Che materia stai cercando?

Network Security

Tesina di Network security, scritta il lingua inglese. Gli argomenti principali trattati sono: Attack Model, Data Aggregation, Cluster, Hierarchical, Key Management and Authentication, Key Symmetric vs Asymmetric, In Cluster Scheme,... Vedi di più

Esame di Network security docente Prof. F. De Natale





sink. It’s considered only a single base station and associated sensor nodes. It’s ignored the

structure of the multi-hop network, assuming only that each sensor node has a separate link

to the base station. This abstracted architecture is depict in Fig.1. The main problem of this

Fig. 1: An abstract sensor network architecture, with inessential underlying physical struc-

tures abstracted away. We have n sensor nodes (the small circles), each with a separate secure


channel to a single trusted base station (the large solid square). The sensor sends measure-


x to the base station, and the base station uses the function to compute the aggregate

ment i = 9.

y. n

In this picture, [8]

configuration is that the aggregator forwards to the home server all data and authentication

information from each sensor. Given all the data, the home server can verify authenticity of

each data item, and answer all the statistical queries locally. However, the transmission is

increased and consequentially the power consumption of the whole sensors network.

In the second case, In-Network Aggregation reduces the communication overhead, only

processed and aggregated information is returned to the base station. It’s possible subdivide

the problem in two:

• Cluster

• Hierarchical

3.1 Cluster

The sensor networks allows each of the nodes to organize themselves into clusters once de-

ployed. There are some nodes called aggregators or cluster-head that help aggregating in-

formation requested by a query. The aggregator collects the data from sensors and locally

computes the aggregation result. [3] propose to send at the base station also the prove that

2 where a data fusion

the sensor work correctly. Similar configuration are present in WBA

node receives data from a number of sensors, conducts data fusion, and then sends the result

(decision) to the base station with the help of two witness.

If the Query is local, i.e. the detection of an event, we can consider the cluster like

3 paper, is a normal

the number of sensor that reveal it. The Cluster-head described by SEF

2 “A Witness-Based Approach For Data Fusion Assurance In Wireless Sensor Networks” [9]

3 “Statistical En-route Filtering of injected False Data in Sensor Network, 2004” [4]


sensor elected from the other sensors like it. The number of the sensors that take part is low

and so the number of data to compute, so the Cluster-Head doesn’t require high computation


Fig. 2: An example sensor network. Suppose we want to monitor three areas of interest, the

road, the river, and the munition plant, by deploying a cluster of sensor nodes (filled circles)

in each area. The base station sends commands or queries to the sensor nodes, and receives

reports from them. All the communications are relayed by some forwarding nodes (blank

circles). [10]

3.2 Hierarchical 4

The hierarchic scheme is only presented by SAW where the sensors network is presented

like a tree diagram. The leaves send the measure to their parent that compute the aggregation

and send the result to its parent. SAW says:

“Keep in mind, though, that the benefits of our protocol come when there are

a large number of nodes arranged in a deep tree, so that many readings can be

aggregated in a single message.”

In this paper, for simplicity, they assume only leaf nodes are collecting sensor readings,

and intermediate nodes are just aggregating and forwarding data.

4 “Secure Aggregation for Wireless Sensor Networks” [5] 5

4 Key Management and Authentication

The configuration used by all protocols is that each node is initialized, before deployment,

with a symmetric secret key. The base station establishes secrets with the ad hoc wireless

nodes before deployment.

4.1 Key Symmetric vs Asymmetric

Security issues in mobile ad hoc networks are similar to those in sensor networks, but the

defense mechanisms developed for ad hoc networks are not directly applicable to sensor

networks. Ad hoc network security mechanisms are based on public key cryptography. Con-

ventional public-key algorithms can help set up and manage keys in a network, but these

algorithms are not feasible in a sensor network because of their communication and compu-

tation complexity.

Almost all protocol presented say that is a risk to store the same key on every device to

enable encryption or authentication, since an adversary who recovers the key from a single

device will be able to control the entire network. Thus, is necessary to use different keys for

each sensor.

4.2 In Cluster Scheme


In SIA , the authors assume that each sensor has a unique identifier and shares a separate

secret cryptographic key with the base station and with the aggregator.


