104 Icdcit05



A game based model of security for WSN


  1. A Game Based Model of Security for Key Predistribution Schemes in Wireless Sensor Network
     Debapriyay Mukhopadhyay and Suman Roy
  2. OUTLINE
     • Motivation
     • Preliminaries
       -- Probabilistic Turn Based 2½ Player Game
       -- Message Authentication Code
     • Security Framework for Key Predistribution
     • An Example Key Predistribution
       -- Polynomial Based Scheme
       -- Security Analysis
     • Security Modelling
       -- Modelling Key Predistribution
       -- Analysis
     • Conclusion
  3. Motivation
     • Cryptographic protocols – required to be formally analyzed.
     • Random key predistribution schemes – for key establishment in sensor networks.
     • A formal model to analyze these key predistribution schemes is missing.
     • Formal specification of the property – also needed to formally verify that the protocol meets the security need.
  4. Motivation
     • Games provide rich models of computation – they can capture the interplay between two or more players.
     • Cryptographic protocols can be seen as a game where the adversary is one of the players – this can help in achieving a powerful notion of security.
     • New direction of research.
     • We use the Probabilistic Turn Based 2½ Player Game to model random key predistribution schemes.
     • We show that this model can also be of use in the formal specification of a property of key predistribution schemes.
  5. Probabilistic Turn Based 2½ Player Game
     • Defined on a game graph $G = ((S,E); (S_1, S_2, S_O); \delta)$, where $(S,E)$ is a directed graph, $(S_1, S_2, S_O)$ is a partition of the set of states $S$, and $\delta : S_O \to D(S)$ is a probabilistic transition function. $D(S)$ stands for the probability distributions over the state space $S$.
     • Player 1 plays from the states in $S_1$.
     • Player 2 plays from the states in $S_2$.
     • States in $S_O$ are probabilistic states, and the successor is chosen following $\delta$.
     • The game graph is denoted $G_{s_0}$ if $s_0$ is the start state of the game. Player $i$ starts the game if $s_0 \in S_i$.
  6. Plays and Strategies
     • An infinite sequence of states of the form $\langle s_0, s_1, \ldots, s_k, s_{k+1}, \ldots \rangle$ such that $(s_k, s_{k+1}) \in E$ for all $k$ is called a play in the game graph $G_{s_0}$.
     • $\Omega_{s_0}$: the set of all plays that start from $s_0$.
     • Player 1 strategy – $\rho : S^* \cdot S_1 \to D(S)$ assigns a probability distribution to all finite sequences ending in $S_1$. A Player 2 strategy can be defined equivalently.
     • Memoryless strategy for Player 1 – $\rho : S_1 \to D(S)$
     • Pure memoryless strategy for Player 1 – $\rho : S_1 \to S$
     • If Player 1 follows a pure memoryless strategy, the game reduces to a 1½ Player Game played on $G_{s_0}^{\rho}$.
  7. Objectives / Winning Condition (WC)
     • Who wins a play in the game $G_{s_0}$ is given by $\Phi \subseteq \Omega_{s_0}$, called the winning condition.
     • If $\Phi \subseteq \Omega_{s_0}$ is the WC for player 1, then $\Omega_{s_0} \setminus \Phi$ is the WC for player 2 – complementary WCs.
     • For a play $\alpha = \langle s_0, s_1, \ldots, s_k, \ldots \rangle$, define $\mathrm{Inf}(\alpha) = \{ s \in S : s = s_k \text{ for infinitely many } k \ge 0 \}$.
     • $F$: set of final states.
     • (Reachability) $\mathrm{Reach}_F = \{ \alpha \in \Omega_{s_0} : s_k \in F \text{ for some } k \ge 0 \}$
     • (Büchi) $\text{Büchi}_F = \{ \alpha \in \Omega_{s_0} : \mathrm{Inf}(\alpha) \cap F \ne \emptyset \}$.
  8. Quantitative Analysis
     • - Set of all strategies for Player 1
     • - Set of all strategies for Player 2
     • $\mathrm{Val}_1(\mathrm{Reach}_F)(s_0) = \sup_{\rho} \inf_{\pi} \Pr^{\rho,\pi}_{s_0}(\mathrm{Reach}_F)$, with $\rho$ ranging over Player 1's strategies and $\pi$ over Player 2's – max. probability with which player 1 can meet his WC $\mathrm{Reach}_F$ from start state $s_0$.
     • $\mathrm{Val}_2(\Omega_{s_0} \setminus \mathrm{Reach}_F)(s_0)$ can be analogously defined for player 2.
     • (Determinacy Result) $\mathrm{Val}_1(\mathrm{Reach}_F)(s_0) + \mathrm{Val}_2(\Omega_{s_0} \setminus \mathrm{Reach}_F)(s_0) = 1$, for a game $G_{s_0}$ with reachability objective.
     • Quantitative 1½ Player Game – can be solved in polynomial time.
  9. Message Authentication Code (MAC)
     • MAC – keyed hash functions. A hash family is written as $(X, Y, K, H)$. For each $k \in K$, there is a function $h_k : X \to Y$ with $h_k \in H$.
     • If $h_k(x) = y$, then $(x, y)$ is called valid under the key $k$.
     • Security of a MAC is studied under a Random Oracle model where the adversary is allowed to obtain $q$ valid pairs under an unknown key by querying the oracle.
     • $Pd_q$: probability of deception, i.e., the max. prob. with which the adversary is successful in generating a valid pair.
  10. Security Framework for Key Predistribution
     • Each node $i$ is given $k_i$ as secret keying info derived from the master secret $S$.
     • Two nodes $i$ and $j$ use their keying info $k_i$ and $k_j$ to derive the shared key $K_{ij}$ between them.
     • Assume the adversary has compromised $x$ randomly selected nodes. $I = \{(i_1, k_{i_1}); (i_2, k_{i_2}); \ldots; (i_x, k_{i_x})\}$.
     • The adversary is allowed to make message authentication requests $\hat{h}(m, i', j')$, with the effect that node $i'$ authenticates $m$ for $j'$ and sends $tag = h_{k_{i'j'}}(m)$ to the adversary.
  11. Security Framework for Key Predistribution (Contd..)
     • The adversary attempts to output $(i, j, m^*, tag^*)$ and succeeds if 1) $tag^* = h_{k_{ij}}(m^*)$ and 2) it had never requested $\hat{h}(m^*, i, j)$ or $\hat{h}(m^*, j, i)$.
     • The scheme is called a $(\lambda, \epsilon, \delta)$-secure predistribution scheme if, for any adversary running in time $T$, we have
       $\Pr_{S,I}[\Pr[\mathrm{Succ} \mid S, I] \le \epsilon] \ge 1 - \delta$,
       as long as the number of compromised nodes is less than $\lambda$.
     • This property is the one of interest in this study.
  12. Blom’s Scheme
     • A $t$-degree symmetric bi-variate polynomial $f(x, y) = \sum_{i,j=0}^{t} a_{ij} x^i y^j$ over a finite field $F_q$, where $q$ is a large prime.
     • Each sensor node has a unique Id.
     • Each node $i$ is given $f(i, y)$ as its keying information.
     • Nodes $i$ and $j$ establish the key by evaluating $f(i, j) = f(j, i)$.
  13. Random Key Predistribution Based on Blom’s Scheme
     • A pool $S$ of randomly generated bi-variate $t$-degree symmetric polynomials over $F_q$ is chosen with $|S| = s$.
     • For each $i$, $S_i \subseteq S$ is chosen with $|S_i| = s'$, and for each $f \in S_i$ the polynomial share $f(i, y)$ is assigned to node $i$.
     • Key establishment is done through
       -- Direct Key Establishment
       -- Indirect (or Path) Key Establishment
     • Key Sharing Graph: nodes as vertices, and edges iff 1) two nodes can establish a direct key, and 2) they are within wireless communication range of each other.
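Slides 12 and 13 as an added Python example (not code from the slides or their authors): shares of symmetric polynomials are handed out from a pool, two nodes derive a direct key from a common polynomial, and that key authenticates a message as in the framework of slides 10 and 11. The modulus `Q`, the function names and the use of HMAC-SHA256 as the keyed hash $h_k$ are assumptions of this example.

```python
import hashlib, hmac, random, secrets

Q = 2**61 - 1  # prime modulus; constructed value, the slides only ask for a large prime q

def gen_poly(t, q=Q):
    """Symmetric coefficient matrix a[i][j] == a[j][i] of a t-degree f(x, y)."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = secrets.randbelow(q)
    return a

def share(a, node, q=Q):
    """Coefficients (in y) of the node's share f(node, y)."""
    n = len(a)
    return [sum(a[i][j] * pow(node, i, q) for i in range(n)) % q for j in range(n)]

def eval_share(sh, peer, q=Q):
    """f(node, peer), evaluated from the node's own share by Horner's rule."""
    acc = 0
    for c in reversed(sh):
        acc = (acc * peer + c) % q
    return acc

def predistribute(nodes, s, s_prime, t):
    """Slide 13: each node gets shares of s' polynomials drawn from a pool of s."""
    pool = [gen_poly(t) for _ in range(s)]
    rng = random.SystemRandom()
    return {n: {p: share(pool[p], n) for p in rng.sample(range(s), s_prime)}
            for n in nodes}

def direct_key(rings, me, peer):
    """Direct key from the lowest-numbered common polynomial, or None when the
    pair would need path key establishment. Only polynomial ids are compared."""
    common = sorted(rings[me].keys() & rings[peer].keys())
    if not common:
        return None
    k = eval_share(rings[me][common[0]], peer)
    return hashlib.sha256(k.to_bytes(8, "big")).digest()

def tag(rings, me, peer, msg):
    """tag = h_k(m) under the pairwise key (requires a direct key to exist);
    HMAC-SHA256 is this example's choice of keyed hash."""
    return hmac.new(direct_key(rings, me, peer), msg, hashlib.sha256).digest()

def accepts(rings, me, peer, msg, received_tag):
    """Receiver side: recompute the tag from its own share, compare in constant time."""
    return hmac.compare_digest(tag(rings, me, peer, msg), received_tag)
```

Node ids must be distinct and non-zero modulo `Q`; a pair for which `direct_key` returns `None` is exactly the case slide 13 hands to indirect (path) key establishment.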
  14. Security Analysis
     • We assume the key sharing graph is fully connected with connectivity prob. $= p$.
     • Direct key: the adversary can succeed 1) by compromising the common bi-variate polynomial, or 2) by launching a successful attack on the MAC.
     • $P_{cd}$ is the probability that the common bi-variate polynomial is compromised: $P_{cd} = 1 - \sum_{i=0}^{t} P[i \text{ compromised shares}]$ [follows from Blom’s Scheme].
     • Prob. that a direct key is not compromised $= p(1 - P_{cd})(1 - P_q)$.
  15. Security Analysis (Contd..)
     • Indirect key: similar analysis.
     • The probability that any secure link (direct or indirect) is not compromised is given by
       $P_{secure} = (1 - P_{cd})(1 - P_q)\{p + (1 - p)(1 - x/N)(1 - P_{cd})\}$,
       where $x$ is the number of nodes compromised out of $N$ nodes in the network.
  16. Modeling Key Predistribution
     • $x$ ($\le N$) out of the total $N$ nodes are compromised by an adversary.
     • $U = \{1, 2, \ldots, k\}$, where $k = N - x$, denotes the set of uncompromised nodes in the network.
     • The adversary attempts to cheat node $k$ by sending a bogus message – this can be seen as a game between the adversary and $U - \{k\}$.
     • Adversary – Player 1; set of nodes in $U - \{k\}$ – Player 2; adversary’s target (node $k$) – Player Random.
  17. Game Graph
     [Figure: game graph on the states $s_0$, $s_1$, $s_2$, $s_3$. Edge labels: $\hat{h}(m, j, k)$; $tag = h_{k_{jk}}(m)$; $(m^*, tag^*)$; "Rejects with prob. $P_{secure}$"; "Accepts with prob. $1 - P_{secure}$".]
     • $S_1 = \{s_0, s_1\}$; $S_2 = \{s_2\}$; $S_O = \{s_3\}$
     • $\delta(s_3) = \mu$ ($\in D(S)$) s.t. $\mu(s_0) = P_{secure}$ and $\mu(s_1) = 1 - P_{secure}$
  18. Immediate Analysis
     • Player 2 is following a pure memoryless strategy.
     • Player 1 can adopt a randomized strategy.
     • Discrimination in strategy will help in analyzing the robustness of the key predistribution scheme.
     • The game is determined.
     • The quantitative version of the game is solvable in polynomial time, and this holds when each play in the game corresponds to an infinite sequence.
     • Required to solve: the quantitative version of the game for Time Bounded Reachability.
  19. Analysis (Contd..)
     • Time used by player 1, and not player 2 or player random, is counted.
     • Player 1 spends unit time in choosing a successor state from $S_1$.
     • Partition the WC $\mathrm{Reach}_F$ as $\mathrm{Reach}_F^{\le T} \cup (\mathrm{Reach}_F - \mathrm{Reach}_F^{\le T})$.
     • $\mathrm{Val}_1(\mathrm{Reach}_F^{\le T})(s_0)$ can then be analogously defined.
     • Computing the value of $\mathrm{Val}_1(\mathrm{Reach}_F^{\le T})(s_0)$ for any probabilistic 2½ player game, and deciding whether optimal strategies exist for it, is an interesting problem.
  20. Analysis (Contd..)
     • For different values of $x \in [0, N]$, we have different values of $\mathrm{Val}_1(\mathrm{Reach}_F^{\le T})(s_0)$.
     • $\mathrm{Val}_1(\mathrm{Reach}_F^{\le T})(s_0)$: probability of the adversary’s success within time bounded by $T$.
     • $\Pr_{S,I}[\Pr[\mathrm{Succ} \mid S, I] > \epsilon]$ = fraction of the values of $x \in [0, N]$ for which $\mathrm{Val}_1(\mathrm{Reach}_F^{\le T})(s_0) > \epsilon$.
     • $\Pr_{S,I}[\Pr[\mathrm{Succ} \mid S, I] \le \epsilon] \ge 1 - \delta \Rightarrow \Pr_{S,I}[\Pr[\mathrm{Succ} \mid S, I] > \epsilon] \le \delta$.
     • Therefore, with $y$ the number of such values of $x$, $y / (N+1) \le \delta \Rightarrow 0 \le y \le \delta(N+1)$.
  21. Analysis (Contd..)
     • The probability of the adversary’s success monotonically increases with each additional node being compromised.
     • For each $0 \le y \le \delta(N+1)$, there is a set $X_y$ of values of $x$ for which $\Pr[\mathrm{Succ} \mid S, I] > \epsilon$.
     • Note that $X_0 = \emptyset$ and $X_{y-1} \subseteq X_y$ for all $y$.
     • The average of the values of $x \in X_{\lfloor \delta(N+1) \rfloor}$ can then be considered as an estimate for $\lambda$.
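An added Python example (not from the slides) that evaluates the formulas of slides 14 and 15 for every $x \in [0, N]$ and applies the slide 20 test $y/(N+1) \le \delta$. Three assumptions are made and labelled in the code: the number of compromised shares of a polynomial is Binomial($x$, $s'/s$), the final state set is $F = \{s_1\}$, and the value $\mathrm{Val}_1(\mathrm{Reach}_F^{\le T})(s_0)$ is replaced by the lower bound $1 - P_{secure}^T$ reached by an adversary who forges on each of its $T$ moves; `NET` holds constructed parameters.

```python
from math import comb

def p_cd(x, t, s, s_prime):
    """Slide 14: P_cd = 1 - sum_{i=0}^{t} P[i compromised shares].
    Assumption (not on the slides): each of the x compromised nodes holds a share
    of the common polynomial independently with probability s'/s."""
    r = s_prime / s
    kept = sum(comb(x, i) * r**i * (1 - r) ** (x - i) for i in range(min(t, x) + 1))
    return max(0.0, 1.0 - kept)  # clamp floating-point noise when x <= t

def p_secure(x, N, p, p_q, t, s, s_prime):
    """Slide 15: probability that a direct or indirect link is not compromised."""
    pcd = p_cd(x, t, s, s_prime)
    return (1 - pcd) * (1 - p_q) * (p + (1 - p) * (1 - x / N) * (1 - pcd))

def forge_bound(x, T, **net):
    """Lower bound on the adversary's success within T unit-time moves.
    Assumption: every move is a forgery (m*, tag*), which the game graph's random
    state s_3 accepts with probability 1 - P_secure; F = {s_1}."""
    return 1.0 - p_secure(x, **net) ** T

def delta_check(eps, delta, T, **net):
    """Slide 20: y = number of x in [0, N] whose success probability exceeds eps.
    Returns (y, whether y/(N+1) <= delta, smallest such x or None)."""
    N = net["N"]
    bad = [x for x in range(N + 1) if forge_bound(x, T, **net) > eps]
    y = len(bad)
    return y, y / (N + 1) <= delta, (bad[0] if bad else None)

# Constructed network parameters, chosen only to exercise the formulas.
NET = dict(N=200, p=0.5, p_q=2**-32, t=20, s=10, s_prime=2)
```

Because `forge_bound` is only a lower bound on the game value, a failed check rules the parameters out, while a passed check does not by itself establish $(\lambda, \epsilon, \delta)$-security.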
  22. Conclusion
     • We have been able to show how the Probabilistic Turn Based 2½ Player Game can be used in modeling a random key predistribution scheme.
     • We have also been able to show how quantitative analysis can be of help in formally specifying the $(\lambda, \epsilon, \delta)$-security property of such a scheme.
     • We left the question of quantitatively solving time bounded reachability of the 2½ Player Game open.
     • We haven’t been able to answer how good this estimate for $\lambda$ is.
  23. Thank You