An overview of Trust, Naming and Addressing and Establishment of security associations

Transcription

1 Security and Cooperation in Wireless Networks Georg-August University Göttingen An overview of Trust, Naming and Addressing and Establishment of security associations trust assumptions; attacker models; naming and addressing; key establishment in sensor networks; key establishment in ad hoc networks exploiting physical contact node mobility vicinity

2 Trust Trust: The belief that another party will behave according to a set of wellestablished rules and thus meet one s expectations. The trust model of current wireless networks is rather simple subscriber service provider model subscribers trust the service provider for providing the service, charging correctly, and not misusing transactional data service providers usually do not trust subscribers, and use security measures to prevent or detect fraud In the upcoming wireless networks the trust model will be much more complex entities play multiple roles (users can become service providers) number of service providers will dramatically increase user service provider relationships will become transient how to build up trust in such a volatile and dynamic environment? Trust, Naming and Addressing and Establishment of security associations Georg-August University Göttingen 1

3 Reasons to trust organizations and individuals Moral values Culture + education, fear of bad reputation Experience about a given party Based on previous interactions Rule enforcement organization E.g. police or spectrum regulator Usual behavior Based on statistical observation Rule enforcement mechanisms Prevent malicious behavior by appropriate security mechanisms and encourage cooperative behavior It is much easier to encrypt the communication than to deploy police force everywhere to check that no one is eavesdropping Trust, Naming and Addressing and Establishment of security associations Georg-August University Göttingen 2

4 Trust vs. security and cooperation trust pre-exists security all security mechanisms require some level of trust in various components of the system E.g. if I trust that my computer is not compromised and the security mechanisms I am using is not (yet) broken --> then I can do my online transactions with the legitimate belief of not being defrauded. cooperation reinforces trust trust is about the ability to predic the behavior of another party I see the other party s cooperative behavior --> so I would believe that she will continue being cooperative --> this encourages me to be cooperative --> she will trust in me Trust, Naming and Addressing and Establishment of security associations Georg-August University Göttingen 3

5 Misbehaviors: Malice and selfishness Malice: willingness to do harm no matter what Selfishness: overuse of common resources (network, radio spectrum, etc.) for one s own benefit A misbehavior consists in deliberately departing from the prescribed behavior in order to reach a specific goal A misbehavior is selfish (or greedy, or strategic) if it aims at obtaining an advantage that can be quantitatively expressed in the units (bitrate, joules, or coverage) or in a related incentive system (e.g., micropayments); any other misbehavior is considered to be malicious. traditionally, security is concerned only with malice but in the future, malice and selfishness must be considered jointly if we want to seriously protect wireless networks Trust, Naming and Addressing and Establishment of security associations Georg-August University Göttingen 4

6 Who is malicious? Who is selfish? Examples of malice and selfish behavior: A technique aiming at increasing one s share of the bandwidth (in general at the expense of other users) is selfish. An attack aiming at obtaining information about another user of the network is malicious. The attack aiming at dropping another node s packets in order to save own power is selfish. Security mechanisms: to thwart malicious behavior Game theory: to model and prevent selfish behavior There is no watertight boundary between malice and selfishness Both security and game theory approaches can be useful Trust, Naming and Addressing and Establishment of security associations Georg-August University Göttingen 5

7 Naming and Addressing naming and addressing are fundamental for networking notably, routing protocols need addresses to route packets services need names in order to be identifiable, discoverable, and useable attacks against naming and addressing address stealing adversary starts using an address already assigned to and used by a legitimate node Sybil attack a single adversarial node uses several invented addresses makes legitimate nodes believe that there are many other nodes around node replication attack dual of the Sybil attack the adversary introduces replicas of a single compromised node using the same address at different locations of the network 6

8 Illustration of the Sybil and node replication attacks Z Y X D C B A Sybil nodes C E F I A X G X B D H J replicated nodes 7

