1 / 16

Integrity-regions: Authentication Through Presence in Wireless Networks

Integrity-regions: Authentication Through Presence in Wireless Networks. Srdjan Č apkun 1 and Mario Č agalj 2 1 Department of Computer Science, ETH Zurich 2 FESB, University of Split, Croatia ACM WiSe 2006. Key Establishment: Diffe-Hellman. . g a mod p. . . g b mod p. Alice. Bob.

urbana
Download Presentation

Integrity-regions: Authentication Through Presence in Wireless Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Integrity-regions: Authentication ThroughPresence in Wireless Networks Srdjan Čapkun1 and Mario Čagalj2 1Department of Computer Science, ETH Zurich2FESB, University of Split, Croatia ACM WiSe 2006

  2. Key Establishment: Diffe-Hellman  ga mod p   gb mod p Alice Bob KAB=(gb)a mod p KAB=(ga)b mod p Mallory

  3. Man in the Middle Attack (MITM)   

  4. Solution to the MITM: Authentication of DH Contributions   ga mod p B A gb mod p, sigB(gb,ga) sigA(ga,gb) Uses signatures ... (DH contributions are authenticated)   B A here are the public keys  TTP

  5. Our goal: Avoiding Certificates (Reliance on TTPs)   ga mod p B A gb mod p Visual recognition, conscious establishment of keys   B A h(ga) h(gb)

  6. Existing Solutions • Stajano and Anderson propose the “resurrecting duckling” security policy model (physical contact) • Balfanz et al. “location-limited channel”(e.g., an infrared link) • Asokan and Ginzboorg propose a solution based on a shared password • Perrig and Song, hash visualization (image comparison) • Maher presents several methods to verify DH public parameters (short string comparison), found flawed by Jakobsson • Jakobsson and Larsson proposed two solutions to derive a strong key from a shared weak key • Dohrmann and Ellison propose a method for key verification that is similar to DH-SC (short word comparison) • Gehrmann et al., (short string comparison) • Goodrich et al. Loud And Clear: Human Verifiable Authentication Based on Audio • Cagalj et al. (short string comparison (1/2 string size)) • Capkun, et al. key establishment for self-organized mobile networks (IR channel, mobility) • Castellucia, Mutaf (device signal indistinguishability) • Cagalj, Capkun, Hubaux, distance-based verification, channel anti-blocking • Cagalj, Capkun, ... Integrity-codes (awareness of presence)

  7. The Seriousness of the MITM Attack • Devices using low-power radios can avoid it? • not all radios can control their tx power • the ranges are highly unpredictable • the attacker can use high-gain directional antennas and increase its listening range up to 10x • neighboring/hidden devices • I will establish keys in my own living room, I do not need security ... • maybe your neighbor steals your dvd UWB output? • you meet someone at a conference ... • ad hoc groups of emergency staff, police, ... • ... • yes, you probably do not need any security in your living room 

  8. Our Solution: Integrity-regions • Main idea:message authentication through distance verification (e.g. ultrasonic distance-bounding) • Assumption: the user can assume or visually verify that there are no malicious devices within the integrity region • No certificates or preshared keys exchanged prior to the protocol execution

  9. Integrity Region Protocol  c,B NA tS NAo tR US channel A’s integrity region M d* d   (c,o) = commit(gb) B A d*=(tR-tS)vsound [1]verify (c,o) [2] verify that d* is within its (A's) integrity region d(i.e., d* d) [3] verify that there are no devices at any distance d** d* [4] if verifications (1-3) pass, A accepts message gb as genuine

  10. Diffie-Hellman with Integrity Regions Alice Bob Given gb PickNB U {0,1}k mB 1gbNB (cB ,oB)commit (mB) Given ga PickNA , NA U {0,1}k mA0gaNA (cA ,oA) commit (mA) * cA cB oA mAopen (cA ,oA) Verify 0 in mA sBNBNA oB mBopen (cB ,oB) Verify 1 in mB sANANB * NA * tS RBNA sB RB dA=(tR-tS)vsound Verify sA = NARB tR * Only Alice verifies her integrity region. If verification OK, Alice and Bob accept mB and mA, respectively.

  11. Analysis of the Implementation with Ultrasound (c*,o*) = commit(gm) c*,B NA o*  c,B NA tS NAo tR US channel A’s integrity region M d* d   (c,o) = commit(gb) B A

  12. Main Consequence of Integrity Regions • Forcing the attacker to be physically close to the devices to perform the MITM attack. with integrity regions without integrity regions

  13. Integrity-regions with (Omni)directional Antennas

  14. Example Application Scenarios Setup of wireless sensor networks (establishment of keys) Setup of a home network no attackers inthis space (sensors’ I-region)

  15. Summary/Future Work • Physical presence of the attacker (i.e., the attacker cannot be omnipresent (physically)) • Honest devices (users) can have an awareness of presence (distance, space, surrounding devices) • One solution: Integrity regions, message authentication through distance verification • Impact on (mobile) ad hoc / sensor networks: • verification of the distance prevents MITM attacks on key establishment from remote locations • enables P2P key establishment / key pairing

  16. Authentication Through Presence (Awareness) • M. Čagalj, S. Čapkun, R. Rengaswamy, I.Tsigkogiannis, M. Srivastava, and J.-P. Hubaux. Integrity (I) codes: Message Integrity Protection and Authentication Over Insecure Channels. In Proceedings of the IEEE Symposium on Security and Privacy, 2006 • M. Čagalj, S. Čapkun, and J.-P. Hubaux,Key Agreement in Peer-to-Peer Wireless Networks Proceedings of the IEEE (Special Issue on Security and Cryptography), 94(2), 2006

More Related