an overview of trust, naming and addressing and establishment of security associations

Security and Cooperation in Wireless NetworksSecurity and Cooperation in Wireless Networks Georg-August University Göttingen

An overview of Trust, Naming and An overview of Trust, Naming and Addressing and Establishment of security Addressing and Establishment of security

associationsassociations

• trust assumptions;trust assumptions;• attacker models;attacker models;• naming and naming and

addressing;addressing;• key establishment in key establishment in

sensor networks;sensor networks;• key establishment in key establishment in

ad hoc networks ad hoc networks exploitingexploiting

physical contactnode mobilityvicinity

Georg-August University GöttingenThe security of existing wireless The security of existing wireless networksnetworks

Trust Trust: The belief that another party will behave according to a set of

well-established rules and thus meet one’s expectations.

The trust model of current wireless networks is rather simple– subscriber–service provider model– subscribers trust the service provider for providing the service, charging

correctly, and not misusing transactional data– service providers usually do not trust subscribers, and use security measures

to prevent or detect fraud

In the upcoming wireless networks the trust model will be much more complex– entities play multiple roles (users can become service providers)– number of service providers will dramatically increase– user–service provider relationships will become transient– how to build up trust in such a volatile and dynamic environment?

1


Reasons to trust organizations and individuals Moral values

– Culture + education, fear of bad reputation Experience about a given party

– Based on previous interactions Rule enforcement organization

– E.g. police or spectrum regulator Usual behavior

– Based on statistical observation Rule enforcement mechanisms

– Prevent malicious behavior by appropriate security mechanisms and encourage cooperative behavior

– It is much easier to encrypt the communication than to deploy police force everywhere to check that no one is eavesdropping

2


Trust vs. security and cooperation trust pre-exists security

– all security mechanisms require some level of trust in various components of the system

– E.g. if I trust that my computer is not compromised and the security mechanisms I am using is not (yet) broken --> then I can do my online transactions with the legitimate belief of not being defrauded.

cooperation reinforces trust– trust is about the ability to predict the behavior of another

party– I see the other party’s cooperative behavior --> so I would

believe that she will continue being cooperative --> this encourages me to be cooperative --> she will trust in me

3


Misbehaviors: Malice and selfishness Malice: willingness to do harm no matter what Selfishness: overuse of common resources (network, radio

spectrum, etc.) for one’s own benefit

A misbehavior consists in deliberately departing from the prescribed behavior in order to reach a specific goal

A misbehavior is selfish (or greedy, or strategic) if it aims at obtaining an advantage that can be quantitatively expressed in the units (bitrate, joules, or coverage) or in a related incentive system (e.g., micropayments); any other misbehavior is considered to be malicious.

traditionally, security is concerned only with malice but in the future, malice and selfishness must be

considered jointly if we want to seriously protect wireless networks

4


Who is malicious? Who is selfish?

5

Security mechanisms: to thwart malicious behavior Game theory: to model and prevent selfish behavior

There is no watertight boundary between malice and selfishness Both security and game theory approaches can be useful

Examples of malice and selfish behavior:• A technique aiming at increasing one’s share of the bandwidth (in

general at the expense of other users) is selfish.• An attack aiming at obtaining information about another user of the

network is malicious.• The attack aiming at dropping another node’s packets in order to save

own power is selfish.


6

Naming and Addressing naming and addressing are fundamental for networking

– notably, routing protocols need addresses to route packets– services need names in order to be identifiable, discoverable, and

useable

attacks against naming and addressing– address stealing

• adversary starts using an address already assigned to and used by a legitimate node

– Sybil attack• a single adversarial node uses several invented addresses• makes legitimate nodes believe that there are many other

nodes around– node replication attack

• dual of the Sybil attack• the adversary introduces replicas of a single compromised

node using the same address at different locations of the network


7

Illustration of the Sybil and node replication attacks

Sybil nodesABC

D

X

Y

Z

X

X

A

C

B D

E

G

F

H

I

J

replicated nodes


8

Cryptographically Generated Addresses (CGA) aims at preventing address stealing general idea:

– generate node address from a public key– corresponding private key is known only by the legitimate

node– prove ownership of the address by proving knowledge of the

private key example in case of IPv6:


9

Thwarting the Sybil attack note that CGAs do prevent an attacker from stealing or

spoofing an address already chosen by another node CGAs do not prevent the Sybil attack

– an adversary can still generate addresses for herself

a solution based on a central and trusted authority– the central authority vouches for the one-to-one mapping

between an address and a device– e.g., a server can respond to requests concerning the legitimacy

of a given address

other solutions take advantage of some physical aspects– e.g., identify the same device (when it is using a new fake

address) based on radio fingerprinting or using geographic location


10

Thwarting the node replication attack (1/2) a centralized solution

– each node reports its neighbors’ claimed locations to a central authority (e.g., the base station in sensor networks)

– the central authority detects if the same address appears at two different locations

– assumes location awareness of the nodes

base station

A

B

C

A

D E

A @ (x1, y1)

A @ (x2, y2)


11

Thwarting the node replication attack (2/2) a decentralized variant

– neighbors’ claimed location is forwarded to witnesses– witnesses are randomly selected nodes of the network– if a witness detects the same address appearing at two

different locations then it broadcast this information and the replicated nodes are revoked


12

Analysis of the decentralized variant total number of nodes in the network is n average number of neighbors is d (network degree) A broadcasts its location to its neighbors each neighbor of A forwards A’s location claim with probability p

to g randomly selected witnesses average number of witnesses receiving A’s location claim is p.d.g Assume the attacker inserts L replicas of node A The probability that p.d.g recipients of claim l1 do not receive any

of the p.d.g copies of claim l2 is:Pnc1 =(1-(p.d.g)/n) (p.d.g)

The probability that the 2 p*d*g recipients of claims l1 and l2 do not receive any of the p.d.g copies of claim l3 is:

Pnc2 =(1-(2p.d.g)/n) (p.d.g)

In the same way, the probability of no collisions is:Pnc =П(1-(i.p.d.g)/n)(p.d.g) (1 <= i <= (L-1))

Using (1+x)<=e^x we have: Pnc <=exp( - L(L-1)(p.d.g)2 / 2n)


Analysis of the decentralized variant

then for the probability of detection:

(1- Pnc =)Pdet > 1 – exp( - L(L-1)(p.d.g)2 / 2n)

numerical example:n = 10000, d = 20, g = 100, p = 0.5 L = 2 Pdet ~ 0.63L = 3 Pdet ~ 0.95

13


14

Establishment of security associations: Outline

Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link


15

Key establishment in sensor networks After identification, authentication and key establishment are

necessary for starting secure communication authentication and key establishment are related to each other:

– Once authenticated the two nodes can establish a session key – An already established key can be used for future authentication

A possible solution is public key cryptography: each device carries a certificate issued by the trusted authority

But due to resource constraints, asymmetric key cryptography should be avoided in sensor networks: asymmetric encryption is usually harder (more complicated computation and requiring the central organization)

we aim at setting up symmetric keys


Key establishment in sensor networks

requirements for key establishment depend on – communication patterns to be supported

• unicast• local broadcast• global broadcast

– need for supporting in-network processing: data aggregation on packets received from downstream nodes to make the data more impact

– need to allow passive participation: e.g. a node decides not to report an event to the sink if it hears another node is doing the same needs decryption

necessary key types– node keys – shared by a node and the base station to protect packets

exchanged between a node and the base station (no aggregation)– link keys – pairwise keys shared by neighbors (used for hop-by-hop encryption,

message authentication and integrity)– cluster keys – shared by a node and all its neighbors (hop-by-hop encryption for

local broadcast, makes passive participation possible)– network key – a key shared by all nodes and the base station (global broadcast)

16


17

Setting up node, cluster, and network keys node key

– can be preloaded into the node before deployment

cluster key– can be generated by the node and sent to each neighbor individually

protected by the link key shared with that neighbor

network key– can also be preloaded in the nodes before deployment– needs to be refreshed from time to time (due to the possibility of node

compromise)• neighbors of compromised nodes generate new cluster keys• the new cluster keys are distributed to the non-

compromised neighbors• the base station generates a new network key• the new network key is distributed in a hop-by-hop manner

protected with the updated cluster keys (not available to compromised node)


