
Structure of this Dissertation

This dissertation is organized as follows: In Chapter 2 we present our system model, the requirements for our key exchange scheme, and the design rationale for our approach. In the following chapters we then present our approach, i.e. the key distribution schemes. To present our approach more comprehensibly, we divide its description into three parts.

In the first part, we consider passive attackers only. We call this our basic key establishment scheme since the two other parts are based on it. This approach is described in Chapter 3.

In the second part we extend the basic approach to a fault-tolerant approach in order to cope also with device failures and a stronger attacker type – the active attacker. This approach is described in Chapter 4.

The basic approach relies on path search algorithms. Since such a path search might not be efficient enough to be usable on highly resource-constrained devices, we extend our approach in the third and final part in order to cope also with such devices. This approach is described in Chapter 5.

After presenting our three key exchange schemes, we evaluate them in Chapter 6. In Chapter 7 we present other existing approaches for key establishment and compare them to our approach.

Finally, we conclude this dissertation in Chapter 8 with a summary and an outlook on future work.

2 Foundations

In this chapter we provide the foundations to develop our novel approach for establishing pair-wise keys between arbitrary devices in a wireless network. Our approach is well suited for highly resource-constrained devices and works in a fully decentralized way, i.e. there is no single point of failure.

In Section 2.1 we formalize the system model used throughout the rest of this work. The requirements regarding our approach are discussed in Section 2.2. We then present in Section 2.3 the design rationale of our approach. In Section 2.4 we present some definitions and basic data structures which are needed for the description of our approach.

2.1 System Model

Our system model comprises four parts. We start with our network model by describing the characteristics of our network. The properties of our devices are given next in the description of our device model. After that the assumed failure and attacker models are presented.

Network Model

For the purpose of this work we assume that the network consists of a multitude of independent devices that communicate over a wireless channel. The channel itself is insecure, i.e. anyone can listen and send to the channel.

Due to its wireless nature the channel is error-prone. We therefore assume the existence of a transport layer that recovers from packet loss. However, we analyze the effects of different error rates under a very simple error-recovery transport layer in Chapter 6.

We further assume a non-partitioned network so that communication between any two devices is always possible (direct or indirect via ad-hoc routing). One possibility to achieve a non-partitioned network is to deploy the devices with a high density in a certain area – in the ideal case they would all be in the communication range of each other, hence no partitioning can happen.

Each device also has a network-wide unique device ID, through which it can be uniquely addressed.

The number of devices in our network is not predetermined or constrained in any way, and may change due to the introduction of new devices, device deactivation or failure.

Device Model

Our devices are independent with their own memory and processor. We assume that they have some sort of energy source, e.g. batteries. Due to the huge number of such devices – and their usage as sensor or actuator devices in daily life items – they must be inexpensive and therefore have very limited resources. Typical devices are for instance based on eight-bit microcontrollers with only a few hundred bytes of RAM and a few kilobytes of program memory (e.g. flash memory).

We further assume that such devices are not in any way tamper resistant. This assumption is based on the fact that tamper resistance is very hard to achieve [AK96] and even harder if the devices used must be very cheap. This means that, given physical access to such a device, it is highly probable that all data stored on it can be recovered from its memory. Consequently, any secrets that are stored on such a device, e.g. cryptographic keys for communication, can be retrieved by a person who is able to gain physical access to the device.

Failure Model

In order to formalize our failure model we introduce the notion of a process. On each device d_i our protocol is executed by a process p_i (Figure 2.1). The process p_i is responsible for sending and receiving messages on the network. For the purpose of this work we assume that p_i, for all i, shows fail-stop behavior in case of a failure. For instance, a device whose batteries have died exhibits fail-stop behavior.

Figure 2.1: Failure Model (device d_i runs process p_i, which handles communication)

Attacker Model

We formalize our adversary as a process a_i running on a subverted device d_i. The attacker model is presented in Figure 2.2. In this model process a_i only communicates with process p_i, which executes the communication protocol. Therefore, a_i never communicates directly with any other process p_j on a device d_j for all j. However, we assume that all processes a_i may communicate with each other in order to reach their goal of compromising secrets, i.e. newly established keys. For this communication any means are possible. For instance, an attacker may place several subverted devices in our network, where the subverted devices additionally communicate over a wired high-speed network.

Figure 2.2: Attacker Model (devices d_i and d_j run processes p_i and p_j, which are linked by communication; attackers a_i and a_j sit on these devices and are linked by attacker communication)

In security applications an attacker can be classified by two main categories, i.e. his objective or goal and his ability. With his objective we describe the intentions of an attacker, e.g. gathering secret knowledge. The ability of an attacker describes what an attacker is able to do in order to reach his goal. With this model in mind, we define the following types of attackers by presenting for each attacker type his objective and ability:

1. The passive eavesdropping attacker (Eve). The objective of this attacker is to eavesdrop on communication between devices. This attacker is only interested in learning about secrets of other devices, e.g. newly established keys. The ability of this attacker can be modeled as a process a_i on a subverted device d_i, where a_i has read access to the process p_i. This means that a_i can learn about any messages sent or received by p_i and even all memory contents of p_i. However, a_i can never trigger p_i to send any malicious messages.

2. The active intruding attacker (Trudy). The objective of this attacker is also – just like the eavesdropping attacker – to learn about new secrets of other devices, i.e. newly established keys. However, unlike the eavesdropping attacker, this attacker may trigger the injection of messages into the network in order to reach his/her goal. Hence, the ability of this attacker can be modeled as a process a_i on a subverted device d_i, where a_i has full, i.e. read/write, access to the process p_i. In addition to the abilities of the passive eavesdropping attacker, he can therefore also trigger p_i to send messages in order to gain access to secrets, while having the same objective. This attacker subsumes the passive eavesdropping attacker class.

3. The active malicious attacker (Mallory). The objective of this attacker is to hinder correct execution of the network's purpose while having the same abilities as Trudy. Hence, the ability of this attacker can be modeled exactly as Trudy. However, due to the different goal of this attacker he becomes a very powerful denial-of-service attacker. This attacker subsumes both attacker classes from above.

In Figure 2.3 we summarize the abilities and the goals of our three attacker types. Note that Eve and Trudy have a common goal while Trudy and Mallory have the same abilities.

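|         | Eve              | Trudy            | Mallory           |
|---------|------------------|------------------|-------------------|
| Goal    | Capture new keys | Capture new keys | Denial-of-Service |
| Ability | Listen           | Listen/Send      | Listen/Send       |

Figure 2.3: Attacker Classification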
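An added example, not part of the dissertation: a small Python model of the failure and attacker models above, showing which payloads the colluding attacker processes learn and that only a read/write (Trudy-type) process can trigger p_i to send. The class and function names, the path-based delivery (only devices listed on the path handle a message), and the sample topology are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Attacker(Enum):
    NONE = 0    # device not subverted
    EVE = 1     # a_i has read access to p_i
    TRUDY = 2   # a_i has read/write access to p_i

@dataclass
class Device:
    dev_id: int
    attacker: Attacker = Attacker.NONE
    failed: bool = False                     # fail-stop: p_i does nothing at all
    inbox: list = field(default_factory=list)

class Network:
    def __init__(self, devices):
        self.devices = {d.dev_id: d for d in devices}
        self.pool = set()                    # knowledge shared by all colluding a_i

    def send(self, path, payload):
        """Pass payload through the processes on path; True if delivered."""
        for dev_id in path:
            dev = self.devices[dev_id]
            if dev.failed:
                return False                 # fail-stop: the message goes no further
            if dev.attacker is not Attacker.NONE:
                self.pool.add(payload)       # a_i reads whatever p_i handles
        self.devices[path[-1]].inbox.append(payload)
        return True

    def inject(self, dev_id, path, payload):
        """a_i on dev_id triggers p_i to send a message of its choosing."""
        if self.devices[dev_id].attacker is not Attacker.TRUDY:
            raise PermissionError("read-only attacker cannot trigger p_i")
        return self.send([dev_id] + list(path), payload)

def demo():
    # Constructed topology: device 2 hosts Eve, 4 hosts Trudy, 5 has failed.
    net = Network([Device(1), Device(2, Attacker.EVE), Device(3),
                   Device(4, Attacker.TRUDY), Device(5, failed=True)])
    net.send([1, 2, 3], "key-A")             # relayed by a subverted device
    net.send([1, 3], "key-B")                # touches no subverted device
    delivered_c = net.send([1, 5, 3], "key-C")
    forged = net.inject(4, [3], "forged")    # Trudy may send
    try:
        net.inject(2, [3], "forged-by-eve")  # Eve may not
        eve_blocked = False
    except PermissionError:
        eve_blocked = True
    return net.pool, delivered_c, forged, eve_blocked, net.devices[3].inbox
```

Because the pool is shared, a payload seen by any one subverted device counts as known to every attacker process, which is the collusion assumption of the attacker model.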

For the purpose of this work we assume only Eve- and Trudy-type attackers with their common goal of learning about new secrets and their different abilities. Mallory-type attackers are beyond the scope of this work and subject of future research. Note that Mallory-type attackers are