Network Working Group L. Wang Internet-Draft L. Chen Intended status: Informational SoutnEast University Expires: December 21, 2014 J. Huang SouthEast University June 19, 2014 A Secure Data Aggregation Scheme Based on Key Vector Sharing in Wireless Sensor Network draft-wang-cfrg-sda-wsn-00 Abstract This document specifies a secure data aggregation scheme based on key vector sharing. New key set is negotiated among sink and sensor nodes, and then each sensor node uses one key in the set to encrypt and decrypt sensory data. A key vector structure is constructed and shared among them. Since the size of the shared key vector structure is constant, the transmission overhead is saved in the proposed scheme while security is ensured. Moreover, MAC integrity mechanism is also included in the proposed scheme. The recommended scheme reduces the transmitted overhead so as to save the energy consumption of each sensor node.Meanwhile, the scheme is data-loss resilient. Distribution of this memo is unlimited. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on December 21, 2014. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. Wang, et al. Expires December 21, 2014 [Page 1] Internet-Draft CTA June 2014 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements of the secure data aggregation in WSNs . . . 3 1.2. Meaning of Symbols . . . . . . . . . . . . . . . . . . . 4 2. Network model and specify methods . . . . . . . . . . . . . . 4 2.1. Network model . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Secure data aggregation . . . . . . . . . . . . . . . . . 4 2.3. MAC processing . . . . . . . . . . . . . . . . . . . . . 5 3. Secure data aggregation scheme based on Key Vector Sharing . 5 3.1. Preparation of the scheme . . . . . . . . . . . . . . . . 6 3.2. Process for the node . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. Overhead Considerations . . . . . . . . . . . . . . . . . . . 8 6. iana consideration . . . . . . . . . . . . . . . . . . . . . 9 7. Robustness analysis . . . . . . . . . . . . . . . . . . . . . 9 8. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 9 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction As an important part of Internet of Things (IOT), Wireless Sensor Networks (WSNs) are used in collecting useful information by means of deploying mounts of sensors in the real scene.Then, the sink and data center can use this information for further analysis and process. Nowadays WSNs are widely applied in many fields, such as military surveillance, factory or environmental monitoring, battlefield and health care. Due to limited energy of sensor node in WSNs, data aggregation technology is widely used in wireless sensor networks. The privacy preserving of sensor node and secure transmission of WSNs have become two of the key problems needed to be solved in data aggregation.More information of constrained-node networks could be found in RFC 7228[RFC7228]. [RFC7228] Wang, et al. Expires December 21, 2014 [Page 2] Internet-Draft CTA June 2014 In typical WSNs, large numbers of nodes are distributed in a particular area and self-organize into a network. Each sensor node sends its own sensory data to a parent node. Then the parent node performs the aggregation on its own sensory data and the data received from its child node, and sends the aggregated result to its own parent node too. After layer by layer uploading, ultimate aggregated data reach the sink. In many practical applications, the sink node is only interested in the statistics of those sensor data, such as sum of the data, average and variance of those data, etc. As these results can be all obtained in a SUM model of data aggregation with some additional compute, we will mainly consider the addition model of data aggregation.have been proposed and used, and can basically meet the corresponding requirements. But due to the open feature of WSNs, the exposure of context information can cause the user's secret leak to the attacker, especially attacker can locate the source node or destination node (base station) through traffic analysis and hop track packet stream. The location of source node and base station are very sensitive in many WSN applications such as in precious animals detection system, the position of animals (source node) can't be exposed to illegal hunters; in battlefield information collection system, the position of soldier (sink node) who accepts a variety of information can't be exposed to the enemy. Because of the importance and necessity of location privacy, this paper has a research on principles, advantages and disadvantages of current main location privacy protection agreement. 1.1. Requirements of the secure data aggregation in WSNs In the worst case, the attacker eavesdropped or captured an aggregation node, more valuable data will be achieved. This document aims to recommend a secure data aggregation scheme to meet the following requirements. 1) Security: the proposed scheme should protect the data collected by the sensor nodes from being easily obtained by eavesdroppers or attackers. 