The base station and the aggregator doesn’t need to store keys. In fact, they store


K and , and each sensor node stores the shared keys MAC (node

simply a master key B A K B

(node ID), where MAC is a secure message authentication code that is used

ID) and MAC


here as a pseudo-random function. To verify the authenticity of each sensor reading, each

sensor shares a key with the aggregator. With the distribution of the keys it’s preventing only

sensor impersonation, and not data come from a damage or currupt sensor.

A new approach is that the authors of SIA call aggregate-commit-prove:

“aggregators help computing aggregation of sensor nodes’ raw data and reply to

the home server with the aggregation result together with a commitment to the

collection of data. The commitment to the input data ensures that the aggregator

uses the data provided by the sensors, and that the statement to be verified by the

home server about the correctness of computed results is meaningful.”

One efficient way of committing to the data is a Merkle hash-tree construction [6], [7].

6 algorithm. This is a efficient way to reduce the com-

This method is used also in the DAV

munication overhead between the network and the base station.

All the collected data are like the leaf nodes of the tree, and the aggregator then computes

a binary hash tree starting from them. In other words, each internal node in the hash tree is

computed as the hash value of the concatenation of the two child nodes. The root of the tree is

5 “SIA: Secure Information Aggregation and verification protocol in Sensors Network” [3]

6 “A Secure Data aggregation and Verification Protocol for Sensor Networks” [2]


called the ‘commitment’ [3] of the collected data. Since the hash function in use is collision

resistant, once the aggregator commits to the collected values, he cannot change any of the

collected values. Fig.3 pag.6 gives an example of a Merkle hash tree.

Fig. 3: Merkle hash tree used to commit to a set of values. The aggregator constructs the

, ..., m

m . To lower the size of verification

Merkle hash tree over the sensor measurements 0 7

information, the aggregator first hashes the measurements with a cryptographic hash function,

= ),


v assuming that the size of the hash is smaller than the size of the data. To

e.g., 3,0 0

construct the Merkle hash tree, each internal value of the Merkle hash tree is derived from its

= || ).

H(v v

v The Merkle hash tree is a commitment to all

two child nodes: i,j i+1,2j i+1,2j+1 v , a verifier can authenticate any leaf value

the leaf nodes, and given the authentic root node 0,0

by verifying that the leaf value is used to derive the root node. For example, to authenticate

m v , v , v m

m , the aggregator sends along with , and is authentic

the measurement 5 5 3,4 2,3 1,0 5

= || || )) || )).

H(v H(H(v H(m v

v [3]

if the following equality holds: 0,0 1,0 3,4 5 2,3

A different point of view is to use an asymmetric system with the private key subdivided

and another key for the sensor. In DAV [2] article they propose a protocol named Cluster

Key Establishment that generates a secret cluster key for each cluster. Each sensor node only

has a part of the secret cluster key and the cluster key is hidden from each node. The public

key for the secret cluster key is known to all nodes within the cluster as well as the base

station. Since the secret cluster key is hidden from all nodes, attacks on the cluster key are

not possible.

In WBA, in order to prove the validity of the fusion result, the fusion node has to provide

proofs from several witnesses. A witness is one who also conducts data fusion like a data

fusion node.

“They assume that the data fusion node and witness nodes share a secret key with


the base station. Let denote the data fusion node. Assume that we have chosen 7

, ..., w k , ..., k

m w , and represent the MAC keys they share with

witnesses, 1 1

m m

the base station. To reduce energy consumption in this scheme, they analyzed

and computed the minimum length needed for the Message Authentication Code

(MAC) to achieve a predefined level of security.”

This configuration type it’s good because the number of bits used for MACs does not

increase linearly with the number of witnesses.

Otherwise, to prevent any single compromised node from breaking down the entire sys-

tem, SEF [4] carefully limits the amount of security information assigned to any single node,

and relies on the collective decisions of multiple sensors for false report detection.

In SEF paper there is a global key pool.

“However, only the sink has the knowledge of the entire pool. Each sensor stores

a small number of keys that are drawn in a randomized fashion from the global

key pool before deployment. Once a stimulus appears in the field, multiple de-

tecting nodes elect a CoS node that generates the report. Each detecting node

produces a keyed MAC for the report using one of its stored keys. The CoS node

collects the MACs and attaches them to the report in the form of a Bloom filter.

