1 / 49

An overview of Trust, Naming and Addressing and Establishment of security associations

An overview of Trust, Naming and Addressing and Establishment of security associations. trust assumptions; attacker models; n aming and addressing; key establishment in sensor networks; key establishment in ad hoc networks exploiting physical contact node mobility vicinity. Trust.

dora
Download Presentation

An overview of Trust, Naming and Addressing and Establishment of security associations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An overview of Trust, Naming and Addressing and Establishment of security associations trust assumptions; attacker models; naming and addressing; key establishment in sensor networks; key establishment in ad hoc networks exploiting physical contact node mobility vicinity

  2. Trust • Trust: The belief that another party will behave according to a set of well-established rules and thus meet one’s expectations. • The trust model of current wireless networks is rather simple • subscriber–service provider model • subscribers trust the service provider for providing the service, charging correctly, and not misusing transactional data • service providers usually do not trust subscribers, and use security measures to prevent or detect fraud • In the upcoming wireless networks the trust model will be much more complex • entities play multiple roles (users can become service providers) • number of service providers will dramatically increase • user–service provider relationships will become transient • how to build up trust in such a volatile and dynamic environment?

  3. Reasons to trust organizations and individuals • Moral values • Culture + education, fear of bad reputation • Experience about a given party • Based on previous interactions • Rule enforcement organization • E.g. police or spectrum regulator • Usual behavior • Based on statistical observation • Rule enforcement mechanisms • Prevent malicious behavior by appropriate security mechanisms and encouragecooperative behavior • It is much easier to encrypt the communication than to deploy police force everywhere to check that no one is eavesdropping

  4. Trust vs. security and cooperation • trust pre-exists security • all security mechanisms require some level of trust in various components of the system • E.g. if I trust that my computer is not compromised and the security mechanisms I am using is not (yet) broken --> then I can do my online transactions with the legitimate belief of not being defrauded. • cooperation reinforces trust • trust is about the ability to predict the behavior of another party • I see the other party’s cooperative behavior --> so I would believe that she will continue being cooperative --> this encourages me to be cooperative --> she will trust in me

  5. Misbehaviors: Malice and selfishness • Malice: willingness to do harm no matter what • Selfishness: overuse of common resources (network, radio spectrum, etc.) for one’s own benefit • A misbehavior consists in deliberately departing from the prescribed behavior in order to reach a specific goal • A misbehavior is selfish (or greedy, or strategic) if it aims at obtaining an advantage that can be quantitatively expressed in the units (bitrate, joules, or coverage) or in a related incentive system (e.g., micropayments); any other misbehavior is considered to be malicious. • traditionally, security is concerned only with malice • but in the future, malice and selfishness must be considered jointly if we want to seriously protect wireless networks

  6. Who is malicious? Who is selfish? • Examples of malice and selfish behavior: • A technique aiming at increasing one’s share of the bandwidth (in general at the expense of other users) is selfish. • An attack aiming at obtaining information about another user of the network is malicious. • The attack aiming at dropping another node’s packets in order to save own power is selfish. Security mechanisms: to thwart malicious behavior Game theory: to model and prevent selfish behavior There is no watertight boundary between malice and selfishness  Both security and game theory approaches can be useful

  7. Naming and Addressing • naming and addressing are fundamental for networking • notably, routing protocols need addresses to route packets • services need names in order to be identifiable, discoverable, and useable • attacks against naming and addressing • address stealing • adversary starts using an address already assigned to and used by a legitimate node • Sybil attack • a single adversarial node uses several invented addresses • makes legitimate nodes believe that there are many other nodes around • node replication attack • dual of the Sybil attack • the adversary introduces replicas of a single compromised node using the same address at different locations of the network

  8. Illustration of the Sybil and node replication attacks Z Y D C B Sybil nodes A X E I C F A X G X B D H J replicated nodes

  9. Cryptographically Generated Addresses (CGA) • aims at preventing address stealing • general idea: • generate node address from a public key • corresponding private key is known only by the legitimate node • prove ownership of the address by proving knowledge of the private key • example in case of IPv6:

