SecureDAV: a secure data aggregation and verification ... - CiteSeerX

SecureDAV: A Secure Data Aggregation and Verification Protocol for Sensor Networks Ajay Mahimkar

Theodore S. Rappaport

Wireless Networking and Communications Group (WNCG) Wireless Networking and Communications Group (WNCG) Department of Electrical and Computer Engineering Department of Electrical and Computer Engineering University of Texas at Austin, TX 78712, USA University of Texas at Austin, TX 78712, USA Email : [email protected] Email: [email protected]

Abstract— Sensor networks include nodes with limited computation and communication capabilities. One of the basic functions of sensor networks is to sense and transmit data to the end users. The resource constraints and security issues pose a challenge to information aggregation in large sensor networks. Bootstrapping keys is another challenge because public key cryptosystems are unsuitable for use in resource-constrained sensor networks. In this paper, we propose a solution by dividing the problem in two domains. First, we present a protocol for establishing cluster keys in sensor networks using verifiable secret sharing. We chose elliptic curve cryptosystems for security because of their smaller key size, faster computations and reductions in processing power. Second, we develop a Secure Data Aggregation and Verification (SecureDAV) protocol that ensures that the base station never accepts faulty aggregate readings. Integrity check of the readings is done using Merkle Hash Trees avoiding over-reliance on the cluster-heads.

I. I NTRODUCTION A sensor network consists of a large number of low-power wireless sensors spread across a geographical area which can be used to monitor and control the physical environment from remote locations. Potential applications of sensor networks include real-time traffic monitoring, battlefield surveillance, nuclear attack detection, wireless meter reading services, etc. The sensors have the capability to sense particular attributes and send the readings to the base station and end users. Since the sensor nodes are energy-constrained, communication between the base station and sensors must be energy-efficient. One approach to sensor networks allows each of the nodes to organize themselves into clusters once deployed. Instead of each sensor sending its readings to the base station, the readings are aggregated in the network and then unicast to the base station. In this way, the sensors conserve energy by transmitting their readings to a special node, called the clusterhead. The cluster-head is responsible for aggregating and then forwarding the readings from its cluster to the base station. For example, in a reconnaissance-oriented sensor network, sensor readings indicate detection of a target, while the aggregation at the cluster-head can be used for tracking and identifying the detected target. Data aggregation in sensor networks is made challenging by the fact that the sensor nodes deployed in hostile environments may be compromised due to physical tampering. Previous work in data aggregation assumes that every node is honest IEEE Communications Society Globecom 2004

[9], [10]. However, we do not make such assumption. In this paper, we address the problem of how to enable secure data aggregation and verification. We assume that within a cluster, upto t nodes could be compromised. We first set up the security infrastructure using elliptic curve cryptography and then ensure that the base station accepts the aggregate readings with high reliability, inspite of faulty cluster-heads. We use elliptic curve cryptosystems (ECC) for key management because of its smaller key size, faster computations and reductions in processing power, storage space, and bandwidth. Unlike the ordinary discrete logarithm problem and the integer factorization problem, no sub-exponential algorithm is known to solve the elliptic curve discrete logarithm problem (ECDLP). This means that significantly smaller parameters can be used in ECC than in other systems like RSA and DSA, but with equivalent levels of security. This makes ECC ideal for constrained environments such as wireless sensor networks. A. Related Work Hu et al. [2] have studied the problem of data aggregation if one node is compromised, but their protocol may be vulnerable if a parent and a child node in their hierarchy are compromised. B. Pryzdatek et al. proposed a novel framework for secure information aggregation in sensor networks [1]. They used efficient random sampling mechanisms and interactive proofs to verify that the answer given by the aggregator (or cluster-head) is a good approximation of the true value. There are several algorithms in literature that discuss key predistribution [4], [5], [6], [7] and management [12], [13], [3]. Security issues in mobile ad hoc networks are similar to those in sensor networks, but the defense mechanisms developed for ad hoc networks are not directly applicable to sensor networks [8]. Ad hoc network security mechanisms are based on public key cryptography [12], [13]. Public Key cryptography is too expensive for sensor nodes because they are extremely resource constrained. B. Main Contributions of the paper The main goal of the paper is to design a protocol that results in secure and reliable communication in a sensor network.

