security and cooperation in wireless ... - people.kth.se

1

Security and Cooperation in Wireless Networks

Tutorial at ACM MobiCom/MobiHoc 2007

Jean-Pierre Hubaux and Panos Papadimitratos{firstname.lastname}@epfl.ch

2


Part 1: New Wireless Networks andNew Challenges

Jean-Pierre [email protected]


Thwarting Malicious and Selfish Behavior in the Age of Ubiquitous Computing

Levente Buttyan and Jean-Pierre Hubaux

With contributions from N. Ben Salem, M. Cagalj,S. Capkun, M. Felegyhazi, T. Holczer,

P. Papadimitratos, P. Schaffer, and M. Raya

http://secowinet.epfl.ch

4


1. Introduction2. Thwarting malicious behavior3. Thwarting selfish behavior

5

The Internet : something went wrong

Network deploymentNetwork deployment

Observationof new misdeeds

(malicious or selfish)

Observationof new misdeeds

(malicious or selfish)

Install security patches(anti-virus, anti-spam, anti-spyware,

anti-phishing, firewalls,…)

Install security patches(anti-virus, anti-spam, anti-spyware,

anti-phishing, firewalls,…)

“The Internet is Broken”MIT Technology Review,Dec. 2005 – Jan. 2006

NSF FIND, GENI, etc.

6

Where is this going ?

What if tomorrow’s wireless networks are even more unsafe than today’s Internet ?What if tomorrow’s wireless networks are even more unsafe than today’s Internet ?

The Economist, April 28, 2007MIT Technology Review,Dec. 2005 – Jan. 2006

7

Upcoming wireless networks• New kinds of networks

– Personal communications• Small operators, community networks• Cellular operators in shared spectrum• Mesh networks• Hybrid ad hoc networks (also called “Multi-hop cellular networks”)• “Autonomous” ad hoc networks• Personal area networks

– Vehicular networks– Sensor and RFID networks– …

• New wireless communication technologies– Cognitive radios– MIMO– Ultra Wide Band– Directional antennas– …

8

Upcoming wireless networks• New kinds of networks

– Personal communications• Small operators, community networks• Cellular operators in shared spectrum• Mesh networks• Hybrid ad hoc networks (also called “Multi-hop cellular networks”)• “Autonomous” ad hoc networks• Personal area networks

– Vehicular networks– Sensor and RFID networks– …

• New wireless communication technologies– Cognitive radios– MIMO– Ultra Wide Band– Directional antennas– …

9

Community networks

• Centralized solution: FON, http://en.fon.com/

• Distributed solution:E. Pantelis, A. Frangoudis, and G. PolyzosStimulating Participation in Wireless Community NetworksINFOCOM 2006

• Incentive technique based on proof of contribution

Example: service reciprocation in community networks

10

Mesh Networks

Transit Access Point (TAP)

11

Mesh Networks: node compromise

12

Mesh Networks: jamming

More on mesh networks: • IEEE Wireless Communications, Special Issue on Wireless Mesh Networking,

Vol. 13 No 2, April 2006

13

Vehicular networks: why?

• Combat the awful side-effects of road traffic– In the EU, around 40’000 people die yearly on the roads;

more than 1.5 millions are injured– Traffic jams generate a tremendous waste of time and of fuel

• Most of these problems can be solved by providing appropriate information to the driver or to the vehicle

14

Example of attack : Generate “intelligent collisions”

SLOW DOWN

The way is clear

For more information: http://ivc.epfl.chhttp://www.sevecom.org

• All carmakers are working on vehicular comm.• Vehicular networks will probably be the largestincarnation of mobile ad hoc networks

15

Sensor networks

Vulnerabilities:• Theft reverse engineered and compromised, replicated • Limited capabilities risk of DoS attack, restriction on

cryptographic primitives to be used• Deployment can be random pre-configuration is difficult• Unattended some sensors can be maliciously moved around

16

RFID• RFID = Radio-Frequency Identification

• RFID system elements– RFID tag + RFID reader + back-end database

• RFID tag = microchip + RF antenna– microchip stores data (few hundred bits)– Active tags

• have their own battery expensive– Passive tags

• powered up by the reader’s signal• reflect the RF signal of the reader modulated with stored data

RFID tagRFID reader

back-enddatabase

tagged object

detailedobject

information

readingsignal

IDID

17

Trends and challenges in wireless networks

• From centralized to distributed to self-organized Security architectures must be redesigned

• Increasing programmability of the devicesincreasing risk of attacks and of greedy behavior

• Growing number of tiny, embbeded devices Growing vulnerability, new attacks

• From single-hopping to multi-hoppingIncreasing “security distance” between devices and

infrastructure, increased temptation for selfish behavior• Miniaturization of devices Limited capabilities• Pervasiveness Growing privacy concerns

… Yet, mobility and wireless can facilitate certain security mechanisms

18

Grand Research Challenge

Prevent ubiquitous computing from becoming

a pervasive nightmare

19

Reasons to trust organizations and individuals

• Moral values– Culture + education, fear of bad reputation

• Experience about a given party– Based on previous interactions

• Rule enforcement organization– Police or spectrum regulator

• Usual behavior– Based on statistical observation

• Rule enforcement mechanisms– Prevent malicious behavior (by appropriate security

mechanisms) and encourage cooperative behavior

}Will lose relevance

Scalability challenge

Can be misleading

20

Upcoming networks vs. mechanisms

X X X X X X

X X X X

X

X

?

X

X

X X X X X X ?

X X X X X X X X

X X X X X X X X

X X X X X ? ? ?

X X X X X ? ?

X ? X X ?

Small operators, community networksCellular operators in shared spectrumMesh networks

Naming and addressing

Discouraging

greedy op.

Security

associa

tions

Securin

g neighbor disc

overy

Secure ro

uting

Privac

yEnforci

ng PKT FWing

Enforcing fa

ir MAC

Hybrid ad hoc networksSelf-organized ad hoc networks

Vehicular networks

Sensor networks

RFID networks

Upcomingwireless

networks

Ruleenforcement

mechanisms

Behavior

enforc.

Security Cooperation

21


1. Introduction2. Thwarting malice: security mechanisms

2.1 Naming and addressing2.2 Establishment of security associations2.3 Secure neighbor discovery2.4 Secure routing in multi-hop wireless networks2.5 Privacy protection2.6 Secure positioning

3. Thwarting selfishness: behavior enforcement3.0 Brief introduction to game theory3.1 Enforcing fair bandwidth sharing at the MAC layer 3.2 Enforcing packet forwarding3.3 Wireless operators in a shared spectrum3.4 Secure protocols for behavior enforcement

22

2.1 Naming and addressing• Typical attacks:

– Sybil: the same node has multiple identities– Replication: the attacker captures a node and replicates it

several nodes share the same identity• Distributed protection technique in IPv6: Cryptographically Generated

Addresses (T. Aura, 2003; RFC 3972))

Public key

Hash function

Interface IDSubnet prefix

64 bits 64 bits

For higher security (hash function outputbeyond 64 bits), hashextension can be used

Parno, Perrig, and Gligor. Detection of node replication attacks in sensor networks. IEEE Symposium on Security and Privacy, 2005

IPv6 address

23

2.2 Pairwise key establishment in sensor networks

1. Initialization

Keyreservoir(k keys)

m (<<k) keys in each sensor (“key ring of the node”)

2. Deployment

Do we have a common key?

Probability for any 2 nodes to have a common key:

)!2(!))!((1

2

mkkmkp−−

−=

24

Probability for two sensors to have a common key

Eschenauer and Gligor, ACM CCS 2002See also:• Karlof, Sastry, Wagner: TinySec, Sensys 2004• Westhoff et al.: On Digital Signatures in Sensor Networks, ETT 2005

25

2.3 Securing Neighbor Discovery:Thwarting Wormholes

• Routing protocols will choose routes that contain wormhole links– typically those routes appear to be shorter– Many of the routes (e.g., discovered by flooding based routing

protocols such as DSR and Ariadne) will go through the wormhole• The adversary can then monitor traffic or drop packets (DoS)

26

Wormholes are not specific to ad hoc networks

access control system:gate equipped with contactless smart card reader

contactlesssmart card

contactlesssmart cardemulator

smart cardreader emulator

fastconnection

wormhole

user may befar away from the building

Hu, Perrig, and Johnson Packet leashes: a defense against wormhole attacks in wireless networksINFOCOM 2003

27

2.4 Secure routing in wireless ad hoc networks

A

B

C

D

E

F

G

H

A *: [req,A,H; -] B, C, D, EB *: [req,A,H; B] AC *: [req,A,H; C] AD *: [req,A,H; D] A, E, GE *: [req,A,H; E] A, D, G, FF *: [req,A,H; E,F] E, G, HG *: [req,A,H; D,G] D, E, F, H

H A: [H,F,E,A; rep; E,F]

Exchange of messages in Dynamic Source Routing (DSR):

• Routing disruption attacks– routing loop– black hole / gray hole– partition– detour– wormhole

• Resource consumption attacks– injecting extra data packets in the network– injecting extra control packets in the network

28

Operation of Ariadne illustrated

A *: [req, A, H, MACKAH, (), ()]E *: [req, A, H, h(E|MACKAH), (E), (MACKE,i)]F *: [req, A, H, h(F|h(E|MACKAH)), (E, F), (MACKE,i, MACKF,i)]

H F: [rep, H, A, (E, F), (MACKE,i, MACKF,i), MACKHA, ()]F E: [rep, H, A, (E, F), (MACKE,i, MACKF,i), MACKHA, (KF,i)]E A: [rep, H, A, (E, F), (MACKE,i, MACKF,i), MACKHA, (KF,i, KE,i)]

A

B

C

D

E

F

G

H

29

Secure route discovery with the Secure Routing Protocol (SRP)

Route Reply (RREP): QID, T, V3, V2, V1, S, MAC(KS,T, QID, QSEQ, T, V3, V2, V1, S) (5) T → V3 : RREP; (6) V3 → V2 : RREP; (7) V2 → V1 : RREP; (8) V1 → S : RREP;

S V1 V3 V2 T

1 2 3 4

8 7 6 5

Route Request (RREQ): S, T, QSEQ, QID, MAC(KS,T, S, T, QSEQ, QID) (1) S broadcasts RREQ; (2) V1 broadcasts RREQ, V1; (3) V2 broadcasts RREQ, V1, V2; (4) V3 broadcasts RREQ, V1, V2, V3;

QSEQ: Query Sequence NumberQID : Query Identifier

30

More on secure routing

Secure Data Communication

Secure Route Discovery

Hu, Perrig, and Johnson: Ariadne, Sept. 2002, SEAD, Jun. 2002

Zapata and Asokan: S-AODV, Sept. 2002

Papadimitratos and Haas: Secure Single Path (SSP) and Secure Multi-path (SMT) protocols, Jul./Sept. 2003, Feb. 2006

