Transaction Privacy in Wireless Networks

Transcription

1 Transaction Privacy in Wireless Networks Catharina Candolin Telecommunications and Software Engineering Institute Helsinki University of Technology Abstract An electronic transaction involves the exchange or transfer of information, services, or funds between two or more parties by digital means. We consider privacy protection of such transactions in wireless untrusted networks and propose a solution for integrating existing schemes of data, source and destination, location, and time privacy. The solution is based on strong encryption, the Non-Disclosure Method, and threshold cryptography and meets the requirements of transaction atomicity, consistency, and robustness. Keywords: Electronic transaction, wireless network, ad hoc network, Non-Disclosure Method, threshold cryptography 1 Introduction An electronic transaction involves the exchange or transfer of information, services, or funds between two or more parties by digital means. Such transactions often require that the contents of the transaction remain secret and intact, and that the parties involved in the transaction cannot deny having participated. Electronic transactions are normally performed over untrusted, possibly wireless, networks, but whereas nodes operating in fixed networks can make certain assumptions regarding the security of the network, wireless nodes cannot. For example, wireless nodes tend to be mobile, and are thus no longer protected by their own network boundary, such as a firewall, when roaming in foreign networks. Such nodes are likely to change their location on frequent basis and the transactions they are making are easier to observe. Also, the wireless medium is extremely vulnerable to attacks, and the nodes are thus likely to become subject to surveillance, where their location and transactions are tracked and disclosed. Privacy protection traditionally includes keeping personal information or unique identifiers secret from unauthorized parties in order to prevent tracking of users or collection of personal information. A unique identifier is, for example, a network address of a node, or a public key. We focus on protecting the privacy of the electronic transactions rather than on the privacy of the nodes themselves since the transactions are likely to reveal more valuable information to an adversary than the mere existence of the node. Information involved in an electronic transaction consists of the contents of the transaction, the parties involved, the location of the parties, and the exact time of the occurrence of the transaction. 1

2 The main objective of this paper is to discuss the concept of transaction privacy in untrusted wireless networks and to propose a solution for integrating existing data, source and destination, location, and time privacy solutions. 2 Background 2.1 Wireless networking Several technologies and protocols for wireless networking have been developed in order to meet the growing interest in mobile communications. The various area of application for such networks include, among other things, personal communication systems consisting of wearable devices, wireless e-home solutions, where any home appliances can easily be connected to a network, and wireless local area networks. For example, the IEEE WLAN standard offers a solution that is applicable for most wireless networking purposes, such as local area networking and ad hoc networking. Another wireless technology is Bluetooth, which has been developed for the purpose of replacing cables. Whichever the specific area of application the wireless technology is aimed at, they all consist of nodes that are communicating with each other and making electronic transactions of various kinds. An ad hoc network is a collection of nodes that do not need to rely on a predefined infrastructure to keep the network connected. The nodes may be mobile, thus implying a wireless communications medium, and they may form, enter and leave networks in an ad hoc fashion as they move along. The main characteristics of such networks are the lack of predefined trust relationships, the unreliable nature of the network due to node movements and link quality, the lack of centralized or global authorities or entities, and weak physical security of the nodes. Public mobile telecommunication systems, such as GSM, are out of scope of this paper. Privacy protection in such networks is discussed in and [12] and [8]. 2.2 Privacy in electronic transactions Transactions are traditionally considered to be monetary transactions. We expand this view and consider any exchange or transfer of funds, information, or services to be electronic transactions. In [2], the concept of transaction privacy is defined as a service for preventing unauthorized disclosure of the contents of the transaction, the parties involved in the transaction, the location of the parties involved in the transaction, and the exact time of occurrence of the transaction. Transaction privacy thus includes the following: 1. Data privacy: the contents of the transaction should be protected from disclosure to an unauthorized party. 2. Source and destination privacy: the parties involved in the transaction should not be revealed to an unauthorized party. 2

