Considerations about the Architecture Solutions for PKI in Ad-hoc-Networks

Transcription

1 Considerations about the Architecture Solutions for PKI in Ad-hoc-Networks MIHAI-LICĂ PURA, VICTOR-VALERIU PATRICIU Military Electronic and Informatics Systems Faculty Military Technical Academy George Coşbuc Bulevard, District 5, Bucharest Romania s: Abstract: Ad hoc networks are a relative new technology build with the need for ubiquitous connectivity in mind. All the things around us are coming to life. They are being equipped with computing and communication devices. But for this equipment to achieve its goals, interconnectivity is needed. Here is where ad hoc networks come into place, offering communications with out any preinstalled infrastructure. Here is where security comes into place too, because the data exchanged has to be made safe. In common networks, security is assured using PKI. Are classic solutions suitable for this new type of network? Key-words: ad hoc network, PKI, CA, certificate, public key, private key 1 Introduction When we talk about ad hoc networks we talk about connectivity. Being an implementation of the Distributed Transient Network paradigm, ad hoc networks focus on assuring the communications between the entities that want to form a network. The main characteristic of such a network is that each of its nodes acts like a router by retransmitting all the packets that it receives. This means that even if two nodes are outside of each others cover area, they can still communicate through the nodes that are between them. From the point of view of communications, the connectivity can be achieved only if the data are retransmitted by each node it reaches in order to get to all the devices in the network. From the point of view of security the fact that data gets to all the nodes is a risk factor. But in network security a new trend emerged: we no longer propose to keep the intruders out of the network (this thing had proved to be very difficult to achieve), but to protect the data from being accessed by unauthorized users. The simplest way for doing this is through public key cryptography. Public key cryptography is based on a public key infrastructure that consists out of three elements: private keys, public keys and the Certification Authority. As presented in [2], every node of the network has a private key that only it knows and a corresponding public key that can be obtain by every node that wants it. The Certification Authority is a trusted third party that is used for key management. The CA has also a public/private key pair. The private key is used by the CA to sign certificates that bind every node to its public key. The CA public key is known by all the nodes and can be used to verify the certificate of a node. The CA has to be always online and accessible by all the nodes because it is responsible for reflecting all the changes that can appear: some certificates have to be revoked (if the corresponding nodes are no longer trusted, if they were compromised or they had left the

2 network), other certificates have to be renew and the new nodes that join the ad hoc network need to obtain certificates. 2 Solutions with a CA The implementation of the above model in ad hoc networks has to take into consideration several aspects. The most obvious one is how the CA can be implemented. If the CA functions are taken by a single node of the network, this node becomes a single point of failure for the network. In military applications, for example, if this node is destroyed by the enemy, the whole network will seize to function. A solution for this problem would be the cloning of the CA on more than one node. This way the nodes that need the CA functions are more likely to be able to get them. But if the enemy will compromise one of this mirror node by getting the public key all the others are also compromised. Anyway, this approach has other weak points. The CA node will have to have special resources, different from an average node of the network: more storage resources, higher computational power (requested by all the calculation needed to be perform in key generation and in answering to all the different requests of the network nodes) and of course more battery power (unlike the other nodes, the CA will have to always be online, will have to route the packets that it receives like every other node of an ad hoc network, and of course it will have to serve all the requests concerning certificates of all the other nodes). So this node will have to be very different from the others and will act as a server. Thus a characteristic of ad hoc network is broken: the nodes have to be equal. A solution to some of these problems is the distribution of the CA s functions to an n number of nodes in the network ([1]). This means that for every request concerning certificates, a node must obtain an answer from at least k out of the n CA nodes. These k nodes have to be present at the initialization of the ad hoc network in order to receive a share of the CA private key. Then, if a node requests a certificate for another node it wants to communicate with and needs its public key, it will broadcast the request. At least k of the CA nodes will have to receive it in order to obtain a correct answer. After receiving the request, each of the k nodes must sign the requested public key with its share of the systems private key. The resulted partial signatures are than send to a combiner node C that computes the whole signature and sends it to the requesting node. The problems of this implementation are exactly the ones that can be seen as advantages. So there is not a single failure point in the network, but the fact that k+1 nodes have to be able to communicate in order to achieve a result (getting a certificate as in the example above) is a very restrictive need. Because the topology of the ad hoc network is very dynamic and the routes change very often, the communication channel can be occupied with the packets for route building between the requesting node and the k CA nodes and never with the actually exchanged data. Of course, this is an extreme situation, but if the implementation wants to be dependable it has to cover all the aspects. Beside this, the problem with nodes resources is not solved because all n CA nodes have to have lot of memory resources (they have to store the certificates for all the nodes in the network). So instead of one server node, we get n server nodes. 3 Solutions without a CA As we have seen above the implementation of key management

