The Identity and Location Privacy in Sensor Ad Hoc Networks Mayank Verma Vignesh Elamvazhuthi Venkata Snehith Cherukuri Zhibin Zhou
Agenda • ANONYMITY & PSEUDONYMITY • ID BASED CRYPTOGRAPHY • LOCATION PRIVACY • Privacy Preserving Routing Protocols
ANONYMITY • What is Anonymity? • Absence of identity • Why is it important? • To provide security to the user • Anonymization: concealing the relationship between a particular user and the data about him
TYPES OF ANONYMITY Content Based Environmental Procedural
1 ENVIRONMENTAL ANONYMITY • Determined by external factors • Number and diversity of users • Prior knowledge about them • It cannot be altered through the design of the system. • It is monitored over time while the system is in operation.
2 CONTENT-BASED ANONYMITY • Exists when no identification by means of the exchanged data is possible. • De-anonymization may occur on the basis of: • The data content • Their structure • Their sequence
3 PROCEDURAL ANONYMITY • Determined by: • The communication protocol • The underlying communication layers • This type of anonymity can be provided by the system and should be planned for in the design phase of the system. • Sender anonymity is present when the sender of a message cannot be identified by the recipient of a message within the set of potential senders. • Receiver anonymity means that the identity of the receiver is not known to the sender of a message.
LEVEL OF ANONYMITY • Identification: The user identifies himself to the system. • Super-Identification: The user identifies herself to a certification authority, which in return assigns unique credentials to her (e.g., X.509 certificates). • Latent Identification: The user identifies himself to a trustee and adopts a unique pseudonym that becomes registered with his identity. • Pseudonymous Identification: The user initially chooses a unique but otherwise uncontrolled pseudonym, which he will also employ in subsequent sessions. • Anonymity: The user uses the system without any identification or identifier that distinguishes her from other users.
Pseudonymity • Pseudonymity is a word derived from pseudonym, meaning 'false name'. • Describes a state of disguised identity resulting from the use of a pseudonym. • The pseudonym identifies a holder, that is, one or more human beings who possess but do not disclose their "true name". • So it is a type of anonymity.
Characteristics of Pseudonymity • Linkable for the User-Adaptive System: The user-adaptive system can link every interaction with a specific user, even across sessions (users maintain a persistent identity). • Unlinkable for Third Parties: Third parties (including other components of the user-adaptive system) cannot link two interaction steps of the same user. • Unobservable for Third Parties: The usage of a user-adaptive application by a user should not be recognizable by third parties.
Types of Pseudonymity • Role Pseudonyms: To interact with the same site in different roles (e.g., as an employee at work, or a private citizen at home) • Relationship Pseudonyms (or Application Pseudonyms): To interact with different sites under different pseudonyms; and • Role-Relationship Pseudonyms: combines both of the above. Using multiple pseudonyms enhances environmental and content-based anonymity. • Separate role pseudonyms may improve personalization if users exhibit different personal characteristics in different roles. • Separate relationship pseudonyms may hurt the quality of personalization, since synergy effects between assumptions made by different user-adaptive applications can no longer occur. • Transaction pseudonyms that are different for each transaction would even bar any user modeling, since linkability is no longer preserved. • If there is a chance that a user's identity could be usurped by another user or software component, super-identification should instead be employed. The responsibility for the assignment of identifying data to the user is thereby delegated to a mutually trusted outside component. • Depending on the application type (e.g., tutorial systems) and its domain (e.g., electronic commerce), different levels of user anonymity can be required. A specific characteristic of user-adaptive systems is moreover that not only the user but also the user modeling server may need to remain anonymous.
ANONYMITY BASED PROTOCOLS • Crowds • DC-Net • Onion Routing • Web Mixes
WEB-MIX • We refer to a Mix-Net as a protocol that uses Onion Routing's layered encryption and also employs mixing techniques to thwart timing analysis. • Such mixing techniques include sending messages in reordered batches, sending dummy messages, and introducing random delays. • In a MIX network, no two nodes know the identity of both a sender and a receiver.
WEB-MIX (Contd.) • Mix – a single computing node that performs operations on input messages and outputs them. • An observer cannot map an output message to an input message. • Operations performed – cryptographic, padding and reordering.
MIX NETWORK • A single mix node is never used on its own – several 'mixes' are chained into a mix network. • Why not a single mix? • Less anonymity: a small input/output mapping • Bottleneck • Only two links (in and out) need to be tapped • Using several mix nodes increases the strength of anonymity
Mix network (Contd.) • Messages may pass through any number of these nodes. • Application decides how to use the nodes.
Hiding Routing Information • Only the sender and receiver know each other's identity. • Intermediate nodes know only the identity of the previous and next hops in the route. • The path to be followed is decided by the proxy node closest to the sender. • Alternatively, several proxy nodes decide the route – "Loose Routing". • Proxy nodes are "sensitive" to attack.
CROWD • Reiter and Rubin developed Crowds. • It uses a group of nodes that serve as proxies for a given initiator from the group. • An initialization message is routed from the initiator to a series of proxies, forming a path for all future messages from the initiator. • Upon receiving this message, each proxy decides, based on a probability of forwarding (pf), whether to extend the path through another proxy chosen at random with uniform probability or to become the last node on the path and communicate with the responder directly. • This path is maintained for a limited period of time, after which all paths must be reformed. The time limit allows nodes that join the protocol to add their paths at the same time as all other nodes; otherwise new paths may be easily attributed to recently joined nodes. Paths must also be reformed when proxies on the path leave the session.
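The path-forming step described above, as an added simulation that is not part of the original slides or of the Crowds implementation: the initiator's jondo picks a first member uniformly, every proxy forwards with probability pf or submits to the responder, and a jondo on the path sees only its predecessor and successor. The member names, the pf value and the single-path view helper are this example's own constructions.

```python
import random


def build_path(members, initiator, pf, rng):
    """Form one Crowds path (simplified model of the slides' description).

    The initiator's jondo picks the first proxy uniformly from the crowd
    (it may pick itself). Each proxy then flips a biased coin: with
    probability pf it forwards to another uniformly chosen member, otherwise
    it becomes the last node and submits the request to the responder.
    Returns the members on the path, starting with the initiator.
    """
    if not 0.0 <= pf < 1.0:
        raise ValueError("pf must lie in [0, 1) or the path never terminates")
    path = [initiator, rng.choice(members)]
    while rng.random() < pf:            # extend the path with probability pf
        path.append(rng.choice(members))
    return path                         # path[-1] talks to the responder


def local_view(path, member):
    """What a single jondo learns from the path: only its predecessor and its
    successor (the responder if it is the last node). For a member that
    appears more than once, the first occurrence is reported."""
    i = path.index(member)
    predecessor = path[i - 1] if i > 0 else None
    successor = path[i + 1] if i + 1 < len(path) else "responder"
    return predecessor, successor


def expected_proxies(pf):
    """The number of proxies after the initiator is geometric with success
    probability (1 - pf), so its expectation is 1 / (1 - pf)."""
    return 1.0 / (1.0 - pf)


def mean_proxies(members, pf, trials, seed=0):
    """Monte Carlo estimate of the average number of proxies per path,
    seeded so that repeated runs give the same value."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        total += len(build_path(members, members[0], pf, rng)) - 1
    return total / trials


if __name__ == "__main__":
    crowd = [f"jondo{i}" for i in range(8)]      # constructed crowd
    p = build_path(crowd, "jondo0", 0.75, random.Random(7))
    print("path:", " -> ".join(p), "-> responder")
    for m in p[1:]:
        print(m, "sees", local_view(p, m))
    print("expected proxies:", expected_proxies(0.75),
          "simulated:", mean_proxies(crowd, 0.75, 20000))
```

The simulated mean converging on 1/(1 - pf) is the design trade-off the slide leaves implicit: raising pf lengthens paths (more latency) in exchange for spreading each request across more jondos.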
DISADVANTAGES • An attacker can guess the initiator of an anonymous connection. The guess can be made based on information about the predecessor on the path of proxies. The presence of this attack caused the designers of Crowds to modify their protocol, which helped to ward off, but failed to eliminate, the threat. • A number of attackers may simply join the crowd and wait for paths to be reformed in order to attack the crowd. This wait is a periodic occurrence, usually hourly. Each attacker can log its predecessor after each path reformation. An attacker can appear directly after the initiator I and may then easily recover the responder R's address, which is in plain view, and other session-identifying information. Multiple attackers can perform this attack in parallel. • Another method is for attackers to always submit requests from the session directly to the responder, thereby ending the path. Or the attacker may covertly tag messages before forwarding them along the route.
ONION ROUTING • Onion Routing is similar to Crowds in that an initial message forms a path of proxies through which the initiator sends its future messages. • The protocol gets its name from its method of encrypting the initial packet and the address of the proxy at each hop on the path with the public key of the previous step. • This scheme results in layers of encryption that are peeled off at each step in order to determine the next address to send to on the path. This requires the initiator to predetermine the entire path. • Onion Routing has generally been implemented with the onion routers placed in the network, outside the control of the individual users. • Onion Routing can be configured in two ways: • Local COR configurations, where individuals run their own onion router, and • Remote-COR configurations, where individuals first connect to a remote untrusted COR. • The use of layered encryption in Onion Routing results in a substantial advantage: • Only the last node in the path can recognize a particular data stream. • An attacker must compromise the first and last node on the path, and even then must use timing analysis to know that both compromised nodes are on the path. This might be possible if packet decryption and encryption dominated the message latency. But since there is no such message latency, this attack is not possible.
ONION ROUTING (CONTD.) • The message packet is repeatedly encrypted by sender. • Public encryption scheme is used for this. • As the onion is passed through the network each node decrypts and passes on to the next node. • Finally the receiver gets the original message.
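The layering and peeling just described, together with the batch reordering and dummy cells from the Web-Mix slides, as an added example that is not code from the original slides or from any Onion Routing or Mix implementation. Assumptions of this example: each router's layer is an XOR with a SHA-256 counter keystream under a per-router key (a symmetric stand-in for the public-key encryption the slides describe, chosen so the example runs offline), next-hop fields are a fixed 8 bytes, and the router names and messages are constructed.

```python
import hashlib
import random

HOP_LEN = 8                                   # fixed-width next-hop field (example convention)
EXIT = b"EXIT".ljust(HOP_LEN, b"_")            # marker the last router finds


def hop_id(name):
    """Fixed-width encoding of a router name for the next-hop field."""
    return name.encode().ljust(HOP_LEN, b"_")[:HOP_LEN]


def layer_xor(key, data):
    """Per-layer encryption stand-in: XOR with a SHA-256 counter keystream.
    XOR is its own inverse, so the same call adds and removes a layer."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def demo_keys(names):
    """Constructed per-router keys (stand-in for each router's key pair)."""
    return {n: hashlib.sha256(n.encode()).digest() for n in names}


def build_onion(path, keys, message):
    """Sender wraps the message once per router, innermost layer for the last
    router. Each layer carries only the *next* hop, so peeling one layer
    reveals one address and another opaque blob."""
    onion, next_hop = message, EXIT
    for router in reversed(path):
        onion = layer_xor(keys[router], next_hop + onion)
        next_hop = hop_id(router)
    return onion


def peel(router, keys, onion):
    """One router removes its layer: returns (next hop, remaining onion)."""
    plain = layer_xor(keys[router], onion)
    return plain[:HOP_LEN], plain[HOP_LEN:]


def route(path, keys, onion):
    """Forward hop by hop, recording each router's view as (router, next hop)."""
    views, current = [], onion
    for router in path:
        next_hop, current = peel(router, keys, current)
        views.append((router, next_hop))
    if views[-1][1] != EXIT:
        raise ValueError("onion and path disagree: last router saw no EXIT")
    return views, current


def mix_batch(cells, dummies=0, seed=None):
    """A mix collects a batch of equal-sized cells, adds dummy cells of the
    same size and emits the batch in random order, so neither size nor order
    links an output to an input. Unequal sizes are rejected because they
    would undo the mixing."""
    sizes = {len(c) for c in cells}
    if len(sizes) > 1:
        raise ValueError("cells in a batch must be padded to one size")
    size = sizes.pop() if sizes else 0
    rng = random.Random(seed)
    batch = list(cells)
    batch += [bytes(rng.getrandbits(8) for _ in range(size)) for _ in range(dummies)]
    rng.shuffle(batch)
    return batch


if __name__ == "__main__":
    path = ["r1", "r2", "r3"]                 # constructed route
    keys = demo_keys(path)
    views, out = route(path, keys, build_onion(path, keys, b"hello"))
    for router, nxt in views:
        print(router, "learns next hop", nxt)
    print("delivered:", out)
```

Each router's view in `route` is the point of the slide: r1 learns r2, r2 learns r3, r3 learns only that it is the exit, and none of them sees the whole path.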
DISADVANTAGES • While it can be argued that this reduces the possibility of corruption of any particular onion router, it requires that users trust the operators of the onion routers to maintain their anonymity. • Accordingly, users may instead choose to run their own onion routers locally and band together cooperatively to forward traffic for each other. This local configuration distributes the trust to many operators, but provides more opportunities for corruption of routing nodes. • Secure only against simple traffic analysis. • An attacker can still engage in Denial of Service attacks. • If proxy nodes are compromised, all details are exposed – a single point of failure.
DC-NET • Chaum's solution for anonymous communication, called DC-Net. • Each participant shares secret coin flips with other participants in pairs. The parity of the flips a participant has seen is then announced to all other participants. Since each flip is announced twice, the total parity should be even. • To send a message, a participant incorrectly states the parity seen. This causes the total parity to be odd, which indicates transmission of a bit. No one except the initiator knows who sent the message, unless all of the nodes who flipped coins with the sender reveal their coin flips among themselves. • In DC-Net, a graph is constructed by viewing each shared secret as an edge between nodes. To defeat DC-Net and expose the messages of a node N, attackers can surround N by corrupting all nodes that share an edge with N and sharing their secret coin flips with each other. By doing this, they know all the coin flips that N shared and therefore know what N's bit parity should be, and can detect any messages. • To determine the initiator in a particular session, the attackers can surround each node in turn until the initiator is found. A good instantiation of DC-Net does not allow less than all pairs of participants exchanging coin flips. • An enhancement is given in Ring Based DC-Net. In the ring version of DC-Net each participant shares two secret coin flips, one with each of her neighbors.
RING BASED DCNET • The anonymity of a ring-based DC-Net degrades to zero and the initiator's identity can be proven by only two attackers after an average-case of Θ (n lg n) rounds. • A round only requires each attacker to leave the Chaum ring and rejoin it – Since it is assumed that joining nodes are placed randomly in the ring. If nodes are placed deterministically based on a piece of information about the nodes, such as a node's IP address, an attacker can simply forge that information before joining. This allows the attacker to effectively choose the best positions in the ring to perform the attack, which then works much faster. It is also assumed that all nodes hear all outgoing messages. This is a requirement of DC-Net, because the sender must hear the message to know whether it was sent correctly or if a collision occurred. Even with a system to prevent collisions and denial of service attacks, such as found in, the sender must be able to see its message to know whether a trap was set off. • During a round, two nonadjacent attackers A and B may share their coin flips with each other. This effectively creates a new edge in the DC-Net graph seen only by the attackers. This new edge creates two sub-rings: one new ring consists of the edges from A to B and the new edge; while the other ring consists of the edges from B to A and the new edge. The announced parities in the sub-ring without the initiator will sum to zero, and the nodes in that ring may be eliminated as possible initiators. The attackers will be able to identify the initiator immediately if it is the only node present in one of the sub-rings, which is not possible.
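The coin-flip mechanism from the DC-NET slide and the two topologies (full mesh versus ring) from this one, as an added simulation that is not code from the original slides: each edge of the graph carries one shared secret bit, every participant announces the parity of its edges XOR its message bit, and the XOR of all announcements is the transmitted bit because every edge is counted twice. The last function shows the "surrounding" observation from the slides, namely that a participant's bit is exposed exactly when all of its edge partners pool their flips, which is why the number of edges per node (n - 1 in a full mesh, 2 in a ring) sets the collusion cost. Node names, edge sets and seeds are constructed for the example.

```python
import random
from itertools import combinations


def complete_edges(nodes):
    """Every pair shares a secret: the topology Chaum's DC-Net assumes."""
    return [frozenset(p) for p in combinations(nodes, 2)]


def ring_edges(nodes):
    """Ring variant: each participant shares a flip only with its two neighbours."""
    n = len(nodes)
    return [frozenset((nodes[i], nodes[(i + 1) % n])) for i in range(n)]


def share_flips(edges, rng):
    """One secret coin flip per edge, known only to its two endpoints."""
    return {edge: rng.randrange(2) for edge in edges}


def local_parity(node, flips):
    """XOR of every flip the node shares."""
    parity = 0
    for edge, bit in flips.items():
        if node in edge:
            parity ^= bit
    return parity


def run_round(nodes, flips, senders):
    """senders maps node -> message bit for nodes that transmit this round.
    Each node announces its parity, flipped if it is sending. Returns the
    announcements and the round total (XOR of all announcements)."""
    announced = {n: local_parity(n, flips) ^ senders.get(n, 0) for n in nodes}
    total = 0
    for value in announced.values():
        total ^= value
    return announced, total


def send_message(nodes, edges, sender, bits, seed=0):
    """Transmit a bit string over successive rounds with fresh flips each round;
    returns what every participant reconstructs from the announcements."""
    rng = random.Random(seed)
    received = []
    for bit in bits:
        flips = share_flips(edges, rng)
        _, total = run_round(nodes, flips, {sender: bit})
        received.append(total)
    return received


def bit_exposed_by_neighbours(node, flips, announced):
    """If every counterparty of `node` pools its flips, node's local parity is
    known and announced[node] XOR that parity is exactly its message bit.
    Anonymity therefore rests on at least one edge partner staying honest."""
    return announced[node] ^ local_parity(node, flips)


if __name__ == "__main__":
    nodes = ["A", "B", "C", "D"]                     # constructed participants
    for name, edges in (("mesh", complete_edges(nodes)), ("ring", ring_edges(nodes))):
        print(name, "edges per node:", sum(1 for e in edges if "A" in e),
              "received:", send_message(nodes, edges, "C", [1, 0, 1, 1], seed=3))
    flips = share_flips(complete_edges(nodes), random.Random(1))
    announced, total = run_round(nodes, flips, {"C": 1})
    print("round total:", total, "C's bit seen by pooled neighbours:",
          bit_exposed_by_neighbours("C", flips, announced))
```

Two senders in one round produce the XOR of their bits (a collision), which is the reason the slides note that DC-Net needs collision handling and that a node sending every round can jam the channel anonymously.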
DISADVANTAGE • Any node may launch a denial-of-service attack by choosing to send a message in every round of coin flips. Such a node is as anonymous as any initiator, and therefore cannot simply be detected and denied access. Strategies have been developed to detect such an attacker, but at a high cost in overhead. • The work shows that attacks against DC-Net are extremely low-cost when participants are arranged in a logical ring. Additionally, the authors argue that although attacks against DC-Net where participants are fully connected require unreasonable resources on the part of the attacker. • DC-Net has overhead that does not scale well with the number of participants.
Public Key Cryptography • Symmetric key cryptography • Parties use the same key to encrypt and decrypt. • DES, AES, IDEA • Pro: Fast • Con: Key management is a critical problem • Public key cryptography • Parties use different keys to encrypt and decrypt • RSA, ECC • Pro: easy to manage the keys, digital signatures • Con: Computationally intensive, based on unsolved math problems
Public Key Cryptography • RSA • in 1977 by Ron Rivest, Adi Shamir and Len Adleman at MIT • Based on the Big Integer Factoring Problem • 1024 bit key size • ECC • by Neal Koblitz and Victor S. Miller in 1985. • Based on the Discrete Logarithm Problem • 128 bit key size can achieve the security level of 1024-RSA
ID based Cryptography • Based on Public Key Cryptography (ECC) • Uses the identity of the user as the public key to encrypt a message • The ID can be a name: Bob, Alice • The ID can be an email address: Bob@asu.edu • The ID can be an arbitrary bit string: a pseudonym • No need to share anything before the encryption • Bob uses the identity "Alice" to encrypt the message and obtains the ciphertext C. • Alice gets C, then she can ask a third party to derive the respective private key to decrypt the message. • All Bob needs to know is the name: Alice
ID Privacy with ID based Cryptography • The identity privacy of Alice can be protected by: • Alice keeps anonymous to Bob by informing Bob of her pseudonyms. • Bob cannot identify Alice from the pseudonyms, but • He can be assured that the pseudonym belongs to a trusted anonymous user. • He can be assured that the pseudonym belongs to a trusted group. • Alice generates the private key from the pseudonyms. • The trusted third party can certify and revoke the pseudonym.
ID Privacy with ID based Cryptography • ID based cryptography can help achieve identity privacy through pseudonyms. • A pseudonym is an arbitrary string. • The owner of the pseudonym can identify it. • The other party in the communication cannot identify the owner through the pseudonym. • The communication can be protected by the pseudonym with both parties kept anonymous.
Pairing Based Cryptography • Pairing is the mathematical foundation for ID based Cryptography. • The central idea is the construction of a mapping between two useful cryptographic groups. • This allows new cryptographic schemes based on the reduction or transformation of a problem in one group to a different, sometimes easier problem in the other group. • The Weil and Tate pairings. • These were first used in cryptography as cryptanalytic tools to reduce the complexity of the discrete logarithm problem on some "weak" elliptic curves. Using them for constructive purposes, however, is a novel idea.
Bilinear Maps • The Core work of Weil and Tate pairings is to construct a Bilinear Map
Bilinear Maps • Bilinearity: • Non-Degeneracy: If everything maps to the identity, that’s obviously not interesting • Computability: is efficiently computable
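As an added illustration that is not part of the original slides, the three properties listed above written out for the common symmetric setting, with $G_1$ an additive cyclic group of prime order $q$ generated by $P$ and $G_2$ a multiplicative group of the same order (the symbols $G_1$, $G_2$, $q$, $P$, $Q$, $a$, $b$ are this illustration's own):

$$
e : G_1 \times G_1 \to G_2
$$

$$
\text{Bilinearity:}\quad e(aP,\, bQ) = e(P,\, Q)^{ab} \quad \text{for all } P, Q \in G_1,\; a, b \in \mathbb{Z}_q
$$

$$
\text{Non-degeneracy:}\quad e(P,\, P) \neq 1 \quad \text{so } e(P,P) \text{ generates } G_2
$$

$$
\text{Computability:}\quad e(P,\, Q) \text{ is computable in polynomial time in } \log q
$$

The consequence ID based schemes rely on is the symmetry that bilinearity gives:

$$
e(aP,\, bP) = e(P,\, P)^{ab} = e(bP,\, aP)
$$

so a party holding the point $aP$ and the scalar $b$ computes the same group element as a party holding $bP$ and $a$, while neither learns the other's scalar. In an ID based scheme one of these points is derived from the public identity string and the other from the trusted third party's master secret, which is what lets a name or pseudonym serve as a public key.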
Divisor • Definition: A divisor is the formal sum of points on the curve. • We define the Function
Weil and Tate Pairing • The Weil pairing: • f is a function that has intersection points on the curve • The Tate pairing:
Security Services Focusing on Mobile Networks • 1. Data integrity, origin authentication and anti-replay protection of MIP registration and location update messages • 2. Access control of the MN when it uses resources on a visiting network • 3. Location privacy and anonymity of the MN
What is Location Privacy? • Location privacy is the ability to prevent other parties from learning one's current or past location. To obtain this ability, the mobile node must conceal any relation between its location and its personally identifiable information. • The disclosure of the MN's location and identity allows unauthorized entities to track its movement history, which can be a serious violation of privacy.
Important Design Considerations • The proposed protocol must support revocable privacy rather than perfect privacy. • The proposed protocols should not increase the network traffic.
IMPORTANT POINTERS WHILE ENSURING LOCATION PRIVACY • The home network should have no knowledge about which foreign network the mobile node is currently connected to. • Similarly, the foreign or roaming network should have no knowledge about the mobile node's home network. • An eavesdropper or man-in-the-middle should not be able to tell who the communicating parties are. • In addition, all the usual communication security constraints must apply, i.e. message integrity, authentication and confidentiality.
Location Privacy • THE ADMINISTRATION requires all legitimate users to provide identity (ID) information in order to grant them permission to use its wireless service. • MOBILE USERS would prefer not to expose any information which enables anyone, including the administration, to get some clue regarding their whereabouts.
AUTHORIZED ANONYMOUS ID BASED SCHEME • The key tool is a cryptographic technique called Blind Signature • It is a distributed architecture, overcoming the drawbacks of a centralized architecture: • The location privacy of mobile users is not completely under their own control, since the system administration maintains a central server where the location information of mobile users is stored. • The central server is a single point of failure; that is, the location privacy of mobile users would be compromised if an attacker successfully hacked into it. • The centralized architecture is not scalable.
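The blind signature step that the scheme above rests on, as an added example that is not code from the original slides or from the scheme's authors. It uses textbook RSA blind signatures (Chaum's construction) with a constructed toy key pair for the administration: the user blinds a pseudonym with a random factor, the administration signs what it sees, the user removes the factor and holds a valid signature on the pseudonym that the administration has never seen. The key size, the pseudonym value and the function names are this example's own assumptions; a deployment would sign a hash of the pseudonym with a full-size key, since raw RSA on small integers is only for illustration.

```python
import math
import secrets

# Constructed toy RSA key for the administration (far too small for real use).
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)


def blind(m, n=N, e=E):
    """User side: hide the pseudonym m behind a random factor r coprime to n.
    Returns the blinded value to send and the factor to keep secret."""
    if not 0 < m < n:
        raise ValueError("pseudonym must be an integer in (0, n)")
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return (m * pow(r, e, n)) % n, r


def sign_blinded(blinded, d=D, n=N):
    """Administration side: sign the value it is shown. It never learns m,
    so it cannot later link the pseudonym to the registering user."""
    return pow(blinded, d, n)


def unblind(blinded_sig, r, n=N):
    """User side: divide out r, leaving an ordinary RSA signature on m."""
    return (blinded_sig * pow(r, -1, n)) % n


def verify(m, sig, e=E, n=N):
    """Any network (home or foreign) checks the authorization with the
    administration's public key alone, without contacting a central server."""
    return pow(sig, e, n) == m % n


def issue_authorized_anonymous_id(pseudonym):
    """Registration exchange end to end. Returns the signature the user
    holds and the value the administration saw, so the two can be compared."""
    blinded, r = blind(pseudonym)
    sig = unblind(sign_blinded(blinded), r)
    return sig, blinded


if __name__ == "__main__":
    pseudonym = 123456                       # constructed pseudonym encoded as an integer
    sig, seen_by_admin = issue_authorized_anonymous_id(pseudonym)
    print("administration saw:", seen_by_admin)
    print("signature verifies on pseudonym:", verify(pseudonym, sig))
    print("signature rejected on another value:", verify(pseudonym + 1, sig))
```

The property to check is in `issue_authorized_anonymous_id`: what the administration signed differs from the pseudonym, yet the unblinded signature verifies on the pseudonym. That is what lets the access point authorize a user without the administration being able to correlate the pseudonym with the identity it checked at registration, which is the slide's point about taking the central location server out of the loop.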
AUTHORIZED ANONYMOUS ID BASED SCHEME Contd... • Two important phases • Registration Protocol • Controlled Connection Protocol • A MAC (Message Authentication Code) is used for access control