Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks

Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks

Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux

SECURECOMM, 2009

2

Wireless Trends

• Phones
  – Always on (Bluetooth, WiFi)
  – Background apps
• New hardware going wireless
  – Cars, passports, keys, …

3

Peer-to-Peer Wireless Networks

[Figure: nodes 1 and 2; packet fields: Message, Identifier, Certificate]

• Share information with other users
• Authenticate message sender

4

Examples

• Urban Sensing networks
• Delay tolerant networks
• Peer-to-peer file exchange

MiFi
Social networks

5

Anonymity Problem

Adversary can track activities of pseudonymous users

Passive adversary monitors identifiers used in peer-to-peer communications

[Figure: packet with Message, Certificate and the pseudonym "JulienFreudiger"]

6

Reputation

Privacy

Anonymous Authentication

7

Previous Work (1): Multiple Pseudonyms

[1] A. Beresford and F. Stajano. Mix Zones: User Privacy in Location-aware Services. Pervasive Computing and Communications Workshop, 2004

[Figure: Message with Pseudonym 1 and Certificate 1; further pairs Pseudonym 2, 3, 4 and Certificate 2, 3, 4]

Nodes change pseudonyms

+ Simple for users
- Costly for operator (pseudonym management)
- Limited privacy
- Sybil attacks

8

Previous Work (2): Group Signatures

[2] D. Boneh, X. Boyen and H. Shacham. Short Group Signatures. Crypto, 2004

[3] D. Chaum and E. van Heyst. Group Signatures. EuroCrypt, 1991

[Figure: Message, Group Identifier, Group Certificate; Central Authority]

+ Good anonymity
- Central management
- Traceable

9

New Approach: Self-Organized Anonymity

[Figure: Message, Random Identifier, Many Certificates]

Network-generated privacy

+ No need for infrastructure
+ Exploit inherent redundancy of mobile networks
- Privacy?

10

Outline

1. Ring Signatures

2. Anonymity Analysis

3. Evaluation

11

Cryptographic Primitive: Ring Signatures

• Procedure
  1. Select a set of pseudonyms (including yours) in a ring
  2. Sign messages with ring
• Properties
  – Anonymity: Signer cannot be distinguished
  – Unlinkable: Signatures cannot be linked to same signer
  – Setup free: Knowledge of others’ pseudonym is sufficient

Anonymous authentication: Member of ring signed the message

[4] R. L. Rivest, A. Shamir, Y. Tauman. How to Leak a Secret. Communications of the ACM, 2001

12

Ring Signatures Explained

[Figure: ring of E_k and + operations that starts and ends at v (labels v, z), fed by y_0 = g(x_0), y_1 = g(x_1), y_2 = g(x_2), …, y_s = g(x_s), …, y_{r-1} = g(x_{r-1}); x_s = g^{-1}(y_s)]

k = H(m)
v is the glue value
x_i are random values
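The ring equation on this slide, as an added toy implementation that is not from the slides or the paper: the signer picks random x_i for the other members, then uses its trapdoor to compute the one x_s that makes the chain return to v. Assumptions of this example: g is textbook RSA on constructed small primes, E_k is a SHA-256 Feistel stand-in for a block cipher, and `B`, `keygen`, `KEYS` and `PUBS` are names chosen here; the sizes are far too small to be secure.

```python
import hashlib, secrets
B = 96  # bit width of the common domain; larger than every toy modulus

def keygen(p, q, e=65537):
    """Toy RSA trapdoor permutation from constructed small primes (not secure)."""
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def g(pub, x, d=None):
    """Extended permutation g on B-bit values; inverts when the trapdoor d is given."""
    n, e = pub
    blk, r = divmod(x, n)
    if (blk + 1) * n > 1 << B:        # top partial block is left unchanged
        return x
    return blk * n + pow(r, e if d is None else d, n)

def E(k, x, inverse=False):
    """E_k: 4-round Feistel permutation keyed by k (SHA-256 stand-in for a cipher)."""
    h, mask = B // 2, (1 << B // 2) - 1
    def F(r, half):
        data = k + bytes([r]) + half.to_bytes(h // 8, "big")
        return int.from_bytes(hashlib.sha256(data).digest(), "big") & mask
    L, R = x >> h, x & mask
    for r in (reversed(range(4)) if inverse else range(4)):
        L, R = (R ^ F(r, L), L) if inverse else (R, L ^ F(r, R))
    return (L << h) | R

def sign(msg, pubs, s, d_s):
    """Member s closes the ring so that chaining E_k over all y_i returns to v."""
    k = hashlib.sha256(msg).digest()              # k = H(m)
    v = secrets.randbits(B)                       # glue value
    xs = [secrets.randbits(B) for _ in pubs]      # random x_i for the others
    ys = [g(pub, x) for pub, x in zip(pubs, xs)]
    z = w = v
    for y in ys[:s]:                              # forward from v to the gap
        z = E(k, z ^ y)
    for y in reversed(ys[s + 1:]):                # backward from v to the gap
        w = E(k, w, inverse=True) ^ y
    xs[s] = g(pubs[s], E(k, w, inverse=True) ^ z, d_s)   # x_s = g^-1(y_s)
    return v, xs

def verify(msg, pubs, sig):
    """Check that the ring closes; nothing in (v, xs) marks which member signed."""
    v, xs = sig
    k, z = hashlib.sha256(msg).digest(), v
    for pub, x in zip(pubs, xs):
        z = E(k, z ^ g(pub, x))
    return z == v

KEYS = [keygen(8191, 131071), keygen(131071, 524287), keygen(524287, 2147483647)]
PUBS = [pub for pub, _ in KEYS]
```

Any member can produce a valid signature, e.g. `sign(b"msg", PUBS, 1, KEYS[1][1])`, and `verify` needs only the public keys in the ring.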

13

Ring Construction in MANETs

• Nodes record pseudonyms in rings of neighbors
  – Store pseudonyms in history
  – Node i creates ring by selecting pseudonyms from with strategy
• Rings are dynamically and independently created

14

Illustration

[Figure: six nodes, numbered 1 to 6]

t1: S1 = [], R1 = [P1]
t2: S1 = [2, 3, 4], R1 = [P1, P2, P4]
t3: S1 = [2, 3, 4, 6], R1 = [P1, P4, P6]

15

Outline

1. Ring Signatures

2. Anonymity Analysis

3. Evaluation

16

Anonymity

• Adversary should not infer user i from Ri

[Figure: user i, pseudonyms Pi and Pj, ring Ri]

Attack: Given all rings, adversary can infer most probable ring owner

17

Anonymity Analysis

• Bipartite graph model

is set of nodes

is set of pseudonyms

is set of edges

Captures relation between nodes and rings

18

Attacking Ring Anonymity (1): Example

Find a perfect matching: Assignment of nodes to pseudonyms

19

Attacking Ring Anonymity (2): Analysis

• Find most likely perfect matching
  – Weight edges
  – Max weight perfect matching
• Bayesian inference
  – A priori weights
  – A posteriori weights
• Entropy metric

20

Optimal Construction

• Maximize anonymity

Theorem: Anonymity is maximum iff
• Graph is regular
• All subgraphs are isomorphic to each other
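An added example (not from the slides or the paper) of the analysis on the "Attacking Ring Anonymity" and "Optimal Construction" slides: it enumerates the perfect matchings of the node/pseudonym bipartite graph and computes each node's entropy for a regular and a non-regular set of rings of the same size. It assumes uniform a priori weights, so the a posteriori weight of an edge is the share of perfect matchings containing it; the function names and both ring sets are constructed for illustration.

```python
import math

def matchings(rings, i=0, used=frozenset()):
    """Yield every perfect matching: one distinct pseudonym per node, from its ring."""
    if i == len(rings):
        yield ()
        return
    for p in rings[i]:
        if p not in used:
            for rest in matchings(rings, i + 1, used | {p}):
                yield (p,) + rest

def posterior(rings):
    """post[i][j] = share of perfect matchings that assign pseudonym j to node i.
    Assumes uniform a priori weights (an assumption of this example)."""
    n = len(rings)
    counts = [[0] * n for _ in range(n)]
    total = 0
    for m in matchings(rings):
        total += 1
        for i, p in enumerate(m):
            counts[i][p] += 1
    if total == 0:
        raise ValueError("rings admit no perfect matching")
    return [[c / total for c in row] for row in counts]

def node_entropies(rings):
    """Entropy in bits of the adversary's belief about each node's own pseudonym."""
    return [sum(-p * math.log2(p) for p in row if p > 0) for row in posterior(rings)]

def pinned(rings):
    """Nodes the adversary identifies with certainty, mapped to their pseudonym."""
    return {i: row.index(1.0) for i, row in enumerate(posterior(rings)) if 1.0 in row}

# Constructed rings, all of size K = 2; rings[i] is the ring node i signs with
# and always contains node i's own pseudonym i.
REGULAR = [{0, 1}, {1, 2}, {2, 3}, {3, 0}]   # every pseudonym appears in 2 rings
SKEWED = [{0, 1}, {1, 0}, {2, 0}, {3, 2}]    # pseudonym 3 appears in one ring only
```

With the same ring size, `REGULAR` leaves every node at 1 bit of entropy, while in `SKEWED` the single-use pseudonym 3 pins node 3 and that in turn pins node 2.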

21

Outline

1. Ring Signatures

2. Anonymity Analysis

3. Evaluation

22

Validation of Theoretical Results

• LEDA C++ library for graph manipulation
• 10 nodes
• K=4 (ring size)

[Figure: three bipartite graphs between nodes u1, u2, …, u10 and pseudonyms P1, P2, …, P10: Random graphs, K-out graphs, Regular graphs]

23

Entropy Distribution of Random Graphs with edge density p

24

Minimum & Mean Entropy Distribution for Random and Regular Graphs

25

Entropy distribution of random, K-out and regular graphs

26

Fraction of matched nodes for various graph constructions

27

Evaluation in Mobile Ad Hoc Network

• 100 nodes
• K=4 (ring size)
• Static
  – Learn pseudonyms as far as graph connectivity allows
  – Select pseudonyms randomly
• Mobile: Restricted Random Waypoint
  – Least popular: Select least popular pseudonyms
  – Most popular: Select most popular pseudonyms
  – Random: Randomly select pseudonyms

28

Average Anonymity Set size over time

[Figure legend: Least, Random, Static, Mobile]

29

Conclusion

• Self-organized anonymous authentication
  – Network generated anonymity
  – Analysis with graph theory
• Results
  – Regular constructions near optimal
  – K-out constructions perform well
  – Mobility helps anonymity
  – Knowledge of popularity of pseudonyms helps

30

Future Work

• Stronger adversary model
  – Active adversary
• Self-Organized Location Privacy
  – Linkability Breaks Anonymity

31

BACKUP SLIDES

32

Compute Weights

• A priori weight
• Probability of an assignment
• Probability of an assignment given all assignments
• A posteriori weight of an edge between ui and pj

33

Revocation

• Keys can be black listed using traditional CRLs
• Misbehaving nodes can be excluded by revoking all keys in a ring
  – Nodes can reclaim their key to CA
  – Nodes misbehaving several times would be detected
• Accountability of group of users

34

Cost

• Computation overhead
• Transmission overhead
  – Group of prime order q
  – q = 283 (128-bit security), M = log2(q)

35

CDF of the average anonymity set size
