Upload
dora
View
43
Download
0
Embed Size (px)
DESCRIPTION
An overview of Trust, Naming and Addressing and Establishment of security associations. trust assumptions; attacker models; n aming and addressing; key establishment in sensor networks; key establishment in ad hoc networks exploiting physical contact node mobility vicinity. Trust. - PowerPoint PPT Presentation
Citation preview
Security and Cooperation in Wireless NetworksSecurity and Cooperation in Wireless Networks Georg-August University Göttingen
An overview of Trust, Naming and An overview of Trust, Naming and Addressing and Establishment of security Addressing and Establishment of security
associationsassociations
• trust assumptions;trust assumptions;• attacker models;attacker models;• naming and naming and
addressing;addressing;• key establishment in key establishment in
sensor networks;sensor networks;• key establishment in key establishment in
ad hoc networks ad hoc networks exploitingexploiting
physical contactnode mobilityvicinity
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
Trust Trust: The belief that another party will behave according to a set of
well-established rules and thus meet one’s expectations.
The trust model of current wireless networks is rather simple– subscriber–service provider model– subscribers trust the service provider for providing the service, charging
correctly, and not misusing transactional data– service providers usually do not trust subscribers, and use security measures
to prevent or detect fraud
In the upcoming wireless networks the trust model will be much more complex– entities play multiple roles (users can become service providers)– number of service providers will dramatically increase– user–service provider relationships will become transient– how to build up trust in such a volatile and dynamic environment?
1
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
Reasons to trust organizations and individuals Moral values
– Culture + education, fear of bad reputation Experience about a given party
– Based on previous interactions Rule enforcement organization
– E.g. police or spectrum regulator Usual behavior
– Based on statistical observation Rule enforcement mechanisms
– Prevent malicious behavior by appropriate security mechanisms and encourage cooperative behavior
– It is much easier to encrypt the communication than to deploy police force everywhere to check that no one is eavesdropping
2
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
Trust vs. security and cooperation trust pre-exists security
– all security mechanisms require some level of trust in various components of the system
– E.g. if I trust that my computer is not compromised and the security mechanisms I am using is not (yet) broken --> then I can do my online transactions with the legitimate belief of not being defrauded.
cooperation reinforces trust– trust is about the ability to predict the behavior of another
party– I see the other party’s cooperative behavior --> so I would
believe that she will continue being cooperative --> this encourages me to be cooperative --> she will trust in me
3
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
Misbehaviors: Malice and selfishness Malice: willingness to do harm no matter what Selfishness: overuse of common resources (network, radio
spectrum, etc.) for one’s own benefit
A misbehavior consists in deliberately departing from the prescribed behavior in order to reach a specific goal
A misbehavior is selfish (or greedy, or strategic) if it aims at obtaining an advantage that can be quantitatively expressed in the units (bitrate, joules, or coverage) or in a related incentive system (e.g., micropayments); any other misbehavior is considered to be malicious.
traditionally, security is concerned only with malice but in the future, malice and selfishness must be
considered jointly if we want to seriously protect wireless networks
4
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
Who is malicious? Who is selfish?
5
Security mechanisms: to thwart malicious behavior Game theory: to model and prevent selfish behavior
There is no watertight boundary between malice and selfishness Both security and game theory approaches can be useful
Examples of malice and selfish behavior:• A technique aiming at increasing one’s share of the bandwidth (in
general at the expense of other users) is selfish.• An attack aiming at obtaining information about another user of the
network is malicious.• The attack aiming at dropping another node’s packets in order to save
own power is selfish.