3 3. Location privacy: the location of the parties making the transaction, be it the physical (geographical) or logical (with respect to the network), should not be disclosed to an unauthorized party. 4. Time privacy: the exact time when a transaction occurs should not be disclosed to an unauthorized party Data privacy Although the character of a transaction may be easily guessable, for example, a transaction between a node and a bank is likely to involve a transfer of funds, the exact details of the transaction must still be kept secret. For example, an adversary may be able to deduce that a transfer of funds is taking place, but not the exact amount of money transferred Source, destination, and location privacy Source and destination information present a wide area of potential misuse. In military networks, the source and destination of a communication flow may reveal details of certain nodes, which in turn may give an enemy information about the structure of the network. For example, some nodes may be more important than others, and they are likely to participate in a larger number of communications than less important nodes. The same problems arise also in public networks, where an unusually high traffic load between two companies may reveal that the two parties are somehow involved, or that a mobile user is frequently contacting certain types of services. Location information may be used to track user movements or deduce information about the structure of the network. For example, if a node is roaming in a foreign network, then anyone communicating with that node may be able to determine where the node is located at each time. This information may be collected in order to determine movement patterns. The main concern in ad hoc networks is usually not the location of one node, but rather the location of several nodes, since this information can be used to determine the structure of the network. Protecting the location information from disclosure is especially important in military networks Time privacy Time privacy [2] of an electronic transaction is a service for preventing unauthorized disclosure of the exact time of occurence of the transaction. The main objective of protecting the time of occurence of a transaction is not to completely hide the existence of the transaction, but rather to make it difficult or impossible for an adversary to determine when exactly the transaction has occurred. This might be important in time-critical systems where an adversary wishes to perform an attack only after having received knowledge of the completion of a given transaction. Information about the exact occurence of a transaction should be protected in order to prevent attacks that are triggered to the completion of a given transaction. For example, a 3

4 thief may be observing that a person is making monetary transactions in exchange of some valuable jewellery. The thief may furthermore be able to guess which person out of many is the one that performed the transaction. For example, if a transaction is made in a store with 10 people, and one of them comes out two minutes after the completion of the transaction, then it is quite likely that the person coming out is the one that just made the transaction and is now carrying an expensive piece of jewellery in his pocket. In order to protect the person from being attacked by the thief, a method for hiding the exact occurence of the transaction is required. 3 Criteria The electronic transaction must be properly executed, that is, the so called ACID properties must be fulfilled. These properties include atomicity, consistency, isolation, and durability. The transaction is also required to be robust. The transaction atomicity property means that either all of the transaction is executed or none of it. Consistency requires that all parties involved in the transactions agree on the conditions set. These requirements are important if, for example, the node to which the transaction is made suddenly becomes compromised, or if there is a conflict between the parties involved. Nodes in ad hoc networks are especially vulnerable to such problems due to low physical security. The node that initiated the transaction should be able to put the transaction on hold or interrupt it if necessary; the other party should have no means of completing the transaction on its own. Isolation of transactions basically implies that separate transactions should not interfere with each other. For example, two nodes may simultaneously try to execute the same transaction where both are trying to buy the same seat on a flight, but only one of them is allowed to succeed. The node to which the transaction is made must have some means of coping with such situations. Durability of a transaction implies that the effect of a completed transaction should not be lost if the system fails, even if the failure occurs immediately after the completion of the transaction. This is especially important in ad hoc networks, where the quality of the wireless link is bad and the nodes may be limited in battery power. The wireless medium is extremely vulnerable to disturbances, which may cause information to be delayed or destroyed. However, the completion of a transaction may be crucial for the network. The solution where traffic is assigned priorities is not feasible in most cases, since the disturbance may be caused by an attacker or the network may be an ad hoc network that lacks entities or rules for prioritizing traffic. The parties involved in the transaction cannot make any assumptions regarding the operation of the network. Therefore, the transaction must be robust in the sense that it should be able to complete also when the transmission medium is unreliable, that is, when a large amount of messages are likely to be dropped, and when an adversary is trying to interfere with the transaction. 4

5 4 Previous work 4.1 Data privacy The classical approach to protecting the data from disclosure is by encryption. Depending on the security requirements of the transaction, different encryption schemes may be applied. When the transaction is performed over a network, encryption can be enforced on the link layer, the network layer, or the application layer. Many transactions require end-to-end security to be enforced, which often means that encryption at the link or network layer is not always sufficient. However, as pointed out in [1], encryption at multiple protocol layers is not necessarily considered harmful Link layer encryption in wireless networks is mostly used to substitute the physical security provided by the wires in a fixed network, but is seldom adequate for most transactions. Network layer security may be enforced by, for example, IPSec [11], which defines a security architecture for IP based networking. Two traffic security protocols are defined; the Authentication Header (AH) [9] and the Encapsulating Security Payload (ESP) [10]. The ESP protocol provides data privacy of the contents of the IP packet. IPSec enables end-to-end encryption between two hosts, but many transactions still require end-to-end encryption at the application layer. 4.2 Source, destination, and location privacy A method that allows anonymous sending of messages through a so called mix node is presented in [3]. A sender Ë first encrypts the message Å using the public key of the receiver Ê. Then Ë encrypts the message and the address of the recipient with the public key of the mix node. The message is now sent to the mix node, which decrypts the received message and forwards it to Ê. A cascade of mix nodes is proposed in order to ensure untraceable traffic flow. In [6], the Non-Disclosure Method (NDM) for protecting source and destination privacy as well as the location privacy is introduced. The solution relies on independent security agents distributed over the network, where each agent possesses a public and private key pair. When a sender Ë wishes to transmit a message to receiver Ê it first selects Ò security agents Ë ½ Ë Ò through which the message shall be forwarded. Each security agent will only know the addresses of the previous and the next security agent in the chain. The message Å is then encapsulated using the public keys of the security agents in the following way: Å ¼ à ½ Ë ¾ à ¾ Ë ÃÒ Ê Åµ µµ. Message Å ¼ is sent to Ë ½, which decrypts it using its private key, thus finding the next hop address Ë ¾ and the message content à ¾ Ë ÃÒ Ê Åµ µµ. The message is now forwarded to Ë ¾, and so on. Ë Ò finally receives ÃÒ Ê Åµ, which it deciphers using its private key before forwarding the original message Å to Ê. The NDM method is further discussed in [7]. 5