  10. Thwarting the Sybil attack • note that CGAs do prevent an attacker from stealing or spoofing an address already chosen by another node • CGAs do not prevent the Sybil attack • an adversary can still generate addresses for herself • a solution based on a central and trusted authority • the central authority vouches for the one-to-one mapping between an address and a device • e.g., a server can respond to requests concerning the legitimacy of a given address • other solutions take advantage of some physical aspects • e.g., identify the same device (when it is using a new fake address) based on radio fingerprinting or using geographic location

  11. A @ (x2, y2) A @ (x1, y1) Thwarting the node replication attack (1/2) • a centralized solution • each node reports its neighbors’ claimed locations to a central authority (e.g., the base station in sensor networks) • the central authority detects if the same address appears at two different locations • assumes location awareness of the nodes A D E A base station C B

  12. Thwarting the node replication attack (2/2) • a decentralized variant • neighbors’ claimed location is forwarded to witnesses • witnesses are randomly selected nodes of the network • if a witness detects the same address appearing at two different locations then it broadcast this information and the replicated nodes are revoked

  13. Analysis of the decentralized variant • total number of nodes in the network is n • average number of neighbors is d (network degree) • A broadcasts its location to its neighbors • each neighbor of A forwards A’s location claim with probability p to g randomly selected witnesses • average number of witnesses receiving A’s location claim is p.d.g • Assume the attacker inserts L replicas of node A • The probability that p.d.g recipients of claim l1 do not receive any of the p.d.g copies of claim l2 is: Pnc1 =(1-(p.d.g)/n) (p.d.g) • The probability that the 2 p*d*g recipients of claims l1 and l2 do not receive any of the p.d.g copies of claim l3 is: Pnc2 =(1-(2p.d.g)/n) (p.d.g) • In the same way, the probability of no collisions is: Pnc=П(1-(i.p.d.g)/n)(p.d.g) (1 <= i <= (L-1)) Using (1+x)<=e^x we have: Pnc<=exp( - L(L-1)(p.d.g)2 / 2n)

  14. Analysis of the decentralized variant • then for the probability of detection: (1- Pnc =)Pdet > 1 – exp( - L(L-1)(p.d.g)2 / 2n) • numerical example: n = 10000, d = 20, g = 100, p = 0.5 L = 2  Pdet ~ 0.63 L = 3  Pdet ~ 0.95

  15. Establishment of security associations: Outline Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link

  16. Key establishment in sensor networks • After identification, authentication and key establishment arenecessary for starting secure communication • authentication and key establishment are related to each other: • Once authenticated the two nodes can establish a session key • An already established key can be used for future authentication • A possible solution is public key cryptography: each device carries a certificate issued by the trusted authority • But due to resource constraints, asymmetric key cryptography should be avoided in sensor networks: asymmetric encryption is usually harder (more complicated computation and requiring the central organization) • we aim at setting up symmetric keys

  17. Key establishment in sensor networks • requirements for key establishment depend on • communication patterns to be supported • unicast • local broadcast • global broadcast • need for supporting in-network processing: data aggregation on packets received from downstream nodes to make the data more impact • need to allow passive participation: e.g. a node decides not to report an event to the sink if it hears another node is doing the same  needs decryption • necessary key types • node keys – shared by a node and the base station to protect packets exchanged between a node and the base station (no aggregation) • link keys – pairwise keys shared by neighbors (used for hop-by-hop encryption, message authentication and integrity) • cluster keys – shared by a node and all its neighbors (hop-by-hop encryption for local broadcast, makes passive participation possible) • network key – a key shared by all nodes and the base station (global broadcast)

  18. Setting up node, cluster, and network keys • node key • can be preloaded into the node before deployment • cluster key • can be generated by the node and sent to each neighbor individually protected by the link key shared with that neighbor • network key • can also be preloaded in the nodes before deployment • needs to be refreshed from time to time (due to the possibility of node compromise) • neighbors of compromised nodes generate new cluster keys • the new cluster keys are distributed to the non-compromised neighbors • the base station generates a new network key • the new network key is distributed in a hop-by-hop manner protected with the updated cluster keys (not available to compromised node)

