A Game Based Model of A Game Based Model of Security for Key Security for Key

Predistribution Schemes Predistribution Schemes in Wireless Sensor in Wireless Sensor

NetworkNetwork

Debapriyay Mukhopadhyay and Debapriyay Mukhopadhyay and Suman RoySuman Roy

OUTLINEOUTLINE• MotivationMotivation• PreliminariesPreliminaries -- Probabilistic Turn Based 2½ Player -- Probabilistic Turn Based 2½ Player

GameGame -- Message Authentication Code-- Message Authentication Code• Security Framework for Key Security Framework for Key

PredistributionPredistribution• An Example Key PredistributionAn Example Key Predistribution -- Polynomial Based Scheme-- Polynomial Based Scheme -- Security Analysis-- Security Analysis• Security ModellingSecurity Modelling -- Modelling Key Predistribution-- Modelling Key Predistribution -- Analysis-- Analysis• ConclusionConclusion

MotivationMotivation• Cryptographic ProtocolsCryptographic Protocols – required – required

to be formally analyzed.to be formally analyzed.• Random Key Predistribution Random Key Predistribution

SchemesSchemes – for key establishment in – for key establishment in sensor networks.sensor networks.

• Formal modelFormal model to analyze these Key to analyze these Key Predistribution schemes is missing.Predistribution schemes is missing.

• Formal specification of the propertyFormal specification of the property – also needed to formally verify that – also needed to formally verify that protocol meets the security need.protocol meets the security need.

MotivationMotivation• GamesGames provide rich models of provide rich models of

computation – can capture the interplay computation – can capture the interplay between two or more players.between two or more players.

• Cryptographic protocols can be seen as a Cryptographic protocols can be seen as a game where adversary is one of the player game where adversary is one of the player – thus can help in achieving powerful – thus can help in achieving powerful notion of security.notion of security.

• New direction of research.New direction of research.• We use We use Probabilistic Turn Based 2½ Probabilistic Turn Based 2½

Player GamePlayer Game to model random key to model random key predistribution schemes.predistribution schemes.

• We show that We show that this model can also be of this model can also be of useuse in formal specification of a property of in formal specification of a property of key predistribution schemes. key predistribution schemes.

Probabilistic Turn Based 2½ Probabilistic Turn Based 2½ Player GamePlayer Game

• Defined on a game graph G = ((S,E); (S1,S2,SO); δ),

where where (S,E)(S,E) is a directed graph and is a directed graph and (S1,S2,SO) is a partition of set of states S and δ : SO

→ D(S) is a probabilistic transition function. D(S) stands for probability distributions over state space S.

• Player 1 plays from the states in S1.

Player 2 plays from the states in S2.

States in SO are probabilistic states and successor is chosen following δ.

• Game graph is denoted as GS0 , if s0 is the start state of the game. Player i starts the game if s0 ε Si.

Plays and StrategiesPlays and Strategies

• An An infinite sequenceinfinite sequence of the form of the form <s<s00, s, s11, …., s, …., skk, , ssk+1k+1, ….>, ….> of states such that of states such that (s(sk k , s, sk+1k+1) ) ε E for all k, is called a play in the game graph GS0.

• ΩS0 the set of all plays that start from s0.

• Player 1 strategy – ρ : S*.S1 → D(S) assigns a

probablilty distribution to all finite sequences ending in S1. Player 2 strategy can be equivalently defined.

• Memoryless strategy for Player 1 - ρ : S1 → D(S)

• Pure menoryless strategy for Player 1 - ρ : S1 → S

• If Player 1 follows pure menoryless strategy, then game gets reduced to 1½ Player Game played on GS0

ρ.

Objectives / Winning Condition Objectives / Winning Condition (WC)(WC)

• Who wins a play in the game Who wins a play in the game GS0 is given by Ф ΩS0 , and is called winning condition.

• If Ф ΩS0 is the WC for player 1, then ΩS0 / Ф is the WC for player 2 – complementary WCs.

• For a play For a play αα = <s = <s00, s, s11, …, s, …, skk,…>,…>, define , define Inf(Inf(αα) ) = { s = { s ε S : s = ssk k for infinitely many k > = 0}.for infinitely many k > = 0}.

• F : Set of final states. F : Set of final states.

• (Reachability) Reach ReachF F == {{αα ε ΩS0 : ssk k ε F for F for some k > = 0}some k > = 0}

• (Büchi) Büchi BüchiF F == {{αα ε ΩS0 : Inf(Inf(αα))∩ F ≠ F ≠ }.}.

Quantitative AnalysisQuantitative Analysis - Set of all strategies for Player 1 - Set of all strategies for Player 1 - Set of all strategies for Player 2- Set of all strategies for Player 2• ValVal11(Reach(ReachFF)(s)(s00)) = sup = supρ ε inf infπ π ε PrPrρ,

ππs0s0(Reach(ReachFF) – max. probability with which ) – max. probability with which

player 1 can meet his WC Reachplayer 1 can meet his WC ReachF F from from start state sstart state s00..