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
6
Naming and Addressing naming and addressing are fundamental for networking
– notably, routing protocols need addresses to route packets– services need names in order to be identifiable, discoverable, and
useable
attacks against naming and addressing– address stealing
• adversary starts using an address already assigned to and used by a legitimate node
– Sybil attack• a single adversarial node uses several invented addresses• makes legitimate nodes believe that there are many other
nodes around– node replication attack
• dual of the Sybil attack• the adversary introduces replicas of a single compromised
node using the same address at different locations of the network
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
7
Illustration of the Sybil and node replication attacks
Sybil nodesABC
D
X
Y
Z
X
X
A
C
B D
E
G
F
H
I
J
replicated nodes
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
8
Cryptographically Generated Addresses (CGA) aims at preventing address stealing general idea:
– generate node address from a public key– corresponding private key is known only by the legitimate
node– prove ownership of the address by proving knowledge of the
private key example in case of IPv6:
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
9
Thwarting the Sybil attack note that CGAs do prevent an attacker from stealing or
spoofing an address already chosen by another node CGAs do not prevent the Sybil attack
– an adversary can still generate addresses for herself
a solution based on a central and trusted authority– the central authority vouches for the one-to-one mapping
between an address and a device– e.g., a server can respond to requests concerning the legitimacy
of a given address
other solutions take advantage of some physical aspects– e.g., identify the same device (when it is using a new fake
address) based on radio fingerprinting or using geographic location
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
10
Thwarting the node replication attack (1/2) a centralized solution
– each node reports its neighbors’ claimed locations to a central authority (e.g., the base station in sensor networks)
– the central authority detects if the same address appears at two different locations
– assumes location awareness of the nodes
base station
A
B
C
A
D E
A @ (x1, y1)
A @ (x2, y2)
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
11
Thwarting the node replication attack (2/2) a decentralized variant
– neighbors’ claimed location is forwarded to witnesses– witnesses are randomly selected nodes of the network– if a witness detects the same address appearing at two
different locations then it broadcast this information and the replicated nodes are revoked
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
12
Analysis of the decentralized variant total number of nodes in the network is n average number of neighbors is d (network degree) A broadcasts its location to its neighbors each neighbor of A forwards A’s location claim with probability p
to g randomly selected witnesses average number of witnesses receiving A’s location claim is p.d.g Assume the attacker inserts L replicas of node A The probability that p.d.g recipients of claim l1 do not receive any
of the p.d.g copies of claim l2 is:Pnc1 =(1-(p.d.g)/n) (p.d.g)
The probability that the 2 p*d*g recipients of claims l1 and l2 do not receive any of the p.d.g copies of claim l3 is:
Pnc2 =(1-(2p.d.g)/n) (p.d.g)
In the same way, the probability of no collisions is:Pnc =П(1-(i.p.d.g)/n)(p.d.g) (1 <= i <= (L-1))
Using (1+x)<=e^x we have: Pnc <=exp( - L(L-1)(p.d.g)2 / 2n)
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
Analysis of the decentralized variant
then for the probability of detection:
(1- Pnc =)Pdet > 1 – exp( - L(L-1)(p.d.g)2 / 2n)
numerical example:n = 10000, d = 20, g = 100, p = 0.5 L = 2 Pdet ~ 0.63L = 3 Pdet ~ 0.95
13
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
14
Establishment of security associations: Outline
Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
15
Key establishment in sensor networks After identification, authentication and key establishment are
necessary for starting secure communication authentication and key establishment are related to each other:
– Once authenticated the two nodes can establish a session key – An already established key can be used for future authentication
A possible solution is public key cryptography: each device carries a certificate issued by the trusted authority
But due to resource constraints, asymmetric key cryptography should be avoided in sensor networks: asymmetric encryption is usually harder (more complicated computation and requiring the central organization)
we aim at setting up symmetric keys
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
Key establishment in sensor networks
requirements for key establishment depend on – communication patterns to be supported
• unicast• local broadcast• global broadcast
– need for supporting in-network processing: data aggregation on packets received from downstream nodes to make the data more impact
– need to allow passive participation: e.g. a node decides not to report an event to the sink if it hears another node is doing the same needs decryption
necessary key types– node keys – shared by a node and the base station to protect packets
exchanged between a node and the base station (no aggregation)– link keys – pairwise keys shared by neighbors (used for hop-by-hop encryption,
message authentication and integrity)– cluster keys – shared by a node and all its neighbors (hop-by-hop encryption for
local broadcast, makes passive participation possible)– network key – a key shared by all nodes and the base station (global broadcast)
16
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
17
Setting up node, cluster, and network keys node key
– can be preloaded into the node before deployment
cluster key– can be generated by the node and sent to each neighbor individually
protected by the link key shared with that neighbor
network key– can also be preloaded in the nodes before deployment– needs to be refreshed from time to time (due to the possibility of node
compromise)• neighbors of compromised nodes generate new cluster keys• the new cluster keys are distributed to the non-
compromised neighbors• the base station generates a new network key• the new network key is distributed in a hop-by-hop manner
protected with the updated cluster keys (not available to compromised node)
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
18
Setting up link keys What remains to solve is establishing link keys They can not be pre-loaded before network
deployment:
– no a priori knowledge of post-deployment topology• it is not known a priori who will be neighbor to whom
– gradual deployment• need to add new sensors after deployment
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
19
Link key setup using a short-term master key– Sensor networks: stationary nodes, neighborhood of a node
does not change frequently
Link key establishment protocol in four phases:– Master key pre-loading– Neighbor discovery– Link key computation– Master key deletion
Master key pre-loading:– Before deployment– Master key Kinit is loaded into the nodes– Each node u computes Ku = fKinit (u)
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
20
Link key setup using a short-term master key Neighbor discovery:
– After the deployment node u initializes a timer– Discovers its neighbors: by broadcasting HELLO message– Neighbor v responds with ACK– ACK: identifier of v, authenticated with Kv (u still has the
master key and can compute Kv)– u verifies ACK
link key computation:– link key: Kuv=fKv (u).