18

Setting up link keys What remains to solve is establishing link keys They can not be pre-loaded before network

deployment:

– no a priori knowledge of post-deployment topology• it is not known a priori who will be neighbor to whom

– gradual deployment• need to add new sensors after deployment


19

Link key setup using a short-term master key– Sensor networks: stationary nodes, neighborhood of a node

does not change frequently

Link key establishment protocol in four phases:– Master key pre-loading– Neighbor discovery– Link key computation– Master key deletion

Master key pre-loading:– Before deployment– Master key Kinit is loaded into the nodes– Each node u computes Ku = fKinit (u)


20

Link key setup using a short-term master key Neighbor discovery:

– After the deployment node u initializes a timer– Discovers its neighbors: by broadcasting HELLO message– Neighbor v responds with ACK– ACK: identifier of v, authenticated with Kv (u still has the

master key and can compute Kv)– u verifies ACK

link key computation:– link key: Kuv=fKv (u).

Master key deletion:– When timer expires: u deletes Kinit and all Kv s


Pairwise key establishment in sensor networks

1. Initialization

Keypool

(k keys)

m (<<k) keys in each sensor (“key ring of the node”)

2. Deployment

Do we have a common key?

Probability for any 2 nodes to have a common key:

)!2(!))!((1

2

mkkmkp

21


22

Random key pre-distribution – PreliminariesGiven a set S of k elements, we randomly choose two subsets S1 and S2 of m1 and m2 elements, respectively, from S. The probability of S1 S2 is


23

The basic random key pre-distribution scheme initialization phase

– a large pool S of unique keys are picked at random– for each node, m keys are selected randomly from S and pre-loaded

in the node (key ring)

direct key establishment phase– after deployment, each node finds out with which of its neighbors it

shares a key (e.g., each node may broadcast the list of its key IDs)– two nodes that discover that they share a key verify that they both

actually posses the key (e.g., execute a challenge-response protocol)

path key establishment phase– neighboring nodes that do not have a common key in their key

rings establish a shared key through a path of intermediate nodes where each link of the path is already secured in the direct key establishment phase


24

Setting the parameters connectivity of the graph resulting after the direct key

establishment phase is crucial a result from random graph theory [Erdős-Rényi]: in order for a

random graph to be connected with probability c (e.g., c = 0.9999), the expected degree d of the vertices should be (n is the number of nodes):

(1)

in our case, d = pn’ (2), where p is the probability that two nodes have a common key in their key rings, and n’ is the expected number of neighbors (for a given deployment density)

p depends on the size k of the pool and the size m of the key ring

(3)

c d p k, m(1) (2) (3)


25

Setting the parameters – an example number of nodes: n = 10000 expected number of neighbors: n’ = 40 required probability of connectivity after direct key

establishment: c = 0.9999

using (1): required node degree after direct key establishment: d =

18.42 using (2):

required probability of sharing a key: p = 0.46 using (3):

appropriate key pool and key ring sizes:k = 100000, m = 250k = 10000, m = 75…


26

Qualitative analysis advantages:

– parameters can be adopted to special requirements– no need for intensive computation– path key establishment have some overhead …

• decryption and re-encryption at intermediate nodes• communication overhead

– but simulation results show that paths are not very long (2-3 hops)– no assumption on topology– easy addition of new nodes

disadvantages:– node capture affects the security of non-captured nodes too

• if a node is captured, then its keys are compromised• these keys may be used by other nodes too

– if a path key is established through captured nodes, then the path key is compromised

– no authentication is provided


27

Improvements: q-composite rand key pre-distribution basic idea:

– two nodes can set up a shared key if they have at least q common keys in their key rings

– the pairwise key is computed as the hash of all common keys

advantage:– in order to compromise a link key, all keys that have been

hashed together must be compromised

disadvantage:– probability of being able to establish a shared key directly is

smaller (it is less likely to have q common keys, than to have one)

