Smart Trust for Smart Dust

Future distributed systems may include large self-organizing networks of locally communicating sensor nodes, any small number of which may be subverted by an adversary. Providing security for these sensor networks is important, but the problem is complicated by the fact that managing cryptographic key material is hard: low-cost nodes are neither tamper-proof nor capable of performing public key cryptography efficiently.
In this paper, we show how the key distribution problem can be dealt with in environments with a partially present, passive adversary: a node wishing to communicate securely with other nodes simply generates a symmetric key and sends it in the clear to its neighbours. Despite the apparent insecurity of this primitive, we can use mechanisms for key updating, multipath secrecy amplification and multihop key propagation to build up extremely resilient trust networks where at most a fixed proportion of communications links can be eavesdropped. We discuss applications in which this assumption is sensible. Many systems must perforce cope with principals who are authenticated weakly, if at all; the resulting issues have often been left in the ‘too hard’ tray. One particular interest of sensor networks is that they present a sufficiently compact and tractable version of this problem. We can perform quantitative analyses and simulations of alternative strategies, some of which we present here. We also hope that this paper may start to challenge the common belief that authentication is substantially about bootstrapping trust. We argue that, in distributed systems where the opponent can subvert any small proportion of nodes, it is more economic to invest in resilience than in bootstrapping.
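The following simulation is an added illustration of the abstract's argument and is not code from the paper. It models plaintext key setup on a grid of nodes, where each link key is sent in the clear and the adversary hears each link independently with a fixed probability, and then runs rounds of multipath secrecy amplification. The concrete amplification step used here (a fresh nonce forwarded a -> c -> b under the existing hop keys, the new link key derived from the old key and all nonces) and the 8-neighbour grid topology are assumptions of this example, and keys are tracked only as known/unknown to the adversary rather than hashed. The closed-form `expected_after_one_round` is the independent-links estimate for one round and does not account for the correlation between links that builds up in later rounds.

```python
"""Plaintext key setup followed by multipath secrecy amplification.

Model (assumptions of this example, not taken from the paper):
  * nodes sit on a side x side grid and hear their up to 8 grid neighbours;
  * every link {a, b} starts with a key K_ab that one endpoint generated and
    sent in the clear; the adversary eavesdrops each link independently with
    probability p_eaves and then knows that K_ab;
  * a subverted node leaks every key it holds, so each link incident to it
    is compromised from the start;
  * one amplification round: for each link {a, b} and each common neighbour
    c, a fresh nonce N_c travels a -> c -> b encrypted hop by hop under K_ac
    and K_cb, and the new link key is H(K_ab, N_c1, N_c2, ...).  The adversary
    learns N_c iff it knows K_ac or K_cb (either hop decrypts it), and learns
    the new key iff it knew K_ab and every nonce.
Keys are tracked symbolically (known / unknown); no hashing is performed.
"""
import random
from collections import defaultdict


def build_grid(side):
    """Adjacency: node (x, y) hears the up to 8 grid cells around it."""
    nbrs = defaultdict(set)
    for x in range(side):
        for y in range(side):
            for dx in (-1, 0, 1):
                for dy in (-1, 0, 1):
                    if (dx, dy) == (0, 0):
                        continue
                    nx, ny = x + dx, y + dy
                    if 0 <= nx < side and 0 <= ny < side:
                        nbrs[(x, y)].add((nx, ny))
    return dict(nbrs)


def links_of(nbrs):
    """Undirected links as frozensets {a, b}."""
    return {frozenset((a, b)) for a in nbrs for b in nbrs[a]}


def plaintext_key_setup(links, p_eaves, rng, subverted=()):
    """Keys are sent in the clear: the adversary records a link's key with
    probability p_eaves, and knows every key held by a subverted node."""
    compromised = {l for l in links if rng.random() < p_eaves}
    compromised |= {l for l in links if l & set(subverted)}
    return compromised


def amplify_once(nbrs, compromised):
    """One amplification round over all links, using the key state at the
    start of the round.  A compromised link stays compromised only if the
    adversary also learns every nonce, i.e. on every two-hop path a-c-b it
    knows K_ac or K_cb.  A link with no common neighbour cannot be amplified."""
    still = set()
    for link in compromised:
        a, b = tuple(link)
        paths_known = (
            frozenset((a, c)) in compromised or frozenset((c, b)) in compromised
            for c in nbrs[a] & nbrs[b]
        )
        if all(paths_known):
            still.add(link)
    return still


def simulate(side, p_eaves, rounds, seed=0, subverted=()):
    """Fraction of link keys known to the adversary after each round
    (index 0 is the state right after plaintext setup)."""
    rng = random.Random(seed)
    nbrs = build_grid(side)
    links = links_of(nbrs)
    compromised = plaintext_key_setup(links, p_eaves, rng, subverted)
    fractions = [len(compromised) / len(links)]
    for _ in range(rounds):
        compromised = amplify_once(nbrs, compromised)
        fractions.append(len(compromised) / len(links))
    return fractions


def expected_after_one_round(p, k):
    """Independent-links estimate for a link with k disjoint two-hop paths:
    the key stays known iff the direct link (probability p) and every path
    (probability 1 - (1-p)^2 each) were eavesdropped."""
    return p * (1 - (1 - p) ** 2) ** k


if __name__ == "__main__":
    for p in (0.1, 0.3, 0.5):
        print(p, [round(f, 4) for f in simulate(20, p, rounds=3, seed=1)])
    print("one subverted node:",
          [round(f, 4) for f in simulate(20, 0.3, 3, 1, subverted=[(10, 10)])])
```

Running the script shows the point of the abstract: a link whose key was overheard stays compromised only if the adversary was also on every two-hop path around it, so the compromised fraction falls sharply after one round and keeps falling, while the links incident to a subverted node never recover, since that node holds the keys and the nonces itself.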
1. Introduction
Wireless sensor networks are becoming increasingly important for a wide variety of applications such as factory instrumentation, climate control, environmental monitoring, and building safety. As sensor networks become cheaper and more commoditised, they will become attractive to home users and small businesses, and for other new applications. A typical sensor network consists of a large number of small, low-cost nodes that use wireless peer-to-peer communication to form a self-organized network. They use multi-hop routing algorithms based on dynamic network and resource discovery protocols. To keep costs down and to deal with limited battery energy, nodes have fairly minimal computation, communication, and storage resources. They do not have tamper-proof hardware. We can thus expect that some small fraction of nodes in a network may be compromised by an adversary over time.