2) Energy-saving: the proposed scheme should ensure not only that the computation complexity in sensor nodes and aggregation nodes is as simple as possible, but also the size of transmitted data among nodes is short enough too. 3) Robustness: Since the sensor nodes in WSNs are often deployed in the scene where nodes can't be replaced or charged artificially, attack and steal is unavoidable. The proposed scheme should still have the flexibility to work in the case of several node failure or data loss. Wang, et al. Expires December 21, 2014 [Page 3] Internet-Draft CTA June 2014 In order to meet the above requirements, this document recommends a Key Vector Sharing data aggregation scheme, which uses additional homomorphic algorithm to encrypt each node's data and Key Vector Sharing to achieve secure data aggregation. 1.2. Meaning of Symbols N:Number of nodes in the whole network; Ni:The ith Node; P:Maximum number of child nodes in one aggregation node; M:Modulus of modular arithmetic in the scheme; G:Number of keys in overall key pool; K:Number of keys in one key group; ki:The ith key in the key group; seed:Random number shared by sink and nodes; Hash1:Hash function 1; Hash2:Hash function 2 (different from Hash1). 2. Network model and specify methods 2.1. Network model Firstly, we present the network model of secure data aggregation. It is a multi-level tree topology, and has one sink to collect the aggregation data result. Each parent node can have p child node at most. Here, we assume there are 7 levels in total and p=3. Thus the total number of nodes is N, while N=3279. 2.2. Secure data aggregation In encryption process, we assume there are plaintext m [0, M-1], random generated key stream k [0, M-1], then, ciphertext c=Enc(m, k, M) =(m+ k) mod M. In decryption process, the plaintext m=Dec(c, k, M) =(c-k) mod M. When the encrypted data reaches the aggregation node, c1=Enc(m1, k1, M), c2=Enc(m2, k2, M), the aggregated data is C=c1+c2=Enc(m1+m2, k1+k2, M). However, when the sink receives the aggregation data, it Wang, et al. Expires December 21, 2014 [Page 4] Internet-Draft CTA June 2014 makes the decryption as Dec(c1+c2, k1+k2, M) =m1+m2. Then, we get the aggregated plaintext. Here, mod means a modulo operation, Enc(m, k, M) is the function which uses k as a key to encrypt plaintext m. Dec(c, k, M) represents the function to decrypt ciphertext c with the key k. Obviously we have got an additional homomorphic scheme now. However, we must know that if n different ciphertexts are added together, module M has to be larger than the summary of all the mi, otherwise the decryption will fail. In practical applications, assuming that m=max(mi), then M can be chosen as M= N*m. For example, if we have N=3279 nodes in our network, M should be not less than 3279*m. 2.3. MAC processing In end to end data aggregation scheme, integrity verification is a good method to resist attacks. There are some schemes which have been proposed to realize integrity verification in data aggregation. The SIE scheme requires each node to compute the MAC [RFC2104] [RFC2104]value (e.g. SHA hash value) of the key shared with sink, and transmit the MAC value together with the encrypted sensor data to the aggregation nodes and sink. The sink then calculates the sum of response nodes' MAC, and compares the sum value with the received hash value to verify integrity. Although this scheme has realized integrity verification for CMT scheme, it does not address the ID expansion problem and data-loss problem yet. For example, in CMT scheme, since the sink just receives those nodes' IDs which don't need to respond, then sink does not know the node IDs which drops down suddenly or when data loss problems happen, this will result to erroneous verification. In this document, we improved the scheme as follows. Each node appends the used key's MAC to the sensory data, aggregation nodes only need to simply add these MACs. The sum result of the MACs will be received by the sink finally. Meanwhile, vector V is send to the sink too. V shows the used times of each key in the topology. Since the sink knows all the shared keys, it can calculate the MAC value based on the keys vector V. Therefore the sink compares the calculated MAC with the MAC received to make sure that the data hasn't been modified. 3. Secure data aggregation scheme based on Key Vector Sharing Wang, et al. Expires December 21, 2014 [Page 5] Internet-Draft CTA June 2014 3.1. Preparation of the scheme Initially, the sink will randomly choose K keys from a big key pool to build a new key group, here G is a great number but K need not be set too big (e.g. G=2100, K=16). Then, each node will get one unique key from the sink, which is randomly chosen from the key group. Besides, the key of one node gotten from the sink is unknown to another. The proposed secure data aggregation based on key vector sharing has the following processing phases. Phase 2: When an aggregating round begins, both the leaf nodes and aggregation nodes collect the sensory data and encrypt their own data, then leaf nodes send their encrypted data to aggregation nodes, aggregation nodes perform aggregation over the encrypted data. The processing details are shown as follows: If Ni is a leaf node, it first calculates Hash1(seed,ki), here ki is the unique key assigned from the sink. Then it uses the hash value as the encryption key to be added with collected data