  19. Setting up link keys • What remains to solve is establishing link keys • They can not be pre-loaded before network deployment: • no a priori knowledge of post-deployment topology • it is not known a priori who will be neighbor to whom • gradual deployment • need to add new sensors after deployment

  20. Link key setup using a short-term master key • Sensor networks: stationary nodes, neighborhood of a node does not change frequently • Link key establishment protocol in four phases: • Master key pre-loading • Neighbor discovery • Link key computation • Master key deletion • Master key pre-loading: • Before deployment • Master key Kinitis loaded into the nodes • Each node u computes Ku = fKinit (u)

  21. Link key setup using a short-term master key • Neighbor discovery: • After the deployment node u initializes a timer • Discovers its neighbors: by broadcasting HELLO message • Neighbor v responds with ACK • ACK: identifier of v, authenticated with Kv (u still has the master key and can compute Kv) • u verifies ACK • link key computation: • link key: Kuv=fKv (u). • Master key deletion: • When timer expires: udeletes Kinitand all Kv s

  22. 2. Deployment Probability for any 2 nodes to have a common key: Do we have a common key? Pairwise key establishment in sensor networks 1. Initialization m (<<k) keys in each sensor (“key ring of the node”) Keypool(k keys)

  23. Random key pre-distribution – Preliminaries Given a set S of k elements, werandomly choose two subsets S1 and S2 of m1 and m2 elements, respectively,from S. The probability of S1Ç S2¹Æis

  24. The basic random key pre-distribution scheme • initialization phase • a large pool S of unique keys are picked at random • for each node, m keys are selected randomly from S and pre-loaded in the node (key ring) • direct key establishment phase • after deployment, each node finds out with which of its neighbors it shares a key (e.g., each node may broadcast the list of its key IDs) • two nodes that discover that they share a key verify that they both actually posses the key (e.g., execute a challenge-response protocol) • path key establishment phase • neighboring nodes that do not have a common key in their key rings establish a shared key through a path of intermediate nodes where each link of the path is already secured in the direct key establishment phase

  25. Setting the parameters • connectivity of the graph resulting after the direct key establishment phase is crucial • a result from random graph theory [Erdős-Rényi]: in order for a random graph to be connected with probability c (e.g., c = 0.9999), the expected degree d of the vertices should be (n is the number of nodes): (1) • in our case, d= pn’ (2), where p is the probability that two nodes have a common key in their key rings, and n’ is the expected number of neighbors (for a given deployment density) • p depends on the size k of the pool and the size m of the key ring (3) • cd pk, m (1) (2) (3)

  26. Setting the parameters – an example • number of nodes: n = 10000 • expected number of neighbors: n’ = 40 • required probability of connectivity after direct key establishment: c = 0.9999 • using (1): required node degree after direct key establishment: d = 18.42 • using (2): required probability of sharing a key: p = 0.46 • using (3): appropriate key pool and key ring sizes: k = 100000, m = 250 k = 10000, m = 75 …

  27. Qualitative analysis • advantages: • parameters can be adopted to special requirements • no need for intensive computation • path key establishment have some overhead … • decryption and re-encryption at intermediate nodes • communication overhead • but simulation results show that paths are not very long (2-3 hops) • no assumption on topology • easy addition of new nodes • disadvantages: • node capture affects the security of non-captured nodes too • if a node is captured, then its keys are compromised • these keys may be used by other nodes too • if a path key is established through captured nodes, then the path key is compromised • no authentication is provided

  28. Improvements: q-composite rand key pre-distribution • basic idea: • two nodes can set up a shared key if they have at least q common keys in their key rings • the pairwise key is computed as the hash of all common keys • advantage: • in order to compromise a link key, all keys that have been hashed together must be compromised • disadvantage: • probability of being able to establish a shared key directly is smaller (it is less likely to have q common keys, than to have one) • key ring size should be increased (but: memory constraints) or key pool size should be decreased (but: effect of captured nodes)