9 Cryptographically Generated Addresses (CGA) aims at preventing address stealing general idea: generate node address from a public key corresponding private key is known only by the legitimate node prove ownership of the address by proving knowledge of the private key example in case of IPv6: 8

10 Thwarting the Sybil attack note that CGAs do prevent an attacker from stealing or spoofing an address already chosen by another node CGAs do not prevent the Sybil attack an adversary can still generate addresses for herself a solution based on a central and trusted authority the central authority vouches for the one-to-one mapping between an address and a device e.g., a server can respond to requests concerning the legitimacy of a given address other solutions take advantage of some physical aspects e.g., identify the same device (when it is using a new fake address) based on radio fingerprinting or using geographic location 9

11 Thwarting the node replication attack (1/2) a centralized solution each node reports its neighbors claimed locations to a central authority (e.g., the base station in sensor networks) the central authority detects if the same address appears at two different locations assumes location awareness of the nodes A D E A C (x2, y2) base station B (x1, y1) 10

12 Thwarting the node replication attack (2/2) a decentralized variant neighbors claimed location is forwarded to witnesses witnesses are randomly selected nodes of the network if a witness detects the same address appearing at two different locations then it broadcast this information and the replicated nodes are revoked 11

13 Analysis of the decentralized variant total number of nodes in the network is n average number of neighbors is d (network degree) A broadcasts its location to its neighbors each neighbor of A forwards A s location claim with probability p to g randomly selected witnesses average number of witnesses receiving A s location claim is p.d.g Assume the attacker inserts L replicas of node A The probability that p.d.g recipients of claim l1 do not receive any of the p.d.g copies of claim l2 is: P nc1 =(1-(p.d.g)/n) (p.d.g) The probability that the 2 p*d*g recipients of claims l1 and l2 do not receive any of the p.d.g copies of claim l3 is: P nc2 =(1-(2p.d.g)/n) (p.d.g) In the same way, the probability of no collisions is: P nc =П(1-(i.p.d.g)/n) (p.d.g) (1 <= i <= (L-1)) Using (1+x)<=e^x we have: P nc <=exp( - L(L-1)(p.d.g) 2 / 2n) 12

14 Analysis of the decentralized variant then for the probability of detection: (1- P nc =)P det > 1 exp( - L(L-1)(p.d.g) 2 / 2n) numerical example: n = 10000, d = 20, g = 100, p = 0.5 L = 2 P det ~ 0.63 L = 3 P det ~ 0.95 Trust, Naming and Addressing and Establishment of security associations Georg-August University Göttingen 13

15 Establishment of security associations: Outline Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link 14

16 Key establishment in sensor networks After identification, authentication and key establishment are necessary for starting secure communication authentication and key establishment are related to each other: Once authenticated the two nodes can establish a session key An already established key can be used for future authentication A possible solution is public key cryptography: each device carries a certificate issued by the trusted authority But due to resource constraints, asymmetric key cryptography should be avoided in sensor networks: asymmetric encryption is usually harder (more complicated computation and requiring the central organization) we aim at setting up symmetric keys 15

17 Key establishment in sensor networks requirements for key establishment depend on communication patterns to be supported unicast local broadcast global broadcast need for supporting in-network processing: data aggregation on packets received from downstream nodes to make the data more impact need to allow passive participation: e.g. a node decides not to report an event to the sink if it hears another node is doing the same needs decryption necessary key types node keys shared by a node and the base station to protect packets exchanged between a node and the base station (no aggregation) link keys pairwise keys shared by neighbors (used for hop-by-hop encryption, message authentication and integrity) cluster keys shared by a node and all its neighbors (hop-by-hop encryption for local broadcast, makes passive participation possible) network key a key shared by all nodes and the base station (global broadcast) Trust, Naming and Addressing and Establishment of security associations Georg-August University Göttingen 16

18 Setting up node, cluster, and network keys node key can be preloaded into the node before deployment cluster key can be generated by the node and sent to each neighbor individually protected by the link key shared with that neighbor network key can also be preloaded in the nodes before deployment needs to be refreshed from time to time (due to the possibility of node compromise) neighbors of compromised nodes generate new cluster keys the new cluster keys are distributed to the non-compromised neighbors the base station generates a new network key the new network key is distributed in a hop-by-hop manner protected with the updated cluster keys (not available to compromised node) 17

