SPLASH Sécurisation des ProtocoLes dans les

réseAux mobileS ad Hoc 

http://www.inrialpes.fr/planete/splash.html

12 Décembre 2003

Refik MolvaInstitut EURECOM

molva@eurecom.fr

MANET Security Requirements

Wireless & Mobile• Limited Energy• Lack of physical security

Ad Hoc• Lack of(or limited)

infrastructure• Lack of a priori trust

• Cooperation Enforcement

• Secure Routing

• Key management

[Recent security solutions for mobile ad hoc networks In “Ad Hoc Networks” IEEE Press - Wiley Ed]

Key Management Objectives

• Bootstrapping from scratch

• Fully distributed

• Minimum dependency

Key Management Approaches• Symmetric crypto [Basagni et al.]

• (ID, PK) binding– Certificate = (ID,PK)CA

• Self-organized Authorities [Zhou, Haas] [Kong, et al.] [Yi, Kravets] [Lehane, et al.]

• Web of trust(PGP) [Hubaux, Buttyan, Capkun]

– Certificate-less• Crypto-based IDs: ID = h(PK) [Montenegro, Castellucia] [O’Shea,

Roe] [Bobba, et al] • ID-based Crypto: PK = f(ID) [Halili, Katz, Arbaugh]

• Context-dependent authentication– location-limited channels [Balfanz, et al.] – Shared passwords [Asokan, Ginzborg]

Self-organized Admission ControlPerformance Comparison

• Centralized (simple signatures)– member gets t signatures from other members– Server grants GMC when t or more signatures are shown.

• Distributed (threshold signatures)– member gets “partial” certificates (mSKi) from other members.– member combines t certificates to get a GMC

GMC = mSK1 mSK2 mSK3.. mSKt = mSK

Threshold signatures are NOT suitable in MANET and sensor networks.

• Currently investigating Bilinear mappings

[Admission Control in Peer-to-Peer: Design and Performance Evaluation, ACM SASN Workshop, October 2003.]

[On the Utility of Distributed Cryptography in P2P and MANETs, ICNP 2003.]

(ID, PK) binding without a PKICrypto-Generated Addresses

(CGA)• Statistically Unique Cryptographically Verifiable IDs [Montenegro,

Castellucia] [O’Shea, Roe] IPv6 @ = prefix | h( prefix | PK )

• Secure Routing using CGA: AODV [Castellucia, Montenegro] DSR[Bobba, et al]

PROs: no certificates, no PKI CONs: generation of bogus IDs

• New: CGA based on the small primes variation of the Feige-Fiat-Shamir (MFFS)

[Statistically Unique and Cryptographically Verifiable Addresses: concepts and applications. ACM TISSEC, Feb. 2004]

[Protecting AODV against impersonation attacks, ACM MC2R, October 2002]

Cooperation enforcement mechanisms

Token-based [Yang,Meng,Lu]

Nuglets [Buttyan,Hubaux]SPRITE [Zhong, Chen, Yang]

CONFIDANT[Buchegger,Le Boudec] CORE [Michiardi,Molva]Beta-Reputation [Josang,Ismail]

Reputation-based

Threshold cryptography

Micro-payment

Cooperation Enforcement Evaluation with Game Theory

• Cooperative GT– Study the size (k) of a coalition of cooperating nodes

– Nash Equilibrium lower bound on k

• Non-cooperative GT– Utility function with pricing

– Pricing used to guide the operating point (i.e. maximum of utility function) to a fair position

– ri : dynamic reputation of node ni evaluated by her neighbors

jjy

iyi

iriiyuikU

:sharerelative

:functionutility )()()(

),,,,,(),( irjbibPFEREselfEfjbibiu

[Michiardi,Molva,CMS’02, WiOpt’03] [Srinivasan,et al.,INFOCOM’03]

Simulations: CORE – uniform traffic

Simulations: TFT – uniform traffic

Summary• Specific requirements

– Self organized bootstrapping of security associations

– Cooperation enforcement

• Prospects– New tools from crypto bag of tricks (Id-based crypto, . . .)

– Integrated mechanisms: reputation + key management

• Participation in MOBILEMAN project on Ad Hoc Networks

• ESAS 2004 1st European Workshop on Security in Ad-Hoc and Sensor Networks. (5.-6. August, 2004) 

ESORICS 2004 – RAID 2004

September 13-17

Institut EURECOMSophia Antipolis - FRANCE

THANK YOU