Papadimitratos and Haas: Secure Routing Protocol (SRP), Jan. 2002

Sangrizi, Dahill, Levine, Shields, and Royer: ARAN, Nov. 2002

All above proposals are difficult to assessG. Ács, L. Buttyán, and I. Vajda:

Provably Secure On-demand Source RoutingIEEE Transactions on Mobile Computing, Nov. 2006

Cross-layerattacks

Aad, Hubaux, Knightly: Jellyfish attacks, 2004

31

2.5 Privacy: the case of RFID• RFID = Radio-Frequency Identification

• RFID system elements– RFID tag + RFID reader + back-end database

• RFID tag = microchip + RF antenna– microchip stores data (few hundred bits)– Active tags

• have their own battery expensive– Passive tags

• powered up by the reader’s signal• reflect the RF signal of the reader modulated with stored data

RFID tagRFID reader

back-enddatabase

tagged object

detailedobject

information

readingsignal

IDID

32

RFID privacy problems• RFID tags respond to reader’s query automatically,

without authenticating the readerclandestine scanning of tags is a plausible threat

• Two particular problems:1. Inventorying: a reader can silently determine what objects

a person is carrying• books• medicaments • banknotes• underwear• …

2. Tracking: set of readers can determine where a given person is located• tags emit fixed unique identifiers• even if tag response is not unique it is possible

to track a set of particular tags

watch: Casio

book:Wireless Security

shoes: Nike

suitcase: Samsonite

jeans: Lee Cooper

Juels A., RFID Security and Privacy: A Research Survey, IEEE JSAC, Feb. 2006

33

2.6 Secure positioning

m1

v2

v1

v1

vmc

- honest node - malicious node - compromised node

v3

m5

m3

m4

m2

c

c

WormholeNode displacement

a) b)

d) Dissemination of false position and distance information

c) Malicious distance enlargement

Node's actual positionNode's actual

distanceNode's measureddistance

Node's reportedposition

http://www.syssec.ethz.ch/research/spot

(not part of the book)

34

Security and Cooperation in Wireless Ad Hoc Networks




35

3.0 Brief introduction to Game Theory

• Discipline aiming at modeling situations in which actors have to make decisions which have mutual, possibly conflicting, consequences

• Classical applications: economics, but also politics and biology

• Example: should a company invest in a new plant, or enter a new market, considering that the competitioncould make similar moves?

• Most widespread kind of game: non-cooperative(meaning that the players do not attempt to find an agreement about their possible moves)

36

Example 1: The Forwarder’s Dilemma

?Blue Green

?

37

From a problem to a game

• Users controlling the devices are rational (or selfish): they try to maximize their benefit

• Game formulation: G = (P,S,U)– P: set of players– S: set of strategy functions– U: set of utility functions

• Strategic-form representation

• Reward for packet reaching the destination: 1• Cost of packet forwarding: c (0 < c << 1)

(1-c, 1-c) (-c, 1)(1, -c) (0, 0)

BlueGreen

Forward

Drop

Forward Drop

38

Solving the Forwarder’s Dilemma (1/2)

' '( , ) ( , ), ,i i i i i i i i i iu s s u s s s S s S− − − −< ∀ ∈ ∀ ∈

iu U∈i is S− −∈

Strict dominance: strictly best strategy, for any strategy of the other player(s)

where: utility function of player istrategies of all players except player i

In Example 1, strategy Drop strictly dominates strategy Forward

(1-c, 1-c) (-c, 1)(1, -c) (0, 0)

BlueGreen

Forward

Drop

Forward Drop

Strategy strictly dominates ifis

39


Solution by iterative strict dominance:

(1-c, 1-c) (-c, 1)(1, -c) (0, 0)

BlueGreen

Forward

Drop

Forward Drop

Drop strictly dominates ForwardDilemma

Forward would result in a better outcomeBUT }

40

Nash equilibrium

Nash Equilibrium: no player can increase his utility by deviating unilaterally

(1-c, 1-c) (-c, 1)(1, -c) (0, 0)

BlueGreen

Forward

Drop

Forward Drop

The Forwarder’s Dilemma

(Drop, Drop) is the only Nash equilibrium of this game(Drop, Drop) is the only Nash equilibrium of this game

41

Example 2: The Multiple Access game

Reward for successfultransmission: 1

Cost of transmission: c(0 < c << 1)

There is no strictly dominating strategy

(0, 0) (0, 1-c)(1-c, 0) (-c, -c)

BlueGreen

Quiet

Transmit

Quiet Transmit

There are two Nash equilibria

Time-division channel

42

More on game theory

Properties of Nash equilibria to be investigated:• uniqueness• efficiency (Pareto-optimality)• emergence (dynamic games, agreements)

Promising area of application in wireless networks: cognitive radios

Pareto-optimalityA strategy profile is Pareto-optimal if the payoff of a player cannot be increased without decreasing the payoff of another player

43





44

3.1 Enforcing fair bandwidth sharing at the MAC layer

Well-behaved nodeCheater

The access point is trustedThe access point is trusted

• Kyasanur and Vaidya, DSN 2003• http://domino.epfl.ch• Cagalj et al., Infocom 2005 (game theory model for CSMA/CA ad hoc networks)

45

3.2 Enforcing packet forwarding

• V. Srinivasan, P. Nuggehalli, C. Chiasserini, and R. Rao, Infocom 2003, IEEE TWC 2005

• M. Felegyhazi, JP Hubaux, and L. Buttyan, Personal Wireless Comm. Workshop 2003, IEEE TMC 2006

S1

S2

D1D2

Usually, the devices are assumed to be cooperative. But what if they are not, and there is no incentive to cooperate?

46

Modeling packet forwarding as a game

time0time slot: 1 t

Strategy:cooperationlevel

pC(0) pC(1) pC(t)

Player: node

Payoff of node i: proportion of packets sent by node i reaching their destination

47

3.3 Games between wireless operatorsMulti-domain sensor networks

• Typical cooperation: help in packet forwarding• Can cooperation emerge spontaneously in multi-domain sensor

networks based solely on the self-interest of the sensor operators?

48

3.3 Border games of cellular operators (1/3)

49

• Two CDMA operators: A and B• Adjust the pilot signals• Power control game (no power

cost):– players = operators– strategies = pilot powers – payoffs = attracted users (best

SINR)pilotpG

where: – pilot processing gain– pilot signal power of BS A– path loss between A and v– own-cell interference factor– other-to-own-cell interference factor– traffic signal power assigned to w

by BS A– set of users attached to BS A

0

pilotp A Avpilot

Av pilot pilotown other

G P dSINR

N W I I

α−⋅ ⋅=

⋅ + +

Signal-to-interference-plus-noise ratio

A

pilotown Av Aw

wI d Tας −

∈

⎛ ⎞= ⋅ ⎜ ⎟

⎝ ⎠∑M

B

pilotother Bv B Bw

wI d P Tαη −

∈

⎛ ⎞= ⋅ +⎜ ⎟

⎝ ⎠∑M

Own-cell interference

Other-to-own-cell interference

pilotpG

APAvd α−

ςη

AwT

AM


50

• Unique and Pareto-optimal Nash equilibrium• Higher pilot power than in the standard Ps = 2W• 10 users in total

Extended game with power costs = Prisoner’s Dilemma where:

U – fair payoff (half of the users)Δ – payoff difference by selfish behaviorC* - cost for higher pilot power

standard

Nash equilibrium


51

3.4 Secure protocols for behavior enforcement

V2

V1

V4

V3

DS 3

4

15

10

7

5

3

5

3

2

• Self-organized ad hoc network• Investigation of both routing and packet forwarding

S. Zhong, L. E. Li, Y. G. Liu, and Y. R. Yang.On designing incentive-compatible routing and forwarding protocols in wireless ad hoc networks – an integrated approach using game theoreticaland cryptographic techniquesMobicom 2005

52

Who is malicious? Who is selfish?

There is no watertight boundary between malice and selfishnessBoth security and game theory approaches can be useful

There is no watertight boundary between malice and selfishnessBoth security and game theory approaches can be useful

Harm everyone: viruses,…

Selective harm: DoS,… Spammer

Cyber-gangster:phishing attacks,trojan horses,…

Big brother

Greedy operator

Selfish mobile station

53

From discrete to continuousWarfare-inspired Manichaeism:

The more subtle case of commercial applications:

Bad guys (they)Attacker

Good guys (we)System (or country) to be defended

0 1

Undesirablebehavior

Desirablebehavior

0 1

• Security often needs incentives• Incentives usually must be secured

54

http://secowinet.epfl.ch

55

Book structure (1/2)

X X X X X X

X X X X

X

X

?

X

X

X X X X X X ?

X X X X X X X X

X X X X X X X X

X X X X X ? ? ?

X X X X X ? ?

X ? X X ?

Small operators, community networksCellular operators in shared spectrumMesh networks

Naming and addressing

Discouraging

greedy op.

Security

associa

tions

Securin

g neighbor disc

overy

Secure ro

uting

Privac

yEnforci

ng PKT FWing

Enforcing fa

ir MAC

Hybrid ad hoc networksSelf-organized ad hoc networks

Vehicular networks

Sensor networks

RFID networks

Upcomingwireless

networks

Security and cooperation

mechanisms

Behavior

enforc.