19 Setting up link keys What remains to solve is establishing link keys They can not be pre-loaded before network deployment: no a priori knowledge of post-deployment topology it is not known a priori who will be neighbor to whom gradual deployment need to add new sensors after deployment 18

20 Link key setup using a short-term master key Sensor networks: stationary nodes, neighborhood of a node does not change frequently Link key establishment protocol in four phases: Master key pre-loading Neighbor discovery Link key computation Master key deletion Master key pre-loading: Before deployment Master key K init is loaded into the nodes Each node u computes K u = f Kinit (u) 19

21 Link key setup using a short-term master key Neighbor discovery: After the deployment node u initializes a timer Discovers its neighbors: by broadcasting HELLO message Neighbor v responds with ACK ACK: identifier of v, authenticated with K v (u still has the master key and can compute K v ) u verifies ACK link key computation: link key: K uv =f Kv (u). Master key deletion: When timer expires: u deletes K init and all K v s 20

22 Pairwise key establishment in sensor networks 1. Initialization m (<<k) keys in each sensor ( key ring of the node ) Key pool (k keys) 2. Deployment Probability for any 2 nodes to have a common key: Do we have a common key? p 1 2 (( k m)!) k!( k 2m)! Trust, Naming and Addressing and Establishment of security associations Georg-August University Göttingen 21

23 Random key pre-distribution Preliminaries Given a set S of k elements, we randomly choose two subsets S 1 and S 2 of m 1 and m 2 elements, respectively, from S. The probability of S 1 S 2 is 22

24 The basic random key pre-distribution scheme initialization phase a large pool S of unique keys are picked at random for each node, m keys are selected randomly from S and pre-loaded in the node (key ring) direct key establishment phase after deployment, each node finds out with which of its neighbors it shares a key (e.g., each node may broadcast the list of its key IDs) two nodes that discover that they share a key verify that they both actually posses the key (e.g., execute a challenge-response protocol) path key establishment phase neighboring nodes that do not have a common key in their key rings establish a shared key through a path of intermediate nodes where each link of the path is already secured in the direct key establishment phase 23

25 Setting the parameters connectivity of the graph resulting after the direct key establishment phase is crucial a result from random graph theory [Erdős-Rényi]: in order for a random graph to be connected with probability c (e.g., c = ), the expected degree d of the vertices should be (n is the number of nodes): (1) in our case, d = pn (2), where p is the probability that two nodes have a common key in their key rings, and n is the expected number of neighbors (for a given deployment density) p depends on the size k of the pool and the size m of the key ring (3) c (1) d (2) p (3) k, m 24

26 Setting the parameters an example number of nodes: n = expected number of neighbors: n = 40 required probability of connectivity after direct key establishment: c = using (1): using (2): using (3): required node degree after direct key establishment: d = required probability of sharing a key: p = 0.46 appropriate key pool and key ring sizes: k = , m = 250 k = 10000, m = 75 25

27 Qualitative analysis advantages: parameters can be adopted to special requirements no need for intensive computation path key establishment have some overhead decryption and re-encryption at intermediate nodes communication overhead but simulation results show that paths are not very long (2-3 hops) no assumption on topology easy addition of new nodes disadvantages: node capture affects the security of non-captured nodes too if a node is captured, then its keys are compromised these keys may be used by other nodes too if a path key is established through captured nodes, then the path key is compromised no authentication is provided 26

28 Improvements: q-composite rand key pre-distribution basic idea: two nodes can set up a shared key if they have at least q common keys in their key rings the pairwise key is computed as the hash of all common keys advantage: in order to compromise a link key, all keys that have been hashed together must be compromised disadvantage: probability of being able to establish a shared key directly is smaller (it is less likely to have q common keys, than to have one) key ring size should be increased (but: memory constraints) or key pool size should be decreased (but: effect of captured nodes) 27