These multiple MACs collectively act as the proof that a report is legitimate. A

report with an insufficient number of MACs will not be forwarded. The key as-

signment procedure should ensure that each node can only generate part of the

proof for a legitimate report. Only by the joint efforts of multiple detecting nodes

can the complete proof be produced.” = 9


Fig. 4: An example of a global key pool with partitions and 4 nodes, each of which

= 3

k k, n

has keys randomly selected from one partition. In a real system, may be much

larger. ([4])

At the same time, the procedure of key assignment should also ensure that any two nodes

share common keys with a certain probability. When the report with forged MACs is for-


warded by intermediate nodes, key sharing allows them to examine the correctness of the

MACs, and allows to detect and drop false reports en-route.

4.3 In Hierarchical Scheme

The SAW protocol cannot encrypt messages using a unique key shared between each sensor

and the base station since each intermediate node needs to understand the received messages


to perform aggregation. The protocol it’s adopted for authentication of messages


transmitted by the base station [1]. is a protocol that provides authenticated broad-

cast for resource constrained environments, it achieves asymmetry from clock synchroniza-

tion and delayed key disclosure.

5 The Mean


The mean is a good method for low power nodes and small sensor networks. In fact, the

sensors have low computational ability and they are enough close to the base station to be

able to communicate with it. In this way, we don’t care about safety problems of aggregation,

because the step that collect and elaborate data coming from the near sensors and then to

transmit them to the base station is missed. The author of RAS paper present a few primitive

function that can compute aggregation and he explain which are secure and insecure in the

presence of compromise sensor nodes. Some functions simply cannot be computed securely

in the presence of compromised nodes.

Average is insecure: ) = (x + + )/n,

(x , ..., x ... x


“We saw earlier that the average, given by 1 1

n n

is insecure in the presence of a single malicious sensor node. Say that sensor

x in place of

node 1 is compromised. Then by substituting the fake reading 1

= (x )

y f , ..., x

x , the average is changed from to

the real measurement 1 1 n

∗ ∗ ∗

= (x ) = + (x − )/n.”

f , x , ..., x y x

y 2 1

1 1

n ∗ ∗ = +δn

x x

x freely and put in any value for it. So if he can set

The attacker can choose 1

1 1

∗ = +

y δ.

y y Consequently, in the presence

the average will be successfully altered from to

of even a single compromised node, the average is not a meaningful aggregate. If the network

is dense of sensors, for the problem of temperature measuring, there is the possibility to reject

false data results that are not harmonious with the neighborhood. But, with a large number of

sensors, increase also the trouble about communication and aggregation. In our opinion we

can say that it is possible to implement a statistical method to compute the average based on

random sampling of measures. In such way the probability to pick up a fake sensor is lower

than take all sensor measures.

Truncation is another technique showed in RAS: [l, u],

“if we know that valid sensor readings will usually be in the interval

then we can truncate every input to be within this range. Note, for instance, that

7 “Resilient Aggregation in Sensor Networks” [8] 9

[0, 1]-truncated

the count can be viewed as a version of the sum. In general,


given any base aggregate we can construct a truncated aggregator by applying

g to the truncated data values. (x) ≤ ≤

l x < l, x l x u, u x > u.

be if if and if

More formally, let trunc


To obtain a truncated replacement for the raw average, set

(x ) + + (x )


trunc trunc


[l,u] [l,u] n

(x ) =

f , ..., x

1 n n

This method is good to increase the conventional aggregation, but it is not an entirely

satisfactory solution. Since a large intervals gives the attacker a great choice, while narrow

intervals reduce the utility of the sensor network.

Another technique is showed by DAV where each cluster of the network has a cluster-

head that aggregates the sensor readings and computes its average. The the cluster-head

broadcasts the average to all the members within the cluster. The sensor node compares its

reading with that of the average and if the difference is less than a threshold, the node creates

a partial signature on the average using the shared secret and sends it to the cluster-head.

The cluster-head combines them into a full signature and sends this full signature along with

the average reading to the base station. The base station check the validity of this signature

because hold the public key. Since the attacker does not know the cluster key, it cannot


generate the full signature. Also, within a cluster, a collusion of less than compromised

sensor nodes cannot make the base station accept faulty readings. The protocol description


(considering cluster is given in Protocol 2 (Fig.5 pag.10).