2175

0-7803-8794-5/04/$20.00 © 2004 IEEE

1) We develop a key establishment protocol (Section III) that generates a secret cluster key for each cluster. Each sensor only has a share of the secret cluster key. The share will be used to generate partial signatures on the readings. This ensures node authentication. 2) We propose a Secure Data Aggregation and Verification (SecureDAV) Protocol (Section IV) that ensures that the base station does not accept faulty readings for a upper bound of t compromised sensors within a cluster. The verification is done using threshold signatures. Since we employ elliptic cryptosystems, signature generation, which is less-time expensive, can be done at the sensor, whereas the more-time expensive signature verification is done at the base station. Before describing the protocols, we give the problem definition in Section II. II. P ROBLEM D EFINITION Sensor routing protocols are quite simple and assume the cooperative and reliable behavior of sensor nodes. An attacker can perform a wide variety of attacks. For example, a compromised cluster head could report some significantly biased or fictive readings, instead of the real aggregates and so provide the base station with false information. This may have catastrophic implications depending upon the application. This attack is known as stealthy attack. The attacker’s goal is to make the base station accept false aggregate readings. Key deployment and management is a major challenge to secure communication in sensor networks. Conventional public-key algorithms can help set up and manage keys in a network, but these algorithms are not feasible in a sensor network because of their communication and computation complexity. Also, bootstrapping pair-wise secret keys prior to deployment is not possible because of the unpredictability of sensor deployment. III. C LUSTER K EY E STABLISHMENT (CKE) P ROTOCOL In this section, we develop a Cluster Key Establishment Protocol that generates a secret cluster key for each cluster. Each sensor node only has a share of the secret cluster key and the cluster key is hidden from each node. The public key for the secret cluster key is known to all nodes within the cluster as well as the base station. Since the secret cluster key is hidden from all nodes, attacks on the cluster key are not possible. A. Assumptions During the bootstrapping phase, we assume that the memory of each sensor node is pre-loaded with the ECC domain parameters and the EC-public key of the base station. Once deployed, each sensor will compute its EC-public/private key pair and broadcast its public key to all nodes within the cluster. This key pair is different from the share of the cluster key and is used for secure communication (shared secret generated using Diffie-Hellman) with any other node. Once the CKE protocol is executed for each cluster, each sensor will have a share of the secret cluster key. The share of IEEE Communications Society Globecom 2004

TABLE I ECC, DSA AND RSA KEY LENGTH COMPARISON Symmetric cipher key length 80 112 128 192

ECC key length for equivalent security

DSA/RSA key length for equivalent security

160 224 256 384

1024 2048 3072 7680

the secret key is used to generate partial signatures (using ECDSA [15]). The cluster-head accumulates all partial signatures from the cluster members, combines them to form a full signature and sends the full signature along with the aggregate reading to the base station. The base station who has the public key, can then verify the signature. Before describing our cluster key establishment protocol, we give a brief overview on elliptic curve cryptography in the next subsection. B. Overview of Elliptic Curve Cryptography The operation of elliptic curve cryptographic schemes involves arithmetic operations on an elliptic curve over a finite field GF (q) determined by some elliptic curve domain parameters D. ECC domain parameters over GF (q) are a septuple D = (q, F R, a, b, T, p, h) consisting of a number q specifying a prime power, field representation F R, two field elements a, b ∈ GF (q) that specify the equation of the elliptic curve E over GF (q), a base point T = (xT , yT ), a prime p which is the order of T , and an integer h = #E()/p. Since the primary security parameter is p, the ECC key length is thus defined to be the bit-length of p. In Table I, we compare key sizes of different cryptosystems with a comparable level of security. For a detailed description of elliptic curve cryptosystems, refer to [18]. The strength of ECC relies on the hardness of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP), which states that given T and Q = dT , it is computationally hard to find d. C. Formal Description of the Protocol Our protocol for cluster key establishment is based on Pedersen’s VSS [16], [17]. In [14], R. Gennaro et al. develop a secure distributed key generation protocol based on discretelogarithm systems. We extend their protocol by employing elliptic curve principles. The protocol description is given in Protocol 1. Notations we use are discussed below. 1) Notations: We denote n as number of sensor nodes (players) within a cluster identified by (P1 , P2 , ..., Pn ), where Pi ∈ GF (q) and all Pi
s are distinct. n is a random variable and could be different for different cluster. t is the adversarial threshold, indicating that less than t players cannot decrypt an encrypted message. D. Protocol Properties The security properties of the CKE protocol are stated below:

2176

0-7803-8794-5/04/$20.00 © 2004 IEEE

Protocol 1 : Cluster Key Establishment (CKE) Generating Secret Shares within a cluster : 1) Each player Pi performs a Pedersen-VSS of a random value zi as a dealer :
a) Pi chooses two random polynomials fi (z), fi (z) over GF (q) of degree t:




fi (z) = aio + ai1 z + ai2 z 2 + ... + ait z t Let zi = ai0 = fi (0). Pi computes • Cik = (aik + bik )T for k = 0, 1, ..., t.

• Shares sij = fi (j) mod p, sij = fi (j) mod p for j = 1, 2, ..., n

fi (z) = bio + bi1 z + bi2 z 2 + ... + bit z t




b) Pi broadcasts Cik to all members in the cluster. It also sends sij , sij secretly to Pj , j = 1, 2, ..., n. c) Verification of the shares received from other players by player Pj : For each i = 1, 2, ..., n, Pj checks if


(sij + sij )T =

t


j k Cik mod p

(1)

k=0

If the check fails for Pi , Pj broadcasts a complaint against Pi .
d) Each player Pi who received a complaint from Pj broadcasts the values sij , sij that satisfy Eq. 1. e) Each player marks a player as disqualified if either • It received more than t complaints in Step 1c, or • answered to a complaint in Step 1d. If more than t players complain against a player Pi , then it is faulty and hence is disqualified. Otherwise Pi reveals the shares sij matching equation (1) for each complaining player Pj . If any of the revealed shares fails this equation, Pi is disqualified. 2) Each player Pi builds the set of non-disqualified players, QU AL. 3) Each player Pi sets his share of the cluster secret as xi = s mod p. The distributed secret value x is not explicitly computed by j∈QU AL ji  any player, but it equals x = z mod p. i i∈QU AL Extracting the public key for the distributed cluster secret : 1) Each player Pi ∈ QU AL exposes yi = zi T : a) Pi broadcasts Aik = aik T for k = 0, 1, ..., t. b) Each player Pj verifies the values broadcast by other players in QU AL. Pj checks if sij T =

t


j k Aik mod p

(2)

k=0


If the check fails for any player Pi , Pj complains against Pi by broadcasting the values sij , sij that satisfy Eq. 1, but do not satisfy Eq. 2. 2) For players Pi who receive at least one valid complaint, the other players run the generation phase of Pedersen-VSS again to compute zi , fi (z), Aik for k = 0, 1, ..., t. 3) Computation of the public key y :  For all players in QU AL, set yi = Ai0 = zi T . Compute y = y mod p i∈QU AL i

Secrecy: No information on the secret cluster key x can be learned by the adversary, who can compromise upto t sensor nodes out of n nodes where t < n/2. Correctness: (C1) All subsets of t + 1 shares provided by honest players define the same unique secret key x. (C2) All honest parties (nodes within cluster and the base station) have the same value of the public key y. Uniqueness of QU AL: When CKE terminates, all honest players hold the same set QU AL. Lemma 3.1: If the dealer is not disqualified during the protocol, then all honest players hold shares that interpolate to a unique polynomial of degree t. For proof, refer [17] Theorem 3.2: The CKE Protocol satisfies the secrecy, correctness and uniqueness requirement with threshold t, for any t < n/2. Proof of Correctness: We first note that the set QU AL is unique across all honest players since the determination IEEE Communications Society Globecom 2004