29 Improvements: Multipath key reinforcement basic idea: establish link keys through multiple disjoint paths assume two nodes have a common key K in their key rings one of the nodes sends key shares k 1,, k j to the other through j secured disjoint paths (encrypted hop-by-hop using the key links already established in the direct key establishment phase) the key shares are protected during transit by keys that have been discovered in the direct key establishment phase the link key is computed as K + k k j If no K is common in the two nodes key rings the key would be k k j K k 2 radio connectivity shared key connectivity multipath key reinforcement 28

30 Improvements: Multipath key reinforcement advantages: in order to compromise a link key, at least one link on each path must be compromised increased resilience to node capture disadvantages: increased overhead 29

31 Establishment of security associations: Outline Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link 30

32 Exploiting physical contact target scenarios modern home with multiple remotely controlled devices DVD, VHS, HiFi, doors, air condition, lights, alarm, modern hospital mobile personal assistants and medical devices, such as thermometers, blood pressure meters, common in these scenarios transient associations between devices physical contact is possible for initialization purposes the resurrecting duckling security policy at the beginning, each device has an empty soul each empty device accepts the first device to which it is physically connected as its master (imprinting) during the physical contact, a device key is established the master uses the device key to execute commands on the device, including the suicide command after suicide, the device returns to its empty state and it is ready to be imprinted again 31

33 Establishment of security associations: Outline Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link 32

34 Does mobility increase or reduce security? Authentication and security association between two devices is not always convenient through physical contact, because the devices do not necessarily provide the appropriate interface or the users do not always carry the required cable with them Mobility is usually perceived as a major security challenge Wireless communications Unpredictable location of the user/node Not regularly availability of the user/node Higher vulnerability of the device Reduced computing capability of the devices However, very often, people gather and move to increase security Face to face meetings Transport of assets and documents Authentication by physical presence In spite of the popularity of PDAs and mobile phones, this mobility has not been exploited to provide digital security So far, client-server security has been considered as a priority (e-business) Peer-to-peer security is still in its infancy 33

35 Two scenarios Mobile ad hoc networks with a central authority off-line or on-line authority nodes or authorities generate keys authorities certify keys and node ids authorities control network security settings and membership Fully self-organized mobile ad hoc networks no central authority (not even in the initialization phase!) each user/node generates its own keys and negotiates keys with other users membership and security controlled by users themselves trust CA trust trust trust trust trust trust trust trust Authority-based Fully self organized 34

36 Routing security interdependence Routing cannot work until security associations are set up Security associations cannot be set up via multi-hop routes because routing does not work Existing solutions: Preloading all pairs of keys into nodes (it makes it difficult to introduce new keys and to perform rekeying) On-line authentication servers (problematic availability and rekeying) 35

37 Mobility helps security of routing: authority-based security systems Each node holds a certificate that binds its id with its public key, signed by the CA s PrKCA { A, PuK A } A B s PrKCA { B, PuK B } Certificate that binds B s public key with its id, issued and signed by the central authority Wireless channel - Relatively long distance - No integrity - No confidentiality The establishment of security associations within power range breaks the routing-security interdependence cycle 36

38 Advantages of the mobility approach (1/2) Mobile ad hoc networks with authority-based security systems breaks the routing-security dependence circle automatic establishment of security associations no user involvement associations can be established in power range only off-line authorities are needed straightforward re-keying 37

39 Fully self-organized scenarios: Public-key security association approaches Secure side channel mechanism: Visual recognition, conscious establishment of a two-way security association Alice (Alice, PuK Alice, XYZ) Infrared link Bob (Bob, PuK Bob, UVW) Secure side channel -Typically short distance (a few meters) - Line of sight required - Ensures integrity - Confidentiality not required 38