Master key deletion:– When timer expires: u deletes Kinit and all Kv s
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
Pairwise key establishment in sensor networks
1. Initialization
Keypool
(k keys)
m (<<k) keys in each sensor (“key ring of the node”)
2. Deployment
Do we have a common key?
Probability for any 2 nodes to have a common key:
)!2(!))!((1
2
mkkmkp
21
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
22
Random key pre-distribution – PreliminariesGiven a set S of k elements, we randomly choose two subsets S1 and S2 of m1 and m2 elements, respectively, from S. The probability of S1 S2 is
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
23
The basic random key pre-distribution scheme initialization phase
– a large pool S of unique keys are picked at random– for each node, m keys are selected randomly from S and pre-loaded
in the node (key ring)
direct key establishment phase– after deployment, each node finds out with which of its neighbors it
shares a key (e.g., each node may broadcast the list of its key IDs)– two nodes that discover that they share a key verify that they both
actually posses the key (e.g., execute a challenge-response protocol)
path key establishment phase– neighboring nodes that do not have a common key in their key
rings establish a shared key through a path of intermediate nodes where each link of the path is already secured in the direct key establishment phase
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
24
Setting the parameters connectivity of the graph resulting after the direct key
establishment phase is crucial a result from random graph theory [Erdős-Rényi]: in order for a
random graph to be connected with probability c (e.g., c = 0.9999), the expected degree d of the vertices should be (n is the number of nodes):
(1)
in our case, d = pn’ (2), where p is the probability that two nodes have a common key in their key rings, and n’ is the expected number of neighbors (for a given deployment density)
p depends on the size k of the pool and the size m of the key ring
(3)
c d p k, m(1) (2) (3)
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
25
Setting the parameters – an example number of nodes: n = 10000 expected number of neighbors: n’ = 40 required probability of connectivity after direct key
establishment: c = 0.9999
using (1): required node degree after direct key establishment: d =
18.42 using (2):
required probability of sharing a key: p = 0.46 using (3):
appropriate key pool and key ring sizes:k = 100000, m = 250k = 10000, m = 75…
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
26
Qualitative analysis advantages:
– parameters can be adopted to special requirements– no need for intensive computation– path key establishment have some overhead …
• decryption and re-encryption at intermediate nodes• communication overhead
– but simulation results show that paths are not very long (2-3 hops)– no assumption on topology– easy addition of new nodes
disadvantages:– node capture affects the security of non-captured nodes too
• if a node is captured, then its keys are compromised• these keys may be used by other nodes too
– if a path key is established through captured nodes, then the path key is compromised
– no authentication is provided
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
27
Improvements: q-composite rand key pre-distribution basic idea:
– two nodes can set up a shared key if they have at least q common keys in their key rings
– the pairwise key is computed as the hash of all common keys
advantage:– in order to compromise a link key, all keys that have been
hashed together must be compromised
disadvantage:– probability of being able to establish a shared key directly is
smaller (it is less likely to have q common keys, than to have one)
– key ring size should be increased (but: memory constraints) or key pool size should be decreased (but: effect of captured nodes)
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
28
Improvements: Multipath key reinforcement basic idea:
– establish link keys through multiple disjoint paths– assume two nodes have a common key K in their key rings– one of the nodes sends key shares k1, …, kj to the other through j secured
disjoint paths (encrypted hop-by-hop using the key links already established in the direct key establishment phase)
– the key shares are protected during transit by keys that have been discovered in the direct key establishment phase
– the link key is computed as K + k1 + … + kj
– If no K is common in the two nodes’ key rings the key would be k1 + … + kj
radio connectivity shared key connectivity
k2
K
multipath key reinforcement
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
29
Improvements: Multipath key reinforcement advantages:
– in order to compromise a link key, at least one link on each path must be compromised increased resilience to node capture
disadvantages:– increased overhead
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
30
