Chapter 3 Primitives
3.2 Threshold MACs
In this section, we introduce threshold MACs, which combine a secure MAC with a combinatorial object called a cover-free family (CFF). This mechanism was proposed by K. M. Martin, J. Pieprzyk, R. S. Naini, H. Wang, and P. R. Wild [13].
Definition 3.2.1 [14]
A set system $(X, \mathcal{B})$ with $X = \{x_1, \dots, x_v\}$ and $\mathcal{B} = \{B_i \subseteq X \mid i = 1, \dots, n\}$ is called an (n, v, t)-cover-free family (or (n, v, t)-CFF for short) if for any subset $\Delta \subseteq \{1, \dots, n\}$ with $|\Delta| = t$ and any $i \in \Delta$,

$$\Bigl| B_i \setminus \bigcup_{j \in \Delta,\, j \neq i} B_j \Bigr| \geq 1.$$

The elements of X are called points and the elements of $\mathcal{B}$ are called blocks. In other words, in an (n, v, t)-CFF $(X, \mathcal{B})$ the union of any t-1 blocks in $\mathcal{B}$ cannot cover any other remaining one. Cover-free families were introduced by P. Erdős, P. Frankl, and Z. Füredi [14].
Threshold CFF MAC. [14]
Suppose $(X, \mathcal{B})$ is an (n, v, t)-CFF and $F: \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^L$ is a secure MAC. We construct a (t, n) threshold MAC $M[n,t] = (\mathrm{KGEN}, \mathrm{MAC}, \mathrm{VF})$ as follows:
1. KGEN:The receiver randomly chooses v keys in } , and securely sends a subset
}k senders in A first compute the set of indices for their keys, that is, they compute
} the keys , to verify the authenticity of that message.
)
Definition 3.2.2 [14]
Let be l disjoint subsets of a set X such that . Let
generalized cumulative array (GCA) if the following conditions are satisfied:
1. For any t blocks $B_{i_1}, \dots, B_{i_t}$ in $\mathcal{B}$, there exists a j such that $X_j \subseteq \bigcup_{s=1}^{t} B_{i_s}$.
2. For any t-1 blocks $B_{i_1}, \dots, B_{i_{t-1}}$, and for any j, $1 \leq j \leq l$, $X_j \not\subseteq \bigcup_{s=1}^{t-1} B_{i_s}$.
If $|X_1| = \dots = |X_l| = \alpha$ for some integer $\alpha$, we say $(X_1, X_2, \dots, X_l; \mathcal{B})$ is an $(n, \alpha, l, t)$-GCA.
It is easy to see that a GCA is a CFF. Now, if the underlying CFF is a GCA, we slightly modify the previous threshold CFF MAC scheme as follows.
Threshold GCA MAC. [14]
Let $(X_1, X_2, \dots, X_l; \mathcal{B})$ be an $(n, \alpha, l, t)$-GCA and $F: \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^L$ be a MAC. We construct a threshold MAC, called threshold GCA MAC, as follows.
1. KGEN: The receiver randomly chooses a set of $l\alpha$ keys from $\{0,1\}^k$, $X = \{k_1, \dots, k_{l\alpha}\}$, and partitions X into l disjoint subsets $X_1, \dots, X_l$ with $|X_i| = \alpha$ for all i. The receiver then securely gives to sender $P_i$ a subset of keys $B_i \subseteq X$ in such a way that $(X_1, X_2, \dots, X_l; \mathcal{B})$ is an $(n, \alpha, l, t)$-GCA, where $\mathcal{B} = \{B_i \mid 1 \leq i \leq n\}$.
2. MAC: Suppose a t-subset of $\mathcal{P}$, $A = \{P_{i_1}, \dots, P_{i_t}\}$, wants to authenticate a message m. For each index j, $1 \leq j \leq l$, they determine the set $I_j$ of indices of their keys in $X_j$ and put J equal to the smallest index j such that $\{k_i \mid i \in I_j\} = X_j$. Note that since $(X_1, X_2, \dots, X_l; \mathcal{B})$ is a GCA, such J exists. They then compute
$$\sigma = \bigoplus_{k \in X_J} F(k, m),$$
and send $(m, \sigma, J)$ to the receiver.
3. VF: The receiver uses keys from $X_J$ to verify the authenticity of $(m, \sigma)$ by checking the equality
$$\sigma = \bigoplus_{k \in X_J} F(k, m).$$
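The threshold GCA MAC above, as an added Python example that is not code from the thesis or from [13]/[14]: it checks the two conditions of Definition 3.2.2 by enumeration and runs KGEN, MAC and VF. The toy GCA construction (one group $X_j$ per t-subset of senders, so α = t), HMAC-SHA256 as F, 0-based group indices and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from functools import reduce
from itertools import combinations

def F(key, message):
    """Underlying MAC F(k, m); HMAC-SHA256 is this example's assumption."""
    return hmac.new(key, message, hashlib.sha256).digest()

def xor_tags(tags):
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), tags)

def build_gca(n, t):
    """Toy GCA (assumed construction): one group X_j per t-subset of senders,
    holding one key index per member, so alpha = t and l = C(n, t)."""
    groups, blocks, index = [], {p: set() for p in range(1, n + 1)}, 0
    for members in combinations(range(1, n + 1), t):
        group = set()
        for p in members:
            group.add(index)
            blocks[p].add(index)   # key `index` is given to sender P_p only
            index += 1
        groups.append(group)
    return groups, blocks

def covered_groups(senders, groups, blocks):
    """Indices j whose X_j lies inside the union of the senders' blocks."""
    pooled = set().union(*(blocks[p] for p in senders))
    return [j for j, group in enumerate(groups) if group <= pooled]

def is_gca(groups, blocks, t):
    """Definition 3.2.2: any t blocks cover some X_j, any t-1 blocks cover none."""
    cond1 = all(covered_groups(c, groups, blocks) for c in combinations(blocks, t))
    cond2 = all(not covered_groups(c, groups, blocks)
                for c in combinations(blocks, t - 1))
    return cond1 and cond2

def kgen(groups):
    """Receiver: one random 16-byte key per key index in X."""
    return {i: secrets.token_bytes(16) for group in groups for i in group}

def mac(message, senders, groups, blocks, keys):
    """Senders pool their keys, take the smallest J with X_J covered, XOR the tags."""
    hits = covered_groups(senders, groups, blocks)
    if not hits:
        raise ValueError("fewer than t senders: no X_j is fully covered")
    J = hits[0]  # 0-based index in this example
    sigma = xor_tags([F(keys[i], message) for i in sorted(groups[J])])
    return message, sigma, J

def vf(message, sigma, J, groups, keys):
    """Receiver: recompute the XOR over X_J and compare in constant time."""
    if not 0 <= J < len(groups):
        return False
    expected = xor_tags([F(keys[i], message) for i in sorted(groups[J])])
    return hmac.compare_digest(sigma, expected)
```

With fewer than t cooperating senders no group is covered, so `mac` refuses to produce a tag; that is condition 2 of the definition at work.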
Chapter 4 System Architecture
4.1 Concept
In this chapter, we introduce a $(w, q^2)$ threshold signature scheme with shared verification. This scheme can mitigate node-compromise attacks, and it is also suited to wireless sensor networks.
We utilize the properties of perfect hash families to design the key distribution protocol in this scheme. Furthermore, we use the threshold MAC mechanism to implement the threshold signature and the verification. Below we introduce our network system and the operational procedure for our proposed mechanism in detail.
4.2 Network Assumptions
4.2.1 Trust Requirements
Since a base station serves as a gateway between a sensor network and the outside world, a compromised base station may cause the entire network to crash. For this reason, we operate under the assumption that base stations are trusted entities.
All sensor nodes, including aggregation points, may be deployed in unattended or insecure environments. Thus attackers may try to deploy malicious aggregation points, try to turn compromised nodes into aggregation points, or directly attempt to capture aggregation points. Aggregation points are, therefore, regarded as untrusted entities.
4.2.2 Intrusion model
In this section, we briefly discuss the types of intrusion that our scheme can resist. There are many kinds of attacks in wireless sensor networks. Attacks are commonly classified as inside attacks and outside attacks. In outside attacks, the attacking nodes do not have the authorized information needed to participate in the sensor network as legitimate nodes. They might just passively eavesdrop on radio transmissions or actively inject bogus data to consume network resources.
Different from outside attacks, inside attacks refer to the adversary having full control over the sensor nodes, including their cryptographic keys. With a node compromised, an adversary can perform an inside attack. In contrast to a disabled node, a compromised node actively seeks to disrupt the network. A compromised node may be a subverted sensor node or a more powerful device, like a laptop, with more computational power, memory, and a more powerful radio. It may be running some malicious code and seek to steal secrets from the sensor network or inject a lot of bogus reports into the sensor network. Our scheme aims to tolerate the node-compromise attack, which is a fatal attack in wireless sensor networks.
Finally, we assume that the attacker has the power to tamper with, eavesdrop on, or even drop any information he obtains.
4.3 Details and Protocols
This section is divided into the following four stages. In 4.3.1, the initialization phase, we define the network environment by, for example, defining some variables. Then, the base station divides key shares among sensor nodes by utilizing the PHF characteristics. Finally, these key shares and hash values are preloaded onto the sensor nodes prior to deploying them. In 4.3.2, the deployment phase, we describe the method of deploying these sensor nodes.
In 4.3.3, the signature phase, sensor nodes operate in a cooperative monitoring environment and report the sensed events to the base station. A base station is a data collection center within the entire sensor network and reports the data to an end user. It also has sufficiently powerful processing capabilities and resources.
We will describe how the detecting nodes use the threshold MAC concept to endorse messages when an event has happened. In 4.3.4, the verification phase, all sensor nodes can act as forwarding nodes. We will describe the forwarding nodes and illustrate how the base station verifies signature messages.
4.3.1 System initialization
In our scheme, we assume that the network system consists of many blocks. Therefore, we divide sensor nodes into many blocks and assign each block an index number, starting at one and going up from there. Each sensor node is marked with two index numbers. One represents the block that the sensor node belongs to; the other is the serial number of that sensor node. For example, suppose the network system comprises four blocks, and each block has four sensor nodes. We assign the four blocks the indices $B_1$, $B_2$, $B_3$, and $B_4$ respectively. Furthermore, we mark the sensor nodes in block $B_1$ as $n_{1,1}$, $n_{1,2}$, $n_{1,3}$, $n_{1,4}$, those in block $B_2$ as $n_{2,1}$, $n_{2,2}$, $n_{2,3}$, $n_{2,4}$, and so on.
From section 3.1.2, we know that for any prime power q, there exists an affine plane of order q. In addition, an affine plane of order q can be used to construct a $(q^2, q(q+1), q+1, q, 1)$-BIBD. Let w be an integer such that $w \geq 2$. Suppose q is a prime power and $q + 1 > \binom{w}{2}$. Then, based on Corollary 3.1.8, there exists a PHF $(q+1; q^2, q, w)$. When we want to initialize the system, we therefore first consider the prime power q, which is related to the block size. Another important parameter is the security parameter w, which is the number of sensor nodes in a block that will sign the message when an event happens. After both variables are determined, we get a suitable prime power q such that $q + 1 > \binom{w}{2}$. Then, we use this prime power q to create a PHF $(q+1; q^2, q, w)$.
Below, we focus on the design of a block. In our scheme, the parameters of the PHF $(q+1; q^2, q, w)$ are interpreted as follows: $q^2$ is the number of sensor nodes in each block. (q+1) indicates that the PHF has (q+1) key sets, and there are q key shares per set. It also represents the number of key shares that each sensor node should hold. These key shares each belong to a different key set. Finally, w is the number of sensor nodes needed to endorse the message when an event happens. If fewer than w sensor nodes sign it, the message is invalid.
Since each block has different key shares, we mark all key shares in order to identify them clearly. Each key share has three index numbers: the first index indicates which block the key share belongs to, the second indicates which key set it belongs to, and the third indicates which key share of that set it is.
Next, our scheme uses one-way hash functions. The hash function takes a key share as input and produces a fixed-length hash value as output. Each hash value also has three index numbers, the same as those of its key share. For instance, we use a one-way hash function to calculate the hash value $h_{i,j,k}$ from the key share $K_{i,j,k}$. Finally, we use the PHF to distribute key shares and hash values to sensor nodes in each block.
Take the PHF (4; 9, 3, 3) in Table 4.3.1 as an example. From this PHF, each block has nine sensor nodes. We randomly generate three key shares for each key set, and there are four key sets for each block. We thus create a total of 12 (= 3 × 4) key shares for each block. Each node has four key shares from different key sets. According to the PHF, we distribute key shares to the nine sensor nodes. Table 4.3.1 is a simple example.
Table 4.3.1 PHF (4; 9, 3, 3)
In block $B_1$, we assume the four key sets are $S_{1,1}$, $S_{1,2}$, $S_{1,3}$, and $S_{1,4}$. Furthermore, we mark the key shares in $S_{1,1}$ as $K_{1,1,1}$, $K_{1,1,2}$, $K_{1,1,3}$, those in $S_{1,2}$ as $K_{1,2,1}$, $K_{1,2,2}$, $K_{1,2,3}$, those in $S_{1,3}$ as $K_{1,3,1}$, $K_{1,3,2}$, $K_{1,3,3}$, and finally those in $S_{1,4}$ as $K_{1,4,1}$, $K_{1,4,2}$, and $K_{1,4,3}$. In block $B_2$, we assume another four key sets $S_{2,1}$, $S_{2,2}$, $S_{2,3}$, and $S_{2,4}$. Similarly, we mark the key shares in $S_{2,1}$ as $K_{2,1,1}$, $K_{2,1,2}$, $K_{2,1,3}$, those in $S_{2,2}$ as $K_{2,2,1}$, $K_{2,2,2}$, $K_{2,2,3}$, those in $S_{2,3}$ as $K_{2,3,1}$, $K_{2,3,2}$, $K_{2,3,3}$, and those in $S_{2,4}$ as $K_{2,4,1}$, $K_{2,4,2}$, and $K_{2,4,3}$. In other blocks, we use the same method to label the key sets and key shares.
Next, we describe how to distribute these key shares to sensor nodes. In block $B_1$, suppose the distribution of the key shares in $S_{1,1}$ corresponds to $f_1(x)$, and those in $S_{1,2}$, $S_{1,3}$ and $S_{1,4}$ are based on $f_2(x)$, $f_3(x)$ and $f_4(x)$ respectively. Likewise, in block $B_2$, the key shares in $S_{2,1}$, $S_{2,2}$, $S_{2,3}$ and $S_{2,4}$ correspond to $f_1(x)$, $f_2(x)$, $f_3(x)$ and $f_4(x)$ and are distributed in the same order. In other blocks, we distribute the key shares in the same way. The value of x represents the serial number of a sensor node. In other words, $n_{i,1}$ implies 'x = 1' and $n_{i,2}$ implies 'x = 2' in block $B_i$ (i = 1, 2, …). Table 4.3.1 shows that for the function $f_1(x)$ (corresponding to key set $S_{i,1}$), x = 1 (sensor node $n_{i,1}$), x = 2 (sensor node $n_{i,2}$), and x = 3 (sensor node $n_{i,3}$) map to the same number, that is, 1 (corresponding to key share $K_{i,1,1}$). Consequently, these three sensor nodes have the same key share $K_{i,1,1}$ from $S_{i,1}$. For the same reason, sensor nodes $n_{i,4}$, $n_{i,5}$ and $n_{i,6}$ map to the same number in key set $S_{i,1}$, which is 2, so they get the same key share $K_{i,1,2}$ from $S_{i,1}$. Sensor nodes $n_{i,7}$, $n_{i,8}$ and $n_{i,9}$ have the same key share $K_{i,1,3}$ from $S_{i,1}$, because these sensor nodes map to the same number in $S_{i,1}$, which is 3.
Table 4.3.2 describes the relationship between each block and the PHF, from which the distribution of key shares can be read off. In block $B_i$, node $n_{i,1}$ has four key shares, $K_{i,1,1}$, $K_{i,2,1}$, $K_{i,3,1}$, and $K_{i,4,1}$, and node $n_{i,6}$ has four key shares, $K_{i,1,2}$, $K_{i,2,3}$, $K_{i,3,2}$, and $K_{i,4,1}$.
Table 4.3.2 Block i corresponds to PHF (4; 9, 3, 3)
Next, we focus on the distribution of hash values. A one-way hash function takes an input $K_{i,j,k}$ and returns a fixed-size string, which is called the hash value $h_{i,j,k}$ (that is, $h_{i,j,k} = H(K_{i,j,k})$). The hash values that correspond to the key shares of a given block are stored in the other blocks. The distribution of these hash values follows the PHF: the hash values generated for the key shares of sensor node $n_{i,p}$ in block $B_i$ are distributed to sensor node $n_{j,p}$ of block $B_j$ ($i \neq j$). Continuing the aforementioned example, we assume that there are three blocks $B_1$, $B_2$, $B_3$ in the network. In block $B_1$, node $n_{1,1}$ has key shares $K_{1,1,1}$, $K_{1,2,1}$, $K_{1,3,1}$, and $K_{1,4,1}$. Then, the hash values $h_{1,1,1}$, $h_{1,2,1}$, $h_{1,3,1}$, and $h_{1,4,1}$ are held by node $n_{2,1}$ of block $B_2$ and node $n_{3,1}$ of block $B_3$. In block $B_2$, node $n_{2,1}$ has key shares $K_{2,1,1}$, $K_{2,2,1}$, $K_{2,3,1}$, and $K_{2,4,1}$. The hash values $h_{2,1,1}$, $h_{2,2,1}$, $h_{2,3,1}$, and $h_{2,4,1}$ are distributed to node $n_{1,1}$ of block $B_1$ and node $n_{3,1}$ of block $B_3$. In block $B_3$, node $n_{3,1}$ has key shares $K_{3,1,1}$, $K_{3,2,1}$, $K_{3,3,1}$, and $K_{3,4,1}$. The hash values $h_{3,1,1}$, $h_{3,2,1}$, $h_{3,3,1}$, and $h_{3,4,1}$ are distributed to node $n_{1,1}$ of block $B_1$ and node $n_{2,1}$ of block $B_2$.
Other hash values are distributed by the same method.
Finally, each node contains the following information (assuming the network has $n_b$ blocks):
1. Block number, node ID.
2. The key table, which stores (q+1) key shares.
3. The hash value table, which records $(n_b - 1) \times (q+1)$ hash values.
4.3.2 Deployment Phase
Figure 4.3.1 Deploying sensor nodes by blocks
Since a wireless sensor network is expected to consist of hundreds or even thousands of sensor nodes, it is unrealistic and uneconomical to deploy these sensors one by one.
For this reason, we came up with a workable alternative: dividing the sensor nodes into many blocks and then deploying these blocks one by one. Each block therefore monitors one field. Figure 4.3.3 shows some sensor blocks deployed at a woodland location. The sensing ranges of blocks may overlap.
4.3.3 Signature Phase
Figure 4.3.2 An event occurs (legend: sensor node that senses an event (detecting node); sensor node acting as forwarding node; the sensing range of a block; base station)
When an event occurs, some sensor nodes in some blocks may detect the event. We call the sensor nodes that sense an event detecting nodes. If the event occurs close to a block boundary, the detecting nodes may be in different adjacent blocks. In that case, only the nodes in the same block can sign this event among themselves.
Therefore, there might be many different blocks signing the same event. Figure 4.3.4 illustrates a fire event that has occurred and one block that has sensed it. In this block (shown as the red block), the detecting nodes can come to a consensus on a message, called m, which contains application-dependent information such as the type, occurrence time and location of the event.
Now, we discuss the detecting nodes in block $B_i$. These nodes are required to select an AP (aggregation point) among themselves. We already know that each node has (q+1) key shares. Except for the AP, the other detecting nodes will generate (q+1) shares, which are
$(j,k) \,\|\, h(m, h(m, K_{b,j,k})) \,\|\, h(m, K_{b,j,k})$,
where $K_{b,j,k}$ is a key share held by the detecting node. These detecting nodes then send these shares to the AP. Figure 4.3.5 depicts this process.
Figure 4.3.3 Sending shares to AP
In our scheme, based on the PHF characteristic of Proposition 3.1.4 and Corollary 3.18, there are (q+1) key sets and each key set has q key shares in a block. Additionally, we distribute keys to each node according to the PHF. For any subset X of nodes with $|X| = w$, there exists at least one key set in which the nodes of subset X have no identical key shares. Therefore, the AP receives shares from more than w detecting nodes, and it can pick w shares among them. These shares are generated by different key shares from the same key set, and it means that the (q+1) shares are
$(j,k) \,\|\, h(m, h(m, K_{b,j,k})) \,\|\, h(m, K_{b,j,k})$,
where b is the block number, j is the key set number, and $K_{b,j,k} \in \{K_{b,j,k_1}, \dots, K_{b,j,k_w}\} \subseteq S_{b,j}$, with $k_m \neq k_n$ for all $m \neq n$ and $1 \leq k_m, k_n \leq q$. Then, we take the $h(m, K_{b,j,k})$ parts of the shares and calculate $h(m, K_{b,j,k_1}) \oplus \dots \oplus h(m, K_{b,j,k_w})$, which is called the Threshold MAC. Finally, we generate the threshold-signature report Λ, that is
MAC
of is index parameters whose purpose is used while forwarding
nodes verify the . Forwarding nodes check to
determine whether the report is indeed correct. Finally, the base station verifies the kw)
by Threshold MAC.
4.3.4 Verification Phase
Figure 4.3.4 The forwarding phase
In our scheme, all sensor nodes can function as forwarding nodes. In Figure 4.3.4, the blue nodes can act as forwarding nodes. The AP sends a report Λ to the base station along a multi-hop path. The content of such a report is
The verifications of a forwarding node and the base station are different. Now, we describe the verification of a forwarding node. The operation is performed as follows:
1. Upon receipt of a report Λ to be forwarded, an intermediate node, say A, correct and then would forward it to the next hop.
) h
h(m, b,j,z h(m,h(Kb,j,z ) Λ
• Otherwise – node A would conclude that report Λ is a fabricated one and then would simply disregard it.
3. If no, node A does not have the hash share to verify report Λ. It only forwards it to the next hop.
4. Repeat the first step to the third step with other nodes until report Λ is received by the base station.
Since a base station is a data collection center with sufficiently powerful processing capabilities and resources, we assume that the base station stores all key shares that are eventually distributed to sensor nodes. When the base station receives report Λ, it verifies whether the report is valid or not. The base station performs the following operations:
1. It fetches $b \,\|\, j \,\|\, (k_1, k_2, \dots, k_w)$ from the report Λ, gets $K_{b,j,k_1}, K_{b,j,k_2}, \dots, K_{b,j,k_w}$, and calculates $X = h(m, K_{b,j,k_1}) \oplus h(m, K_{b,j,k_2}) \oplus \dots \oplus h(m, K_{b,j,k_w})$.
2. It compares the value of X with the Threshold MAC from the report Λ.
• If equal – report Λ is valid.
• Otherwise – report Λ is a fabricated one, and it is thrown away.
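The key distribution of Section 4.3.1 and the AP signing and base-station verification of Sections 4.3.3 and 4.3.4, as an added Python example that is not the thesis's code and that generalizes the PHF (4; 9, 3, 3) case to any prime q. Assumptions: the PHF rows are built from the parallel classes of the affine plane over $Z_q$ in an order chosen to match the two rows the text states (nodes $n_{i,1}$ and $n_{i,6}$), h(m, K) is instantiated as HMAC-SHA1, and the report layout and all function names are hypothetical; forwarding-node checks are not modelled.

```python
import hashlib
import hmac
import secrets
from functools import reduce
from itertools import combinations

Q, W = 3, 3  # PHF(q+1; q^2, q, w) = PHF(4; 9, 3, 3), the page's example

def phf_row(x, q=Q):
    """Share index (1..q) that node x (1..q^2) holds in each of the q+1 key sets.

    Parallel classes of the affine plane over Z_q (q prime). The class order is
    assumed, chosen to agree with the page's rows for n_{i,1} and n_{i,6}."""
    a, b = divmod(x - 1, q)
    return [a + 1, b + 1] + [(s * a + b) % q + 1 for s in range(q - 1, 0, -1)]

def separating_key_set(nodes, q=Q):
    """Smallest key set j (1-based) where the nodes' shares all differ, else None."""
    rows = [phf_row(x, q) for x in nodes]
    for j in range(q + 1):
        if len({row[j] for row in rows}) == len(rows):
            return j + 1
    return None

def is_perfect(q=Q, w=W):
    """Perfect-hash property: every w-subset of nodes has a separating key set."""
    nodes = range(1, q * q + 1)
    return all(separating_key_set(c, q) is not None for c in combinations(nodes, w))

def make_block_keys(b, q=Q):
    """Base station: q random 64-byte shares K[b,j,k] for each of the q+1 key sets."""
    return {(b, j, k): secrets.token_bytes(64)
            for j in range(1, q + 2) for k in range(1, q + 1)}

def h(m, key):
    """h(m, K) as HMAC-SHA1 keyed with K, 20-byte output (instantiation assumed)."""
    return hmac.new(key, m, hashlib.sha1).digest()

def xor_all(parts):
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), parts)

def sign(m, b, detecting_nodes, keys, q=Q):
    """AP: choose a separating key set j and XOR the nodes' h(m, K[b,j,k])."""
    j = separating_key_set(detecting_nodes, q)
    if j is None:
        raise ValueError("no key set separates these nodes")
    ks = [phf_row(x, q)[j - 1] for x in detecting_nodes]
    tmac = xor_all([h(m, keys[(b, j, k)]) for k in ks])  # each node supplies its own part
    return {"m": m, "b": b, "j": j, "ks": ks, "tmac": tmac}  # report layout assumed

def verify(report, keys, w=W):
    """Base station: demand w distinct shares of one key set, recompute the XOR."""
    b, j, ks = report["b"], report["j"], report["ks"]
    if len(ks) != w or len(set(ks)) != w or any((b, j, k) not in keys for k in ks):
        return False
    expected = xor_all([h(report["m"], keys[(b, j, k)]) for k in ks])
    return hmac.compare_digest(report["tmac"], expected)
```

`is_perfect(3, 4)` is false because a key set with only q = 3 shares cannot separate four nodes, which is why w must be chosen against the bound on q before keys are preloaded.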
Chapter 5 Evaluation and Analysis
In the current chapter, we discuss the evaluation and analysis of our scheme. We first introduce the environment of our implementation. Second, in our scheme, a bogus report may be verified as correct and forwarded by several forwarding nodes; a bogus report is not always filtered instantly. We therefore discuss the probability of filtering one bogus report.
5.1 Evaluation
5.1.1 Hardware Specifications
At present, the sensor network devices being manufactured include Crossbow Motes, Berkeley Piconodes, Sensoria WINS, MIT uAMPs, Smart Mesh Dust Mote, Intel iMote, Intel Xscale Nodes, and others.
We use Crossbow's MIB510 Programming board and MicaZ motes, which include sensor boards and programming boards. The characteristics of MicaZ motes are as follows: [15]
• Wireless platform for low-power sensor networks
• 2.4 GHz, IEEE 802.15.4 compliant
• Offers a 250 kbps high data rate and utilizes a direct sequence spread spectrum radio that is resistant to RF interference
• Wireless communications with every node as router capability
• An 8-bit Atmel ATmega processor, 128KB instruction memory (FLASH) and 4KB RAM. The CPU is clocked at 7.37MHz.
Figure 5.1.1 MicaZ mote
MIB510 Programming board specifications are as follows:
• It allows for the aggregation of sensor network data on a PC as well as other standard computer platforms. It also provides a serial programming interface for all MicaZ hardware platforms.
• It can act as a base station for wireless sensor networks via a standard MicaZ processor radio board.
Figure 5.1.2 MIB510 Programming board
5.1.2 TinyOS
TinyOS [19] is an open-source operating system designed for wireless embedded sensor networks. It is built on a component-based architecture that is able to incorporate rapid innovation and operate with very limited resources. TinyOS's component library includes network protocols, distributed services, sensor drivers, and data acquisition tools, all of which can be used as-is or be further refined for a custom application.
TinyOS uses the NesC language, an extension of C with similar syntax, that attempts to embody the structuring concepts and execution model [16]. As an embedded operating system, TinyOS has an event-driven concurrency model based on interrupts and tasks.
5.1.3 Performance Evaluation
In this section, we evaluate the performance of our scheme.
(1) Analysis of the size of the stored data:
Our scheme requires each node to store (q+1) key shares and (q+1) × (number of blocks − 1) hash values. We assume the size of a key share is 64 bytes. We assume that the one-way hash function h is implemented using SHA-1 [17] with a 20-byte output, so the size of a hash value is 20 bytes. n is the number of sensor nodes in the network and $q^2$ is the number of sensors in each block, so the number of blocks is $n/q^2$. S denotes the size of the materials that each sensor stores:
$$S = \left( \left( \frac{n}{q^2} - 1 \right) \times (q+1) \times 20 + (q+1) \times 64 \right) \text{ bytes}$$
Figure 5.1.3 The relation between n, $q^2$, and the data stored in each node (x-axis: n; y-axis: S (KB); series: block size = 9, 16, 25)
Figure 5.1.3 shows that as the number of sensors in the network increases, each sensor node also needs to store more materials. If the number of sensor