Part I Part IIIPart II

56

Book structure (2/2)

1. Existing networks

2. Upcoming networks

3. Trust

4. Naming and addressing

5. Security associations

6. Secure neighbor discovery

7. Secure routing

8. Privacy protection

9. Selfishness at MAC layer

10. Selfishness in PKT FWing

11. Operators in shared spectrum

12. Behavior enforcement

Appendix A:Security and crypto

Appendix B:Game theory

Security Cooperation

57

Conclusion

• Upcoming wireless networks bring formidable challenges in terms of security and cooperation

• The proper treatment requires a thoroughunderstanding of upcoming wireless networks, of security, and of game theory

Slides available at http://secowinet.epfl.ch

58


Part 2: Thwarting Malicious Behavior

Panos [email protected]

© 2007 P. Papadimitratos

59

Outline

• Topics– Security Association Establishment– Secure Neighbor Discovery– Secure Route Discovery– Secure Data Communication– Privacy Enhancing Technologies for Vehicular

Communication Systems

60

Security Association Establishment


61

Problem statement

• Establishing secure communication channels between devices

Alice

Carol

Bob

Dave

Alice-Bob secure channel

Carol-Dave secure channel

62

Problem statement (cont’d)

• Security requirements– Authentication– Integrity– Confidentiality– Non-repudiation– …

Alice Bob

63


• Security mechanisms– Message Authentication Codes (MACs)– Digital signatures– Encryption/decryption– Passwords– …

• Cryptography– Asymmetric key– Symmetric key

Alice Bob

64


• Enable secure communication– Uni-directional– Bi-directional

• Issues to consider– Long- or short- term?– What fraction of the system nodes?– Is there a trusted third party?– …

65

Public-key approach

• Pro: Any-to-any secure communication• Con: Need to bind public keys to identities

AliceIdentity: APublic key: KAPrivate key: kA

BobIdentity: BPublic key: KBPrivate key: kB

66

Bob

(2) EA(sec-text,B), SigB(A,nA,EA(sec-text,B))

Public-key approach (cont’d)

Alice(1) nA, A, text, SigA(nA,A,text)

• Secure communication example– Message (1): signed with kA; nA is a nonce– Message (2): sec-text and B encrypted with KA; A, nA,

and ciphertext signed with kB

– Note: In practice, different keys are used for signing/verifying and encrypting/decrypting

67

Public-key approach (cont’d)

• Certification Authority(CA)– Trusted Third Party– Known KCA

– CertCA: CA signature on the identity, public key, and other information (e.g., lifetime)

AliceIdentity: APublic key: KAPrivate key: kA

CertCA{A,KA}

BobIdentity: BPublic key: KBPrivate key: kB

CertCA{B,KB}

68

Using a CA

• Largely independent of communication– Users obtain certificates over the wire-line

network– Certificates are installed at wireless devices

and the corresponding keys used to secure wireless communication

• Examples specific to wireless networks

69

Using a CA (cont’d)

• Wireless local-area (e.g., campus-wide) networks– CA locally administered– IEEE 802.11 devices communicate securely with access

points

• Tactical networks– CA operated by the corresponding government

department– Keys and certificates installed at wireless-enabled

devices– Hierarchical network organization

• Vehicular Communication (VC) Systems• More detailed look next

70

CA example: Vehicular Networks

• Authorities

71

CA example: Vehicular networks (cont’d)

• Authorities– Hierarchical organization– ‘Forest’ with cross-certification

72

Public key cryptography - Practical aspects

• There is no single trusted authority– Nodes belonging to different administrative

domains will in general be associated and execute security protocols

• PK cryptography is feasible even in low-end mobile platforms, but it is costly– Processing– Energy consumption– Delays– Transmission overhead

73

Symmetric key establishment

• PK cryptography– Moderated use recommended– Examples:

• Session keys• Shared symmetric key establishment

• Key agreement– Both nodes contribute to the shared

symmetric key• Key transport

– One of the nodes ‘chooses’ the shared symmetric key

74

Key agreement• Authenticated Diffie-Hellman protocol

– g publicly known parameter; G a multiplicative group – A selects a random number rA in G; it calculates – B selects a random number rB in G; it calculates

(1) tA, EB(A, nA)

ArAt g=

BrBt g=

K0= h(nA,nB)(2) tB, EA(nB), MAC(K0, tA, tB, B, A)

Bob

(3) MAC(K0, tA, tB, A, B)

Alice

( ) ( )A B A Br r r rAB B AK t g t= = =

H. Krawczyk, “SKEME: A versatile secure key exchange mechanism for Internet,” NDSS’96

75

(3) nB, B, SigA(nB, B)

(2) nB, A, nA, EA(B, KBA), SigB(nB, A, nA, EA(B, KBA))

Key transport

BobAlice

(1) nA, B, EB(A, KAB), SigA(nA, B, EB(A, KAB))

( , )AB AB BAK f K K=

X.509 three-pass key transport protocol

76

Hash chains• Cryptographic hash or one-way function

– h : {0,1}* {0,1}n

– Input: Arbitrary length – Output: Fixed length n

• Required properties– Collision resistance: it is computationally infeasible to

find two distinct inputs, x, y, which hash to a common value h(x)=h(y)

– Pre-image resistance: given a specific hash-value z, it is computationally infeasible to find an input x such that h(x)=z

– 2nd pre-image resistance: given x and h(x) it is computationally infeasible to find a second input y≠xsuch that h(y)=h(x)

– Low computational cost: given h and an input x, h(x) is easy to compute.

77

Hash Chains (cont’d)

• Pick a random number r• Generate k elements by hashing r successively k

times

• H0 is the hash chain anchor• The remaining k-1 elements can be used for

authentication

( ) ( ) ( ) ( ) ( )( )( ) ( )1 3 2k kh r h rh r r h rh rh h−← ← ← ← = ←

0 1 3 2 1k kkH H H HH− −−← ← ← ←←

= = = = =

78

Bootstrapping a hash chain

• Alice must ‘commit’ to the hash chain anchor• Each Bi node validates the commitment (signature) and

stores H0

• Alice can then utilize the hash chain elements

SigA(H0, A, text), H0, A, text, CertCA(KA, A)

Alice B1

B2

B3

79

Using a hash chain

• Chain elements as authenticators, e.g., to transmit “yes” / “no”– “Yes” chain

– “No” chain0 1 3 2 1k kkH H H HH− −−← ← ← ←←

0 1 3 2 1k kkG G G GG− −−← ← ← ←←• Sender : ‘Reveal’ elements in this order

• Use Gi or Hi to authenticate a “no” or “yes”• Receiver: For the i – th message from Alice, verify that hi(Hi) =H0 or hi(Gi) =G0

R. Hauser, A. Przygienda, and G. Tsudik, “Reducing the Cost of Security in Link-State Routing,” NDSS’96

80

Using a hash chain (cont’d)

• Chain elements as symmetric keys

– Synchronized clocks at sender and receiver– Sender release keys (e.g., flooding them across the

network) at specific intervals– A posteriori validation at the receiver: reject messages

not generated sufficiently close to the release time

0 1 3 2 1k kkH H H HH− −−← ← ← ←←

Time Ti: : mi = A, texti, MAC(Hi, A, texti)Time Ti+j : Release Hi

S. Cheung, “An Efficient Message Authentication Scheme for Link State Routing,”Comp. Sec. App. Conf. ‘97A. Perrig et al., "Efficient and secure source authentication for multicast,“ NDSS '01

81

Recap: Public key enabled security

• Advantages– Any-to-any secure communication– Basis for bootstrapping symmetric key

primitives

• Disadvantages– Processing and communication overhead– Setting up a certification authority

• Comment– Methods discussed so far are rather ‘agnostic’

to the underlying network technology

82

What if no CA is available?

• Main challenge: Man-in-the-Middle attacks

BobAlice

Intended and perceived secure communication

MitM attacker

Actual communication

Actual communication

83

What if no CA is available? (cont’d)

• Can we leverage on characteristics of the network or the mobile application?

• Observation 1: Wireless, mobile devices are used by human beings, who can assist the security association establishment

• Observation 2: Wireless communication possible only within a very short range or within a line of sight can imply that no other device is present (caution!)

84

Leveraging on the users• Password-based key establishment

– : shared password–– q publicly known parameter– A, B select random numbers x, y respectively

(1) wA

(2) wB

BobAlice

( )2( ) modg h qπ π=π

modxAw g qπ=

modyBw g qπ=

modyAz w q=modx

Bz w q=Abort if z is not in range [2, q−2] Otherwise, z is a large shared secret

D. Jablon, “Extended Password Key Exchange Protocols Immune to Dictionary Attacks,” WET-ICE '97

85

Leveraging on the users (cont’d)

• Password-based key establishment– h : hash function– Once z is established, A and B prove to each other they

know the same z– A and B can then derive a session key from z

(3) oB

(4) oA

BobAlice

(03|| || || || )B A Bo h w w z gπ=(04|| || || || )A A Bo h w w z gπ=

3 (03|| || || || )A Bo h w w z gπ= 4 (04|| || || || )A Bo h w w z gπ=

Abort if or3Bo o≠ 4Ao o≠

86

Leveraging on the user (cont’d)

• The user verifies that the keys generated at the two devices are identical

• Visual and audible hashesPhrase 1Phrase 2

M. Goodrich, M. Sirivianos, J. Solis, G. Tsudik, and E. Uzun, “Loud And Clear Human-Verifiable Authentication Based on Audio", ICDCS'06

J. McCune, A. Perrig, and M. Reiter, "Seeing-is-Believing: Using Camera Phones for Human-Verifiable Authentiction." S&P'05

87

Leveraging on the wireless link

• ‘Off-line’ local channels– One example: infra-red

• D. Balfanz, D. Smetters, P. Stewart, and H. Wong, “Talking to strangers: Authentication in ad-hoc wireless networks,” NDSS’02

– Exchange information over the local channel that allows you to authenticate over the wireless radio channel

• Caution: System and protocol design must ensure that it is indeed impossible for the attacker to interfere actively with the communication over the local channel– For example, the attacker must be unable to act as an

‘invisible’ relay

88

Leveraging on the network

• Mobility– Users meeting each other, e.g., at a

conference, can set up symmetric keys or exchange public keys• Chapter 5 and S. Capkun, J-P. Hubaux, and L.

Buttyan, “Mobility helps security,” ACM Mobihoc’03

– More generally, a mobile device can be interested in obtaining public keys of other devices in proximity, e.g., within a few hops• Example later in secure routing

– Point of caution: communication pattern

89

Summary • One-to-one, one-to-many, one-to-all, any-to-any

secure communication• Need for protocols that allow dynamic

establishment of security associations – Public-key cryptography – Symmetric-key cryptography– Leveraging on the communication and computing

environment characteristics• Various communication patterns

– Duration, number of communicating devices, direction of communication

• Additional readings– Sensor network key distribution (Chapter 5)

90

Secure Neighbor Discovery


91

Problem statement

• Node discovery– A node discovers other nodes it can directly

communicate with

AB

C

D

92


• R: nominal communication range• Caution: A, B are neighbors if and only if

they can communicate directly

A

B

RR

93


• B is neighbor of A if and only if it can receive directly from A

• Link (A,B) is up B is neighbor of A• Consider the case with different nominal

communication ranges, e.g., RA, RB; then (A,B) may be up while (B,A) is down

A

B

RR

94

Neighbor discovery

• Neighbor discovery is a building block for other system functionality– Communication– Access control– Physical access control

• Examples– First step before routing– Connection to an wireless LAN access point– Radio Frequency Identification (RFID) reader

controlling a door

95

Neighbor discovery (cont’d)

• Simple, widely used solution, but not secure• Easy to mislead B that A is its neighbor when

this is not the case

A B

“Hello, I’m A”

B: “A is my neighbor”;“A is added in myNeighbor List”

96

Attacking neighbor discovery

• Single adversary appears as multiple neighbors

M


“Hello, I’m C”

“Hello, I’m Z” B: Neighbor List = {A, C, …, Z}

…

97

Securing neighbor discovery

• A first attempt– Authenticate “Hello” messages

• The adversary can record signed “Hello”messages and transmit (replay) them later

A B“Hello, I’m A”, SigA(“Hello, I’m A” ),CertCA(KA,A)

(1) Validate CertCA()(2) Validate SigA()(3) Add A to

neighbor iff (1), (2) are successful

98

(2) A, nA, nB, B, SigA(A, nA,nB, B), CertCA(KA,A)

Securing neighbor discovery (cont’d)

• A second attempt– Message authenticity and replay protection

• nA, nB are nonces– Bob essentially ‘challenges’ Alice to provide a ‘hello’

message

A B(1) nB, B

99

Attacking neighbor discovery (cont’d)

• “Relay” or “Wormhole” Attack– Simply relay any message, without any modification

A

“HelloB, I’m

A”“H

ello

B, I’

m A

”

B: Neighbor List = {A}

M“B: Anyone there?” “B

: Any

one

ther

e?”