“ Notations |CH |


CH is cluster-head for a cluster is the number of sensors in cluster

i i

i jm

j i. χ

i. k is secret share of sensor in a cluster is the secret key shared

j m j, j

between sensor and any node could be a sensor, cluster-head or the base

m avg

R is the reading from sensor node and is the average reading

station. m i

i h(∆)

transmitted from cluster to the base station. We denote as a one-way

strongly collision-free hash function. We use the following primitives:


EN C(χ, M M

a) : symmetric encryption of message using shared secret


key )

sign(k, M M

b) : partial signature generated on a message ;


dest, M M

c) send(src, : a communication primitive to send a message

src dest;

from source to destination



d) bcast(src, : a communication primitive to broadcast a message


from a source node

Integrity of Readings

Threshold signature scheme ensures the authenticity of message. The in-

tegrity of readings is ensured with the help of a Merkle Hash Tree. The sensors

10 Fig. 5: Protocol 2: Secure Data Aggregation and Verification [2]

transmit the encrypted value of their readings along with its hash to the cluster-

head. The cluster-head builds a Merkle Hash Tree based on the hash values of

the readings. When the base station receives the encrypted value of the average

reading along with the signature, it verifies the signature using the public key. To

verify integrity, the base station can query repetitively to the cluster-head on the

individual readings. Illustration is given in Fig.?? pag.??”.

Another protocol that compute the Mean is SAW. It shows a efficient way to collect the

same information, since each node, that calculates the average for all of its descendents, has


to send that value and the number of descendants to its parent. SAW assume a simple hierar-

chical tree aggregation. The idea of the protocol is based on delayed aggregation and delayed

authentication. Instead of aggregating messages at the immediate next step, messages are for-

warded unchanged over the first hop and then aggregated at the second step. If the two step

(nodes parents/child) are compromised, the entire network is compromised. The authenticate

messages is not made immediately, but after a time delay. This enables authentication keys

to be symmetric keys, revealed to the authenticator after the time delay has expired.

The design of the protocol is this:

a) The powerful base station broadcast messages directly to all nodes. Sensor devices are

low power. The sensors communicate only with nearby nodes.

b) The message, to provide reliable, are delivery by a low-level network mechanisms.

c) There are many hops between sensors and the base station, since the networks is enough

large. The network is dense enough to have good choice of sensor at the first step for a


d) Each node establish shared secrets with the base station before deployment.

“The base station generates a one-way key chain using a public one-way

= (K ).


F K Each device stores before deployment

function where 0

i i+1

= (K)


F n F K).

K (that is, applications of to a secret We can imagine

where 0

doing this using a location limited channel where the keys are established in a

secure environment near the base station before they are deployed.”

This protocol let the sensor nodes to be able to produce messages that can be authenticated

by the base station.

Figure 6 pag.12 shows a small part of a sensors network formed by eight low-power

(A − H)

sensor nodes and a powerful base station. The base station collects information

(A − D)

from all sensor nodes. All sensor nodes are identical, but are the leaves of the

(E − G)

tree, while nodes are intermediate nodes. A typical network would have hundreds

or thousands of nodes and a branching factor greater than two. This configuration produce

a hierarchical scheme topology where every node has a immediate parents node. Each leaf


(K , R is

node transmits its reading to its parent. A message authentication code, MAC Ai A

included with the message. To transmit the data to the base station each node use key that is

not known to the other sensor nodes. The parent node will store the message and its MAC

K is revealed by the base station. Then, it will verify the MAC and raise an

until the key Ai

alarm if it does not match. The aggregation is performed in each intermediate step.

Each child can contribute at most one reading in each time step. Nodes aggregate the data

they receive from their grandchildren (via their children) and transmit the MAC of the aggre-

gation value. Delayed aggregation ensures that an adversary who obtains key material from

a compromised node cannot tamper with many sensor readings. After a stage of messages

arrives at the base station, the base station reveals the temporary node keys along with a MAC


generated using base station’s current key. Once the key is revealed, nodes advance

to the next temporary node key. After this, the key is revealed to enable authentication, and

the base station advances to the next key in the chain.

