endorsements MAC i for at least n witnesses. As the probability of correctly guessing one MAC i is
p = / k, the authors compute the chance of correctly guessing at least n values to

$$P_S = \sum_{i=n}^{m} \binom{m}{i} p^{i} (1 - p)^{m-i}$$

After some computation they yield: m(k/ ) ≥ δ
From this, Du et al. conclude that it is sufficient if mk (δ + m), and give an example how to apply
this. If δ = so that the probability of accepting an invalid result is /, and there are m = witnesses,
k should be chosen so that k . This observation is supposed to enable economizing
transmission effort.
In case that a data fusion node is corrupted, Du et al. propose to obtain a result as follows: If the
verification at the base station fails, the base station is supposed to poll witness stations as data fusion
nodes, and to continue trying until the n out of m + scheme described above succeeds. Furthermore,
the expected number of polling messages T(m + , n) to be transmitted before the base station
receives a valid result is computed.
Regarding the security of the proposed scheme, however, one has to ask whether an attacker actually
needs to guess MACs to send an invalid result. As all messages are transmitted in clear, an
eavesdropper E could easily obtain valid message authentication codes MAC i = h(s i, w i, k i). If E
later on wants to act as a bogus data fusion node sending an (at this time) incorrect result s i, it can
replay MAC i to support this value. As Ref. [DDHVb] assumes a binary decision result, an attacker only
needs to eavesdrop until it has received enough MAC i supporting either value of s i. Thus, the scheme
fails completely to provide adequate protection against attackers forging witness endorsements.
The main reason for this vulnerability is the missing verification of the freshness of a MAC i at
the base station. One could imagine as a quick fix letting the base station regularly send out random
numbers r B that have to be included in the MAC computations. In such a scheme, every r B should
only be accepted for one result, requiring the generation and exchange of large random numbers. A
potential alternative could make use of time stamps, which would require synchronized clocks.
However, there are more open issues with this scheme. For example, it is not clear what should
happen if some witness nodes cannot receive enough readings. Also, it is not clear why the MAC i are
not sent directly from the witness nodes to the base station. This would at least allow for a direct
n out of m voting scheme, avoiding the polling procedure described above in case of a compromised
data fusion node. Furthermore, the suffix mode MAC construction h(message, key) selected by the
authors is considered to be vulnerable [MOV, note .].
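
The random-number fix sketched above, as an added example (not code from Du et al. or from this text): a base station that binds every witness MAC to a one-time r B rejects endorsements recorded in an earlier round, while the original scheme accepts them. HMAC-SHA256 is swapped in for the suffix-mode h(message, key); the key table and all class and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample keys k_i shared between witness i and the base station.
KEYS = {i: bytes([i]) * 16 for i in range(1, 5)}

def endorse(i, result, nonce=b""):
    """Witness i endorses a result. Assumption: HMAC-SHA256 stands in for h(s_i, w_i, k_i)."""
    msg = nonce + b"|" + str(i).encode() + b"|" + result
    return hmac.new(KEYS[i], msg, hashlib.sha256).digest()

class BaseStation:
    def __init__(self, n, use_nonce):
        self.n, self.use_nonce = n, use_nonce
        self.nonce = b""

    def challenge(self):
        """Issue a fresh r_B; it is consumed by the next verification."""
        self.nonce = secrets.token_bytes(16) if self.use_nonce else b""
        return self.nonce

    def verify(self, result, macs):
        """Accept if at least n witness MACs match the result (and the current r_B)."""
        if self.use_nonce and not self.nonce:
            return False  # no outstanding challenge, so nothing can be fresh
        good = sum(
            hmac.compare_digest(endorse(i, result, self.nonce), mac)
            for i, mac in macs.items() if i in KEYS
        )
        self.nonce = b""  # every r_B is accepted for one result only
        return good >= self.n

def run_round(bs, result, replayed=None):
    """One reporting round; `replayed` substitutes recorded MACs for fresh ones."""
    r_b = bs.challenge()
    fresh = {i: endorse(i, result, r_b) for i in KEYS}
    return bs.verify(result, replayed if replayed is not None else fresh), fresh

def replay_accepted(use_nonce):
    """Record round 1's MACs for b'1', then present the same MACs again in round 2."""
    bs = BaseStation(n=3, use_nonce=use_nonce)
    ok, recorded = run_round(bs, b"1")
    assert ok  # the honest round always verifies
    accepted, _ = run_round(bs, b"1", replayed=recorded)
    return accepted
```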
A further issue is how to defend against an attacker flooding the network with “forged” MAC i
(forged meaning arbitrary garbage that looks like a MAC)? This would allow an attacker to launch
a DoS attack as an honest fusion node could not know which values to choose. One more “hotfix”
for this could be using a local MAC among neighbors to authenticate the MAC i . Nevertheless, this
would imply further requirements (e.g., shared keys among neighbors, replay protection), and the
“improved scheme” nevertheless would not appear to be mature enough to rely on it.
Some more general conclusions that can be drawn from this are, first, that optimization (e.g.,
economizing on MAC size, message length) can be considered as being one of the attacker's best friends,
and, second, that in security we often learn (more) from failures. Nevertheless, the article of Du et al.
allows one to discuss the need for and the difficulties of constructing a secure data aggregation scheme
that does not consume too many resources and is efficient enough to be deployed in sensor networks.
As such it can be considered a useful contribution despite its security deficiencies.
In Ref. [Wag], Wagner studied the problem of the influence compromised sensor nodes can
have on an aggregated result in a more fundamental way. He assumes all n sensors to report their