– key ring size should be increased (but: memory constraints) or key pool size should be decreased (but: effect of captured nodes)


28

Improvements: Multipath key reinforcement basic idea:

– establish link keys through multiple disjoint paths– assume two nodes have a common key K in their key rings– one of the nodes sends key shares k1, …, kj to the other through j secured

disjoint paths (encrypted hop-by-hop using the key links already established in the direct key establishment phase)

– the key shares are protected during transit by keys that have been discovered in the direct key establishment phase

– the link key is computed as K + k1 + … + kj

– If no K is common in the two nodes’ key rings the key would be k1 + … + kj

radio connectivity shared key connectivity

k2

K

multipath key reinforcement


29

Improvements: Multipath key reinforcement advantages:

– in order to compromise a link key, at least one link on each path must be compromised increased resilience to node capture

disadvantages:– increased overhead


30


Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link


31

Exploiting physical contact target scenarios

– modern home with multiple remotely controlled devices• DVD, VHS, HiFi, doors, air condition, lights, alarm, …

– modern hospital• mobile personal assistants and medical devices, such as thermometers,

blood pressure meters, …

common in these scenarios– transient associations between devices – physical contact is possible for initialization purposes

the resurrecting duckling security policy– at the beginning, each device has an empty soul– each empty device accepts the first device to which it is physically

connected as its master (imprinting)– during the physical contact, a device key is established– the master uses the device key to execute commands on the

device, including the suicide command– after suicide, the device returns to its empty state and it is ready to

be imprinted again


32


Key establishment in sensor networksExploiting physical contactExploiting mobilityExploiting the properties of vicinity and of the radio link


33

Does mobility increase or reduce security ? Authentication and security association between two devices is not

always convenient through physical contact, because the devices do not necessarily provide the appropriate interface or the users do not always carry the required cable with them

Mobility is usually perceived as a major security challenge – Wireless communications – Unpredictable location of the user/node– Not regularly availability of the user/node– Higher vulnerability of the device – Reduced computing capability of the devices

However, very often, people gather and move to increase security– Face to face meetings– Transport of assets and documents– Authentication by physical presence

In spite of the popularity of PDAs and mobile phones, this mobility has not been exploited to provide digital security

So far, client-server security has been considered as a priority (e-business)

Peer-to-peer security is still in its infancy


34

Mobile ad hoc networks with a central authority– off-line or on-line authority – nodes or authorities generate keys– authorities certify keys and node ids– authorities control network security settings and membership

Fully self-organized mobile ad hoc networks – no central authority (not even in the initialization phase !)– each user/node generates its own keys and negotiates keys with other

users– membership and security controlled by users themselves

trust trust

trusttrust

CA

trust

trusttrust

trust

trust

Fully self organizedAuthority-based

Two scenarios


35

Existing solutions: – Preloading all pairs of keys into nodes (it makes it

difficult to introduce new keys and to perform rekeying)– On-line authentication servers (problematic availability

and rekeying)

Routing cannot work until security associations are set up

Security associations cannot be set up via multi-hop routes because routing does not work

Routing – security interdependence


36

{ A, PuKA }

Wireless channel - Relatively long distance- No integrity- No confidentiality

PrKCA

A B

Certificate that binds B’s public key with its id, issued and signed by the central authority

Each node holds a certificate that binds its id with its public key, signed by the CA

{ B, PuKB }PrKCA

The establishment of security associations within power range breaks the routing-security interdependence cycle

Mobility helps security of routing: authority-based security systems


37

Mobile ad hoc networks with authority-based security systems– breaks the routing-security dependence circle – automatic establishment of security associations– no user involvement– associations can be established in power range – only off-line authorities are needed – straightforward re-keying

Advantages of the mobility approach (1/2)


38

Infrared link

(Alice, PuKAlice, XYZ)

(Bob, PuKBob , UVW)

Visual recognition, conscious

establishment of a two-way security association

Secure side channel -Typically short distance (a few meters)- Line of sight required- Ensures integrity- Confidentiality not required

Alice Bob

Fully self-organized scenarios: Public-key security association approaches

Secure side channel mechanism:


Secure side channel mechanism The node can easily verify the validation of the name

because the name should correspond to the person present at the encounter

The node can verify that the other node really possesses the private key corresponding to the received public key using a simple challenge-response protocol.