Establishment of security associations: Outline
Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
31
Exploiting physical contact target scenarios
– modern home with multiple remotely controlled devices• DVD, VHS, HiFi, doors, air condition, lights, alarm, …
– modern hospital• mobile personal assistants and medical devices, such as thermometers,
blood pressure meters, …
common in these scenarios– transient associations between devices – physical contact is possible for initialization purposes
the resurrecting duckling security policy– at the beginning, each device has an empty soul– each empty device accepts the first device to which it is physically
connected as its master (imprinting)– during the physical contact, a device key is established– the master uses the device key to execute commands on the
device, including the suicide command– after suicide, the device returns to its empty state and it is ready to
be imprinted again
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
32
Establishment of security associations: Outline
Key establishment in sensor networksExploiting physical contactExploiting mobilityExploiting the properties of vicinity and of the radio link
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
33
Does mobility increase or reduce security ? Authentication and security association between two devices is not
always convenient through physical contact, because the devices do not necessarily provide the appropriate interface or the users do not always carry the required cable with them
Mobility is usually perceived as a major security challenge – Wireless communications – Unpredictable location of the user/node– Not regularly availability of the user/node– Higher vulnerability of the device – Reduced computing capability of the devices
However, very often, people gather and move to increase security– Face to face meetings– Transport of assets and documents– Authentication by physical presence
In spite of the popularity of PDAs and mobile phones, this mobility has not been exploited to provide digital security
So far, client-server security has been considered as a priority (e-business)
Peer-to-peer security is still in its infancy
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
34
Mobile ad hoc networks with a central authority– off-line or on-line authority – nodes or authorities generate keys– authorities certify keys and node ids– authorities control network security settings and membership
Fully self-organized mobile ad hoc networks – no central authority (not even in the initialization phase !)– each user/node generates its own keys and negotiates keys with other
users– membership and security controlled by users themselves
trust trust
trusttrust
CA
trust
trusttrust
trust
trust
Fully self organizedAuthority-based
Two scenarios
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
35
Existing solutions: – Preloading all pairs of keys into nodes (it makes it
difficult to introduce new keys and to perform rekeying)– On-line authentication servers (problematic availability
and rekeying)
Routing cannot work until security associations are set up
Security associations cannot be set up via multi-hop routes because routing does not work
Routing – security interdependence
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
36
{ A, PuKA }
Wireless channel - Relatively long distance- No integrity- No confidentiality
PrKCA
A B
Certificate that binds B’s public key with its id, issued and signed by the central authority
Each node holds a certificate that binds its id with its public key, signed by the CA
{ B, PuKB }PrKCA
The establishment of security associations within power range breaks the routing-security interdependence cycle
Mobility helps security of routing: authority-based security systems
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
37
Mobile ad hoc networks with authority-based security systems– breaks the routing-security dependence circle – automatic establishment of security associations– no user involvement– associations can be established in power range – only off-line authorities are needed – straightforward re-keying
Advantages of the mobility approach (1/2)
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
38
Infrared link
(Alice, PuKAlice, XYZ)
(Bob, PuKBob , UVW)
Visual recognition, conscious
establishment of a two-way security association
Secure side channel -Typically short distance (a few meters)- Line of sight required- Ensures integrity- Confidentiality not required
Alice Bob
Fully self-organized scenarios: Public-key security association approaches
Secure side channel mechanism:
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
Secure side channel mechanism The node can easily verify the validation of the name
because the name should correspond to the person present at the encounter
The node can verify that the other node really possesses the private key corresponding to the received public key using a simple challenge-response protocol.