3 through CA is very easy to develop, but the results are far from satisfactory. Ad hoc network were build for situations where there is no infrastructure. Therefore, the presence of the CA reduces the ad hoc character of the network. So, a simplistic solution would be to consider that all the nodes are equal. There is no CA (distributed or not) in the network, but all the operations with certificates demand a group answer of the network nodes ([1]). For instance, if a node wants to obtain another node s certificate it has to identify itself to any t of the network nodes. The authors of this implementation suggest that the identification should be made through physical contact or through a secure side-channel. But this request is very restrictive and might that suite in some real implementations. Plus, the combination of the partial signatures from the t nodes requires some heavy calculations and so the performance of the network depends on the resources of the nodes. Another proposed model is based on the ID of the nodes, as in [3]. This way when two nodes want to communicate they do not need to exchange certificates in order to get one another s public key, but the ID of the nodes is used as a certificate and as the public key too. The authors suggest using human readable and unique identities as the public key, such as addresses, names, etc. This model requires the presence of a CA only at the initialization phase of the network s existence and its role is to assign to each node a secret key based on the identity used by it and to assign an expiration date to the pair thus resulted. After this step is completed the CA becomes redundant. The main advantages of this model are that no certificates are needed to bind a node to its public key and no exchange of the public key is need prior to the actual communication. The disadvantages of the model are given by the fact that after the initialization the CA knows the secret key for all the nodes in the network. This means that if it is compromised the communications in the network are not secure. Also, the necessity of a secure channel between the CA and every of the nodes in order to transmit the secret keys is also consider to be a drawback. When implementing this model some aspects are to be very carefully examined. For example, how does a new node that joins the network receives a secret key? Haw are renewed the identity-secret key pairs after the expiration date? Haw can be identified and banned a compromised node? A somehow similar model is the selfcertified public key model. Its defining characteristic is that the certificate (thus the identity of the node) is included in the node s public key. So the identity of the node is not used itself as the public key, like in the previous discussed model. Therefore, for two nodes to be able to communicate they have to first change public keys. The authenticity of the keys is provided by the keys themselves. For the generation of the self-certified public keys a CA is needed, but just in the initialization phase, exactly like in the previous model. Based on the device s public key and identity and on the CA s secret key, the CA generates the selfcertified public key. So the authentication of a node in a network is based on this self-certified public key. It can be observed that the CA does not know the secret keys of the nodes. A problem is this way solved, but another emerges: signing and encryption using these selfcertified public keys are different from regular asymmetric schemes because there is no direct correspondence between the self-certified public key and the secret key. A more suitable model for the ad hoc character of the ad hoc networks is the

4 self-organization model. As presented in [3], this model is based on PGP. Therefore the entities that form the ad hoc network issue certificates for each other based on their personal trust. This means that the model presumes that some nodes trust each other from the initialization phase of the ad hoc network. The difference from the PGP model is given by how these certificates are stored and distributed. In PGP there are special on-line servers called certificate directories that perform the storage and distribution tasks. In the self organization model, on the other hand, each of the nodes maintains a local certificate repository. A node s repository can be divided into two lists: a list of certificates that where issue by this node for the nodes that this node trust, and a list of certificates that were issue for this node by the nodes that trust it. The model presumes that each node has a public/private key pair. In the initialization phase, the nodes that trust each other issue certificates for one another for the public keys they each have. For example if node A and node B trust each other, A issues a certificate for B with is signed with A s private key, and B issues a certificate for A, witch is signed by B s private key. Node A stores the certificate it issued for B in its repository in the list of certificates of the nodes it trusts, and the certificate it receives from B, in the list of certificates from the nodes that trust it. The same thing does B to. Let s presume that after a while node A finds another node that it trust, called C. A and C do the same thing as A did with B. So when B and C will want to communicate, they merge theirs two types of certificate lists and try to find a trusted path between them. So C sends to B the certificates it receives from the nodes that trust it and the certificates that it issued for the nodes it trust. So B will receive also the certificate that A issued for C. B trusts A, and A trusts B. So B checks A s signature on the certificate issued by A for C and if it is correct B will trust C also and will issue a certificate for it. Figure 1 In [1] the authors observe that in order to verify a certificate of a node N (in the manner that B did with C) in the best case a node M has to verify only the certificates from the M s list of certificates that where issued for M. In the worst case, N will have to verify all the certificates from the trusted path, except the one that it issued. It is now obvious that the performances of this model depend on the length of the trusted path. For this, the authors propose the utilization of a PGP like graph and special algorithm for finding the shortest trust path. The authors from [1] consider that the disadvantages of the algorithm are the fact that for authentication a node has to verify more than one certificate and that the lists of certificates are changed over an insecure channel, witch makes the model vulnerable to man-in-themiddle attacks. But on the other hand this model solves many of the problems of the precedent models: there are no special nodes in the network, the nodes