6 4.3 Time privacy Information regarding the completion of a transaction should be protected from disclosure. A convenient solution is to distribute the transaction over time in such a way that an unauthorized party is unable to determine anything about the state of the transaction merely by eavesdropping on the stream of encrypted bytes that is transferred between the parties involved in the transaction. In fact, the unauthorized party may only deduce that the other parties are involved in a negotiation and that the occurence of transactions is probable. In [2], a method based on threshold cryptography for distributing a transaction over time is introduced. A Ø Òµ threshold scheme, where Ø Ò, is a method by which a secret Ë is not revealed unless any Ø out of Ò shares are pooled [4, 5]. However, pooling Ø ½ shares does not reveal any information about Ë. Instead of distributing the shares to different participants as is done when the scheme is used for traditional secret sharing, the shares remain with the node wishing to make the transaction. In order to apply the ideas of threshold cryptography to distribute the transaction over time, it is assumed that node wishes to perform a transaction with node. First, and agree on a threshold value Ø, and then computes Ò shares. This agreement designates the beginning of the transaction. proceeds by sending the shares one by one to. The time limit between the shares need not be fixed, and is determined by. All shares will be sent in order to prevent an adversary from deducing that a transaction has completed by the fact that no more information is sent between and. The transaction, however, is considered completed once has received Ø shares and is able to successfully determine Ë. The threshold scheme must be perfect in order to maintain transaction atomicity and consistency, that is, given any knowledge of any Ø ½ shares, no information about Ë is disclosed. This allows to interrupt the transaction if necessary, for example, if detects that has become compromised. Also, the threshold scheme must be robust, that is, if an adversary tries to interfere with the transaction by sending garbage shares, then will be able to verify that the result is wrong and ignore the wrong shares. The main concern in a wireless network and especially in an ad hoc network is not that the other parties involved are untrusted to begin with, but rather that they are compromised during the cause of the transaction. Therefore a solution where the and exchange bits little by little in such a way that brute force attacks become easier as bits are exchanged is not feasible, since, if compromised, should have no means of completing the transaction without having all the required bits. 5 An integrated solution for wireless networks In order to enforce data privacy, the contents of the transaction should be encrypted. The solution should be based on strong encryption schemes with proper key lengths. However, the choice of such schemes is out of scope of this paper. Source, destination, and location privacy can be enforced using a set of security agents, which are distributed among the network. In an ad hoc network, all nodes should have the 6

7 possibility to function as security agents.. However, the solution introduced in [6] should be modified in such a way that different security agents should be chosen for each packet. This would be the normal case in a mobile ad hoc network, since the sender cannot rely on the same security agents being able to efficiently route the whole transaction anyway. Another modification is that the message Å that is sent by sender Ë to receiver Ê should be encrypted in order to not be disclosed to the last security agent. To enforce time privacy, the message Å can be encrypted with a key that is unknown to the receiver. The sender will then proceed with sending the different shares of the decryption key to the receiver in such a way that the receiver will be able to recover Å once a minimum amount of shares has arrived. For example, if wishes to perform a transaction to, it first encrypts the message Å with a key that is secret to and unique for the transaction to be performed. The encrypted message Å ¼ is also encrypted using the public key of and is further denoted as Å ¼¼. then selects a set of security agents, through which it sends Å ¼¼ to. In order to complete the transaction, divides the decryption key into Ò shares, and starts sending them to, each via a different set of security agents. starts by decrypting the message Å ¼¼ using its private key, and then awaits for the shares of the decryption key of Å ¼ to arrive. Once has received at least Ø shares, it is able to recover the original message Å, and the transaction is complete. 6 Analysis The criteria set for the solution were transaction atomicity, consistency, isolation, and durability as well as transaction robustness. The requirement for transaction atomicity and consistency is met in our solution due to the characteristics of the threshold scheme. A perfect threshold scheme requires that Ø ½ shares do not reveal any knowledge of the secret Ë in a scheme where Ø shares are needed. Thus, a compromised node would not be able to complete the transaction or fulfill the transaction partially by taking advantage of the shares it has received. On the other hand, if an adversary is able to collect the transmitted shares and manages to compromise, then nothing prevents the adversary from completing an interrupted transaction if it has a sufficient number of shares. Transaction isolation is only partially addressed by our solution. If two nodes simultaneously initiate a transaction, it is quite unlikely that both send their shares using the same time interval. On the other hand, the problem is only shifted to the time of completion of the transaction instead of the time of initiating the transaction. The node that gets its shares through first is obviously the one that is served first. In case of the nodes fighting over the same airline ticket, this node is the one that gets a successful transaction; the transaction of the other node is practically undefined until all its shares have arrived, and once the last share arrives, the seat has already been booked. If the last shares of both nodes arrive exactly at the same time, then it is up to the node to which the transaction is performed to decide how to handle the situation. The requirement for transaction robustness is also met. For the transaction to complete, Ø 7