  29. K k2 radio connectivity shared key connectivity multipath key reinforcement Improvements: Multipath key reinforcement • basic idea: • establish link keys through multiple disjoint paths • assume two nodes have a common key K in their key rings • one of the nodes sends key shares k1, …, kj to the other through j secured disjoint paths (encrypted hop-by-hop using the key links already established in the direct key establishment phase) • the key shares are protected during transit by keys that have been discovered in the direct key establishment phase • the link key is computed as K + k1 + … + kj • If no K is common in the two nodes’ key rings the key would be k1 + … + kj

  30. Improvements: Multipath key reinforcement • advantages: • in order to compromise a link key, at least one link on each path must be compromised  increased resilience to node capture • disadvantages: • increased overhead

  31. Establishment of security associations: Outline Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link

  32. Exploiting physical contact • target scenarios • modern home with multiple remotely controlled devices • DVD, VHS, HiFi, doors, air condition, lights, alarm, … • modern hospital • mobile personal assistants and medical devices, such as thermometers, blood pressure meters, … • common in these scenarios • transient associations between devices • physical contact is possible for initialization purposes • the resurrecting duckling security policy • at the beginning, each device has an empty soul • each empty device accepts the first device to which it is physically connected as its master (imprinting) • during the physical contact, a device key is established • the master uses the device key to execute commands on the device, including the suicide command • after suicide, the device returns to its empty state and it is ready to be imprinted again

  33. Establishment of security associations: Outline Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link

  34. Does mobility increase or reduce security ? • Authentication and security association between two devices is not always convenient through physical contact, because the devices do not necessarily provide the appropriate interface or the users do not always carry the required cable with them • Mobility is usually perceived as a major security challenge • Wireless communications • Unpredictable location of the user/node • Not regularly availability of the user/node • Higher vulnerability of the device • Reduced computing capability of the devices • However, very often, people gather and move to increase security • Face to face meetings • Transport of assets and documents • Authentication by physical presence • In spite of the popularity of PDAs and mobile phones, this mobility has not been exploited to provide digital security • So far, client-server security has been considered as a priority (e-business) • Peer-to-peer security is still in its infancy

  35. Two scenarios • Mobile ad hoc networks with a central authority • off-line or on-line authority • nodes or authorities generate keys • authorities certify keys and node ids • authorities control network security settings and membership • Fully self-organized mobile ad hoc networks • no central authority (not even in the initialization phase !) • each user/node generates its own keys and negotiates keys with other users • membership and security controlled by users themselves trust trust CA trust trust trust trust trust trust trust Fully self organized Authority-based

  36. Routing – security interdependence • Existing solutions: • Preloading all pairs of keys into nodes (it makes it difficult to introduce new keys and to perform rekeying) • On-line authentication servers (problematic availability and rekeying) • Routing cannot work until security associations are set up • Security associations cannot be set up via • multi-hop routes because routing does not work

  37. Mobility helps security of routing: authority-based security systems Each node holds a certificate that binds its id with its public key, signed by the CA { A,PuKA} sPrKCA A B { B, PuKB} sPrKCA • Wireless channel • Relatively long distance • No integrity • No confidentiality Certificate that binds B’s public key with its id, issued and signed by the central authority The establishment of security associations within power range breaks the routing-security interdependence cycle

  38. Advantages of the mobility approach (1/2) • Mobile ad hoc networks with authority-based security systems • breaks the routing-security dependence circle • automatic establishment of security associations • no user involvement • associations can be established in power range • only off-line authorities are needed • straightforward re-keying

  39. Fully self-organized scenarios: Public-key security association approaches Secure side channel mechanism: Visual recognition, conscious establishment of a two-way security association   (Alice, PuKAlice, XYZ) Bob Alice Infrared link (Bob, PuKBob , UVW) • Secure side channel • Typically short distance (a few meters) • Line of sight required • - Ensures integrity • - Confidentiality not required