100


• Long-range relay / wormhole– The attacker relays messages across large

distances

out-of-band or private channel

B: Neighbor List = {A}


“Hello, I’m A” “Hello, I’m A”

B

M1 M2

A

101

Attack implications

• Network access control– The attacker ‘assists’ access – But it has control over the nodes’ communication

AP

AB

M1

obstacle

M2

102

Attack implications (cont’d)

A

B

M VU

DC

• Routing– The attacker creates a ‘link’ and ‘provides’ shortest routes– Attracted traffic is under the control of the adversary

103

Attack implications (cont’d)

• Physical access control– RFID based access control – Attacker close to the owner of the access-granting RFID tag; relays

signals from and to her accomplice, who obtains access

Illustration by M. Poturalski

Z. Kfir and A. Wool, “Picking virtual pockets using relay attacks on contact-less smartcard,” SECURECOMM ’05

104


• A third attempt– Geographical packet leashes

• Nodes are aware of their location in a secure manner• Loosely synchronized clocks• Sender adds coordinates to each packet• Receiver checks if sender is within range

– Temporal packet leashes• Nodes have tightly synchronized clocks• Sender (A) adds a timestamp to each packet• Receiver (B) estimates its distance from the sender based on the

elapsed time, tprop = treceiveB – tsendA

• Dist(A,B) < ctprop– c is the speed of light– ‘Ignore’ the clock drift

Y-C. Hu, A. Perrig, and D. Johnson, “Packet Leashes: A Defense against Wormhole Attacks in Wireless Ad Hoc Networks,” Infocom’03

105


obstacleA B A B

M

• Observation: Physical proximity does not necessarily imply correct nodes are able to communicate directly

• No protocol using time-of-flight measurements candistinguish the two situations

M. Poturalski, P. Papadimitratos, and J-P. Hubaux, “Secure Neighbor Discovery: Is it Possible?” LCA-REPORT-2007-004, 2007

106


• Location-aware nodes (securely) • Estimate neighbor distance in two ways

– Based on the time-of-flight (ToF)– Based on the location information (LOC)

• Compare the two distance estimates

B: Dist(LOCA, LOCB) = DistEstimate(tsendA, treceiveB)

B: “Add A toneighbor list”

A A, tsendA, LOCA, SigA(A, tsendA, LOCA) B

107


• Secure Neighbor Discovery: exchange location information, and compare ToF and LOC based distance estimates

obstacle

A B

A, tsendA, LOCA, SigA(A, tsendA, LOCA)

A, tsendA, LOCA, SigA(A, tsendA, LOCA)

B: Dist(LOCA,LOCB) < DistEstimate(TSA,treceiveB)

B: “Do NOT add A to neighbor list”

M. Poturalski, P. Papadimitratos, and J-P. Hubaux, “Secure Neighbor Discovery: Is it Possible?” LCA-REPORT-2007-004, 2007

108

Summary

• Secure Neighbor Discovery– Solution for – Hard problem; solution is not easy to

implement in practice– Prerequisite for secure networking protocols

and system security– Additional reading

• Other methods, surveyed in [Poturalski-Papadimitratos-Hubaux] report: Using distance bounding, directional antennas, knowledge of topology, properties of the radio signal

• Centralized visual and statistical wormhole detection (Chapter 6)

109

Secure Route Discovery


110

Multi-hop routing

• Wireless multi-hop connectivity

111

Multi-hop Routing (cont’d)

• (Multi-hop) Connectivity graph

G

F

B

C E

D

A

H

112

Multi-hop routing (cont’d)

• Stage 0: neighbor discovery• Stage 1: route discovery

G

F

B

C E

D

A

H Route : Sequence of nodes (and edges); for simplicity: (A, G, E)

Sourcenode

Destinationnode

Intermediatenodes

113


• Explicit route discovery– Fully, clearly expressed and readily observable

route returned by the routing protocol

G

F

B

C E

D

A

H

Route to E: (A, C, F, E)

Route to A: (E, F, C, A)

(Possibly)

114


• Implicit route discovery– Distributed computation that returns a tuple of the

form (current node, relay node, destination node)

G

F

B

C E

D

A

H

Route to E: (A, C, E) Route to E:

(C, F, E)

Route to E: (F, E, E)

115


• Basic route discovery– Explicit or implicit, providing only the structure of

the route

• Augmented route discovery– Need a function that assigns labels to links,

denoted as link metrics• For a link (V1,V2), metric m1,2

– Route metric: a function that is the aggregate of the route link metrics• For a route (V0, V1, …, Vn), route metric

g(m0,1, m1,2,…, mn-1,n)

116


• Input: source, S, and destination, T, nodes• Output: an (S-T)-route (of n links) and

– The link labels (metrics) or– The route metric

,S T N∈ (Secure) Routing Protocol

Input

OutputAn (S,T)-route

and(i) Explicit:

(ii)Implicit:0,1 1,2 1,, , , n nm m m −…

0,1 1,2 1,( , , , )n ng m m m −…

117


Source

Route Reply I

Destination

Route Reply II

Route Request

Route Error

• Example of route discovery– Reactive routing protocol

118

E

F

B

C H

G

A

D

RREP: “I am H”

RREQ: “A is looking for H”

Attacking route discovery (cont’d)

• Impersonation of the destination, for example, in any reactive routing protocol

119


• Modification of the route links, for example, in DSR

E

F

B

C H

G

A

D

RREP :Route ={A, D, E, H}

RREP :Route ={A, D, H}

120


• Abuse of the routing caching mechanism, for example, in DSR

E

F

B

C H

G

A

D

RREP :Route = {X, D, Y, H}

Route Cache:…

{A, D, Y}{A, D, Y, H}

…

121

Attacking route discovery

• Disrupting a link state routing protocol, for example, in OLSR

E

F

B

C H

G

A

D

Links(D, X)(D, H)(D, F)(D, Y)

122


• Disrupting distance vector routing, for example, in AODV

E

F

B

C H

G

A

D

RREP: “Hop count = 3”

RREQ: “A is looking for H”

RREP: “Hop count = 2”

123

E

F

B

C H

G

A

D

Destination | Next Hop | DH | C | 2

Destination | Next Hop | D H | C | 2

Destination | Next Hop | DH | C | 2

D(C,H)=1


• Disrupting distance vector routing, for example, in DSDV

124


• Caution: none of the above-mentioned protocols (DSR, AODV, DSDV, OLSR) was designed with security in mind

• Many possible ways to attack the route discovery

• Outcome of attacks – Control communication

• Become part of utilized routes • Monopolize resources

– Disrupt communication• Degrade or deny

125

Secure route discovery requirements

• What do we need a secure routing protocol to do?

• Network model– Capture the system characteristics

• For example, dynamically changing topology

• Specification– Define the properties of any candidate secure

routing protocol independently of its functionality

126

Requirements• We are interested in protocols that discover routes with

the following two properties:

(1) Loop-freedom: an (S,T)-route is loop-free when it has no repetitions of nodes

(2) Freshness: an (S,T)-route is fresh with respect to a (t1,t2) interval if each of the route’s constituent links is up at some point during the (t1,t2)

• Loop-freedom and freshness are relevant for both explicit and implicit route discovery, and both basic and augmented protocols

P. Papadimitratos, Z.J. Haas, and J.-P. Hubaux, "How to Specify and How to Prove Correctness of Secure Routing Protocols for MANET," BroadNets’06

127

Secure Routing Protocol (SRP)

• Explicit basic route discovery• Observation

– It is hard to ‘know’ all nodes in the network, i.e., establish associations with all of them

– Often infeasible and very costly– Especially in ‘open’ networks

• SRP assumptions – Secure neighbor discovery– Hop-by-hop authentication of all control traffic– End nodes (source, destination) ‘know’ each other

• Can set up security associations

P. Papadimitratos and Z.J. Haas, "Secure Routing for Mobile Ad Hoc Networks," CNDS 2002

128

SRP (cont’d)

S V1 V3V2 T

Route Request (RREQ): S, T, QSEQ, QID, MAC(KS,T, S, T, QSEQ, QID)

1.S broadcasts RREQ;2.V1 broadcasts RREQ, {V1}; 3.V2 broadcasts RREQ, {V1, V2};4.V3 broadcasts RREQ, {V1, V2, V3};

1 2 3 4

129

SRP (cont’d)

Route Reply (RREP): QID, {T, V3, V2, V1, S},MAC(KS,T, QID, QSEQ, T, V3, V2, V1, S)

5. T → V3 : RREP;6. V3 → V2 : RREP;7. V2 → V1 : RREP;8. V1 → S : RREP;

S V1 V3V2 T

1 2 3 4

8 7 6 5

130

SRP (cont’d)

• Route requests verifiably reach destination– Intermediate node replies disabled– Aggressive caching of routing information disabled

• Route replies must trace back the paths traversed by route requests

• Intermediate nodes are not authenticated at the end nodes

• Dual route request identifier– QID: random, used by the intermediate nodes– QSEQ: sequence number, used by the destination– The adversary cannot launch a “sequence number”

attack

131

SRP (cont’d)

• Crucial to operate on top a secure neighbor discovery protocol

• Neighbor Lookup Protocol (NLP)– Secure neighbor discovery– Establish security associations between neighbors– Identify control traffic injected by each neighbor– Prevent attacks that misuse network addresses

• IP spoofing• Use of multiple identities• MAC spoofing

– DoS protection• Efficient mechanisms to discard spurious/

corrupted traffic at intermediate nodes– Replies relayed only if neighbors had previously

forwarded the corresponding request

132

SRP (cont’d)

• Routes discovered by SRP in the presence of independent adversaries are fresh – t1 is the point in time at which S transmitted a

RREQ for T, and t2 is the point at which S received the corresponding RREP

• In the presence of colluding adversaries SRP discovers ‘weakly fresh’ routes– A sequence of links, in general different than

those in the discovered route were up at some point in (t1,t2)

133

Secure Link State Protocol (SLSP)

• Secure Neighbor Discovery – Correct nodes discover only actual neighbors

• Periodic Link State Update (LSU) advertisements– Nodes distribute their discovered neighbors within an

extended neighborhood, the zone– LSUs are signed

• Link state accepted iff reported by both incident nodes

• Nodes distribute their public key throughout the zone

• SLSP can adjust its scope with different zone radii

P. Papadimitratos and Z.J. Haas, "Secure Link State Routing for Mobile Ad Hoc Networks," WSAAN’03

134

SLSP (cont’d)

