Secure Data Aggregation in Sensor Networks Sanjay Madria and Sriram Chellappan Department of Computer Science Missouri University of Science and Technology, Rolla, MO
[email protected] 1. Introduction In this white paper, we aim to address the critical issue of secure aggregation of data streams in wireless sensor networks. Wireless sensor networks (WSNs) have permeated numerous applications, and are increasingly being relied upon for many mission-critical services like volcanic monitoring, forest fires monitoring, battlefield surveillance, agriculture monitoring, and railroad tunnels. In all these missions, hundreds or even thousands of sensors, self-organize themselves into a network for sensing, processing and transmitting information via multi-hop to a remote server (called a base-station). While a spectrum of research topics have garnered the attention of the WSNs community in the past, two of the most critical are lifetime and security. Sensors are almost always battery powered, which in turn decides network lifetime. At peak load, a typical sensor would last approximately 30 hours on one AA battery. Furthermore, in mission critical applications, recharging or redeployment of sensors is not always feasible, and maximizing lifetime is hence a very challenging problem in WSNs. While each of sensing, processing and communication drains energy, it has been well documented that communication via radio is the most expensive for sensors in terms of the energy expenditure. A well known approach in order to reduce communication costs and achieve energy/ lifetime savings in WSNs is to calculate required data aggregates such as sum or min/max as the data is routed to the base station. With aggregation, each node only transmits one aggregated packet for each round, ensuring that the network lives longer. Another important issue in mission-critical sensor networks is security. Security in WSNs can manifest in many forms like authentication, confidentiality, integrity, reliability and availability. In many missions, it is likely that sensors and their readings are corrupted due to environmental factors such as water, wind or sand acting on the sensor. It may also happen that in hostile environments, sensors may deliberately be corrupted by an attacker. Such corrupted sensors may appear to participate in the mission of the network, but may falsify sensor readings, improperly apply aggregation functions, exclude legitimate messages from the aggregate result or create fictitious results. Such sensors behave in this way in order to get the base station to accept an incorrect result that is favorable to the attacker. Note that a critical challenge here stems from the fact that providing security to sensor data streams always incurs additional energy consumption (e.g., during encryption/ decryption), and could degrade lifetime. Hence, designing application adaptive security schemes (from a security vs. energy efficiency perspective), encrypting/ decrypting aggregated data, and designing in-network distributed security approaches are critical requirements today when considering security and aggregation together in WSNs. While there are a host of existing works focusing on security and aggregation in WSNs, they have clear limitations from the perspective of not being adaptive to application needs and types, incurring more energy consumption at many stages of secure aggregation operation, lack of distributed in-network approaches, and inability to handle rapid data streams. We aim to design schemes for (1) adaptive and energy efficient data stream security based on application and message types (2) secure aggregation of data and aggregator’s security using multiparty computation to enhance network lifetime, and simultaneously provide integrity and confidentiality (3) distributed in-network verification of aggregator node’s integrity, all of which will be validated via extensive theoretical analysis and real experiments. 1.1 Challenges and Existing Work The small size and limited computational power of sensors makes some security protocols such as asymmetric key cryptography difficult to realize. All communication in a WSN uses RF and so it is easy for an attacker to eavesdrop, spoof or inject false messages into the WSN. Recently, there has been many works on providing security services to WSNs. TinySec provides security through traditional link layer
encryption and authentication schemes using the RC5 or SkipJack ciphers, which does not allow for calculating of aggregate functions on encrypted data. Due to the amount of time required for the encryption and decryption operations, queues in the network can overflow, leading to dropped packets. As with any cryptographic security scheme, TinySec increases the payload size of the packet which results in increased energy consumption. Other drawbacks are that TinySec is based on private key cryptography, which leads to problems such as key distribution, key management, and that digital signatures are not possible to be integrated with. Elliptic Curve Cryptography has been implemented in TinyOS for sensors and can be used with TinySec to distribute necessary keys. Those mechanisms will provide security services like confidentiality, integrity and authenticity, but only for end-to-end security case. They also consume more energy as packet size increases which can restrict service availability of (i.e., ability to securely process) high-rate sensor data streams. As we know in traditional link-layer cryptography, data is encrypted, decrypted at the receiver, the aggregation function is applied and the result is encrypted again before being sent to the next hop and so on. This approach can lead to overflowing queues, and restricts availability. Homomorphic encryption is one technique to solve this problem, as it allows certain aggregation functions such as sum and average to be performed on encrypted data. In this approach, intermediate sensors can perform aggregation without having to decrypt/ encrypt data. The base station receives the encrypted aggregate result and subsequently decrypts it. While homomorphic schemes do provide confidentiality along with aggregation in one step, existing homomorphic encryption and decryption operations are still computationally very energy and time consuming.. Also, there is a lack of any in-network verification schemes that can help detect compromised aggregators in existing homomorphic based techniques. Considering the distributed nature of WSNs, data integrity is of concern. Without some security scheme, messages can easily be injected into the network or be modified along routing paths. Numerous existing work have appeared focusing on data integrity using key management techniques that are computationally viable for WSNs. Such works typically focus on integrity on a hop-by-hop basis. During aggregation, the notion of integrity needs to be clarified. In aggregation, integrity implies that any aggregate result is made up of only legitimate data without inclusions or additions, and that corrupted sensors cannot interfere with aggregation operations. In this realm, apart from sensor level integrity, ensuring that the aggregator does not compromise integrity is paramount. This is important, as in hostile environments, it is always likely that aggregators are corrupt. Consequently, apart from the issue of aggregators verifying integrity of data from individual sensors, it is equally (if not more) critical to assure the base station of the integrity of aggregated data. Note that providing integrity and confidentiality simultaneously can be very challenging in WSNs. If we insist on total data confidentiality, then little can be done to reduce amount of data to be transmitted if nodes along the routing path are prevented from accessing the data. While we want to allow trusted nodes to view the data, we do not want the data to be seen by adversaries, and we also do not want any modification of legitimate data by intermediate nodes. The algorithm introduced in [1] provides concealed data aggregation. The algorithm provides data confidentiality only, the authors refer to other papers for solutions providing data integrity and authenticity. A new protocol for provably secure data aggregation in WSNs is proposed in [2]. The algorithm guarantees the detection of aggregate modification by the aggregator. However, the proposed algorithm will fail in those cases where the aggregator injects false data in to the aggregate. Achieving end-to-end integrity along with confidentiality and data aggregation in an energy efficient manner is clearly challenging. On an orthogonal, albeit important note, service availability is another big concern in WSNs. The rates at which data are produced may be much faster than the rates at which security schemes process data. While there will be a need to tightly encrypt some classes of ‘critical’ data, other data classes may only require a lighter security scheme. Such an approach will clearly have desired levels of security, with minimal impacts to overall service availability. While many security schemes have considered different approaches for different data regions in the sensor network, they have not considered a unified scheme adaptable towards differentiated security levels for different classes of application data in WSNs.
