1 / 35

Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks

Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks. Julien Freudiger , Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009. Wireless Trends. Phones Always on (Bluetooth, WiFi ) Background apps New hardware going wireless Cars, passports , keys , ….

stacia
Download Presentation

Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks JulienFreudiger, Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009

  2. Wireless Trends • Phones • Always on (Bluetooth, WiFi) • Background apps • New hardware goingwireless • Cars, passports, keys, …

  3. Peer-to-Peer Wireless Networks 1 2 Certificate Identifier Message • Share information with other users • Authenticate message sender

  4. Examples Social networks MiFi • Urban Sensing networks • Delay tolerant networks • Peer-to-peer file exchange

  5. Anonymity Problem Passive adversary monitors identifiers used in peer-to-peer communications Certificate Pseudonym Julien Freudiger Message • Adversarycantrackactivities of pseudonymoususers

  6. Reputation Privacy AnonymousAuthentication

  7. PreviousWork (1)Multiple Pseudonyms Message Pseudonym 1 Pseudonym 2 Pseudonym 3 Pseudonym 4 Certificate 1 Certificate 2 Certificate 3 Certificate 4 • Nodes change pseudonyms • + Simple for users • - Costly for operator (pseudonym management) • - Limited privacy • - Sybil attacks [1] A. Beresford and F. Stajano. Mix Zones: User Privacy in Location-aware Services. Pervasive Computing and Communications Workshop, 2004

  8. PreviousWork (2)Group Signatures + Good anonymity - Central management - Traceable Central Authority Group Identifier Message Group Certificate [2] D. Boneh, X. Boyen and H. Shacham. Short Group Signatures. Crypto, 2004 [3] D. Chaum and E. van Heyst. Group Signatures. EuroCrypt, 1991

  9. New ApproachSelf-OrganizedAnonymity + No need for infrastructure + Exploit inherent redundancy of mobile networks -Privacy? Many Certificates Random Identifier Message Network-generated privacy

  10. Outline • Ring Signatures • Anonymity Analysis • Evaluation

  11. Cryptographic PrimitiveRing Signatures • Procedure • Select a set of pseudonyms (including yours) in a ring • Sign messages with ring • Properties • Anonymity: Signer cannot be distinguished • Unlinkable: Signatures cannot be linked to same signer • Setup free: Knowledge of others’ pseudonym is sufficient Anonymous authentication: Member of ring signed the message [4] R. L. Rivest , A. Shamir , Y. Tauman. How to Leak a Secret. Communications of the ACM, 2001

  12. Ring Signatures Explained z = v x0 y0=g( ) + Ek xr-1 yr-1=g( ) k=H(m) v is the glue value xi are random values Ek + y1=g( ) x1 + … Ek + ys xs ys=g( ) xs=g-1() … + y2=g( ) x2 Ek

  13. Ring Construction in MANETs • Nodes record pseudonyms in rings of neighbors • Store pseudonyms in history • Node i creates ring by selecting pseudonyms from with strategy • Rings are dynamicallyand independentlycreated

  14. Illustration 5 3 4 6 2 1 t1: S1 = [] R1 = [P1] t2: S1 = [2, 3, 4] R1 = [P1, P2, P4] t3: S1 = [2, 3, 4, 6] R1 = [P1, P4, P6]

  15. Outline • Ring Signatures • Anonymity Analysis • Evaluation

  16. Anonymity • Adversaryshould not infer user ifromRi Ri Pi … Pj … User i Attack: Given all rings, adversary can infer most probable ring owner

  17. Anonymity Analysis • Bipartite graph model is set of nodes is set of pseudonyms is set of edges Captures relation between nodes and rings

  18. Attacking Ring Anonymity (1)Example Find a perfect matching: Assignment of nodes to pseudonyms

  19. Attacking Ring Anonymity (2)Analysis • Find most likely perfect matching • Weight edges • Max weight perfect matching • Bayesian inference • A priori weights • A posteriori weights • Entropy metric

  20. Optimal Construction • Maximize anonymity Theorem: Anonymity is maximum iif • Graph isregular • All subgraphs • are isomorphicto each other

  21. Outline • Ring Signatures • Anonymity Analysis • Evaluation

  22. Validation of TheoreticalResults • LEDA C++ library for graph manipulation • 10 nodes • K=4 (ring size) Random graphs K-out graphs Regular graphs u1 P1 u1 P1 u1 P1 u2 P2 u2 P2 u2 P2 … … … … … … u10 P10 u10 P10 u10 P10

  23. Entropy Distribution of Random Graphs with edge density p

  24. Minimum & Mean Entropy Distribution for Random and Regular Graphs

  25. Entropy distribution of random, K-out and regular graphs

  26. Fraction of matched nodes for various graph constructions

  27. Evaluation in Mobile Ad Hoc Network • 100 nodes • K=4 (ring size) • Static • Learn pseudonyms as far as graph connectivity allows • Select pseudonyms randomly • Mobile: Restricted Random Waypoint • Least popular: Select leas popular pseudonyms • Most popular: Select most popular pseudonyms • Random: Randomly select pseudonyms

  28. Average Anonymity Set size over time Least Mobile Random Static

  29. Conclusion • Self-organized anonymous authentication • Network generated anonymity • Analysis with graph theory • Results • Regular constructions near optimal • K-out constructions performwell • Mobility helps anonymity • Knowledge of popularity of pseudonymshelps

  30. Future Work • Stronger adversary model • Active adversary • Self-OrganizedLocation Privacy • Linkability Breaks Anonymity

  31. Backup Slides

  32. Compute Weights • A priori weight • Probability of an assignment • Probability of an assignment given all assignments • A posteriori weight of an edge between ui and pj

  33. Revocation • Keys can be black listed using traditional CRLs • Misbehaving nodes can be excluded by revoking all keys in a ring • Nodes can reclaim their key to CA • Nodes misbehaving several times would be detected • Accountability of group of users

  34. Cost • Computation overhead • Transmission overhead • Group of prime order q • q = 283 (128-bit security), M = log2(q)

  35. CDF of the average anonymity set size

More Related