}Zones

Neighbordiscovery

Key distribution,Link state updates

• SLSP can adjust its scope, with different zone radii

• It can operate locally, combined with another global route discovery, or network-wide

135

SLSP (cont’d)

• Keep the LSU propagation within the zone– Use a hash chain mechanism– zone_radius = XR=hR(x0)– hops_traversed = X1=h(x0), TTL = R-1 – After i hops (i=R-TTL), relay packet if:

• i < R, and• hR-i(hops_traversed) == zone_radius

– hops_traversed = H(hops_traversed)• Same idea can be applied in reactive

routing, to perform an expanding ring search

136

Authenticating intermediate nodes

• Source knows all nodes in the network• All nodes know any source and destination

node (especially in the case of reactive protocols)

• Overall, all nodes know all nodes, or equivalently have security associations established before any route discovery

• Hard to achieve, yet what if? For example, in small or closed networks

137

Ariadne

• Secures DSR, adding authentication of RREQ and RREP messages by each intermediate node that relays and modifies them

• All-to-all security associations• Use of different cryptographic primitives

– Signatures, Message Authentication Codes, and TESLA

Y.-C. Hu, A. Perrig, and D. Johnson,”Ariadne: A secure on-demand routing protocol for ad hoc networks,” Wireless Networks, 2005

138

Ariadne (cont’d)

• Operation across a route (S, F1, F2, D) with MACs• If TESLA is used, the delayed authentication (for

key disclosure) becomes part of the route discovery delay

Protocol operation as in Fig. 7.6 (p.202) of SeCoWiNet book

139

EndairA

• All-to-all security associations, digital signatures• Novelty: intermediate nodes sign only the RREP• Withstands provably attacks and reduces overhead

with respect to Ariadne

Protocol operation as in Fig. 7.8 (p.206) of SeCoWiNet book

G. Acs, L. Buttyan, and I. Vajda, “Provably secure on-demand source routing in mobile ad hoc networks,” TMC, 2006

140

Augmented Discovery: Requirement

• Let be the actual link metric for each link of a discovered (S,T)-route and

the actual route metric• The metric estimated (by a protocol) for link

(Vi,Vi+1) is mi,i+1

(3) Accuracy: an (S,T)-route is accurate with respect to a route metric g and a constant Δgood ≥ 0 if:

• Accuracy is relevant only to augmented, explicit or implicit, route discovery

, 1i il M+ ∈

0,1 1,( , ..., )n ng l l −

0,1 1, 0,1 1,| ( ,..., ) ( ,..., ) |n n n n goodg m m g l l− −− < Δ

141

Quality-of-Service Aware Discovery

• QoS-SRP: Secure QoS-aware routing• Nodes estimate metrics for their incident links

• For link (Vi ,Vi+1), node Vi calculates and Vi+1 calculates

• For some ε > 0,• ε is a protocol-selectable and metric-specific

threshold that allows for metric calculation inaccuracies

• is the maximum metric calculation error by a correct node

, 1ii im +

1, 1 , 1

i ii i i im m ε++ +− <

1, 1

ii im ++

0δ ≥

P. Papadimitratos and Z.J. Haas, "Secure Route Discovery for QoS-Aware Routing in Ad Hoc Networks," Sarnoff ‘05

142

QoS-SRP

S V1 V3V2 T

1 2 3 4

Route Request (RREQ): S, T, QSEQ, QID, MAC(KS,T, S, T, QSEQ, QID)

1. S broadcasts RREQ;2. V1 broadcasts RREQ, {V1}, { }; 3. V2 broadcasts RREQ, {V1,V2}, { };4. V3 broadcasts RREQ, {V1, V2, V3}, { };

1,1Sm

1 2,1 1,2,Sm m

1 2 3,1 1,2 2,3, ,Sm m m

143

QoS-SRP (cont’d)

S V1 V3V2 T

1 2 3 4

8 7 6 5

Route Reply (RREP):QID, {T, V3, V2, V1, S}, { }, MAC (KS,T, QSEQ, QID, T, V3, …, V1, S, )

5. T → V3 : RREP;6. V3 → V2 : RREP;7. V2 → V1 : RREP;8. V1 → S : RREP;

3 2 13, 2,3 1,2 ,1, , ,T

T Sm m m m1

3, 0,1, ...,TTm m

144

QoS-SRP (cont’d)

• Metric types

• ,

• If ,

can be written as

where

• ,

• ,

( )1

1 10,1 1, , 1

0,. ,

nn i

add n n i ii

g m m m−

+− +

=

=∑…

1, 1 0i

i im ++ > ( )

11 10,1 1, , 1

0

,. ,n

n in n i i

i

g m m m−

+− +

=

=∏…

( )10 ,1 1,, , n

add n ng m m −…

1 1, 1 , 1log( ), for 0 1i i

i i i im m i n+ ++ += ≤ ≤ −

( ) { }1 1max 0,1 1, , 10 1

,. , max n in n i ii n

g m m m +− +≤ ≤ −

=…mingoodΔ ( ) { }1 1

min 0,1 1, , 10 1,. , min n i

n n i ii ng m m m +

− +≤ ≤ −=…

maxgoodΔ

addgoodΔ

145

QoS-SRP (cont’d)

• Routes discovered by SRP in the presence of independent adversaries are accurate, with respect to (i) gadd and (ii) gmax and , and (iii) gminand , with n the number of route links, ε > 0 the maximum allowable difference between and , and the maximum error for a metric calculation by a correct node.

, 1ii im +

1, 1

ii im ++ 0δ ≥

2addgood n nε δΔ = +

maxgood nε δΔ = +

mingood nε δΔ = +

146


• Adversary acting as a relay, ‘creating’ Byzantine links• Secure neighbor discovery and hop-by-hop

authentication can defeat this attack

E

F

B

C H

F

A

DRREQ: H, {A}

RREQ: H, {A} RREQ: H, {A, E}

RREP:Route={A, E, H}

147

Attacking Routing – Revisited (cont’d)

• Multiple Colluding Attackers– M1 and M3 are seemingly correct to their

neighbors, but they ‘omit’ protocol functionality when handling packets from M2

– Example: M2 relays RREQ and RREP packets without appearing in the route discovery

V’VS M1 M2 M3

T

148

Attacking Routing - Revisited

• Tunneling Attack– Two colluding attackers: M1, M2

– M1 encapsulates control traffic and forwards to M2 and vice versa

– Attackers seemingly follow the protocol with respect to their neighbors

ST

M1

M2P. Papadimitratos and Z.J. Haas, "Secure Routing for Mobile Ad Hoc Networks," CNDS 2002

149

Summary• Route discovery is vulnerable• Secure route discovery specification

– Loop freedom– Freshness– Accuracy

• Protocols relying on different trust assumptions• Securing basic and augmented route discovery

in open, dynamic networks• Colluding adversarial nodes can subvert any

route discovery protocol; ‘tunneling attack’• Additional reading

– Chapter 7: More secure routing protocols, including sensor network protocols

150

Secure Data Communication


151

Problem statement

• Goal:– Reliable and low-delay data delivery in

the presence of attackers that disrupt the data communication

• Solution:– Detect and avoid compromised and

failing routes– Tolerate malicious and benign faults

• In general, hard to distinguish in highly dynamic networking environments

152

Data Communication

G

F

B

C E

DRoute to E

A

Route to A

H

153

Data Communication (cont’d)

G

F

B

C E

D

H

Message for E

A

154


F

B

C E

D

A

H

155


• How can an attacker be part of a route?– Make the route appear ‘preferable’ (shorter in hops,

delay, or any other metric)– Other routing protocol-specific attacks (e.g., ‘rushing’)– Do nothing that disrupts the secure route discovery

• Consider– An ideal secure routing protocol, ensuring loop-free,

fresh, and accurate routes against any possible attack– All nodes on the discovered route authenticated

• Still, the attacker can deny communication, dropping packets

• Worse even, the attacker can choose to hit when it hurts the most

156


• What is the impact of the adversary that ‘lies low’ and disrupts only the data communication?

Attacker Strength

Rel

iabi

lity

50% of the network nodes attacking

35% message delivery

100%

157

Securing Data Communication

G

F

B

C E

D

H

Route 1Route 2Route 3

A

• Use multiple routes

158

…

1

2

m-1

m

…3

1

2

n

n-2

n-3

Introduce redundancy

to the original message

=

Original message

Securing Data Communication (cont’d)

• Disperse data

159

…

1

3

n-2

n

…

3

1

2

n

n-2

n-3

Reconstruct message

if any m-out-of-n pieces are intact

=


• Disperse data

160

G

F

B

C E

D

H

Sending n=3

E needs m=2

A

Received m pieces!


• Transmit simultaneously across the routes

161

H G

F

B

C E

D

A

Route 1Route 2

Route 3

Tell A which pieces were

intact

• Get feedback


162

Secure Routing OnlySecure Routing + Secure Data Communication

Attacker Strength

Rel

iabi

lity

50% of the network nodes are attacking

35% message delivery

93% message deliverywithout

retransmissions


• Reliable and Real-Time Communication in Hostile Environments

163

RedundancyD

elay

1 3.5

1.2 s

0.4 s

Average delay for

100%message delivery

Redundancy

Rel

iabi

lity

1 3.5

82%

93%

Redundancy Message delivery without

retransmissions

Bandwidth For

Security


164


• Secure Message Transmission (SMT) protocol– Dispersion of the transmitted data– Simultaneous usage of multiple node-disjoint routes– Data integrity and origin authentication– End-to-end secure and robust feedback– Adaptation to the network conditions

• Secure Single Path (SSP) protocol– Discovery and utilization of a single route– End–to–end security and feedback

165

SMT Operation• The Active Path Set (APS)

– Maintain a (partial) view of the network topology– Construct a set of node disjoint routes (per destination)

– Routes remain in the APS until deemed non-operational

• Multi-path operation– Select the APS routes to transmit a dispersed message– Route selection attributes

• Path rating• Probability of path survival• Overall probability of successful message delivery

– Assign each message piece to one of the selected routes

166

SMT Operation (cont’d)

TimeSource

Destination

DispersedMessage

DispersedACK

Re-transmit

ACK

•Example: Transmission of a single message

timer timer

167


• Secure and robust end-to-end feedback– Dispersed and returned over multiple routes – Informs on the successfully received pieces– Allows the correlation of successfully received

pieces with data routes– Provides “safe” information for the adaptation

of the protocol operation

168


• Adapt to the network conditions– Detect non-operational routes– Switch to alternate (new) routes– Adapt the protocol configuration

• Number of routes• Transmission redundancy• Route selection• Additional route discovery

169


• Path rating mechanism– Each route is associated to a rating

• Update rs for each transmission across the route• For each delivered piece, rs is increased by a

constant β• For each lost piece, rs is decreased by a constant α

• The route is discarded when its rating reaches rsthr

max

if a piece is lost

if a piece is received

max{ ( 1) , }, ( )

min{ ( 1) , },

thrs s

ss s

r i rr i

r i rαβ

⎧ − −= ⎨

− +⎩

max,thrs S Sr r r⎡ ⎤∈⎣ ⎦

170


• Robustness to arbitrary attack patterns– Bounded fraction of data the adversary can

drop (Bandwidth Loss (BWL)) before the compromised route is detected

– Non-operational routes are promptly discarded– Route re-instatement after transient data loss

BWL βα β

≤+

P. Papadimitratos and Z.J. Haas, “Secure Message Transmission in Mobile Ad Hoc Networks,” ACM WiSe’03 P. Papadimitratos and Z.J. Haas. "Secure Message Transmission inMobile Ad Hoc Networks," Ad Hoc Networks, 2003

171


• What is the appropriate choice for α,β ?– The attack pattern is not known in advance– The faster a non-operational route is

discarded the better – Not discarding a route after a transient packet

loss is preferable

• One criterion– Min-Max Regret

P. Papadimitratos and Z.J. Haas, " Secure Data Communication in Mobile Ad Hoc Networks," JSAC, 2006

172


• Selection of α, β

173


• Selection of α, β

174


• Is the route rating sufficient to maintain reliable communication? What about mobility?