di, the result of the addition is the ciphertext C. Here, the addition is based on modular M. Meanwhile, the node generates a vector V=(v1,...vi- 1,vi,...vK), which represents each key's used times, here vi will be set 1 and others will be set 0 because node has just used ki one time. The value of Hash2(seed,ki) will also be calculated by the node, and denoted by H. In the end, the node connects C, V and H to a data structure(C,V,H), which will be sent to its parent node. If Nj is an aggregation node, it first calculates Hash1(seed,kj), here kj is the unique key assigned to this node. Then it uses the hash value as the encryption key to add with collected data dj, thus ciphertext C is obtained. Meanwhile, the aggregation node generates a vector V=(v1,...vi-1,vi,...vK) which represents each key's used times, here vj will be set 1 and others will be set 0 because the node has just used kj one time. The Hash2(seed,kj) value will also be calculated by the node, and denoted by H. Then, the aggregation node adds its own C with other Cs received from its children nodes, adds its own V vector with other Vs received from its children nodes, and adds its own H with other Hs received from its children modes. When addition of Hs is computed, the overflow bits in the modular addition can be ignored. Phase 3: After receiving the aggregated data, the sink first calculates all the values of Hash1(seed,kj)(i=1,2,...K) and Hash2(seed,kj)(i=1,2,...K), because it has all the keys in the key group. According to the received vector V, the sink can retrieve the sum of all sensed data' sum d1+d2+...dN. The plaintext of aggregation data result will be regained by modular subtracting vi times of each Hash1(seed,kj) from the received ciphertext C. Wang, et al. Expires December 21, 2014 [Page 6] Internet-Draft CTA June 2014 Meanwhile, the sink sums vi times of each Hash2(seed,kj) to get a value denoted as H'. Then it compares the H'value with the received H to verify the transmitted data integrity. 3.2. Process for the node Phase 1: In the beginning, the sink broadcasts a request to all sensors to generate network topology (same as TAG scheme). After that, the sink broadcasts a seed for a new aggregating round. However, it's optional. As we can use the synchronous time or a serial number as the seed, which needn't be broadcast every round. Phase 2: When an aggregating round begins, both the leaf nodes and aggregation nodes collect the sensory data and encrypt their own data, then leaf nodes send their encrypted data to aggregation nodes, aggregation nodes perform aggregation over the encrypted data. The processing details are shown as follows: If Ni is a leaf node, it first calculates Hash1(seed,ki), here ki is the unique key assigned from the sink. Then it uses the hash value as the encryption key to be added with collected data di, the result of the addition is the ciphertext C. Here, the addition is based on modular M. Meanwhile, the node generates a vector V=(v1,...vi- 1,vi,...vK), which represents each key's used times, here vi will be set 1 and others will be set 0 because node has just used ki one time. The value of Hash2(seed,ki) will also be calculated by the node, and denoted by H. In the end, the node connects C, V and H to a data structure(C,V,H), which will be sent to its parent node. If Nj is an aggregation node, it first calculates Hash1(seed,kj), here kj is the unique key assigned to this node. Then it uses the hash value as the encryption key to add with collected data dj, thus ciphertext C is obtained. Meanwhile, the aggregation node generates a vector V=(v1,...vi-1,vi,...vK) which represents each key's used times, here vj will be set 1 and others will be set 0 because the node has just used kj one time. The Hash2(seed,kj) value will also be calculated by the node, and denoted by H. Then, the aggregation node adds its own C with other Cs received from its children nodes, adds its own V vector with other Vs received from its children nodes, and adds its own H with other Hs received from its children modes. When addition of Hs is computed, the overflow bits in the modular addition can be ignored. Phase 3: After receiving the aggregated data, the sink first calculates all the values of Hash1(seed,kj)(i=1,2,...K) and Hash2(seed,kj)(i=1,2,...K), because it has all the keys in the key group. According to the received vector V, the sink can retrieve the sum of all sensed data' sum d1+d2+...dN. The plaintext of Wang, et al. Expires December 21, 2014 [Page 7] Internet-Draft CTA June 2014 aggregation data result will be regained by modular subtracting vi times of each Hash1(seed,kj) from the received ciphertext C. Meanwhile, the sink sums vi times of each Hash2(seed,kj) to get a value denoted as H'. Then it compares the H'value with the received H to verify the transmitted data integrity. 