of which players are to be disqualified depends on public broadcast information. (C1) From Lemma III.1, we know that all honest players hold shares (sij ) which interpolate to a unique polynomial with constant coefficient equal  to zi . Thus, for any set Z of t + 1 correct shares, zi = j∈Z lPj (0) · sij mod p, where lj are appropriate Lagrange interpolation coefficients 1 for the set Z. Sinceeach honest player Pj computes its share xj of x as xj = i∈QU AL sij mod p, then we have that for the set of shares Z:    x = i∈QU AL zi = i∈QU AL ( j∈Z lPj (0) · sij )    = j∈Z lPj (0) · ( i∈QU AL sij ) = j∈Z lPj (0)xj Since this holds for any set of t + 1 correct shares, then x is uniquely defined. (C2) The public key y is computed by honest players 1 Lagrange

coefficient in the cluster is defined as lPj (x)

(x−P1 )....(x−Pj−1 )(x−Pj+1 )....(x−Pt ) . (Pj −P1 )....(Pj −Pj−1 )(Pj −Pj+1 )....(Pj −Pt )

2177

=

0-7803-8794-5/04/$20.00 © 2004 IEEE

 y = i∈QU AL yi mod p, where the values yi are derived from information broadcast in the protocol and thus known to allthe honest players. We need to show y = x T where x = i∈QU AL zi . For Pi , i ∈ QU AL, against whom a valid complaint has not been issued, the value yi set to Ai0 = zi T . Now,   y = i∈QU AL yi = i∈QU AL zi T  = ( i∈QU AL zi )T = x T

Protocol 2 : Secure Data Aggregation and Verification 1: begin 2: /* Sensors transmit the encrypted and hash value 3. of their readings to the cluster head */ 4: for j = 1 to |CHi | do 5: begin CH 6: encrypted := EN C(χj i , Rj ); 7. /* message integrity */ 8: send(j, CHi , encrypted||h(Rj )); 9: /* || : concatenation operation */ 10: end 11: 12: /* Cluster-Head aggregates readings */ 12: avgi := 0; 11: for each sensor j in cluster i do 12: avgi := avgi + (Rj /|CHi |); 13: 14: /* Cluster-Head broadcasts average reading 15: to cluster members */ 15: bcast(CHi , avgi ); 16: 17: /* Generate partial signatures and 18: combine into a full signature */ 18: for j = 1 to |CHi | do 20: begin 21: partialsignaturej := sign(κij , h(avgi )); 22: send(j, CHi , partialsignaturej ); 23: end 24: CHi combines partial signatures into combinei ; 25: 26: /* Transmit the aggregate reading along with the 27: signature to the base station */ 28: send(CHi , BS, EN C(χBS CHi , avgi )||combinei ); 25: 29: BS verifies combinei using the public key. 30: /* ensures authentication and integrity */ 31: end

IV. S ECURE DATA AGGREGATION AND V ERIFICATION P ROTOCOL Once the CKE protocol is executed, each sensor within a cluster will have its share of the secret. This share is used to generate partial signatures on the aggregate readings. We describe our Secure Data Aggregation and Verification (SecureDAV) Protocol that ensures that the base station never accepts faulty readings. A. Intuition For each cluster, the cluster-head aggregates the sensor readings and computes its average. It then broadcasts the average to all the members within the cluster. The sensor node compares its reading with that of the average and if the difference is less than a threshold, the node creates a partial signature on the average using the shared secret and sends it to the cluster-head. The cluster-head combines them into a full signature and sends this full signature along with the average reading to the base station. A signature resulting from a threshold signature scheme is the same as if it was produced by a single signer possessing the full secret signature key. The validity of this signature is verified at the base station who has the corresponding public key. Since the attacker does not know the cluster key, it cannot generate the full signature. Also, within a cluster, a collusion of less than t compromised sensor nodes cannot make the base station accept faulty readings. The protocol description (considering cluster i) is given in Protocol 2. B. Notations CHi is cluster-head for a cluster i. |CHi | is the number of sensors in cluster i. κij is secret share of sensor j in a cluster i. χjm is the secret key shared between sensor m and any node j, j could be a sensor, cluster-head or the base station. Rm is the reading from sensor node m and avgi is the average reading transmitted from cluster i to the base station. We denote h(·) as a one-way strongly collision-free hash function. We use the following primitives: a) EN C(χ, M ) : symmetric encryption of message M using shared secret key χ, b) sign(κ, M ) : partial signature generated on a message M , c) send(src, dest, M ) : a communication primitive to send a message M from source src to destination dest and d) bcast(src, M ) : a communication primitive to broadcast a message M from a source node src. IEEE Communications Society Globecom 2004