• The higher the route age is, the more likely it is to break • t : current route age of the i-th route in APS• pi(t ) : probability of survival of the route during a piece

transmission (delay d)• Estimate this from route lifetime samples (periods of time

from the discovery till the route removal from the APS

1

1

1 , if

ˆ ( ) , for such that:

1 , if

i j j

D

S t dS

S jp t j t dS

t dS

τ

τ τ

τ

+

−⎧ + <⎪⎪

−⎪= ≤ + <⎨⎪⎪ + >⎪⎩

175


• Example of the estimated probability of path survival , based on collected data

• FA: Fraction of adversaries present in the network

176


• Determine the appropriate message dispersion– To achieve the sought end-to-end reliability,

PGOAL, while minimizing • The transmission redundancy: PGOAL- rmin

• The number of utilized paths: PGOAL-Nmin

– To achieve a redundancy goal while maximizing the end-to-end reliability: rGOAL

177

Performance Evaluation

Nodes 50

Fraction of Adversaries

10%, 20%, 30%, 40%, or 50% of the network

Measurements 50 randomly seeded runs for each point

Security Bindings Single destination per source

Coverage Area 1000m-by-1000m

Simulated time 300 sec

Mobility Random waypoint; Pause times: 0, 20, 40, 60, 100, 150, 200, 250 seconds

Load 3, 7, 15, 20 CBR flows, Data payload: 512 BytesRates: 4, 10, 15, 20, 25, and 30 packets/sec

PHY/MAC 802.11, DCF, 2 and 5.5 Mbps, 300m

Tool OPNET

178

Performance Evaluation (cont’d)

• Secure Message Transmission (SMT) protocol

• Secure Single Path (SSP) protocol• Secure route discovery for both protocols

– Explicit, basic• Reactive, Proactive• SRP, SLSP

• Attack pattern– Full compliance with the route discovery– Discarding in–transit data packets

179


SMT-LS: SMT with a Link State Protocol

Message Delivery Fraction Message Delay

180


SMT-RRD: SMT with SRP


181


SMT-RRD: SMT with SRP

Routing Overhead Transmission Overhead

182


SSP-RRD: SSP with SRP


183


SSP-RRD: SSP with SRP

Routing Overhead Transmission Overhead

184


Transmission Redundancy

Average number of sent pieces (N) Average number of required pieces (M)

185


Impact of mobility; SMT-RRD


186


Impact of Load and interaction with TCP

Throughput – no flow control Throughput - SMT-RRD with TCP

187


Impact of Load and SMT interaction with TCP

Message delay – no flow control Message delay - SMT-RRD with TCP

188

Summary

• Secure data communication is critical– Secure routing protocols are vulnerable– As long as attackers can place themselves on utilized

routes, they can degrade or deny communication– The only answer is to assess whether data are

delivered, and avoid non-operational routes

• Secure data communication is practical– Low-delay, low-jitter, and highly reliable; essentially,

real-time– Flexible– Low overhead– End-to-end– Effective against any data-dropping pattern

189

Privacy Enhancing Technologies for Vehicular Communication (VC) Systems


190

VC System (cont’d)

• High rate broadcast communication• VANET-only (e.g., safety) and TCP/IP

communication

Safety Applications

IPv6

TCP / UDPC2C-CC Position Based

Routing

IEEE 802.11p MAC and PHY

C2C-CC MAC

Wave Short

Message Protocol (WSMP)

General Applications

IEEE 1609.4

191

Security for VC

• Focus: Communication• Main objectives

– Identity and Cryptographic Key Management– Privacy Enhancing Technologies (PET)– Secure Communication

• Requirements– Authentication, integrity, non-repudiation, access

control, confidentiality, availability– Privacy– Liability identification

P. Papadimitratos, V. Gligor, J.-P. Hubaux, “Securing Vehicular Communications – Assumptions, Requirements and Principles,”ESCAR 2006

192

Secure VC• Authorities

– Trusted entities – Issuing and managing identities and credentials

• Network nodes– Vehicles

• Public • Private

– Road-side units• Users

193

Secure VC (cont’d)

•System Illustration

194


Graphic courtesy of DC

Wireless Communication

Module

Central Processing Module

Unique Identity

Credentials and

Cryptographic Keys

Abstract view of a vehicle in a

(secure) vehicular communications

system

Sensory Inputs Module

195


• Node Identity– Unique identity V– Integration of pre-VC and VC-specific

identifiers

• Node Keys – Public / private key pair KV, kV

• Node Credentials – Certificate CertX{KV,AV}– AV: attributes of node V

• Long-term identification

196


• Secure Communication– Single- and Multi-hop– Vehicle to vehicle – Vehicle to infrastructure

• Digital signatures more appropriate tool– Any-to-any communication; e.g., broadcast, geo-cast– High mobility

• Relatively simple networking protocols ‘shift’ the security focus to the application

197


• Secure Communication (cont’d)

Warning:Accident at (x,y,z)

!!

Payload

Location: (xV,yV,zV)

CertX{KV,AV}

Signature with kV

Vehicle V

Time: tV

Vehicle U

Warning:Accident at (x,y,z)

198

Problem statement

• Frequent, high-rate vehicle-to vehicle and vehicle-to-infrastructure communication– Periodic, triggered, dependent on network

characteristics (e.g., density)– Example: a vehicle transmits safety messages

every 100 to 300 milliseconds– Safety messages include vehicle-specific

information; e.g., its coordinates• Communication cannot be regulated or

controlled by the node/user – Safety messaging will be essentially an

‘always-on’ application

199


• Vehicle-originating wireless transmissions are particularly easy to eavesdrop– Data link very similar to a widely adopted

technology: IEEE 802.11p– Very large and increasing numbers of 802.11

access points already deployed– Road-side infrastructure deployed for other

services could be subverted into acting as an eavesdropper

• Linking messages to the transmitting vehicle and inferring private information about its passengers

200


201


• What are we after? – At least the same degree of privacy achieved nowadays,

before the advent of vehicular communications– Combination of strong security and privacy-enhancing

technologies– Ideally, anonymous and authentic communications, but:

• High processing and communication overhead• Often, messages from the same vehicle should be linkable

– Requirement: messages generated by a given vehicle can be linked at most over a protocol-selectable period of time

• The shorter this period, the harder to track a vehicle becomes

202

• Pseudonym: Remove all identifying information from certificate

• Equip vehicles with multiple pseudonyms – Alternate among pseudonyms over time (and space)– Sign message with the private key corresponding to

pseudonym– Append current pseudonym to signed message

PET for VC (cont’d)

PSNYM_1

PSNYM_2

PSNYM_3 PSNYM_1

PSNYM_2 PSNYM_1

PSNYM_2

PSNYM_3

203


• PET system setup

PSNYM_1, …, PSNYM_k

Authority XLong-term

Identification

Vehicle V

Authority APseudonym

Provider

Set of pseudonyms for V

204


• PET system setup (cont’d) • Multiple pseudonym providers

Organization 1 Organization 2 Organization n...

V-PNYM-1 V-PNYM-2 V-PNYM-n

...

Vehicle V

205


• Pseudonym format

• Supplying vehicles with pseudonyms– Sufficient in number– Periodic ‘refills’

PSNYM-Provider ID

Public Key Ki

PSNYM-Provider Signature

PSNYM Lifetime

PSNYM_1PSNYM_2

PSNYM_3PSNYM_4PSNYM_k1

PSNYM_1PSNYM_2


PSNYM_1PSNYM_2


Time

206

Secure VC Building Blocks (cont’d)

• Pseudonym Change MechanismPSNYM_1, …, PSNYM_k

Vehicle V

Pseudonym Selection Process

Inputs:

Vehicle Location

Vehicle Clock

Recipient(s) /

(Verifier(s))

Output:

Use PSNYM_i for period

[ti,ti+1]

Inputs:

Local (vehicle) and

Authority Privacy Policies

PSNYM_1, …, PSNYM_k

One pseudonym per day (?) One per transaction (?)

207


• Other vehicle network identifiers: e.g., IP and MAC addresses

• Change addresses along with pseudonyms• Maintain addresses only when necessary, but

encapsulate

PSNYM_i

APAAPB

APC

ServerS

IPA

PSNYM_j

IPB

IPS

PSNYM_k

IPc

IPS

208


• Credentials Management

Roadside Unit

‘Re-filling’ with or obtaining new

credentials

‘Re-filling’ with or obtaining new

credentials

Roadside Unit

Wire-lineConnections

209


• Pseudonym ResolutionPseudonymous CommunicationTranscript

“Vehicle V generated the transcript”

Authority O

210


• Challenge– Managing a pseudonymous authentication system is

cumbersome• Preload large numbers of pseudonyms or obtain them on-

the-fly• Costly computations at the side of the pseudonym provider• Costly wireless communication to obtain pseudonyms• Need reliable access to the pseudonym provider

• Solution– On-board generation of pseudonyms– G. Calandriello, P. Papadimitratos, A. Lloy, and J.-P.

Hubaux, "Efficient and Robust Pseudonymous Authentication in VANET," VANET 2007

211

Summary

• Security and privacy-enhancing mechanisms are a prerequisite for the VC systems deployment

• Securing VC systems is a complex yet ‘real’ problem that attracts the attention of the community

• Opportunity: Awareness and joint efforts in industry and academia

212

Acknowledgements

• Thanks to Marcin Poturalski and George Theodorakopoulos for their feedback on Part 2 of this tutorial

213

Questions?

