Key Management in Ad-Hoc Networks

Similar documents
Chapter 24 Wireless Network Security

WPA Passive Dictionary Attack Overview

Chapter 17. Wireless Network Security

1 FIVE STAGES OF I.

(2½ hours) Total Marks: 75

Security in Ad Hoc Networks Attacks

Improving the Robustness of Wireless Device Pairing Using Hyphen-Delimited Numeric Comparison

L13. Reviews. Rocky K. C. Chang, April 10, 2015

BISS: Building secure routing out of an Incomplete Set of Security associations

Key establishment in sensor networks

Applied Cryptography and Computer Security CSE 664 Spring 2017

Network Encryption 3 4/20/17

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Key Agreement Schemes

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

The case for Usable Mobile Security

WPA-GPG: Wireless authentication using GPG Key

Session key establishment protocols

Session key establishment protocols

Wireless Network Security

SAS-Based Group Authentication and Key Agreement Protocols

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Group Key Establishment Protocols

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Total points: 71. Total time: 75 minutes. 9 problems over 7 pages. No book, notes, or calculator

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

1. Diffie-Hellman Key Exchange

Authentication and Key Distribution

E-commerce security: SSL/TLS, SET and others. 4.1

The Secure Shell (SSH) Protocol

Lecture 6 - Cryptography

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Considerations about the Architecture Solutions for PKI in Ad-hoc-Networks

Cryptography and Network Security

Wireless Network Security

Public Key Algorithms

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

FIPS Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN Access Points

CIS 4360 Secure Computer Systems Applied Cryptography

CMSC 414 S09 Exam 2 Page 1 of 6 Name:

The problem. Initializing Security Associations for Personal Devices. Outline. Setting up the first connection

CS Computer Networks 1: Authentication

CT30A8800 Secured communications

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Viber Encryption Overview

Security Enhanced IEEE 802.1x Authentication Method for WLAN Mobile Router

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

White Paper for Wacom: Cryptography in the STU-541 Tablet

Summary on Crypto Primitives and Protocols

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

Securing Wireless Communication Against Dictionary Attacks Without Using PKI

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

Overview. SSL Cryptography Overview CHAPTER 1

Experimenting with early opportunistic key agreement

Key establishment in sensor networks

Use of Symmetric And Asymmetric Cryptography in False Report Filtering in Sensor Networks

Secure Device Pairing based on a Visual Channel (Short Paper)

Encryption. INST 346, Section 0201 April 3, 2018

TopSec Product Family Voice encryption at the highest security level

T Cryptography and Data Security

Lecture 2 Applied Cryptography (Part 2)

Information Security CS 526

IEEE i and wireless security

Authenticating People and Machines over Insecure Networks

CPSC 467: Cryptography and Computer Security

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Public-key Cryptography: Theory and Practice

T Cryptography and Data Security

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution

Wireless LAN Security. Gabriel Clothier

Kurose & Ross, Chapters (5 th ed.)

A PROPOSED AUTHENTICATION SCHEME USING THE CONCEPT OF MINDMETRICS

WLAN The Wireless Local Area Network Consortium

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Models of Authentications in Ad Hoc Networks and Their Related Network Properties

Bluetooth low energy security, how good is it? Petter Myhre Bluetooth World, San Jose March 2017

Yet Another Secure Distance-Bounding Protocol

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Secure Initial Access Authentication in WLAN

KALASALINGAM UNIVERSITY

Formal Verification of the WireGuard Protocol

Chapter - 6 WIRELESS NETWORK SECURITY

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Wi-Fi Security for Next Generation Connectivity. Perry Correll Aerohive, Wi-Fi Alliance member October 2018

Watermark-Based Authentication and Key Exchange in Teleconferencing Systems

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

Cryptography and Network Security. Sixth Edition by William Stallings

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Intuitive and Sensible Access Control Policies N. Asokan

Transcription:

Key Management in Ad-Hoc Networks Jukka Valkonen Helsinki University of Technology Laboratory for Theoretical Computes Science jukka.valkonen@tkk.fi Abstract. Key management is crucial part of security in communications. In wireless ad-hoc network, the issue is even bigger. As there is no infrastructure in the network, the distribution of encryption keys in an authenticated manner is a difficult task. In this paper, key management aspects are discussed by first describing different key management approaches followed by some ways to authenticate key exchange protocols. Finally short overview of keys in Wireless LAN is given. 1 Introduction The wireless nature of ad-hoc networks enables easy eavesdropping of communications for adversaries. Thus it is crucial for the devices to share encryption keys to enable encryption of all data transmitted through the wireless medium. As ad-hoc networks lack all kind of an infrastructure, sharing these encryption keys is not an easy task. The devices need to be sure that they are actually communicating with the intended recipient and not some other device masquerading as a legitimate one. The lack of infrastructure is not the only difficulty for key generation in ad-hoc networks. In many cases, the devices are very constrained, both in computational capacity and input/output capabilities. In this paper, some key management aspects of ad-hoc networks are described. This paper concentrates on basis of authenticated key agreement, and the limitations of computationally constrained devices has been left away. See [Ekb06] for discussion on constrained devices. The paper is organized as follows. Section 2 discusses different approaches to key management. In Section 3 some protocols for authenticated key agreement are discussed. As an example of a real world system, Section 4 discusses key management in Wireless LAN. In Section 5 conclusions are given. 2 Key Management Approaches Different approaches for key management are listed in [MM04]. These are key predistribution, key transport, key arbitration and key agreement. These approaches are discussed next.