C. Integrity of Readings Threshold signature scheme ensures the authenticity of message. The integrity of readings is ensured with the help of a Merkle Hash Tree [19]. The sensors transmit the encrypted value of their readings along with its hash to the cluster-head. The cluster-head builds a Merkle Hash Tree based on the hash values of the readings. When the base station receives the encrypted value of the average reading along with the signature, it verifies the signature using the public key. To verify integrity, the base station can query repetitively to the cluster-head on the individual readings. Illustration is given in Fig. 1. V. P ERFORMANCE A NALYSIS The SecureDAV Protocol uses threshold signatures with elliptic curve systems to ensure the authenticity of the aggregate reading at the base station. Since an attacker can compromise at most t out of n nodes within the cluster (t < n/2), it cannot generate the full signature. Even if the cluster-head is compromised, the aggregate reading integrity is ensured using Merkle Hash Trees. EccM 1.0 [20] provides an implementation of ECC on MICA2 in the form of a TinyOS module. Using the modules

2178

0-7803-8794-5/04/$20.00 © 2004 IEEE

M

1−6

TABLE II A NALYSIS DURING ONE EXECUTION OF ELLIPTIC CURVE ALGORITHMS ON MICA2

Hash Commitment

M1234

h

3

h

r2

h

r3

h

r4

6

M = h(r ) i

h

r5

i

h

r6

Encrypted Sensor Readings

Fig. 1. Merkle Hash Tree used to commit to a set of values: The cluster-head constructs the hash tree over the encrypted sensor measurements r1 , r2 , ..., r6 . ri = EN C(χBS i , Ri ). The Merkle Hash Tree is a commitment to all the leaf nodes. The root of the tree is a hash commitment. For example, to authenticate measurement R3 , the cluster head sends R3 along with M4 , M12 , M56 , M1−6 to the base station. The base station computes r3 using χBS i . It authenticates R3 using M1−6 (sent by the cluster-head) and the computed value h(h(h(r3 ||M4 )||M12 )||M56 )

for elliptic-curve public-key computation, we found that 33bit keys required a running time of just 1.776 seconds, while requiring only 1.7 KB of SRAM. One optimization using EccM 2.0 [20] makes 160-bit keys feasible requiring only 820 Bytes of RAM. Generation of the node’s private key only requires 5.7 mJ, while computation of the public key requires approximately 12.6J. In order to save power, the public key generation could be moved to the more powerful base station. For our protocol, during bootstrapping, we assume that EC public/private key for each node along with EC public key of base station is embedded into sensor’s memory. During the execution of the CKE protocol, the sensor nodes establish the shares of the cluster key and the heavy-weight computation of the cluster public key is done at the base station. This is achieved by the secure transmission of the share of the secret key by the sensors to the base station. The initial results we obtained using EccM, as shown in Table II indicate that elliptic curve implementations are feasible on tiny sensor nodes. Future work would involve implementing CKE and SecureDAV on Mica motes. VI. C ONCLUSION In this paper, we developed a protocol and hierarchical network structure for establishing cluster key in sensor networks using elliptic curve cryptosystems. The cluster key is secret from all the sensor nodes, thereby eliminating eavesdropping on the cluster key. Since each sensor has a share of the secret cluster key, it can generate partial signatures which is then combined at the cluster-head and given to the base station for authentication. The SecureDAV protocol presented here ensures that the base station accepts the aggregate readings with high reliability, even if the cluster-head is compromised or there is a collusion of less than t compromised nodes within a cluster. Integrity check of the readings is done using Merkle Hash Trees avoiding over-reliance on the cluster-head. IEEE Communications Society Globecom 2004