[email protected]

mailto:[email protected]

214


Part 3: Thwarting Selfish Behavior

Jean-Pierre [email protected]

mailto:[email protected]

© 2007 Levente Buttyán and Jean-Pierre Hubaux


http://secowinet.epfl.ch/

Appendix B: A tutorial on game theory for wireless networks

static games;dynamic games;repeated games;strict and weak dominance;Nash equilibrium;Pareto optimality;Subgame perfection;…

216Security and Cooperation in Wireless NetworksAppendix B: A tutorial on game theory for wireless networks

Chapter outline

B.1 IntroductionB.2 Static gamesB.3 Dynamic gamesB.4 Repeated games


Brief introduction to Game Theory

Discipline aiming at modeling situations in which actors have to make decisions which have mutual, possibly conflicting, consequencesClassical applications: economics, but also politics and biologyExample: should a company invest in a new plant, or enter a new market, considering that the competition may make similar moves?Most widespread kind of game: non-cooperative (meaning that the players do not attempt to find an agreement about their possible moves)

B.1 Introduction


Classification of games

Non-cooperative Cooperative

Static Dynamic (repeated)

Strategic-form Extensive-form

Perfect information Imperfect information

Complete information Incomplete information

Cooperative

Imperfect information

Incomplete information

Perfect info: each player knows the identity of other players and, for eachof them, the payoff resulting of each strategy.

Complete info: each player can observe the action of each other player.

B.1 Introduction


Cooperation in self-organized wireless networks

S1

S2

D1D2

Usually, the devices are assumed to be cooperative. But what if they are not?

B.1 Introduction


Chapter outline



Example 1: The Forwarder’s Dilemma

?Blue Green

?

B.2 Static games


From a problem to a game

users controlling the devices are rational = try to maximize their benefitgame formulation: G = (P,S,U)– P: set of players– S: set of strategy functions– U: set of utility functions

strategic-form representation


(1-c, 1-c) (-c, 1)(1, -c) (0, 0)

BlueGreen

Forward

Drop

Forward Drop

B.2 Static games



' '( , ) ( , ), ,i i i i i i i i i iu s s u s s s S s S− − − −< ∀ ∈ ∀ ∈

iu U∈i is S− −∈

where:

Strict dominance: strictly best strategy, for any strategy of the other player(s)

utility function of player i

strategies of all players except player i

In Example 1, strategy Drop strictly dominates strategy Forward

(1-c, 1-c) (-c, 1)(1, -c) (0, 0)

BlueGreen

Forward

Drop

Forward Drop

Strategy strictly dominates ifis

B.2 Static games



Solution by iterative strict dominance:

(1-c, 1-c) (-c, 1)(1, -c) (0, 0)

BlueGreen

Forward

Drop

Forward Drop

Result: Tragedy of the commons ! (Hardin, 1968)

Drop strictly dominates ForwardDilemma

Forward would result in a better outcomeBUT }

B.2 Static games


Example 2: The Joint Packet Forwarding Game

?Blue GreenSource Dest

?

No strictly dominated strategies !


(1-c, 1-c) (-c, 0)(0, 0) (0, 0)

BlueGreen

ForwardDrop

Forward Drop

B.2 Static games


Weak dominance

?Blue GreenSource Dest

?

(1-c, 1-c) (-c, 0)(0, 0) (0, 0)

'( , ) ( , ),i i i i i i i iu s s u s s s S− − − −≤ ∀ ∈

Weak dominance: strictly better strategy for at least one opponent strategy

with strict inequality for at least one s-i

Iterative weak dominanceBlue

Green

Drop

Forward

Forward

Drop

BUT

The result of the iterative weak dominance is not unique in general !

Strategy s’i is weakly dominated by strategy si if

B.2 Static games


Nash equilibrium (1/2)

Nash Equilibrium: no player can increase its utility by deviating unilaterally

(1-c, 1-c) (-c, 1)(1, -c) (0, 0)

BlueGreen

Forward

Drop

Forward DropE1: The Forwarder’s Dilemma

E2: The Joint Packet Forwarding game (1-c, 1-c) (-c, 0)

(0, 0) (0, 0)

BlueGreen

Forward

Drop

Forward Drop

B.2 Static games


Nash equilibrium (2/2)

* * *( , ) ( , ),i i i i i i i iu s s u s s s S− −≥ ∀ ∈

iu U∈i is S∈

where: utility function of player istrategy of player i

( ) arg max ( , )i i

i i i i is S

b s u s s− −∈

=

The best response of player i to the profile of strategies s-i is a strategy si such that:

Nash Equilibrium = Mutual best responses

Caution! Many games have more than one Nash equilibrium

Strategy profile s* constitutes a Nash equilibrium if, for each player i,

B.2 Static games


Example 3: The Multiple Access game



There is no strictly dominating strategy

(0, 0) (0, 1-c)(1-c, 0) (-c, -c)

BlueGreen

Quiet

Transmit

Quiet Transmit

There are two Nash equilibria


B.2 Static games


Mixed strategy Nash equilibrium

objectives– Blue: choose p to maximize ublue

– Green: choose q to maximize ugreen

(1 )(1 ) (1 )blueu p q c pqc p c q= − − − = − −(1 )greenu q c p= − −

1 , 1p c q c= − = −

is a Nash equilibrium

p: probability of transmit for Blueq: probability of transmit for Green

B.2 Static games


Example 4: The Jamming game

transmitter:• reward for successfultransmission: 1• loss for jammed transmission: -1

jammer:• reward for successfuljamming: 1• loss for missed jamming: -1

two channels: C1 and C2

(-1, 1) (1, -1)(1, -1) (-1, 1)

There is no pure-strategy Nash equilibrium

BlueGreen

C2

C1

C2

C1

transmitter

jammer

1 1,2 2

p q= = is a Nash equilibrium

p: probability of transmit on C1 for Blueq: probability of transmit on C1 for Green

B.2 Static games


Theorem by Nash, 1950

Theorem: Every finite strategic-form game has a mixed-strategy Nash equilibrium.

B.2 Static games


Efficiency of Nash equilibria

E2: The Joint Packet Forwarding game

(1-c, 1-c) (-c, 0)(0, 0) (0, 0)

BlueGreen

Forward

Drop

Forward Drop

How to choose between several Nash equilibria ?Pareto-optimality: A strategy profile is Pareto-optimal if it is not possible to increase the payoff of any player without decreasing the payoff of another player.

B.2 Static games


How to study Nash equilibria ?

Properties of Nash equilibria to investigate:existenceuniquenessefficiency (Pareto-optimality)emergence (dynamic games, agreements)

B.2 Static games


Chapter outline



Extensive-form games

usually to model sequential decisionsgame represented by a treeExample 3 modified: the Sequential Multiple Access game:Blue plays first, then Green plays.

Green

BlueT Q

T Q T Q

(-c,-c) (1-c,0) (0,1-c) (0,0)



Green


B.3 Dynamic games


Strategies in dynamic games

The strategy defines the moves for a player for every node in the game, even for those nodes that are not reached if the strategy is played.

Green

BlueT Q

T Q T Q

(1-c,0) (0,1-c) (0,0)

Green

(-c,-c)

strategies for Blue: T, Q

strategies for Green: TT, TQ, QT and QQ

If they have to decide independently: three Nash equilibria(T,QT), (T,QQ) and (Q,TT)

B.3 Dynamic games


Backward induction

Solve the game by reducing from the final stageEliminates Nash equilibria that are increadible threats

Green

BlueT Q

T Q T Q

(1-c,0) (0,1-c) (0,0)

Green

(-c,-c)

incredible threat: (Q, TT)

B.3 Dynamic games


Subgame perfection

Extends the notion of Nash equilibrium

Green

BlueT Q

T Q T Q

(1-c,0) (0,1-c) (0,0)

Green

Subgame perfect equilibria: (T, QT) and (T, QT) (-c,-c)

One-deviation property: A strategy si conforms to the one-deviation property if there does not exist any node of the tree, in which a playeri can gain by deviating from si and apply it otherwise.

Subgame perfect equilibrium: A strategy profile s constitutes a subgame perfect equilibrium if the one-deviation property holds for every strategy si in s.

Finding subgame perfect equilibria using backward induction

B.3 Dynamic games


Chapter outline



Repeated games

repeated interaction between the players (in stages)move: decision in one interactionstrategy: defines how to choose the next move, given the previous moveshistory: the ordered set of moves in previous stages– most prominent games are history-1 games (players consider only

the previous stage)

initial move: the first move with no historyfinite-horizon vs. infinite-horizon gamesstages denoted by t (or k)

B.4 Repeated games


Utilities: Objectives in the repeated game

finite-horizon vs. infinite-horizon gamesmyopic vs. long-sighted repeated game

( )1i iu u t= +

( )0

T

i it

u u t=

=∑

( )0

i it

u u t∞

=

=∑

myopic:

long-sighted finite:

long-sighted infinite:

utility with discounting: ( )0

ti i

tu u t ω

∞

=

= ⋅∑0 1ω< ≤ is the discounting factor

B.4 Repeated games


Strategies in the repeated game

usually, history-1 strategies, based on different inputs:

– others’ behavior:

– others’ and own behavior:

– utility:

( ) ( )1i i im t s m t−⎡ ⎤+ = ⎣ ⎦( ) ( ) ( )1 ,i i i im t s m t m t−⎡ ⎤+ = ⎣ ⎦

( ) ( )1i i im t s u t⎡ ⎤+ = ⎣ ⎦

Example strategies in the Forwarder’s Dilemma:

Blue (t) initial move

F D strategy name

F

F

D

F

F

AllC

F

F

D

D

Tit-For-Tat (TFT)

D AllD

FD Anti-TFT

Green (t+1)

B.4 Repeated games


The Repeated Forwarder’s Dilemma

(1-c, 1-c) (-c, 1)(1, -c) (0, 0)

BlueGreen

Drop

Forward

Forward Drop

?Blue Green

?

stage payoff

B.4 Repeated games


Analysis of the Repeated Forwarder’s Dilemma (1/3)

Blue strategy Green strategy

AllD AllD

AllD TFT

AllD AllC

AllC AllC

AllC TFT

TFT TFT

infinite game with discounting: ( )0

ti i

tu u t ω

∞

=

= ⋅∑

Blue utility Green utility

0 0

1 -c

(1-c)/(1-ω) (1-c)/(1-ω)

1/(1-ω) -c/(1-ω)

(1-c)/(1-ω) (1-c)/(1-ω)

(1-c)/(1-ω) (1-c)/(1-ω)

B.4 Repeated games



Blue strategy Green strategy

AllD AllD

AllD TFT

AllD AllC

AllC AllC

AllC TFT

TFT TFT

Blue utility Green utility

0 0

1 -c

(1-c)/(1-ω) (1-c)/(1-ω)

1/(1-ω) -c/(1-ω)

(1-c)/(1-ω) (1-c)/(1-ω)

(1-c)/(1-ω) (1-c)/(1-ω)

AllC receives a high payoff with itself and TFT, butAllD exploits AllCAllD performs poor with itselfTFT performs well with AllC and itself, andTFT retaliates the defection of AllD

TFT is the best strategy if ω is high !B.4 Repeated games



Theorem: In the Repeated Forwarder’s Dilemma, if both players play AllD, it is a Nash equilibrium.