Finally the node address can be verified against the public key, e.g. by using Cryptographically Generated Addresses Assumption: NodeId = h(PuK)

39

Alice


40

IR

Colin

Bob(Colin’s friend)

Alice



- Bob knows the triplet of Alice -Colin and Bob are friends: They have established a Security Association at initialisation, and they faithfully share with each other the Security Associations with other users (trust)- Bob can issue fresh certificate for Alice and send it to Colin- Colin knows the public key of Bob and trusts it: can verify the received information and accept it if verified

Friends mechanism


41

Friendship : nodes know each others’ triplets

Exchange of triplets over the secure side channelTwo-way SA resulting from a physical encounter

i j i knows the triplet of j ; the triplet has been obtained from a friend of i

i

f

j i

f

j

i

f

j i

f

j

i j i ja) Encounter

b) Mutual friend

c) Friend + encounter

Mechanisms to establish Security Associations


Symmetric-key security association approaches

42

Friendship : nodes know each others’ triplets

Exchange of triplets over the secure side channelTwo-way SA resulting from a physical encounter

i j i knows the triplet of j ; the triplet has been obtained from a friend of i

i

f

j i

f

j

u

f

vu

f

v

i j i ja) Encounter: when i and j are in each other’s vicinity they exchange through the side channel their user names and addresses and the data to generate a key (must be confidential)

b) Mutual friend: i and j both have a shared key with f and also trust it; f can act as a trusted server or relay to help I and j to share a secret key

c) Friend + encounter: when two nodes have no common friend or do not want the friend to know thier secrets shared with others:f is u’s friend and has set up an association withV; g is v’s friend and has set up an associationwith u. u generates a key contribution, k_u, andSends it to v via g and v send its key contribution, k_v,to u via f. Then both u and v generate the k_uv using k_u and k_v.

gg


43

Fully self-organized mobile ad hoc networks – There are no central authorities– Each user/node generates its own public/private key pairs– Intuitive for users– Useful for setting up security associations for secure routing

in smaller networks or peer-to-peer applications – Requires some time until network is fully secure– User/application oriented

Advantages of the mobility approach (2/2)


44

Conclusion on security associations using mobility Mobility can help security in mobile ad hoc networks Mobility “breaks” the security-routing

interdependence cycle The pace of establishment of the security

associations is strongly influenced by the area size, the number of friends, and the speed of the nodes

The proposed solution also supports re-keying The proposed solution can easily be implemented

with both symmetric and asymmetric crypto


45


Key establishment in sensor networksExploiting physical contactExploiting mobilityExploiting the properties of vicinity and of the radio link


46

Exploiting vicinity problem

– how to establish a shared key between two PDAs (using the radio link when no infrared connection is available)?

assumptions– no CA– PDAs can use short range radio communications (e.g.,

Bluetooth)– PDAs have a display– PDAs are held by human users

Example: two people get together at a meeting and want to exchange their business card using their PDAs in a secure way.

idea– use the Diffie-Hellman key agreement protocol– ensure key authentication by the human users


The Diffie-Hellman protocol

47

BobAlice

select random xcompute gx mod p

select random ycompute gy mod p

gx mod p

gy mod p

compute k = (gy)x mod p compute k = (gx)y mod p

assumptions: p is a large prime, g is a generator of subgroup Zp*, both are publicly known system

parameters

Diffie-Hellman with String Comparison: a protocol to ensure the integrity of the exchanged randoms (the two users will only need to trigger the protocol and justcompare two strings of characters)


48

Summary of establishment of security associations it is possible to establish pairwise shared keys in ad

hoc networks without a globally trusted third party mobility, secure side channels, and friends are

helpful in sensor networks, we need different types of keys

– node keys, cluster keys, and network keys can be established relatively easily using the technique of key pre-loading and using already established link keys

– link keys can be established using a short-term master key or with the technique of random key pre-distribution

an overview of trust, naming and addressing and establishment of security associations

Documents