1.2 Objectives The broad motivation is to designing energy efficient, adaptive and secure schemes for aggregating fast sensor data streams, and verifying integrity of aggregator nodes in wireless sensor networks. Towards this extent, contributions of this project are: Adaptive watermarking-like techniques to provide confidentiality and integrity verification of high speed sensor data streams. The proposed technique is tailored towards energy efficiency to enhance lifetime, minimal computational overhead to enhance availability, while simultaneously being adaptive in order to meet application demands on desired security levels. Homomorphic encryption and additive digital signature schemes (based on public key cryptography) for providing confidentiality of sensor data during aggregation in WSNs. We will use public key elliptic curve cryptography and digital signatures to provide integrity. Note that digital signature schemes are not homomorphic and therefore, we propose the use of an encryption scheme which will allow for homomorphic signature generation and integrity verification. Adaptive and Dynamic multi party computation schemes to ensure that aggregated results (generated by aggregators) can be trusted by base station. The designed scheme is distributed, energy efficient, adaptive and (most importantly) allows in-network verification of aggregator integrity. 1.3 Our proposed research will contribute to the following areas in sensor networks research: A. Watermark-like techniques for Secure Data Streams: We are particularly interested in providing a secure data processing environment which is lightweight in computational and time complexity for fast data processing, yet still provides desired amount of protection against attacks, such as changing data in midstream and eavesdropping. The work in [3] uses watermarking to provide copyright protection to data stream owners and authorized users. It inserts only a single bit watermark to prove ownership. However, it provides no confidentiality as streams are visible to others and their values do not change in a single hop network considered there. We propose [4] to use dynamic watermarking technique to achieve secure data streams with high rates in sensor networks for both confidentiality and integrity verification. The protocol designed is adaptive to fulfill the objective of handling dynamic key to change the number of bytes to be encrypted as desired by the application depending on amount of security needed. B. Secure Aggregation of Data: In order to provide greater and variable degree of security to reduce key management overhead at each intermediate node and still provide data aggregation, we will design an efficient secure data aggregation protocol. Since data transmission is via wireless, any adversary can intercept messages. An attacker can spoof messages by first intercepting the message, modifying it and then re-insert it into the network or simple inject false messages. Traditional encryption algorithms such as RC5 or RSA are designed for end-to-end confidentiality and do not allow for fast in-network aggregation. Our approach is to allow fast in-network aggregation for achieving energy savings using homomorphic encryption techniques. C. Multi Party Computation Protocols for Verifying Aggregator Node Integrity: During aggregation it is important to ensure that corrupt/faulty aggregators cannot change the aggregate result, or that such an illegitimate change is detected either by other sensors or the base station. This assures the base station that the aggregate result it receives is a fair representation of network state at time of sensing. We will investigate and design secure aggregator protocols that will allow the base station to accept an aggregate result with high confidence. An attacker may compromise one or more nodes and tries to operate them without being detected with the intention of affecting the WSN results WSN. If a corrupted sensor acts as an aggregator, the attacker has the possibility to change the aggregated result. Since the data comes from a legitimate node and was not modified during transmission, the receiving node and the base station need to have some other reassurance that the aggregate result is correct. We propose additive digital signatures and multi-party computation among neighboring sensors to achieve confidentiality, integrity and availability for in-network aggregation in wireless sensor networks.
References [1] Dirk Westho, Joao Girao, and Mithun Acharya. Concealed data aggregation for reverse multicast traffic in sensor networks: Encryption, key distribution, and routing adaptation. IEEE Transactions on Mobile Computing, 5(10):1417-1431, 2006. [2] Haowen Chan, Adrian Perrig, and Dawn Song. Secure hierarchical in-network aggregation in sensor networks. In Proceedings of the 13th ACM conference on Computer and communications security (CCS '06), pp. 278-287, New York, NY, USA, 2006. ACM Press. [3] R. Sion, M. Atallah, and S Prabhakar. Resilient rights protection for sensor streams. In VLDB, pages 732–743, 2004. [4] Julia Albath, Sanjay Kumar Madria: Practical algorithm for data security (PADS) in wireless
sensor networks. MobiDE 2007: 9-16