40 Secure side channel mechanism The node can easily verify the validation of the name because the name should correspond to the person present at the encounter Alice The node can verify that the other node really possesses the private key corresponding to the received public key using a simple challenge-response protocol. Finally the node address can be verified against the public key, e.g. by using Cryptographically Generated Addresses Assumption: NodeId = h(puk) Trust, Naming and Addressing and Establishment of security associations Georg-August University Göttingen 39

41 Friends mechanism Colin (Alice, PuK Alice, XYZ) Alice (Alice, PuK Alice, XYZ) IR Bob (Colin s friend) - Bob knows the triplet of Alice - Colin and Bob are friends: They have established a Security Association at initialisation, and they faithfully share with each other the Security Associations with other users (trust) - Bob can issue fresh certificate for Alice and send it to Colin - Colin knows the public key of Bob and trusts it: can verify the received information and accept it if verified 40

42 Mechanisms to establish Security Associations a) Encounter i j i j f f b) Mutual friend i j i j f f c) Friend + encounter i j i j Exchange of triplets over the secure side channel Two-way SA resulting from a physical encounter Friendship : nodes know each others triplets i j i knows the triplet of j ; the triplet has been obtained from a friend of i 41

43 Symmetric-key security association approaches a) Encounter: when i and j are in each other s vicinity they exchange through the side channel their user names and addresses and the data to generate a key (must be confidential) i j i j f f b) Mutual friend: i and j both have a shared key with f and also trust it; f can act as a trusted server or relay to help I and j to share a secret key i f j i f j c) Friend + encounter: when two nodes have no common friend or do not want the friend to know thier secrets shared with others: f is u s friend and has set up an association with V; g is v s friend and has set up an association with u. u generates a key contribution, k_u, and Sends it to v via g and v send its key contribution, k_v, to u via f. Then both u and v generate the k_uv using k_u and k_v. u g v Exchange of triplets over the secure side channel Two-way SA resulting from a physical encounter Friendship : nodes know each others triplets i j i knows the triplet of j ; the triplet has been obtained from a friend of i u g v Trust, Naming and Addressing and Establishment of security associations Georg-August University Göttingen 42

44 Advantages of the mobility approach (2/2) Fully self-organized mobile ad hoc networks There are no central authorities Each user/node generates its own public/private key pairs Intuitive for users Useful for setting up security associations for secure routing in smaller networks or peer-to-peer applications Requires some time until network is fully secure User/application oriented 43

45 Conclusion on security associations using mobility Mobility can help security in mobile ad hoc networks Mobility breaks the security-routing interdependence cycle The pace of establishment of the security associations is strongly influenced by the area size, the number of friends, and the speed of the nodes The proposed solution also supports re-keying The proposed solution can easily be implemented with both symmetric and asymmetric crypto 44

46 Establishment of security associations: Outline Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link 45

47 Exploiting vicinity problem how to establish a shared key between two PDAs (using the radio link when no infrared connection is available)? assumptions no CA PDAs can use short range radio communications (e.g., Bluetooth) PDAs have a display PDAs are held by human users Example: two people get together at a meeting and want to exchange their business card using their PDAs in a secure way. idea use the Diffie-Hellman key agreement protocol ensure key authentication by the human users 46

48 The Diffie-Hellman protocol Alice Bob select random x compute g x mod p g x mod p g y mod p select random y compute g y mod p compute k = (g y ) x mod p compute k = (g x ) y mod p assumptions: p is a large prime, g is a generator of subgroup Z p*, both are publicly known system parameters Diffie-Hellman with String Comparison: a protocol to ensure the integrity of the exchanged randoms (the two users will only need to trigger the protocol and just compare two strings of characters) Trust, Naming and Addressing and Establishment of security associations Georg-August University Göttingen 47

49 Summary of establishment of security associations it is possible to establish pairwise shared keys in ad hoc networks without a globally trusted third party mobility, secure side channels, and friends are helpful in sensor networks, we need different types of keys node keys, cluster keys, and network keys can be established relatively easily using the technique of key pre-loading and using already established link keys link keys can be established using a short-term master key or with the technique of random key pre-distribution 48