12 Fig. 6: Example Sensor Network. [5] 13

Protocol Details

The protocol used in SAW is characterize by separate steps while sending data from sen-

sors to the base station. Beside, it’s possible to authenticate the information sent retroactively.

The benefits of protocol come when there are a large number of nodes arranged in a deep tree,

so that many readings can be aggregated in a single message.

This notation are used to describe the protocol:

B, C, ...

“A, Sensor nodes

S Base station

A B A B.

Node sends a message to Since messages are wireless, this is a

local broadcast and nearby nodes will also hear the message.


ID Unique of node




Concatenation of messages and .

1 2 1 2


E(K, M M K.

Encryption of using key


M AC(K, M M K.

Authentication code of using key

Aggr(x, y) x y.

Result of the aggregation function on and The aggregation

function must be deterministic, distributive and not depend on the order

readings are incorporated. A S.

K Unique key shared between node and base station


R Data reading value of node

A =


i A E(K , i)

K The key for node

Ai AS = (K)”.

th n−i


K The key in the base station hash chain


Data Validation

The protocol is designed to avoid that a single compromised node can breakdown the

network. It should not be able to produce aggregate values that improperly represent the state

of the network. Since the base station has a shared temporary key with each sensor node,


it can verify that the message it receives in the final step was transmitted by (see Fig.6

pag.12). In fact, the base station can calculate the MAC of the aggregation, computed by

H, K and comparing it to the MAC transmitted in the message. It’s only possible

using Hi H

to validates that sent the final message, but does not validate that it correctly reflected

reading from the other sensor nodes. The power of the algorithm is that the base station

also receives the MACs and readings of its grandchildren, and can authenticate those values.

The goal is to authenticate all the readings that contributed to the aggregation value, without

requiring every reading to be sent to the base station. To validate data, the base station reveals

temporary node keys to the network. Using wide-area broadcast, the base station sends out

µTESLA K . Nodes will

each temporary node key along with a MAC using its current key, i

advance to the next temporary node key for succeeding messages. Requiring that the base

station reveal every node key for every aggregate reading it receives does not scale to large

sensor networks or work well in situations where frequent readings are desired. Note that

although all the node keys are sent out by the base station, each sensor node only needs a few

of them.

14 ).

, R

E K to verify MAC(K If the key

“For example, node needs Ai Ai A

broadcasts are synchronized, it will not be necessary to listen to all the key

broadcasts to find the relevant ones. After sending out all the node keys, the

µTESLA K , to enable nodes to check

base station sends out its current key, i

transmitted MAC values, and advances to the next key in the chain for future

K , nodes verify the MAC for the node keys. Nodes

messages. After receiving i (K )


K is legitimate by calculating and comparing it to . If a node

verify i i i−1

detects a forged message in the data validation stage, it sends out an alarm mes-

sage. Alarms are raised by a parent when it detects an inconsistent MAC from

a child or grandchild, and sent to the base station along with a MAC computed

using the node’s temporary key.”

The weak point of this method is that if the compromised node is a leaf node, the adver-

sary can transmit false readings without detection. Cryptographic way is not possible because

the adversary has obtained all key material on the compromised node. This protocol allow

to an attacker to compromise either parent and child node. For example, an attacker who


compromised both nodes and in Fig.6 pag.12 would be able to transmit a bogus aggre-


R and , along with the legitimate reading for ’s subtree. In general, an

gation value for A B

attacker who simultaneously compromises a child and parent can misrepresent the readings

for every node in the child’s subtree.

6 The Sum

The sum is insecure. The sum is lower than average in term of safety, due to the impossibilty

to simpling all sensors and achieve a similar result.

) = + +

(x , ..., x x ... x

f is not meaningful in the

“Similarly, the sum 1 1

n n

presence of one or more compromised nodes. The attacker can freely increase

or decrease this value without limit.”

We propose another approach to preserve the final result. If a sensor gain his value up to

the double or more of the value measure by the other sensors, we set his value equal to the

mean. Thus, this method let us to recover the correct value. Also the truncation technique

(see Section 5 pag.8) is possible to applied to the sum, but the trimmed technique proposed

by the authors, more complex and tidy than the our method, allow to obtain good result.