Theorem: In the Repeated Forwarder’s Dilemma, both players playing TFT is a Nash equilibrium as well.

Blue strategy Green strategy Blue utility Green utility

AllD

TFT

0 0AllD

TFT (1-c)/(1-ω) (1-c)/(1-ω)

The Nash equilibrium sBlue = TFT and sGreen = TFT is Pareto-optimal (but sBlue = AllD and sGreen = AllD is not) !

B.4 Repeated games


Experiment: Tournament by Axelrod, 1984

any strategy can be submitted (history-X)strategies play the Repeated Prisoner’s Dilemma (Repeated Forwarder’s Dilemma) in pairsnumber of rounds is finite but unknown

TFT was the winnersecond round: TFT was the winner again

B.4 Repeated games


Discussion on game theory

RationalityUtility function and costPricing and mechanism design (to promote desirable solutions)Infinite-horizon games and discountingReputationCooperative gamesImperfect / incomplete information

B.5 Discussion


Who is malicious? Who is selfish?

Both security and game theory backgrounds are useful in many cases !! Both security and game theory backgrounds are useful in many cases !!

Harm everyone: viruses,…

Selective harm: DoS,… Spammer

Cyber-gangster:phishing attacks,trojan horses,…

Big brother

Greedy operator

Selfish mobile station

B.5 Discussion


Conclusions

Game theory can help modeling greedy behavior in wireless networksDiscipline still in its infancyAlternative solutions– Ignore the problem– Build protocols in tamper-resistant hardware




Chapter 10: Selfishness in packet forwarding


Introduction

the operation of multi-hop wireless networks requires the nodes to forward data packets on behalf of other nodeshowever, such cooperative behavior has no direct benefit for the forwarding node, and it consumes valuable resources (battery)hence, the nodes may tend to behave selfishly and deny cooperationif many nodes defect, then the operation of the entire network is jeopardized questions:– What are the conditions for the emergence of cooperation in packet

forwarding?– Can it emerge spontaneously or should it be stimulated by some

external mechanism?


Modeling packet forwarding as a game

time0time slot:

1 t

Strategy:cooperationlevel

pC(0) pC(1) pC(t)

Players: nodes

Payoff (of node i): proportion of packets sent by node i reaching their destination

10.1 Game theoretic model of packet forwarding


Cost function

( ) ( )trcrTtr jsf j,ˆ)(, τη ⋅⋅−=

Cost for forwarder fj :

where:Ts(r) – traffic sent by source s on route rc – unit cost of forwarding

Example :

( ) )()()(,ˆ},{

tptptptr CECEk

fC k⋅== ∏

∈

τ

( ) ( )ˆ, ( ) ,C A jr t T r c r tη τ= − ⋅ ⋅

A E C D

TA pE(t) pC(t)r (A→D):


( ) )(,ˆ1

tptrj

kfj k∏

=

=τ

Normalized throughput at forwarder fj :

where:r – route on which fk is a forwardert – time slotfk – forwarders on route rpfk – cooperation level of forwarder fk


Utility function

( ) )()()(, tptprTtr CEA ⋅⋅=τ

( ) )()(,1

tprTtrl

kfs k∏

=

⋅=τ

Experienced throughput :

where: s – sourcer – route on which s is a sourcet – time slotfk – forwarders for spfk – cooperation level of forwarder fk

A E C D

TA pE(t) pC(t)r (A→D):

Example :

Utility function :



Total payoff

( ) ( )( ) ( )( ) ( )

, ,i i

i i iq S t r F t

t u q t r tπ τ η∈ ∈

= +∑ ∑

The goal of each node is to maximize its total payoff over the game

Payoff = Utility - Cost

where: Si(t) – set of routes on which i is a sourceFi(t) – set of routes on which i is a forwarder

( ) t

tii t ωππ ⋅=∑

∞

=0max where: ω – discounting factor

t – time

time0time slot: 1 t

Payoff: πA(0) πA(1).ω πA(t).ωt

Example :



Representation of the nodes as players

Node i is playing against the rest of the network (represented by the box denoted by A-i )

yi

xi

A-i σi ))]1,(([)( )1( −∈−= tSrii itrtp τσStrategy function for node i:

where:τ (r,t) – experienced throughputSi – set of routes on which i is a source



Examples of strategies

1)( =ii yσ

iii xy =)(σ

0)( =ii yσ

StrategyFunctionInitial

cooperation level

AllD (always defect)

AllC (always cooperate)

TFT (Tit-For-Tat)

0

1

1

non-reactive strategies: the output of the strategy functionis independent of the input (example: AllD and AllC)

reactive strategies: the output of the strategy functiondepends on the input (example: TFT)

where yi stands for the input

iii yy =)(σ



Concept of dependency graph

dependency: the benefit of each source is dependent on the behavior of its forwarders

dependency loop

10.2 Meta-model


Analytical Results (1/2)

0)( =IFσ

Theorem 1: If node i does not have any dependency loops, then its best strategy is AllD.

Theorem 2: If node i has only non-reactive dependency loops, then its best strategy is AllD.

Corollary 1: If every node plays AllD, it is a Nash-equilibrium. Corollary 1: If every node plays AllD, it is a Nash-equilibrium.

0)( =IEσ

node i

node playing a non-reactive strategy

other nodes

10.3 Analytical results


Analytical results (2/2)

Corollary 2: If Theorem 3 holds for every node, it is a Nash-equilibrium.Corollary 2: If Theorem 3 holds for every node, it is a Nash-equilibrium.

Theorem 3 (simplified): Assuming that node i is a forwarder, its behavior will be cooperative only if it has a dependency loop with each of its sources

Theorem 3 (simplified): Assuming that node i is a forwarder, its behavior will be cooperative only if it has a dependency loop with each of its sources

Example in which Corollary 2 holds:

A B

C

A B

C

Network Dependency graph



Classification of scenarios

D: Set of scenarios, in which every node playing AllD is a Nash equilibrium

C: Set of scenarios, in which a Nash equilibrium based on cooperation is not

excluded by Theorem 1

C2: Set of scenarios, in which cooperation is based on the conditions expressed in

Corollary 2



Simulation settings

Number of nodes 100, 150, 200

Area type torus

Area size 1500x1500m, 1850x1850m, 2150x2150m

Radio range 200 m

Distribution of the nodes random uniform

Number of routes originating at each node

1-10

Route selection shortest path

Number of simulation runs 1000

10.4 Simulation results


Simulation results

10.4 Simulation results


Summary

Analytical results:– If everyone drops all packets, it is a Nash-equilibrium– In theory, given some conditions, a cooperative Nash-equilibrium

can exist ( i.e., each forwarder forwards all packets )

Simulation results: – In practice, the conditions for cooperative Nash-equilibria are very

restrictive : the likelihood that the conditions for cooperation hold for every node is extremely small

Consequences:– Cooperation cannot be taken for granted– Mechanisms that stimulate cooperation are necessary

• incentives based on virtual currency• reputation systems

10.5 Summary




Chapter 11: Wireless operators in shared spectrum

(multi-domain sensor networks)

border games in cellular networks


Introduction

spectrum licenses do not regulate access over national bordersadjust pilot power to attract more users

Is there an incentive for operators to apply competitive pilot power control?

11.2 Border games in cellular networks


System model (1/2)

Network:cellular networks using CDMA– channels defined by orthogonal

codestwo operators: A and Bone base station eachpilot signal power control

Users:roaming usersusers uniformly distributedselect the best quality BSselection based signal-to-interference-plus-noise ratio (SINR)

11.2 Border games in cellular networks11.2.1 Model


System model (2/2)

0

pilotp i ivpilot

iv pilot pilotown other

G P gSINR

N I I⋅ ⋅

=⋅ + +W

i

pilotown iv iw

wI g Tς

∈

⎛ ⎞= ⋅ ⋅⎜ ⎟⎜ ⎟

⎝ ⎠∑M

i

pilotother jv j iw

j i wI g P Tη

≠ ∈

⎛ ⎞= ⋅ ⋅ +⎜ ⎟⎜ ⎟

⎝ ⎠∑ ∑

M

A Bv

PA

TAv

TAw

PB

TBw

0

trp iv ivtr

iv tr trown other

G T gSINR

N I I⋅ ⋅

=⋅ + +W

, i

pilotown iv i iw

w v wI g P Tς

≠ ∈

⎛ ⎞= ⋅ ⋅ +⎜ ⎟⎜ ⎟

⎝ ⎠∑

M

tr pilotother otherI I=

pilot signal SINR:

traffic signal SINR:

Pi – pilot power of i– processing gain for the pilot signalpilot

pG

ivg

0NW

– noise energy per symbol

ς

ivT

η

pilotownI

– channel gain between BS i and user v

– own-cell interference affecting the pilot signal

– own-cell interference factor– traffic power between BS i and user v

iM

– available bandwidth

– other-to-own-cell interference factor– set of users attached to BS i

11.2 Border games in cellular networks11.2.1 Model


Game-theoretic model

Power Control Game, GPC– players → networks operators (BSs), A and B– strategy → pilot signal power, 0W < Pi < 10W, i = {A, B}– standard power, PS = 2W– payoff → profit, where is the expected income

serving user v– normalized payoff difference:

i

i vv

u θ∈

= ∑M

vθ

( ) ( )( )( )

max , ,

,i

S S Si i is

i S Si

u s P u P P

u P P

−Δ =

11.2 Border games in cellular networks11.2.2 Power control game


Simulation settings



Is there a game?

only A is strategic (B uses PB = PS)10 data users path loss exponent, α = 2

Δi



When both operators are strategic

10 data userspath loss exponent, α = 4



Nash equilibria

10 data users 100 data users



Efficiency (1/2)

10 data users



Efficiency (2/2)

100 data users



convergence based on better-response dynamicsconvergence step: 2 W

Convergence to NE (1/2)

PA = 6.5 W

11.2 Border games in cellular networks11.2.3 Convergence to a Nash Equilibrium


Convergence to NE (2/2)

convergence step: 0.1 W

11.2 Border games in cellular networks11.2.3 Convergence to a Nash Equilibrium


Conclusion on border games

not only individual nodes may exhibit selfish behavior, but operators can be selfish tooexample: adjusting pilot power to attract more users at national bordersthe problem can be modeled as a game between the operators– the game has an efficient Nash equilibrium– there’s a simple convergence algorithm that drives the system into

the Nash equilibrium

11.2 Border games in cellular networks

security and cooperation in wireless ... - people.kth.se

Documents