entire network. The highly focused communication protocols, both the communication and memory overheads of pattern also allows an adversary to easily perform traffic PIKE protocols scale sub-linearly (O(pn)) with the number of analysis to locate the base station for compromise. nodes in the network yet achieving higher security against node compromise than other protocols. Several other schemes use large stores of cryptographic information to ensure that any two nodes can perform key I. INTRODUCTION agreement directly without using intermediaries or asymmetric Secret communication is an important requirement in many cryptography. The simplest such memory-intensive scheme is sensor network applications, so shared secret keys are used the full pairwise scheme [9], [11]. In this scheme, each node between communicating nodes to encrypt data. Since pre- in a network of n nodes shares a unique pairwise key with determining the potential location or connectivity of sensor every other node in the network. The memory overhead is nodes in a large deployment can be impractical, we cannot n 1 cryptographic keys for every sensor node. Blom [4], − simply preload each sensor node with the relevant shared Blundo et al. [5], and Leighton and Micali [18] propose other keys. Key establishment protocols are used to set up the schemes which likewise guarantee that any two nodes will be shared secrets, but the problem is complicated by the sensor able to perform key establishment, but each of these schemes nodes’ limited computational capabilities, battery energy, and also involves a Ω(n) high memory cost if we require that the available memory. Hence, asymmetric cryptography such as system is secure against an adversary capable of compromising RSA or Elliptic Curve cryptography (ECC) is unsuitable for a certain fraction of the total number of nodes in the network. most sensor architectures due to high energy consumption and Random key predistribution schemes (abbreviated as increased code storage requirements. random-key schemes) are another major class of key- Several alternative approaches have been developed to per- establishment protocols for sensor networks. Examples include form key management on resource-constrained sensor net- schemes proposed by Eschenauer and Gligor [11], Chan et works without involving the use of asymmetric cryptography. al. [9], Du et al. [10], and Liu and Ning [20]. These schemes KDC-based schemes rely on the presence of a resource-rich take advantage of the fact that a random graph is connected key distribution center (KDC) in the network to act as a trusted with high probability if the average degree of its nodes is arbiter for key establishment. above a threshold. Hence, key establishment only needs to Examples of such schemes include SPINS [23] and Ker- be performed probabilistically such that any two neighboring beros [27]. In this class of protocols, the memory resource nodes have some probability p of successfully completing load on the sensor nodes is low since each node only needs key establishment. The probability p is computed such that to secure its communications with the KDC. For example, the average number of secure links established by each node in SPINS, only a single symmetric key shared with the base is greater than the threshold number of secure links needed station (KDC) needs to be stored in each sensor node. How- to achieve a connected network with high probability. Once ever, the protocol is dependent on every pair of communicating the connected secure network is formed, path keys are then sensor nodes being able to communicate with the base station routed through the secure links to complete the process of key during the key establishment process. In a large multi-hop establishment between every neighbor. The main advantage of network, this creates a non-uniform communication pattern random key schemes is that communication costs per node are constant regardless of the total number of nodes in the the total number of nodes in the network and exposing the network. Random key schemes incur a high memory overhead secret information contained within them. We will model the which increases linearly with the number of nodes in the effects of two forms of node compromise. In passive node network if the level of security is kept constant [9], [10]. compromise we assume that after node compromise, attacker Furthermore, since random key distribution is probabilistic can only launch passive attacks such as eavesdropping. In in nature, it is only suitable for networks where the random active compromise we assume that the attacker is also able to graph model for connectivity holds. For example, in a network perform active attacks such as providing false routing metrics where nodes are not densely distributed, or in a network through the compromised node. where node density is non-uniform, performing probabilistic We assume that the sole goal of the adversary is the key establishment could result in a disconnected graph due to exposure of the keys established using the protocol. the fact that a few critical pairs of nodes could not successfully perform key establishment. Since sparse networks with few III. THE PIKE PROTOCOL redundant links tend to minimize sensor network hardware In this section, we describe the basic PIKE protocol. We also costs, they represent an important class of sensor network describe various extensions to the protocol. We analyze and deployments for which random key distribution is unsuitable. discuss their trade-offs. Throughout this paper, n represents Contributions. Let n represent the number of nodes in the the number of nodes in the network. network. A. Motivation We present Peer Intermediaries for Key Establishment • (PIKE), a key-distribution scheme based on using peer We wish to address the lack of scalability of cur- sensor nodes as trusted intermediaries. rent symmetric-key key distribution protocols. KDC-based PIKE is designed to address the lack of scalability of schemes incur Ω(n) focused communication load on the • existing symmetric-key key distribution schemes. All nodes nearest to the base station. Random Key predistribution existing schemes incur linearly increasing costs (Ω(n)) schemes [9], [10] and other schemes such as those due to in either communications per node or memory per node. Blom [4], Blundo et al. [5], and Leighton and Micali [18] PIKE achieves a trade-off by achieving O(pn) overheads all incur at least Ω(n) memory cost in terms of key storage in both communications per node and memory per node. space in order to maintain security if it is assumed that the This is a highly desirable point in the design space of adversary is capable of compromising a fixed fraction of the key-distribution protocols. total nodes. We wish to design a scheme that will incur PIKE establishes keys between any two nodes regardless sub-linear overheads in both focused communication load per • of network topology or node density. This makes it node and memory per node, while retaining the property of applicable to a wider range of deployment scenarios than resilience against the compromise of a fraction of the network. random key predistribution, which requires a network B. Basic PIKE Protocol deployment with high, uniform node density. Besides the KDC approaches that have a high commu- The basic idea in PIKE is to use sensor nodes as trusted • nication overhead, PIKE is more resilient than previous intermediaries to establish shared keys between nodes. Each approaches against sensor node compromise. node shares a different (unique) pairwise key with each of O(pn) other nodes in the network. The keys are deployed II. ASSUMPTIONS such that for any two nodes A and B, it is possible to find We assume that an initial insecure communication infras- some node C in the network that shares a unique pairwise tructure exists to perform key establishment. We assume nodes key with both A and B. A can then securely route the key are globally addressable in this infrastructure, that is, any establishment message through C to B. Since we only pre- node can send communications through the network to any distribute unique pairwise keys that are shared between exactly other node in the network. An example of such a globally two nodes, the established key is secure if C has not been addressable communications infrastructure is geographically compromised by the adversary.