The trimmed technique lets:

“to ignore the highest 5% and lowest 5% (for instance) of the sensor readings,

and then compute the aggregate on the remaining 90% of readings in the middle.

This is known as the trimmed mean in the statistical literature. Intuitively, we

might expect this to be fairly robust to compromised nodes, so long as no more

than 5% of the sensors are compromised. , ..., x x , ..., x

x , let the symbols

Let’s work out the details. On inputs 1 (1) (n)


x ρ. g

represent the -values in sorted order. Fix a security parameter Let denote

i 15


the underlying aggregation function. We construct a more resilient version of

by defining (x ) = ).

, ..., x g(x , x , ..., x

f 1 (ρn) (ρn+1) (n+1−ρn)

ρ n

Trimming can be viewed as a principled, automated form of outlier elimi-


nation, where we always throw away the smallest and largest observations,

k < ρn,

on the principle that they might be outliers. Assuming that all an ad-

versary can do is affect which subset of legitimate sensor readings are used as


inputs to however, the adversary cannot control in any other way the inputs to

g. Interestingly, the median is a special case of the above construction, obtained


ρ from below. For these reasons, trimming looks

by taking the limit as

intuitively promising.”

7 The Minimum

The minimum is insecure. Differently from the sum and average, minimum is not a mean-

ingful aggregate to compute in the presence of a single compromised node. In fact, is not

possible to find a solution to reduce this problem. )

(x , ..., x

f =

“Consider computing the minimum of the sensor readings, 1 n


, ..., x and suppose that sensor 1 is compromised. The attacker can


1 n x is the unique smallest sensor reading, and

only increase the minimum if 1 ∗ ),

, x , ..., x which cannot exceed

even then, the minimum is raised to min(x 2

1 n


, ..., x Thus, the attacker has little capacity to increase the computed


2 n

aggregate. However, the attacker can freely reduce the computed minimum

x to be a very small (or even negative) value. So

value, simply by choosing 1

long as the attacker’s desired outcome is smaller than the correct outcome, the

attacker has complete control. Therefore, we consider that the minimum is not

resilient against false sensor readings.”

The minimum is like an event, only a cross check verification between sensor neighbors

can detect false reading. If we assume that the sensor nodes are deployed in a high density,

so that each stimulus can be detected by multiple sensors.

SEF elect one of the nodes as the Center-of-Stimulus (CoS). The CoS collects and sum-

marizes the detection results by all detecting nodes, and produces a synthesized report on

behalf of the group.

“When a stimulus appears, multiple nodes that detect it collaborate to process


the signal and elect the that summarizes the sensing results and generates a

, t, E L t

L on behalf of the group, where is the location of the event, is

report E E


the time of detection and is the type of event. This collaborative report gener-

ation can be carried out by following the procedure proposed in [7]: Each node

broadcasts its sensing signal strength within the detecting area. A node with a

weaker signal is suppressed by neighbors which sense stronger signals. Finally

16 CoS. CoS

the node with the strongest signal stands out as the The then aggre-

gates sensing results it has heard from other detecting nodes to generate a report.


Notice that the purpose of election is to eliminate redundant reports and


this process should exist even without SEF. After the generates the report,

it broadcasts the report to all detecting nodes. Upon receiving the report broad-


cast from the a detecting node A checks to see whether the report content

is consistent with the readings of its own sensing. If they match within certain

error range, pre-defined according to the sensors accuracy and the application’s


requirements to suppress duplicate data report generation, node randomly se-

= || ||

M M AC(K , L t E),

k K , and generates a MAC

lects one of its keys, i i i E

|| b)

(1) where denotes stream concatenation and MAC(a, computes the MAC

b a.

M of message using key Many cryptographic one-way functions can serve

i A i, M

this purpose [8]. Node then sends , the key index and the MAC, to the


CoS. If a detecting node does not receive any report that matches its own sensor


readings, it participates in another round of election with other detecting

nodes.” CoS

This to avoid the case where a compromised node may elect itself as the and broad-

cast a false report.