2.1 Key Predistribution In key predistribution the keys are distributed to the devices participating in the communication beforehand. The system is inflexible, all the devices sharing the key must be known when the system is initiated. 2.2 Key Transport In key transport methods, the key is transmitted when needed. The transport is initiated by one device; a device generates a key that is then transmitted to the recipients. This transmission is usually encrypted using some prior shared key encryption key (KEK). In such methods, some way for the devices to know the KEK is needed. With public key infrastructure (PKI), the key transmission could be done using the public keys of recipients. However, in ad-hoc networks, PKI can not be held as a requirement. One possible method for key transport utilizing key encryption keys given in [MM04] is called Shamir s three-pass protocol, illustrated in Figure 1. The protocol is based on invertible functions f and g that commute, that is f(g(z)) = g(f(z)). 1. D 1 generates random key K and encrypts it using f with random key x and sends the value to D 2 D 1 D 2: f x(k) 2. D 2 encrypts the received message using g and a random key y and sends the value to D 1 D 1 D 2: g y(f x(k)) 3. D 1 decrypts the received value using f 1 and x and sends the value to D 2 D 1 D 2: f 1 (g y(f x(k))) = fx 1 (f x(g y(k))) = g y(k) 4. D 2 decrypts the received value using g 1 and y. Fig.1. Shamir s three-pass protocol Recently, standardization organizations have adopted key transport as one possible way to transmit keys. Both Bluetooth Simple Pairing [Blu06] and Wi-Fi Protected Setup [Wi-07] can use some out-of-band channels to transmit network credentials between the devices. The out-of-band channel can be implemented for example using Near Field Communication (NFC) or USB Flash drives (UFD). 2.3 Key Arbitration In key arbitration, one device in the network is used to create and transmit keys to devices. Key arbitration methods are not very suitable for ad-hoc networks, as one central node is needed to be accessible for all the other nodes all the time. In a network with infrastructure, the access point acts usually as the arbitrator.

2.4 Key Agreement In key agreement protocols, some asymmetric key algorithm is used to negotiate the key. Probably the most common algorithm is called Diffie-Hellman key agreement protocol [DH76]. The protocol provides an unauthenticated key agreement; a passive attacker is not able to derive the shared secret, but an active attacker is able to masquerade as a man-in-the-middle an participate in the key agreement without the legitimate devices noticing. The protocol is depicted in Figure 2. Fig.2. Diffie-Hellman Key Exchange 3 Authenticated Key Management 3.1 Methods Based on a Passkey One possibility to authenticate key agreement is to use a shared passkey. Such methods are proposed for example in [GMN04,BM92]. The basic principle behind the protocols is that the attacker is not able to masquerade as a legitimate device as it does not know the passkey. A version of a MANA III protocol described in [GMN04] is depicted in Figure 3, where PK 1 and PK 2 are the public keys of the devices. The protocol needs to run at least twice with different passkeys P i ; first to authenticate the values and then to verify the authentication. For example, Bluetooth Simple Pairing [Blu06] uses 20 rounds. Other possibility is to use the human as the verifier: after the protocol has run, the user indicates the success or failure to both devices. A natural extension for a pairwise protocol is to create a shared key between a group of devices. Asokan and Ginzboorg present in [AG00] group key agreement methods based on Encrypted Key Exchange (EKE) -protocol proposed in [BM92]. The protocol is depicted in Figure 4, where R i denotes a random value selected by ith device, P(data) denotes encryption using the shared secret, K(data) denotes encryption using the negotiated shared key K and H(data) is a one-way hash function. As a result of the protocol, all n devices share the same key g R1R2...Rn mod p.