• ValVal22((ΩS0 / ReachReachFF)(s)(s00)) can be analogously can be analogously defined for player 2.defined for player 2.

• (Determinacy Result)(Determinacy Result) Val Val11(Reach(ReachFF)(s)(s00) + ) + ValVal22((ΩS0 / ReachReachFF)(s)(s00) = 1, for a game ) = 1, for a game GS0

with reachability objective.• Quantitative 1½ Player Game – can be

solved in polynomial time.

Message Authentication Code (MAC)

• MACMAC – Keyed hash functions. A hash family – Keyed hash functions. A hash family is written as is written as (X, Y , K, H). For each . For each k k ε KK, , there is a function h hkk: : X X → Y and h Y and hkk ε HH..

• If hk(x) = y, then (x,y) is called valid under the key k.

• Security of MAC is studied under a Random Oracle model where adversary is allowed to obtain q valid pairs under an known key by querying the oracle.

• Pdq : Probability of deception, i.e., max. prob. with which adversary is successful in generating a valid pair.

Security Framework for Key Security Framework for Key PredistributionPredistribution

• Each Each node i is given is given ki as secret keying info derived from the master secret S.info derived from the master secret S.

• Two nodes Two nodes ii and and j j uses their keying infouses their keying info k kii

and and kkj j to derive the to derive the shared key Kshared key Kij ij

between thembetween them..• Assume adversary has compromised x Assume adversary has compromised x

randomly selected nodes. randomly selected nodes. I = {(i1,ki1); (i2,ki2);….; (ix,kix)}.

• Adversary is allowed to make msg. Adversary is allowed to make msg. Authentication requests Authentication requests ĥ(m, i′, j′) with with the effect that node i′ authenticates m for j′ the effect that node i′ authenticates m for j′ and sends and sends tag = tag = hki′j′i′j′

(m) to the adversary.

Security Framework for Key Predistribution (Contd..)

• Adversary attempts to output Adversary attempts to output (i, j, m*, tag*) and gets success if 1) and gets success if 1) tag* = tag* = hkijij

(m*) and and

2) 2) had never requested had never requested ĥ(m*, i, j) or ĥ(m*, j, i).

• Scheme will be called (λ, ε, δ)-secure predistribution scheme, if for any adversary running in time T we have,

PrPrS,IS,I

[Pr[Succ | S, I] <= [Pr[Succ | S, I] <= ε] >= 1 –

δ, as long as the number of compromised

nodes is less than λ.• This property is of our interest in this study.

Blom’s SchemeBlom’s Scheme

• A A t-degree symmetrict-degree symmetric bi-variate bi-variate polynomial polynomial

f(x, y) = ti,j = 0 aijx

i yj over a finite field Fq, where , where q is a large primeq is a large prime..

• Each sensor node has a unique Id.• Each node i, is given f(i, y) as its keying

information.• Nodes i and j establishes the key by

evaluating f(i, j) = f(j, i).

Random Key Predistribution Based Random Key Predistribution Based on Blom’s Schemeon Blom’s Scheme

• Pool S of randomly genrated bi-variate t degree Pool S of randomly genrated bi-variate t degree symmetric polynomials over symmetric polynomials over Fq is chosen with |S|= s.

• For each i, Si S is chosen with |Si|= s′, and for each f ε Si, assigns the polynomial share f(i, y) to node i.

• Key establishment is done through -- Direct Key Establishment -- Indirect (or Path) Key Establishment• Key Sharing Graph : Nodes as vertices and edges

iff 1) two nodes can establish a direct key, and 2) they are within wireless communication range of each other.

Security AnalysisSecurity Analysis

• We assume key sharing graph is fully We assume key sharing graph is fully connected with connected with connectivity prob = p..

• Direct Key:Direct Key: Adversary can get success 1) by Adversary can get success 1) by compromising the common bi-variate compromising the common bi-variate polynomialpolynomial, 2) by , 2) by launching a successful launching a successful attack on MACattack on MAC..

• PPcdcd is the probability that common bi-variate is the probability that common bi-variate polynomial is compromised = polynomial is compromised = 1 - 1 - t

i = 0 P[i compromised shares] [Follows from Blom’s Scheme]

• Prob. A direct key is not compromised = p(1 – Pcd)(1 – Pq).

Security Analysis (Contd..)

• Indirect Key : Similar Analysis Similar Analysis• Probability that any secure link Probability that any secure link

(direct or indirect) is not (direct or indirect) is not compromised is given by,compromised is given by,

PPsecure secure = = (1 – Pcd)(1 – Pq){p + (1 – p)(1 – x/N) (1 – Pcd)},,

where where xx is the number of nodes is the number of nodes compromised out of compromised out of NN nodes in the nodes in the network.network.