4. Security Considerations We take the tree network topology with seven levels for instance. In this network topology, each parent node can have 3 child nodes at most, so the whole network has not more than 3279 nodes in total. We assume that key group's size is 16(K=16). Thus, for the sink, there are 16 numbers in the final V it received, and each number could be anyone range between 1 and 3279. Since different V represents different used times of each key in the encryption process, the vector's space is so huge (more than 2200) for an attacker to crack the ciphertext. Due to the addition of V in the aggregation process, two adjacent aggregation nodes have totally different V vector, thus one node cannot decrypt the other node's ciphertext. Moreover, for a leaf node, because it does not know which key its adjacent node has got from the key group and it holds only one key, it can't decrypt the data of an adjacent node too. In summary, the proposed scheme provides good privacy protection for the nodes and the transmitted data. Furthermore, if an attacker captures a node, all he can get is the data structure (C,V,H) of the node. What he may want is to find another node with the same vector V which will help him to analysis the ciphertext C. In the worst case, assuming that the attacker can eavesdrop on all nodes in the entire network and get all nodes' transmitted data, there will be two cases when the attacker looks for the nodes having the same key vector V: 1) If the attacker captures a leaf node, then he may find 1/16 of all the leaf nodes, which is just 4% of the nodes in whole network. Because these nodes are randomly located in the area, they don't represent any actually useful information. 2) If the attacker captures an aggregation node, the probability of finding other nodes having the same vector V will be greatly reduced. For example, the probability is 1/103 in layer 6, and is 1/106 in layer 5. It is very hard for the attacker to find another aggregation node having same vector V. 5. Overhead Considerations The recommended scheme only requires a vector V having a limited number of bits instead of transmission of all nodes' ID. Vector V won't rapidly expand in the process of aggregation. For example, based on the communication overhead discussion of CMT scheme, transmission overhead of each node increases from 75 bits in bottom Wang, et al. Expires December 21, 2014 [Page 8] Internet-Draft CTA June 2014 level to 950 bits in level 1 in the case that 10% nodes didn't respond. It becomes worse in the case that 30% nodes didn't respond, while communication overhead increases from 75 bits to 2700 bits. However, in this document, the communication overhead ranges from 75 bits to 187 bits, and most of the nodes' overhead is not larger than 75 bits. Since the sensory data's measure range is m=27, in order to decrypt the ciphertext properly, modulus M should be at least N*m. Hence each node's encrypted data segment needs 12+7=19bits (here we assume n=212=4096>3279). For consistency, we also plus 56 additional load bits like the CMT scheme, thus the basic data segment is 56+19=75bits in size. In CMT scheme, each node in the highest level of the aggregation tree will transmit at least 950 bits in the case that 10% nodes didn't respond. However, in the proposed scheme, each node in the highest level only transmits at most 187 bits in the average case. Because the average using times of ki after the last aggregation is:3276(1-10%)/3*16=61<26<<27, each vi in the V needs 7 bits at most to represent the number of used times, V's length is 7*16=112 bits, and the total bits required for transmitting is 75+112=187 bits. Obviously, the proposed scheme saves over 80% of the overhead in the high level, and for the nodes in other lower levels, the length of transmitted data is also shorter than those related schemes too. 6. iana consideration To be completed. 7. Robustness analysis The recommended scheme has solved the data-loss problem as well. For example, when a node dropped due to a sudden accident, the sink didn't need to know its ID. Because once there is a node dropped or data lost in the transferring process, we will lose not only C but also V and H, the lost data's V and H will not reach the aggregation node, so the correctness of the decrypted data is guaranteed. Thus, the proposed scheme is robust, which is very important for a sensor network which changes topology frequently. 8. Conclusions In this document, the recommended secure data aggregation scheme based on Key Vector Sharing overcomes the problem of rapid expansion of transferred IDs, reduces the additional overhead due to transferring of ID information, and improves the endurance of the network. Moreover, by using hash function, the scheme guarantees the Wang, et al. Expires December 21, 2014 [Page 9] Internet-Draft CTA June 2014 integrity of the aggregation. In addition, solving the data-loss problem makes the proposed scheme more robust and practical. 9. References [RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for Constrained-Node Networks", May 2014. [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", February 1997. Authors' Addresses Likun Wang SoutnEast University N0.9, Mo Zhoudong street Nan Jing, Jiang Su Province 210096 Phone: +86 18795858986 Email: kunliw@aliyun.com Liquan Chen SoutnEast University N0.9, Mo Zhoudong street Nan Jing, Jiang Su Province 210096 Phone: +86 13813852253 Email: Lqchen@seu.edu.cn Jie Huang SouthEast University N0.9, Mo Zhoudong street Nan Jing, Jiang Su Province 210096 Phone: +86 13675178016 Email: jhuang@seu.edu.cn Wang, et al. Expires December 21, 2014 [Page 10]