2.4 Security Analysis
2.4.1 Security Services
Since the adversarial model considered in current cryptographic-based secure data aggregation schemes varies from one scheme to another, as discussed in Section 2.3, each scheme provides different security services to defeat the expected type of adversary. This section investigates which of the security services discussed in Section 2.1.1 are provided by each of the cryptographic-based secure data aggregation schemes discussed in this chapter. It is obvious from Table 2.1 that schemes designed with a type I adversary in mind, such as Castelluccia et al.’s scheme [17] and Sanli et al.’s scheme [110], do not provide entity authentication service, which is a must in most schemes that aim to defeat active adversaries (type III or type IV) as in [22, 40, 43, 53, 58, 75, 99, 131, 136]. This is because active adversaries can launch, for example, Sybil attacks, where the adversary is able to present more than one node and then interact with the network. Adversaries can successfully inject fake identities to affect aggregation results and mislead the base station. The security services discussed in this section are as follows:
Data Confidentiality
Data confidentiality is provided in cryptographic-based secure data aggregation schemes whenever the privacy of the data is required. Some of the schemes in which a type II adversary is expected, such as Castelluccia et al.’s scheme [17] and Sanli et al.’s scheme [110], aimed to secure raw data and aggregation results from revelation by a passive adversary. Thus, they focused on providing data confidentiality only. This level of security is acceptable, because a type II adversary has no interest in destroying the overall performance and is only interested in knowing the content of the reported information. Other schemes, which consider type III or type IV adversaries, may or may not provide data confidentiality. This depends on whether the privacy of aggregation results is important for WSN applications. For example, Jadia & Mathuria’s [62], Mahimkar & Rappaport’s [75], Przydatek et al.’s [99], Yang et al.’s [136], and Westhoff et al.’s [131] schemes provide data confidentiality along with other security services.
Data Integrity
Data integrity is provided in some cryptographic-based secure data aggregation schemes in which active adversaries (type III or type IV) are expected in the deployment area. These two types of adversary, as discussed in Section 2.2.2, can launch node compromise attacks and are then able to alter the content of data received from downstream nodes before it is forwarded to upstream nodes. If data integrity service is not offered by a scheme, upstream nodes would have no knowledge of this alteration. Table 2.1 shows that most cryptographic-based secure data aggregation schemes that have at least a type III adversary in mind [22, 40, 43, 53, 58, 62, 75, 99, 136] provide data integrity service. However, Westhoff et al.’s scheme [131] does not offer data integrity although it is built with a type III adversary in mind. This is because the authors of this scheme limited their discussion to offering data confidentiality only.
Data Freshness
Active adversaries (type III or IV) can launch different types of attack, such as replay attacks. They can affect the aggregation result by simply replaying old messages into networks that do not have data freshness provided. Not surprisingly, each scheme where active adversaries are expected ensures data freshness. However, data freshness is not provided in schemes such as Du et al.’s [40], Mahimkar & Rappaport’s [75], and Westhoff et al.’s [131]. Witnesses in Du et al.’s scheme help the base station (or the querier) to validate the aggregation results, but the freshness of the aggregation is left unconsidered. Therefore, the aggregator, if compromised, can mislead the base station by replaying old messages with valid (but old) proofs from the witnesses. Westhoff et al.’s scheme also does not offer data freshness, although it was built with a type III adversary in mind. This is because the authors of this scheme limited their discussion to offering data confidentiality only. Table 2.1 shows that data freshness is ensured in Chan et al.’s scheme [22], Hu & Evans’s scheme [58], Jadia & Mathuria’s scheme [62], Przydatek et al.’s scheme [99], and Yang et al.’s scheme [136].
Table 2.2: Attack vulnerabilities in current secure data aggregation schemes
Robust √ Vulnerable
Scheme NC SY SF RE AT
Castelluccia et al. [17] √ II
Sanli et al. [110] √ II
Westhoff et al. [131] √ √ III
Hu & Evans [58] √ √ III
Przydatek et al. [99] √ √ III
Chan et al. [22] √ √ III
Du et al. [40] √ √ √ √ III
Mahimkar & Rappaport [75] √ √ √ III
Yang et al. [136] √ √ III
Jadia & Mathuria [62] √ √ III
Frikken & Dougherty [43] √ √ III
Haghani et al. [53] √ III
NC: Node Compromise
SY: Sybil
SF: Selective Forwarding
RE: Replay
AT: Adversary Type
Data Availability
Recently, data availability has gained some attention in cryptographic-based secure data aggregation schemes. Detecting the inconsistency in aggregation results with no further action to determine the node that caused this inconsistency is not enough. An adversary could keep manipulating aggregation results in order to bring the network down by consuming the energy resources of intermediate sensor nodes. Table 2.1 shows that Haghani et al.’s scheme is the only scheme that provides data availability [53]. This scheme allows the identification of nodes that caused the inconsistency in the aggregation result (or the aggregation disruption) and then allows the removal of malicious nodes. These nodes can be detected through successive polling of the layers on a commitment tree. However, the energy consumption of successive polling is questionably high.
Entity Authentication
As discussed in Section 2.1.1, entity authentication ensures the reliability of a message by verifying its origin. Table 2.1 shows that cryptographic-based secure data aggregation schemes that provide data integrity also provide entity authentication. This is because the message authentication code (MAC) is used to verify both data authenticity and data integrity. Note that entity authentication is partially provided in Du et al.’s scheme, because only communications between an aggregator and a querier are authenticated. Communications between leaf nodes and the aggregator are not authenticated.
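
The following sketch is an added example, not code from any of the surveyed schemes. It illustrates the Data Freshness and Entity Authentication passages above: one per-node MAC covers both origin and integrity, but a replayed report is only rejected when the MAC also covers a freshness value. The per-query nonce, the per-node keys, the message layout and the readings are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

def tag(key, node_id, reading, nonce=b""):
    """MAC over node id, reading and (optionally) the querier's nonce."""
    msg = struct.pack(">HI", node_id, reading) + nonce  # fixed-width fields first
    return hmac.new(key, msg, hashlib.sha256).digest()

def aggregate(keys, reports, nonce=b""):
    """Sum readings whose MAC verifies; return (sum, rejected node ids)."""
    total, rejected = 0, []
    for node_id, reading, mac in reports:
        key = keys.get(node_id)  # an unknown identity has no shared key
        if key and hmac.compare_digest(tag(key, node_id, reading, nonce), mac):
            total += reading
        else:
            rejected.append(node_id)
    return total, rejected

def demo():
    # Constructed keys, nonces and readings (assumptions for illustration).
    keys = {1: b"constructed-key-node-1", 2: b"constructed-key-node-2"}
    q1, q2 = b"query-0001", b"query-0002"
    readings = [(1, 20), (2, 22)]
    bound = [(n, r, tag(keys[n], n, r, q1)) for n, r in readings]
    unbound = [(n, r, tag(keys[n], n, r)) for n, r in readings]
    n, r, m = bound[0]
    return {
        # Reports answered under the current query nonce are accepted.
        "fresh": aggregate(keys, bound, q1),
        # The same reports replayed under a later query fail verification.
        "replay_with_nonce": aggregate(keys, bound, q2),
        # Without a freshness value, old reports stay valid indefinitely.
        "replay_without_nonce": aggregate(keys, unbound),
        # An altered reading breaks the MAC (data integrity).
        "tampered": aggregate(keys, [(n, r + 5, m), bound[1]], q1),
        # A node id with no registered key is rejected (entity authentication).
        "unknown_identity": aggregate(keys, [(9, 50, bytes(32))], q1),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```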