CoS i, M ’s from the other nodes and sorts the MACs like are sorted

The collects all the i

on the key partitions. The MACs generated by keys of the same partition are defined as one


CoS T T n,

category. Then the selects from the all the received categories, where then ran-

i, M tuple from each category and attaches it to the report. At the end, the

domly chooses one i , t, E, i , M , i , M , ..., iT, M

CoS L .

final report that the send to the base station is like 1 2

E i1 i2 iT

SEF is candidated to operate in dense deployment of large sensor networks. To prevent

any single compromised node from breaking down the entire system, SEF try to take the

collective decisions by the reading of multiple sensors.

System Model

SEF consists of three components which work together:

• The same stimulus detected from multiple nodes generate multiple MACs;

• Intermediate forwarding nodes detect incorrect MACs;

• The sink verifies the correctness of each MAC and eliminates remaining false reports.

When the report with forged MACs is forwarded by intermediate nodes, probabilistic

key sharing allows them to examine the correctness of the MACs probabilistically, thus de-

tecting and dropping false reports en-route. The sink serves as the final goal-keeper for the

system. When it receives reports about an event, the sink verifies every MAC carried in the

report because it has complete knowledge of the global key pool. False reports with incorrect

MACs that sneak through en-route filtering will then be detected. Several questions must be

answered to make the above design work: The authors of RES paper were able to prevent a

compromised node from forging the complete proof while enabling verification by interme-

diate forwarding nodes. Moreover were able to detected and filtered out false reports enroute

by forwarding sensors. 17

Fig. 7: A compromised node injects false reports of non-existent tanks “appearing” in various

locations. Large quantities of such bogus reports cause false alarms. Considerable amount

of energy and bandwidth could be wasted in delivering false reports. The user may also be

overwhelmed and miss a real event. ([4])

Key Assignment and Report Generation 0 ≤ ≤ − 1,

, i N

N K which

“There is a pre-generated global pool of keys i

0 ≤ ≤ − 1.

, i n

n N Each partition

is divided into non-overlapping partitions i


N n∗m),

has m keys (i.e., and each key has a unique key index. A simple way

= |im ≤ ≤ (i + 1)m − 1.

K j


to partition the global key pool is as follows: i j

Before a sensor node is deployed, the user randomly selects one of the n parti-


k < m)

tions, and randomly chooses keys from the partition. The sensor node

is then loaded with these keys and the associated key indices (see Fig.4 pag.7 for

an example).”

8 The Median

The common function used by the most sensor networks is the The median ,that can substi-

, ..., x x , ..., x x

x , let denote the -values placed in sorted

tute the average. On inputs 1 (1) (n)

n i

12 12


i) x x

i x be short-hand for . The definition of

order. If is not an integer, let ( (i−0.5) (i+0.5)

) = = = (n + 1)/2.

(x , ..., x x x r

f med where RES says that:

the medium is 1 1≤i≤n (r)

n i


“Note that a attack can only change the median to something between


x and . If we have at least three readings, these two endpoints are sen-

(r−1) (r+1) k-node

sor readings from uncompromised nodes. In general, after a attack, the

], 2k,

[x , x n >

and when the endpoints

median will be in the interval (r−1) (r+1)

of this interval are readings from uncompromised nodes”.




387.74 KB




+1 anno fa


Tesina di Network security, scritta il lingua inglese. Gli argomenti principali trattati sono: Attack Model, Data Aggregation, Cluster, Hierarchical, Key Management and Authentication, Key Symmetric vs Asymmetric, In Cluster Scheme, In Hierarchical Scheme, The Mean, The Sum, The Minimum, The Median.

Corso di laurea: Corso di laurea in ingegneria industriale
Università: Trento - Unitn
A.A.: 2012-2013

I contenuti di questa pagina costituiscono rielaborazioni personali del Publisher summerit di informazioni apprese con la frequenza delle lezioni di Network security e studio autonomo di eventuali libri di riferimento in preparazione dell'esame finale o della tesi. Non devono intendersi come materiale ufficiale dell'università Trento - Unitn o del prof De Natale Fancesco.

Acquista con carta o conto PayPal

Scarica il file tutte le volte che vuoi

Paga con un conto PayPal per usufruire della garanzia Soddisfatto o rimborsato

Ti è piaciuto questo appunto? Valutalo!

Altri appunti di Corso di laurea in ingegneria industriale

Impianti Industriali
Fondamenti di elettronica
Scienza dei materiali
Appunti Lezioni Sistemi meccanici e modelli