1. D 1 generates a long random value R i1, computes commitment h i1 = h(1, PK 1, PKˆ 2, P i, R i1) and sends it to D 2 D 1 D 2: h i1 2. D 2 generates a long random value R 2, computes commitment h i2 = h(2, PK 2, PKˆ 1, P i, R i2) and sends it to D 1 D 1 D 2: h i2 3. D 1 responds by opening its commitment and sending R i1 to D 2 D 1 D 2: R i1 D 2 checks if ĥi1 =? h(1, PKˆ 1, PK 2, P i, ˆR i1) 4. D 2 responds by opening its commitment and sending R i2 to D 1 D 1 D 2: R i2 D 1 checks if ĥi2 =? h(2, PK 1, PKˆ 2, P i, ˆR i2) and aborts if it does not hold. Fig.3. Round i of Authentication by (Short) Shared Secret 1. D i D i+1 : g R 1R 2...R i mod p, i = 1,..., n 2 2. D n 1 ALL: π = g R 1R 2...R n 1 mod p 3. D i D n: P(c i), R i = 1,..., n 1, where c i = π i and R i is a fresh random number generated by D i 4. D n D i: c Rn i, i = 1,..., n 1 5. D i ALL: D i, K(D i, H(D 1, D 2,..., D n )) for some i Fig.4. EKE-based Group Diffie-Hellman key agreement method R i 3.2 Methods Based on a Verification String If the devices have more restricted input capabilities but good displays, the key negotiation can be authenticated using so called short authenticated strings, as proposed for example by [ČČH06] and [LAN05]. In these methods, the devices compute a short verification string from the negotiated material. This string is displayed to the user, whose task it is to compare the strings. In case the strings are equal, the devices share the same key and thus the association was successful. Otherwise, the devices have negotiated a shared key with an attacker or some other device, and thus the association failed. The basic three-round protocol from [LAN05] is depicted in Figure 5. It should be noted, that protocols based on a verification string are inherently less secure than methods based on a passkey, as the user is able to do fatal errors by signaling false acceptance to the devices. With passkey based protocols, this is not the case, as if the user enters wrong passkey, the key agreement algorithm fails. As was the case with the with passkey based protocols, also numeric comparison protocols can be extended to handle group key negotiation, as is described in [VAN06]. The protocol utilizes Diffie-Hellman key agreement protocol extended to multi-party case. As a result of the protocol, all devices compute a short verification string from the keying material and random values. Each of the devices

1. D 1 generates a long random value R 1, computes commitment h = h(r 1) and sends it to D 2 D 1 D 2: h 2. D 2 generates a long random value R 2 and sends it to D 1 D 1 D 2: R 2 3. D 1 opens its commitment by sending R 1 to D 2 D 1 D 2: R 1? 4. D 2 checks if ĥ = h( ˆR 1) If equality holds, D 2 computes v 2 = f( PKˆ 1, PK 2, ˆR 1, R 2), otherwise it aborts. D 1 computes v 1 = f(pk 1, PKˆ 2, R 1, ˆR 2). 5. Both devices check if v 1 equals v 2. Fig.5. Authentication by Short Integrity Checksum display the string for the users to compare. If and only if all the devices display the same string, the users acknowledge the procedure for all of the devices. 3.3 Threshold Cryptography Contradicting the properties of ad-hoc networks, the authors of [MM04] describe also usage of public key infrastructure as a possible way for key agreement. In such methods, the network includes certifying authorities (CAs) that binds keys to specific nodes by means of certificates. In the method described in [MM04] the networks includes n servers providing the certificates, out of which t + 1 are needed for creation of the certificate but t is not enough. The system requires that n 3 t + 1. When signing a public key, the servers create partial signatures and send them to combiner, which then generates the signature using t + 1 partial signatures and verifies the result. If the verification fails, another subset of partial signatures is tried. 3.4 Self-Organized Key Management In [MM04] describe also self-organized public-key management originally proposed by Čapkun, et al., in [ČBH03]. The system does not need any kind of infrastructure to authenticate keys. Their method is based on the users issuing certificates to each other based on personal acquaintance. These certificates are used to bind a public key and a node. The devices store in a local repository all certificates the other devices have issued to the device and the certificates the devices has issued to other devices. The devices periodically exchange information about these repositories by requesting new certificates from neighbors. If a conflict is found, some method for resolving such conflicts is used. The devices are organized into a certificate graph, where vertices are public keys of nodes edges are certificates issued by the users. When a device wishes to obtain a public key of some other device, it finds a chain of certificates between themselves.