8 shares out of Ò are required. Any Ø shares will do; hence, some shares may be dropped in the network without affecting the transaction as such. Furthermore, is able to compute more shares if necessary. Since the threshold scheme is required to be robust, the transaction will not be affected by an adversary trying to interfere by sending garbage shares. The main problem with our solution seems to be inefficiency, since encryption is enforced several times. For example, node has to encrypt the message Å twice to enforce data and time privacy, and Ò times, where Ò is the number of security agents, to enforce source, destination, and location privacy. The solution therefore seems to be quite heavy to be used in practice, especially in ad hoc networks where the nodes are limited in CPU, memory, and battery power. Also, the criteria for transaction durability has not been addressed. The problem is left to network fault management. 7 Conclusion In this paper we have discussed the concept of transaction privacy and proposed a solution for integrating data privacy, source and destination privacy, location privacy, and time privacy. Our solution is based on strong encryption schemes to protect the contents of the transaction from disclosure, the NDM method for protecting the source, destination, and location of the parties involved in the transaction, and threshold cryptography to protect the exact time of occurence of the transaction. In order to meet the requirements set by wireless networks, we have focused on issues such as fault tolerance in order to ensure that the transactions are able to complete successfully unless explicitly interrupted by a party involved in the transaction. Our solution still have several problems, of which the two most apparent are inefficiency and routing complexity in ad hoc networks. Due to the vast number of encryptions caused mainly by the NDM method, the whole solution might end up being too inefficient to be used in practice. Also, choosing security agents in ad hoc networks may be difficult if the nodes are mobile. First of all, the message may have to be routed via nodes that are not in the set of chosen security agents. This might become a vulnerability, since an adversary could track the message as it is passed between normal nodes. Second, if one security agent is compromised or dies, then the message cannot get through. The threshold scheme provides a partial solution because it enables the transaction to complete even though all shares are not received by the target node. However, this requires that a different set of security agents are chosen for each share to be sent, which in turn adds to complexity and performance. Acknowledgements We thank Professor Hannu H. Kari for several discussions on privacy protection of electronic transactions and Professor Arto Karila for commenting some of the ideas. 8

9 References [1] A. Aziz and W. Diffie. Privacy and Authentication for Wireless Local Area Networks. In IEEE Personal Communications, First Quarter, [2] C. Candolin and H. Kari. Time Privacy of Electronic Transactions. submitted, [3] D. Chaum. Untraceable Electronic Mail. Communications of the ACM, 24(2):84 88, [4] Y. Desmedt. Threshold Cryptography. In European Transactions on Telecommunications, [5] Y. Desmedt and Y. Frankel. Threshold cryptosystems. In Advances in Cryptology Crypto 89 (Lecture Notes in Computer Science 435), [6] A. Fasbender, D. Kesdogan, and O. Kubitz. Analysis of Security and Privacy in Mobile IP. In 4th International Conference on Telecommunication Systems, Modeling and Analysis, [7] A. Fasbender, D. Kesdogan, and O. Kubitz. Variable and Scalable Security: Protection of Location Information in Mobile IP. In IEEE VTS, 46th Vehicular Technology Conference, [8] H. Federrath, A. Jerichow, D. Kesdogan, and Pfitzmann A. Security in Public Mobile Communication Networks. In Proceedings of the IFIP TC 6 International Workshop on Personal Wireless Communications, [9] S. Kent and R. Atkinson. IP Authentication Header. RFC 2402, November [10] S. Kent and R. Atkinson. IP Encapsulating Security Protocol (ESP). RFC 2406, November [11] S. Kent and R. Atkinson. Security Architecture for the Internet Protocol. RFC 2401, November [12] U. G. Wilhelm and X. Defago. Objets protégés cryptographiquement. In Actes Ren- Par 9, Lausanne, CH, May