Key Infection: Smart Trust for Smart

safflowerpepperoniMobile - Wireless

Nov 24, 2013 (3 years and 6 months ago)


Ross Anderson

Haowen Chan

Adrian Perrig

University of Cambridge

Carnegie Mellon Uni.

Carnegie Mellon Uni.

Presented by

Key Infection: Smart Trust for Smart



Previous Works



Multihop and Multipath Key Establishment

Economic Issues



A sensor is a device that measures a physical quantity and
converts it into a signal which can be read by an observer or
by an instrument.


Mercury thermometer

Converts the measured temperature into expansion and contraction of a
liquid which can be read on a calibrated glass tube.

Cars, machines, aerospace, medicine, manufacturing and

Constraints of Sensors

Should be small, lightweight, inexpensive and low

Energy efficiency of network communications.

Computational energy consumption

Communications energy consumption


Sleep patterns

Transmission range


Location sensing

Tamper protection

Sensor Networks

Sensor Network

Is a wireless network consisting of spatially distributed
autonomous devices using sensors to cooperatively monitor
physical or environmental conditions.

Sensor Networks

Security for sensor networks is important

Managing cryptographic key

cost nodes are neither tamper
proof nor capable of
performing public key cryptographic efficiently.

Sensor Networks

Typical sensor networks

consist of a large number of small, low
cost nodes that use
to peer communication to form of a self

use multi
hop routing algorithms based on dynamic network
and resource discovery protocols.

do not have tamper
proof hardware.


Small fraction of nodes in the network may be compromised by an
adversary over time.

Security Issues of Sensor Networks

Physical destruction

Barrage jamming

Network flooding

Byzantine Attack

An arbitrary fault during the execution of an algorithm by a
distributed system.

When it occurs, the system may response in any unpredictable way.

The results of such attacks

Loss of personal privacy

Loss of service of critical sensor systems


Smart dust

Smart dust

A network of tiny wireless microelectromechanical systems
sensors, robots, or devices, installed with wireless

Can detect

Light, temperature, vibration, heat, pressure, sound, etc..

The goal

Make sensors so small and cheap

Distribute them in large numbers over an area by random

Previous Work

In a typical sensor network, when a node (
) broadcasts its
identity, if j hears it, it replies. Then these two nodes set RF
power at just the level needed for communication.

To save power: the nodes turn off their communications, only
waking up and listening for radio signals intermittently.

The routing architecture

Rely on shared symmetric key

Initial keys are diversified from master keys:

Still vulnerable

An opponent can use direction from finding locate them, then
either destroy them or subvert them

Possible countermeasures

Use normal nodes as base stations and have other nodes
replace them after random periods of time.

For the first generation of base stations to possess master
keys that are destroyed once a network has been established
and link keys have been set up between neighboring nodes.

Enough symmetric keys are pre
loaded on each node that any
two nodes will probably share a key after deployment.

Require pre
computation phase

And a lot of memory to store keys

A Real World Attacker Model

Previous works have assumed highly capable and motivated

World War II

Consider a tactical deployment of 10,000 smart dust motes air
dropped into enemy territory.

Use KM to generate to a session key:


Some motes are broken on impact

The enemy can probe out KM




critical commodity sensor networks

Require pre
deployment step must be minimal

Less valuable as targets and little damage if security shell is

House or bank??


Design a lightweight security protocol suitable for non
critical commodity sensor networks.

Key Infection

The attacker can monitor only a fixed percentage

of communication

Relaxed attacker model

Low computation overhead

No memory overhead

No prior key setup

It is suitable for implementation in low
cost commodity sensor


Identify a more realistic attacker model that is applicable to
critical commodity sensor networks.

Key Infection

A light
weight key
distribution mechanism that is so efficient
that is applicable even to smart dust sensor nodes.

Analyze the security of key infection, and design Secrecy

An additional mechanism to strengthen the security of key
infection in the presence of an active attacker.


Assume the attacker….

Does not have physical access to the deployment site during
the deployment phase

Is able to monitor only a small proportion

of the
communications of the sensor network during the
deployment phase. After key exchange is complete, attacker
is able to monitor all communications at will

Is unable to execute active attacks (such as jumming or
flooding) during the deployment phase. After key exchange is
complete, attacker is free to launch any kind of attack.

Requirements for adversary

He has to have the foresight to deploy surveillance equipment
or adversarial nodes at the target site before the sensor
network is deployed there.

His eavesdropping devices must remain in place, operational
an undetected, until the sensor perform key exchange

He needs to be able to identify, retrieve and process the
relevant eavesdropped product in order to extract the key
exchange messages.

Too expensive to maintain anticipatory.

Key Infection

Each node simply chooses a key and broadcasts it in plaintext
to its neighbors.

range transmission

Maximum range is 10 meters

Half a dozen within range

Key Infection (cont.)

Assume that

signal heard by node j.

J generate a

key and send it to

Use minimum power necessary for the link.

The key can be used to protect traffic between

and j.



Key Infection (cont.)

Even if there are opponents already present at the time of
deployment, it will still give significant protection

For example;

There is 1 black (hostile) dust sensor node for every 100 white

Each node has an average 4 neighbors within range,

Only 2.4% of link will be compromised.

Key whispering protocol

The probability falls to 0.8%


We are OK, if the attacker arrives after the key infection

Let’s see, what happens if attacker has already some black
dust nodes installed, before we install the white nodes.

We compute the upper bound on the ratio communication
links that the black dust nodes may compromise.

Assume the maximum range of the radio is R

Smart dust nodes distributed in the area of size s

is the number of black nodes

is the number of white nodes

Compute upper bound

The effective eavesdropping area is at most:

If the link is bad, i.e. can be eavesdropped by at least a black
node, the area at most:

Whispering case

If a link has length r, then both nodes will transmit their
signals at strength that exactly reaches distance r.

The effective eavesdropping area is thus at most the area of
this intersection which is:

The link is compromised is at most:


This table compares the standard key infection with the
mode key infection

d, the average number of neighbors of a node.

Remaining columns list the ratio of compromised links

Multihop and Multipath Key Establishment

Secrecy Amplification

A technique that utilizes multipath key establishment to make
her job significantly harder.

Combine keys propagated along different paths.

Secrecy Amplification(cont.)

To amplify the secrecy of key , can ask to change
additional key with .


is a unpredictable nonce generated by

is a unique nonce generated by (used for confirmation
of key ).

SA over the basic key infection

The table list the ratio of compromised links for a varying

of black dust.

So, three party secrecy amplification gives an improvement
of about 20%.

SA over the basic key infection

In this case, the basic key infection uses whispering

…with the multipath extension

Secrecy amplification undertaken using a

return path.

This is significantly better

where complexity and other
constraints permit it.

Multihop keys

It supports end
end cryptography

Multihop keying also protects multihop secrecy amplification
against node compromise.

Interaction with routing algorithms

Some works on secure ad
hoc routing assumes a particular
routing strategy.

This work does not…

This key infection protocol can also support other mechanisms.

Automatically discovers paths that may be used for this as


In biology, the immune response normally stops you catching
the same disease twice

If you are a smart dust mote, the more keys you ‘catch’ from a
colleague, the better.


The authors proposed a novel and quite counterintuitive way of
managing key sensor networks.

Each nodes bootstraps itself by broadcasting an initial key in the clear.

Exchange keys and build up trust structures as they do network and
resource discovery.

This is almost as secure as using pre
loaded initial keys.

This paper shows how the benefits of initial keying can be analyzed
separately from the benefits of later stage key management

key updating,

the use of alternative trust routes, and

the invocation of backups