5 do not need special resources (no have computations are need), and there is no need for a CA, not even in the initialization phase. The self-organization model that was last presented suits an ad hoc network in the best way. The reason is that ad hoc networks try to copy the way humans naturally relate and speak to each other. 4 Testing architecture The theoretical approaches of ad hoc networks implementation are many. But the actual implementations are rare. When it is about ad hoc routing protocols there are quite a few implemented and tested. But when it comes about security, the tests are relatively rare. If we focus only on security matters it is not very important what ad hoc routing protocol it is used. But after the security models are tested, the actual implementation of such a model will have to take into consideration the particularities of the routing protocol that it will be based on. The tests that we performed were made using Jadhoc 0.2 and WinAODV implementations of AODV ad hoc routing protocol. Jadhoc is a Java implementation of AODV protocol developed ad the University of Bremen and WinAODV is a C implementation of the same protocol from David West from Trinity College, Dublin. Booth implementations are open source and available for free on the internet. We implemented an ad hoc network of laptops used for exchanging text messages using a SIP based Java program. In the future we will extend it to multimedia messages. Over this network we tested the security models based on a CA, using an open source CA implementation available on the internet. These models were the simplest to test because the CA didn t need to be implemented and the modifications required by the PKI architecture to the message exchange program where easy to make. But in the future we propose to implement the PGP based security model that was last discussed. Some implementation details will be given in the next paragraph. 5 Conclusions The self-organization model that was last presented suits an ad hoc network in the best way. The reason is that ad hoc networks try to copy the way humans naturally relate and speak to each other. The relationships between humans are based on trust. This trust can be based on previous experience. For example, two persons that worked together and saw each other in real situations know if each can trust the other. But the trust can also be based on an already establish relation of trust. For example Mihai can trust Vlad because Andrei (witch is trusted by Mihai) trust Vlad. For these relations of trust to work, people have to be able to identify one another. If the trust relation is direct, the people recognize one another by the looks. If the trust relation was derived, the persons can identify one another through recommendations. If we take the example with Mihai and Vlad, Mihai can identify and trust Vlad if Vlad presents to Mihai a recommendation from Andrei that Mihai can verify to be authentic. After the verification of the recommendation the trust relationship between Mihai and Vlad becomes a direct one. Let s presume that two people meet. They do not know each other and they do not have common trustees either. Can a trust relation be established between the two? Why not? They observe one another for a period of time. And after seeing haw each acts in given situations they can get to trust each other. But even close friends can disappoint you some times, right? In this

6 case people decide simply not to trust the friend in cause anymore and tell everybody that that person cannot be trusted anymore. The self-organization model tries to implement these human behaviors for ad hoc networks. And the resulted implementation is not forced at all because, of course, behind every node of the network (PDA, laptop, etc.) is a human operator. Each of these nodes has to have a public/private key pair and the necessary software to be able to sign, encrypt, verify and decrypt data and generate certificates for their own public keys. At the initialization phase of the network is a high chance that lots of these nodes already knows each other and thus trust or not each other. The one that do trust each other can issue certificates for one another. The mutual identification of the nodes can be done by physical contact and the exchange of certificates must be done on a peer-topeer channel. Than the network starts to exist fulfilling the purpose it was created for. The nodes of the network that want to communicate but do not have a prior trust relationship must get into physical contact and see if they can establish a common trust path as was discussed before. If the mutual trust path does not exist they can choose to trust each other based on the observations of each other s behavior. The revocation of a trust relationship based on present observation can be made known to other nodes by sending a revocation list to all the nodes of the certificates from the certificate repository. Of course, there are many theoretical studies of the ad hoc network security. What lacks are actual implementations. [2] Arun Kumar Bayya, Siddhartha Gupte, Yogesh Kumar Shukla, Anil Garikapati, Security in Ad-Hoc Networks [3] Refik Molva, Pietro Michiardi, Security in Ad Hoc Networks [4] Srdjan Capkun, Jean-Pierre Hubaux, Levente Buttyan, Mobility Helps Security in Ad Hoc Networks [5] Vesa Karpijoki, Security in Ad Hoc Networks References: [1] Katrin Hoeper, Guang Gong, Model of Authentications in Ad Hoc Networks and Their Related Network Properties