Modeling Key PredistributionModeling Key Predistribution

• x (<= N)x (<= N) out of total N nodes are out of total N nodes are compromisedcompromised by an adversary. by an adversary.

• U={1,2, …, k} where k = N- xU={1,2, …, k} where k = N- x, denote the , denote the set of set of uncompromised uncompromised nodes in the network.nodes in the network.

• Adversary attempts to cheat Adversary attempts to cheat node knode k by by sending bogus message – this can be seen sending bogus message – this can be seen as a as a game between adversary and U – {k}game between adversary and U – {k}..

• Adversary – Player 1 , Set of nodes in U – {k} –

As Player 2, Adversary’s target (node k) – Player Random.

Game GraphGame Graph

s0

s3

s1

s2

ĥ(m, j, k)

tag = tag = hkjkjk

(m)

(m*, tag*)Rejects

with prob. Psecure

ĥ(m, j, k)

tag = tag = hkjkjk

(m)

Accepts

with prob. 1 - Psecure

SS11={s={s00, s, s11}; S}; S22={s={s22}; S}; SOO = {s = {s33} } δ(ss33) = ) = μμ ((ε D(S)) s.t. D(S)) s.t. μμ(s(s00)= P)= Psecure secure && μμ(s(s11)=1 - )=1 -

PPsecuresecure

Immediate AnalysisImmediate Analysis

• Player 2 is following a Player 2 is following a pure memoryless pure memoryless strategystrategy..

• Player 1 can adopt Player 1 can adopt randomized strategyrandomized strategy..• Discrimination in strategy will help in Discrimination in strategy will help in

analyzing robustness of the key analyzing robustness of the key predistribution scheme.predistribution scheme.

• Game is Game is determined.determined.• Quantitative version of the game is solvable Quantitative version of the game is solvable

in in polynomial timepolynomial time and this holds when each and this holds when each play in the game corresponds to an infinite play in the game corresponds to an infinite sequence.sequence.

• Required to solve: Quantitative version of the game for Time Bounded Reachability.

Analysis (Contd ..)Analysis (Contd ..)

• Time used by player 1Time used by player 1, and not player 2 or , and not player 2 or player random, is counted.player random, is counted.

• Player 1 spends unit time in choosing Player 1 spends unit time in choosing successor state from Ssuccessor state from S11..

• Partition the WC ReachPartition the WC ReachF F as as ReachReachFF≤T≤T

(Reach(ReachF F – Reach– ReachFF≤T≤T ). ).

• ValVal11(Reach(ReachFF≤T≤T)(s)(s00)) can then be analogously can then be analogously

defined.defined.• Computing the value of ValComputing the value of Val11(Reach(ReachFF

≤T≤T)(s)(s00) ) for any probabilistic for any probabilistic 2½ player game and also to decide whether optimal strategies exist for that or not is an interesting problem.

Analysis (Contd..)Analysis (Contd..)

• For different values of For different values of x x εε [0, N] [0, N], we have , we have different values of different values of ValVal11(Reach(ReachFF

≤T≤T)(s)(s00))..

• ValVal11(Reach(ReachFF≤T≤T)(s)(s00): probability of adversary’s ): probability of adversary’s

success within time bounded by T.success within time bounded by T.

• PrPrS,IS,I

[Pr[Succ | S, I] > [Pr[Succ | S, I] > ε] = fraction of the

values of x x εε [0, N] for which [0, N] for which ValVal11(Reach(ReachFF≤T≤T))

(s(s00) > ) > ε.

• PrPrS,IS,I

[Pr[Succ | S, I] ≤ [Pr[Succ | S, I] ≤ ε] >= 1 – δ

PrPrS,IS,I

[Pr[Succ | S, I] > [Pr[Succ | S, I] > ε] ≤≤ δ.

• Therefore, y / (N+1) ≤≤ δ 0 ≤ y ≤ ≤ y ≤ δ(N+1).

Analysis (Contd ..)Analysis (Contd ..)

• Probability of adversary’s success Probability of adversary’s success monotonically increasesmonotonically increases with each with each additional node being compromised.additional node being compromised.

• For each For each 0 ≤ y ≤ ≤ y ≤ δ(N+1), there is a set Xy of values of x for which Pr[Succ | Pr[Succ | S, I] > S, I] > ε.

• Note that, X0 = and Xy-1 Xy for all y.

• Average of the values of x εε Xδ(N+1) can then be considered as an estimate for λ.

ConclusionConclusion

• We have been able to show how We have been able to show how Probabilistic Turn Based 2½ Player Game can be used in modeling random key predistribution scheme.

• We have also been able to show how quantitative analysis can be of help in formally specifying the (λ, ε, δ)-security property of such a scheme.

• Left the question of quantitatively solving Time bounded reachability of 2½ Player Game as open.

• We haven’t been able to answer how good this estimate for λ is.

Thank YouThank You