Finally the node address can be verified against the public key, e.g. by using Cryptographically Generated Addresses Assumption: NodeId = h(PuK)
39
Alice
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
40
IR
Colin
Bob(Colin’s friend)
Alice
(Alice, PuKAlice, XYZ)
(Alice, PuKAlice, XYZ)
- Bob knows the triplet of Alice -Colin and Bob are friends: They have established a Security Association at initialisation, and they faithfully share with each other the Security Associations with other users (trust)- Bob can issue fresh certificate for Alice and send it to Colin- Colin knows the public key of Bob and trusts it: can verify the received information and accept it if verified
Friends mechanism
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
41
Friendship : nodes know each others’ triplets
Exchange of triplets over the secure side channelTwo-way SA resulting from a physical encounter
i j i knows the triplet of j ; the triplet has been obtained from a friend of i
i
f
j i
f
j
i
f
j i
f
j
i j i ja) Encounter
b) Mutual friend
c) Friend + encounter
Mechanisms to establish Security Associations
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
Symmetric-key security association approaches
42
Friendship : nodes know each others’ triplets
Exchange of triplets over the secure side channelTwo-way SA resulting from a physical encounter
i j i knows the triplet of j ; the triplet has been obtained from a friend of i
i
f
j i
f
j
u
f
vu
f
v
i j i ja) Encounter: when i and j are in each other’s vicinity they exchange through the side channel their user names and addresses and the data to generate a key (must be confidential)
b) Mutual friend: i and j both have a shared key with f and also trust it; f can act as a trusted server or relay to help I and j to share a secret key
c) Friend + encounter: when two nodes have no common friend or do not want the friend to know thier secrets shared with others:f is u’s friend and has set up an association withV; g is v’s friend and has set up an associationwith u. u generates a key contribution, k_u, andSends it to v via g and v send its key contribution, k_v,to u via f. Then both u and v generate the k_uv using k_u and k_v.
gg
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
43
Fully self-organized mobile ad hoc networks – There are no central authorities– Each user/node generates its own public/private key pairs– Intuitive for users– Useful for setting up security associations for secure routing
in smaller networks or peer-to-peer applications – Requires some time until network is fully secure– User/application oriented
Advantages of the mobility approach (2/2)
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
44
Conclusion on security associations using mobility Mobility can help security in mobile ad hoc networks Mobility “breaks” the security-routing
interdependence cycle The pace of establishment of the security
associations is strongly influenced by the area size, the number of friends, and the speed of the nodes
The proposed solution also supports re-keying The proposed solution can easily be implemented
with both symmetric and asymmetric crypto
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
45
Establishment of security associations: Outline
Key establishment in sensor networksExploiting physical contactExploiting mobilityExploiting the properties of vicinity and of the radio link
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
46
Exploiting vicinity problem
– how to establish a shared key between two PDAs (using the radio link when no infrared connection is available)?
assumptions– no CA– PDAs can use short range radio communications (e.g.,
Bluetooth)– PDAs have a display– PDAs are held by human users
Example: two people get together at a meeting and want to exchange their business card using their PDAs in a secure way.
idea– use the Diffie-Hellman key agreement protocol– ensure key authentication by the human users
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
The Diffie-Hellman protocol
47
BobAlice
select random xcompute gx mod p
select random ycompute gy mod p
gx mod p
gy mod p
compute k = (gy)x mod p compute k = (gx)y mod p
assumptions: p is a large prime, g is a generator of subgroup Zp*, both are publicly known system
parameters
Diffie-Hellman with String Comparison: a protocol to ensure the integrity of the exchanged randoms (the two users will only need to trigger the protocol and justcompare two strings of characters)
Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks
48
Summary of establishment of security associations it is possible to establish pairwise shared keys in ad
hoc networks without a globally trusted third party mobility, secure side channels, and friends are
helpful in sensor networks, we need different types of keys
– node keys, cluster keys, and network keys can be established relatively easily using the technique of key pre-loading and using already established link keys
– link keys can be established using a short-term master key or with the technique of random key pre-distribution