  40. Secure side channel mechanism  Alice The node can easily verify the validation of the name because the name should correspond to the person present at the encounter The node can verify that the other node really possesses the private key corresponding to the received public key using a simple challenge-response protocol. Finally the node address can be verified against the public key, e.g. by using Cryptographically Generated Addresses Assumption: NodeId = h(PuK)

  41. Friends mechanism Colin (Alice, PuKAlice, XYZ) Bob (Colin’s friend) Alice (Alice, PuKAlice, XYZ) IR • - Bob knows the triplet of Alice • Colin and Bob are friends: They have established a Security Association at initialisation, • and they faithfully share with each other the Security Associations with other users (trust) • - Bob can issue fresh certificate for Alice and send it to Colin • - Colin knows the public key of Bob and trusts it: can verify the received information and • accept it if verified

  42. i i i i i i f f f f j j j j j j Mechanisms to establish Security Associations a) Encounter b) Mutual friend c) Friend + encounter Exchange of triplets over the secure side channel Two-way SA resulting from a physical encounter Friendship : nodes know each others’ triplets i knows the triplet of j ;the triplet has been obtained from a friend of i j i

  43. u i i u i i f f g f g f v j v j j j Symmetric-key security association approaches a) Encounter: when i and j are in each other’s vicinity they exchange through the side channel their user names and addresses and the data to generate a key (must be confidential) b) Mutual friend: i and j both have a shared key with f and also trust it; f can act as a trusted server or relay to help I and j to share a secret key • Friend + encounter: when • twonodes have no commonfriend or • do not want the friend to know thier secrets • sharedwithothers: • f isu’sfriendand has set up an association with • V; g isv’sfriend and has set up an association • with u. u generates a key contribution, k_u, and • Sendsit to v via g and v sendits key contribution, k_v, • to u via f. Thenboth u and v generate the k_uvusing • k_u and k_v. Exchange of triplets over the secure side channel Two-way SA resulting from a physical encounter Friendship : nodes know each others’ triplets j i i knows the triplet of j ;the triplet has been obtained from a friend of i

  44. Advantages of the mobility approach (2/2) • Fully self-organized mobile ad hoc networks • There are no central authorities • Each user/node generates its own public/private key pairs • Intuitive for users • Useful for setting up security associations for secure routing in smaller networks or peer-to-peer applications • Requires some time until network is fully secure • User/application oriented

  45. Conclusion on security associations using mobility • Mobility can help security in mobile ad hoc networks • Mobility “breaks” the security-routing interdependence cycle • The pace of establishment of the security associations is strongly influenced by the area size, the number of friends, and the speed of the nodes • The proposed solution also supports re-keying • The proposed solution can easily be implemented with both symmetric and asymmetric crypto

  46. Establishment of security associations: Outline Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link

  47. Exploiting vicinity • problem • how to establish a shared key between two PDAs (using the radio link when no infrared connection is available)? • assumptions • no CA • PDAs can use short range radio communications (e.g., Bluetooth) • PDAs have a display • PDAs are held by human users • Example: two people get together at a meeting and want to exchange their business card using their PDAs in a secure way. • idea • use the Diffie-Hellman key agreement protocol • ensure key authentication by the human users

  48. Alice Bob gx mod p gy mod p select random y compute gy mod p select random x compute gx mod p compute k = (gy)x mod p compute k = (gx)y mod p The Diffie-Hellman protocol assumptions: p is a large prime, g is a generator of subgroup Zp*, both are publicly known system parameters Diffie-Hellman with String Comparison: a protocol to ensure the integrity of the exchanged randoms (the two users will only need to trigger the protocol and just compare two strings of characters)

  49. Summary of establishment of security associations • it is possible to establish pairwise shared keys in ad hoc networks without a globally trusted third party • mobility, secure side channels, and friends are helpful • in sensor networks, we need different types of keys • node keys, cluster keys, and network keys can be established relatively easily using the technique of key pre-loading and using already established link keys • link keys can be established using a short-term master key or with the technique of random key pre-distribution

More Related