Public-Key Generation 8.5 mA 3.65 x 109 cycles 12.6 J

M

M5

M4

M

2

1

r1

34

M

M

Average Current Total CPU Utilization Total Energy

M56

M

M12

Secret-key Generation 8.8 mA 1.59 x 106 cycles 5.7 mJ

R EFERENCES [1] B. Przydatek, D. Song and A. Perrig, “SIA: Secure Information Aggregation in Sensor Networks”, Proc. 1st ACM Int. Conf. Embedded Networked Sensor Systems (ACM SenSys 2003), 2003, pp. 255-265. [2] L. Hu and D. Evans, “Secure aggregation for wireless networks”, Workshop on Security and Assurance in Ad Hoc Networks, January 2003. [3] A. Perrig, R. Szewczyk, V. Wen, D. Culler and J. D. Tygar, “SPINS: Security protocols for sensor networks”, Proc. 7th Annual ACM Int. Conf. Mobile Computing and Networks (MobiCom 2001), July 2001, pp. 189199. [4] L. Eschenauer and V. D. Gligor, “A Key-Management Scheme for Distributed Sensor Networks”, Proc. 9th ACM Conf. Computer and Communications Security (CCS 2002), November 2002. [5] H. Chan, A. Perrig and D. Song, “Random Key Predistribution Schemes for Sensor Networks”, IEEE Symposium Security and Privacy, May 2003, pp. 197-213. [6] D. Liu and P. Ning, “Establishing pairwise keys in distributed sensor networks”, Proc. 10th ACM Conf. Computer and Communications Security (CCS 2003), October 2003, pp. 52 - 61. [7] S. Zhu, S. Setia and S. Jajodia, “LEAP: efficient security mechanisms for large-scale distributed sensor networks”, Proc. 10th ACM Conf. Computer and Communications Security (CCS 2003), October 2003, pp. 62 - 72. [8] C. Karlof and D. Wagner, “Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures”, Proc. 1st IEEE Workshop Sensor Network Protocols and Applications, May 2003. [9] S. Lindsey, C. Raghavendra, K. M. Sivalingam, “Data Gathering Algorithms in Sensor Networks using Energy Metrics”, IEEE Trans. Parallel and Distributed Systems, vol. 13, no. 9, pp. 924-935, Sept. 2002. [10] K. Dasgupta, K. Kalpakis and P. Namjoshi, “An Efficient Clusteringbased Heuristic for Data Gathering and Aggregation in Sensor Networks”, Proc. IEEE Conf. Wireless Communications and Networking (WCNC 2003), vol. 3, pp. 1948-1953, March 2003. [11] Y.-C. Hu, A. Perrig and D. B. Johnson, “Ariadne: A secure on-demand routing protocol for ad hoc networks”, 8th Annual ACM Int. Conf. on Mobile Computing and Networks (MobiCom 2002). [12] L. Zhou and Z. Haas, “Securing ad hoc networks”, IEEE Network Magazine, vol. 13, no. 6, December 1999. [13] J. Kong, P. Zerfos, H. Luo, S. Lu and L. Zhang, “Providing robust and ubiquitous security support for mobile ad-hoc networks”, ICNP, 2001, pp. 251-260. [14] R. Gennaro, S. Jarecki, H. Krawczyk and T. Rabin, “Secure Distributed Key Generation for Discrete-Log Based Cryptosystems”, Eurocrypt’99. [15] D. Johnson, A. Menezes and S. Vanstone, “The Elliptic Curve Digital Signature Algorithm (ECDSA)”, Springer-Verlag, 2001. [16] T. Pedersen, “A threshold cryptosystem without a trusted party”, Advances in Cryptology - Eurocrypt’91, pp. 522-526, LNCS No. 547. [17] T. Pedersen, “Non-interactive and information-theoretic secure verifiable secret sharing”, Advances in Cryptology - Crypt0’91, pp. 129-140, LNCS No. 576. [18] N. Koblitz, A course in number theory and cryptography, 2nd edition, Springer-Verlag, 1994. [19] R. C. Merkle, “A certified digital signature”, Advances in Cryptology Crypt0’89. [20] D. Malan, “Cryto for Tiny Objects”, Tech. Report, CS Harvard University, 2004.

2179

0-7803-8794-5/04/$20.00 © 2004 IEEE