4 Case: WLAN The key management approaches described previously in this paper are used on the upper layers of the protocol stack. In addition to these keys, lower level keys are used to actually encrypt transmitted data. To give an insight about what actually happens after the upper layer keys have been negotiated, this section briefly discusses key hierarchies of Wireless LAN [IEE06,IEE]. After the devices have negotiated a pair-wise master key using some method described previously, they install it into MAC-layer. This key is then used to derive pair-wise transient keys and group temporal keys (GTK). The pair-wise transient key (PTK) is negotiated using four way handshake depicted in Figure 6, where ANonce and SNonce are random nonces used to guarantee freshness, PMKID is identifier for pair-wise master key negotiated, MICs stand for message integrity codes and KCK (key confirmation key) and KEK (key encryption key) are subkeys derived from PTK. As a result of the handshake, the devices share pair-wise encryption keys, key confirmation keys and key encryption keys used to secure pair-wise communications. 1. D A D S: ANonce, PMKID 2. D A D S: SNonce, MIC KCK 3. D A D S: ANonce, MIC KCK, E KEK(GTK) 4. D A D S: MIC KCK Fig.6. Simplified 4-way handshake used in WLAN During the four way handshake, the devices also transmit group temporal keys encrypted using the output of the handshake. This group temporal key is sender specific; the sender negotiates a 4-way handshake with all the intended recipients and transmits the key to these. Only the sender uses this key to encrypt data, the recipients use the key only to decrypt. This kind of construction works well when the network is constructed in infrastructure mode, where all devices are attached to base station performing all the multicasts. In ad-hoc mode, the situation is different, as in order to generate a multicast group where all devices need to transmit to all devices, they all need first to generate pair-wise keys on the upper level, run the MAC-layer handshake and transmit the group key to other devices. See [NV07] for more thorough discussion on multicast aspects on MAC-layer. 5 Conclusions Key management in ad-hoc networks is a difficult problem. In this paper, some aspects of key management approaches based on [MM04] have been discussed.

The classification described in Section 2 is just one possible, see [SVA07] for a different kind of classification. From the key management point of view, it is not enough to create a method that can be used to create a shared secret between the devices, the underlying communications protocol must also be taken into consideration. As it can be seen, there is no single method for key management that can be used in all cases. If some way works in some kind of network, it might not work with another kind. References [AG00] N. Asokan and Philip Ginzboorg. Key Agreement in Ad-hoc Networks. Computer Communications Review, 23(17):1627 1637, November 2000. [Blu06] Bluetooth SIG. Bluetooth Simple Pairing Whitepaper. Technical report, Bluetooth SIG, 2006. http://www.bluetooth.com/bluetooth/apply/technology/ Research/Simple_Pairing.htm. [BM92] Steven M. Bellovin and Michael Merritt. Encrypted Key Exchange: Password- Based Protocols Secure Against Dictionary Attacks. In 1992 IEEE Computer Society Symposium, pages 72 84, 1992. [ČBH03] Srdjan Čapkun, Levente Buttyan, and Jean-Pierre Hubaux. Self-organized public-key management for mobile ad hoc networks. IEEE Transactions on Mobile Computing, 2(1):52 64, 2003. [ČČH06] Mario Čagalj, Srdjan Čapkun, and Jean-Pierre Hubaux. Key Agreement in Peer-to-Peer Wireless Networks. Proceedings of the IEEE (Special Issue on Security and Cryptography), 92(2):467 478, February 2006. [DH76] Whitfield Diffie and Martin E. Hellman. New Directions In Cryptography. IEEE Transactions on Information Theory, IT-22:644 654, 1976. [Ekb06] Jan-Erik Ekberg. Key establishment in constrained devices. http://www.tcs.hut.fi/studies/t-79.7001/2006aut/seminar-papers/ Ekberg-paper-final.pdf, 2006. [GMN04] Christian Gehrmann, Chris J. Mitchell, and Kaisa Nyberg. Manual Authentication for Wireless Devices. RSA Cryptobytes, 7(1), 2004. [IEE] IEEE 802.11TM WIRELESS LOCAL AREA NETWORKS - The Working Group for WLAN Standards. http://grouper.ieee.org/groups/802/11/. [IEE06] IEEE. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specif ications. Unpublished Draft v8.0, 2006. [LAN05] Sven Laur, N. Asokan, and Kaisa Nyberg. Efficient Mutual Data Authentication Using Manually Authenticated Strings. Cryptology eprint Archive, Report 2005/424, 2005. http://eprint.iacr.org/. [MM04] C. Siva Ram Murthy and B. S. Manoj. Ad Hoc Wireless Networks: Architectures and Protocols. Prentice Hall, 2004. [NV07] Kaisa Nyberg and Jukka Valkonen. Wireless Group Security Using MAC Layer Multicast, 2007. Accepted to WoWMoM 2007. [SVA07] Jani Suomalainen, Jukka Valkonen, and N. Asokan. Security Associations in Personal Networks: A Comparative Survey. Technical Report NRC-TR-2007-004, Nokia Research Center and VTT Technical Research Centre of Finland, 2007. http://research.nokia.com/tr/nrc-tr-2007-004.pdf. [VAN06] Jukka Valkonen, N. Asokan, and Kaisa Nyberg. Ad Hoc Security Associations for Groups. Accepted to ESAS 2006, 2006.

[Wi-07] Wi-Fi Alliance. Wi-Fi Protected Setup Specification. Wi-Fi Alliance Document, January 2007.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback