An overview of Trust, Naming and Addressing and Establishment of - - PowerPoint PPT Presentation

Security and Cooperation in Wireless Networks

Georg-August University Göttingen

An overview of Trust, Naming and Addressing and Establishment of security associations

• trust assumptions;
• attacker models;
• naming and addressing;
• key establishment in

sensor networks;

• key establishment in ad

hoc networks exploiting

 physical contact  node mobility  vicinity

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations

Trust

• Trust: The belief that another party will behave according to a set of well-

established rules and thus meet one’s expectations.

• The trust model of current wireless networks is rather simple

– subscriber–service provider model – subscribers trust the service provider for providing the service, charging correctly, and not misusing transactional data – service providers usually do not trust subscribers, and use security measures to prevent or detect fraud

• In the upcoming wireless networks the trust model will be much more complex

– entities play multiple roles (users can become service providers) – number of service providers will dramatically increase – user–service provider relationships will become transient – how to build up trust in such a volatile and dynamic environment?

1

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations

Reasons to trust organizations and individuals

• Moral values

– Culture + education, fear of bad reputation

• Experience about a given party

– Based on previous interactions

• Rule enforcement organization

– E.g. police or spectrum regulator

• Usual behavior

– Based on statistical observation

• Rule enforcement mechanisms

– Prevent malicious behavior by appropriate security mechanisms and encourage cooperative behavior – It is much easier to encrypt the communication than to deploy police force everywhere to check that no one is eavesdropping

2

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations

Trust vs. security and cooperation

• trust pre-exists security

– all security mechanisms require some level of trust in various components of the system – E.g. if I trust that my computer is not compromised and the security mechanisms I am using is not (yet) broken --> then I can do my

• nline transactions with the legitimate belief of not being defrauded.
• cooperation reinforces trust

– trust is about the ability to predict the behavior of another party – I see the other party’s cooperative behavior --> so I would believe that she will continue being cooperative --> this encourages me to be cooperative --> she will trust in me

3

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations

Misbehaviors: Malice and selfishness

• Malice: willingness to do harm no matter what
• Selfishness: overuse of common resources (network, radio spectrum,

etc.) for one’s own benefit

• A misbehavior consists in deliberately departing from the prescribed

behavior in order to reach a specific goal

• A misbehavior is selfish (or greedy, or strategic) if it aims at obtaining an

advantage that can be quantitatively expressed in the units (bitrate, joules, or coverage) or in a related incentive system (e.g., micropayments); any other misbehavior is considered to be malicious.

• traditionally, security is concerned only with malice
• but in the future, malice and selfishness must be

considered jointly if we want to seriously protect wireless networks

4

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations

Who is malicious? Who is selfish?

5

Security mechanisms: to thwart malicious behavior Game theory: to model and prevent selfish behavior There is no watertight boundary between malice and selfishness  Both security and game theory approaches can be useful  Examples of malice and selfish behavior:

• A technique aiming at increasing one’s share of the bandwidth (in

general at the expense of other users) is selfish.

• An attack aiming at obtaining information about another user of the

network is malicious.

• The attack aiming at dropping another node’s packets in order to save
• wn power is selfish.

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 6

Naming and Addressing

• naming and addressing are fundamental for networking

– notably, routing protocols need addresses to route packets – services need names in order to be identifiable, discoverable, and useable

• attacks against naming and addressing

– address stealing

• adversary starts using an address already assigned to and used by

a legitimate node

– Sybil attack

• a single adversarial node uses several invented addresses
• makes legitimate nodes believe that there are many other nodes

around

– node replication attack

• dual of the Sybil attack
• the adversary introduces replicas of a single compromised node

using the same address at different locations of the network

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 7

Illustration of the Sybil and node replication attacks

Sybil nodes

A B C D X Y Z X X A C B D E G F H I J

replicated nodes

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 8

Cryptographically Generated Addresses (CGA)

• aims at preventing address stealing
• general idea:

– generate node address from a public key – corresponding private key is known only by the legitimate node – prove ownership of the address by proving knowledge of the private key

• example in case of IPv6:

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 9

Thwarting the Sybil attack

• note that CGAs do prevent an attacker from stealing or

spoofing an address already chosen by another node

• CGAs do not prevent the Sybil attack

– an adversary can still generate addresses for herself

• a solution based on a central and trusted authority

– the central authority vouches for the one-to-one mapping between an address and a device – e.g., a server can respond to requests concerning the legitimacy of a given address

• other solutions take advantage of some physical aspects

– e.g., identify the same device (when it is using a new fake address) based on radio fingerprinting or using geographic location

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 10

Thwarting the node replication attack (1/2)

• a centralized solution

– each node reports its neighbors’ claimed locations to a central authority (e.g., the base station in sensor networks) – the central authority detects if the same address appears at two different locations – assumes location awareness of the nodes

base station

A B C A D E

A @ (x1, y1) A @ (x2, y2)

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 11

Thwarting the node replication attack (2/2)

• a decentralized variant

– neighbors’ claimed location is forwarded to witnesses – witnesses are randomly selected nodes of the network – if a witness detects the same address appearing at two different locations then it broadcast this information and the replicated nodes are revoked

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 12

Analysis of the decentralized variant

• total number of nodes in the network is n
• average number of neighbors is d (network degree)
• A broadcasts its location to its neighbors
• each neighbor of A forwards A’s location claim with probability p to g

randomly selected witnesses

• average number of witnesses receiving A’s location claim is p.d.g
• Assume the attacker inserts L replicas of node A
• The probability that p.d.g recipients of claim l1 do not receive any of the

p.d.g copies of claim l2 is:

Pnc1 =(1-(p.d.g)/n) (p.d.g)

• The probability that the 2 p*d*g recipients of claims l1 and l2 do not

receive any of the p.d.g copies of claim l3 is:

Pnc2 =(1-(2p.d.g)/n) (p.d.g)

• In the same way, the probability of no collisions is:

Pnc =П(1-(i.p.d.g)/n)(p.d.g) (1 <= i <= (L-1)) Using (1+x)<=e^x we have: Pnc <=exp( - L(L-1)(p.d.g)2 / 2n)

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations

Analysis of the decentralized variant

• then for the probability of detection:

(1- Pnc =)Pdet > 1 – exp( - L(L-1)(p.d.g)2 / 2n)

• numerical example:

n = 10000, d = 20, g = 100, p = 0.5 L = 2  Pdet ~ 0.63 L = 3  Pdet ~ 0.95

13

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 14

Establishment of security associations: Outline

Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 15

Key establishment in sensor networks

• After identification, authentication and key establishment are necessary for

starting secure communication

• authentication and key establishment are related to each other:

– Once authenticated the two nodes can establish a session key – An already established key can be used for future authentication

• A possible solution is public key cryptography: each device carries a certificate

issued by the trusted authority

• But due to resource constraints, asymmetric key cryptography should be avoided

in sensor networks: asymmetric encryption is usually harder (more complicated computation and requiring the central organization)

• we aim at setting up symmetric keys

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations

Key establishment in sensor networks

• requirements for key establishment depend on

– communication patterns to be supported

• unicast
• local broadcast
• global broadcast

– need for supporting in-network processing: data aggregation on packets received from downstream nodes to make the data more impact – need to allow passive participation: e.g. a node decides not to report an event to the sink if it hears another node is doing the same  needs decryption

• necessary key types

– node keys – shared by a node and the base station to protect packets exchanged between a node and the base station (no aggregation) – link keys – pairwise keys shared by neighbors (used for hop-by-hop encryption, message authentication and integrity) – cluster keys – shared by a node and all its neighbors (hop-by-hop encryption for local broadcast, makes passive participation possible) – network key – a key shared by all nodes and the base station (global broadcast)

16

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 17

Setting up node, cluster, and network keys

• node key

– can be preloaded into the node before deployment

• cluster key

– can be generated by the node and sent to each neighbor individually protected by the link key shared with that neighbor

• network key

– can also be preloaded in the nodes before deployment – needs to be refreshed from time to time (due to the possibility of node compromise)

• neighbors of compromised nodes generate new cluster keys
• the new cluster keys are distributed to the non-compromised

neighbors

• the base station generates a new network key
• the new network key is distributed in a hop-by-hop manner

protected with the updated cluster keys (not available to compromised node)

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 18

Setting up link keys

• What remains to solve is establishing link keys
• They can not be pre-loaded before network deployment:

– no a priori knowledge of post-deployment topology

• it is not known a priori who will be neighbor to whom

– gradual deployment

• need to add new sensors after deployment

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 19

Link key setup using a short-term master key

– Sensor networks: stationary nodes, neighborhood of a node does not change frequently

• Link key establishment protocol in four phases:

– Master key pre-loading – Neighbor discovery – Link key computation – Master key deletion

• Master key pre-loading:

– Before deployment – Master key Kinit is loaded into the nodes – Each node u computes Ku = fKinit (u)

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 20

Link key setup using a short-term master key

• Neighbor discovery:

– After the deployment node u initializes a timer – Discovers its neighbors: by broadcasting HELLO message – Neighbor v responds with ACK – ACK: identifier of v, authenticated with Kv (u still has the master key and can compute Kv) – u verifies ACK

• link key computation:

– link key: Kuv=fKv (u).

• Master key deletion:

– When timer expires: u deletes Kinit and all Kv s

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations

Pairwise key establishment in sensor networks

• 1. Initialization

Key pool (k keys)

m (<<k) keys in each sensor (“key ring of the node”)

• 2. Deployment

Do we have a common key?

Probability for any 2 nodes to have a common key:

)! 2 ( ! ) )! (( 1

2

m k k m k p    

21

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 22

Random key pre-distribution – Preliminaries

Given a set S of k elements, we randomly choose two subsets S1 and S2

• f m1 and m2 elements, respectively, from S.

The probability of S1  S2   is

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 23

The basic random key pre-distribution scheme

• initialization phase

– a large pool S of unique keys are picked at random – for each node, m keys are selected randomly from S and pre-loaded in the node (key ring)

• direct key establishment phase

– after deployment, each node finds out with which of its neighbors it shares a key (e.g., each node may broadcast the list of its key IDs) – two nodes that discover that they share a key verify that they both actually posses the key (e.g., execute a challenge-response protocol)

• path key establishment phase

– neighboring nodes that do not have a common key in their key rings establish a shared key through a path of intermediate nodes where each link

• f the path is already secured in the direct key establishment phase

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 24

Setting the parameters

• connectivity of the graph resulting after the direct key establishment

phase is crucial

• a result from random graph theory [Erdős-Rényi]: in order for a

random graph to be connected with probability c (e.g., c = 0.9999), the expected degree d of the vertices should be (n is the number of nodes): (1)

• in our case, d = pn’ (2), where p is the probability that two nodes

have a common key in their key rings, and n’ is the expected number

• f neighbors (for a given deployment density)
• p depends on the size k of the pool and the size m of the key ring

(3)

• c d p k, m

(1) (2) (3)

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 25

Setting the parameters – an example

• number of nodes: n = 10000
• expected number of neighbors: n’ = 40
• required probability of connectivity after direct key establishment: c =

0.9999

• using (1):

required node degree after direct key establishment: d = 18.42

• using (2):

required probability of sharing a key: p = 0.46

• using (3):

appropriate key pool and key ring sizes: k = 100000, m = 250 k = 10000, m = 75 …

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 26

Qualitative analysis

• advantages:

– parameters can be adopted to special requirements – no need for intensive computation – path key establishment have some overhead …

• decryption and re-encryption at intermediate nodes
• communication overhead

– but simulation results show that paths are not very long (2-3 hops) – no assumption on topology – easy addition of new nodes

• disadvantages:

– node capture affects the security of non-captured nodes too

• if a node is captured, then its keys are compromised
• these keys may be used by other nodes too

– if a path key is established through captured nodes, then the path key is compromised – no authentication is provided

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 27

Improvements: q-composite rand key pre-distribution

• basic idea:

– two nodes can set up a shared key if they have at least q common keys in their key rings – the pairwise key is computed as the hash of all common keys

• advantage:

– in order to compromise a link key, all keys that have been hashed together must be compromised

• disadvantage:

– probability of being able to establish a shared key directly is smaller (it is less likely to have q common keys, than to have one) – key ring size should be increased (but: memory constraints) or key pool size should be decreased (but: effect of captured nodes)

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 28

Improvements: Multipath key reinforcement

• basic idea:

– establish link keys through multiple disjoint paths – assume two nodes have a common key K in their key rings – one of the nodes sends key shares k1, …, kj to the other through j secured disjoint paths (encrypted hop-by-hop using the key links already established in the direct key establishment phase) – the key shares are protected during transit by keys that have been discovered in the direct key establishment phase – the link key is computed as K + k1 + … + kj – If no K is common in the two nodes’ key rings the key would be k1 + … + kj

radio connectivity shared key connectivity k2 K multipath key reinforcement

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 29

Improvements: Multipath key reinforcement

• advantages:

– in order to compromise a link key, at least one link on each path must be compromised  increased resilience to node capture

• disadvantages:

– increased overhead

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 30

Establishment of security associations: Outline

Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 31

Exploiting physical contact

• target scenarios

– modern home with multiple remotely controlled devices

• DVD, VHS, HiFi, doors, air condition, lights, alarm, …

– modern hospital

• mobile personal assistants and medical devices, such as thermometers, blood

pressure meters, …

• common in these scenarios

– transient associations between devices – physical contact is possible for initialization purposes

• the resurrecting duckling security policy

– at the beginning, each device has an empty soul – each empty device accepts the first device to which it is physically connected as its master (imprinting) – during the physical contact, a device key is established – the master uses the device key to execute commands on the device, including the suicide command – after suicide, the device returns to its empty state and it is ready to be imprinted again

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 32

Establishment of security associations: Outline

Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 33

Does mobility increase or reduce security ?

• Authentication and security association between two devices is not always

convenient through physical contact, because the devices do not necessarily provide the appropriate interface or the users do not always carry the required cable with them

• Mobility is usually perceived as a major security challenge

– Wireless communications – Unpredictable location of the user/node – Not regularly availability of the user/node – Higher vulnerability of the device – Reduced computing capability of the devices

• However, very often, people gather and move to increase security

– Face to face meetings – Transport of assets and documents – Authentication by physical presence

• In spite of the popularity of PDAs and mobile phones, this mobility has not been

exploited to provide digital security

• So far, client-server security has been considered as a priority (e-business)
• Peer-to-peer security is still in its infancy

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 34

• Mobile ad hoc networks with a central authority

– off-line or on-line authority – nodes or authorities generate keys – authorities certify keys and node ids – authorities control network security settings and membership

• Fully self-organized mobile ad hoc networks

– no central authority (not even in the initialization phase !) – each user/node generates its own keys and negotiates keys with other users – membership and security controlled by users themselves

trust trust trust trust CA trust trust trust trust trust

Fully self organized Authority-based

Two scenarios

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 35

• Existing solutions:

– Preloading all pairs of keys into nodes (it makes it difficult to introduce new keys and to perform rekeying) – On-line authentication servers (problematic availability and rekeying) Routing cannot work until security associations are set up Security associations cannot be set up via multi-hop routes because routing does not work

Routing – security interdependence

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 36

{ A, PuKA }

Wireless channel

• Relatively long distance
• No integrity
• No confidentiality

sPrKCA A B

Certificate that binds B’s public key with its id, issued and signed by the central authority

Each node holds a certificate that binds its id with its public key, signed by the CA

{ B, PuKB } sPrKCA

The establishment of security associations within power range breaks the routing-security interdependence cycle

Mobility helps security of routing: authority-based security systems

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 37

• Mobile ad hoc networks with authority-based security

systems

– breaks the routing-security dependence circle – automatic establishment of security associations – no user involvement – associations can be established in power range – only off-line authorities are needed – straightforward re-keying

Advantages of the mobility approach (1/2)

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 38

Infrared link

(Alice, PuKAlice, XYZ) (Bob, PuKBob , UVW)

 

Visual recognition, conscious establishment of a two-way security association Secure side channel

• Typically short distance (a few meters)
• Line of sight required
• Ensures integrity
• Confidentiality not required

Alice Bob

Fully self-organized scenarios: Public-key security association approaches

Secure side channel mechanism:

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations

Secure side channel mechanism

• The node can easily verify the validation of the name

because the name should correspond to the person present at the encounter

• The node can verify that the other node really possesses the

private key corresponding to the received public key using a simple challenge-response protocol.

• Finally the node address can be verified against the public

key, e.g. by using Cryptographically Generated Addresses Assumption: NodeId = h(PuK)

39



Alice

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 40

IR

Colin Bob (Colin’s friend) Alice (Alice, PuKAlice, XYZ) (Alice, PuKAlice, XYZ)

• Bob knows the triplet of Alice
• Colin and Bob are friends: They have established a Security Association at initialisation,

and they faithfully share with each other the Security Associations with other users (trust)

• Bob can issue fresh certificate for Alice and send it to Colin
• Colin knows the public key of Bob and trusts it: can verify the received information and

accept it if verified

Friends mechanism

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 41

Friendship : nodes know each others’ triplets

Exchange of triplets over the secure side channel Two-way SA resulting from a physical encounter i j i knows the triplet of j ; the triplet has been obtained from a friend of i i f j i f j i f j i f j i j i j a) Encounter b) Mutual friend c) Friend + encounter

Mechanisms to establish Security Associations

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations

Symmetric-key security association approaches

42

Friendship : nodes know each others’ triplets

Exchange of triplets over the secure side channel Two-way SA resulting from a physical encounter i j i knows the triplet of j ; the triplet has been obtained from a friend of i i f j i f j u f v u f v i j i j a) Encounter: when i and j are

in each other’s vicinity they exchange through the side channel their user names and addresses and the data to generate a key (must be confidential)

b) Mutual friend: i and j

both have a shared key with f and also trust it; f can act as a trusted server

• r relay to help I and j to

share a secret key

c) Friend + encounter: when

two nodes have no common friend or do not want the friend to know thier secrets shared with others: f is u’s friend and has set up an association with V; g is v’s friend and has set up an association with u. u generates a key contribution, k_u, and Sends it to v via g and v send its key contribution, k_v, to u via f. Then both u and v generate the k_uv using k_u and k_v.

g g

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 43

• Fully self-organized mobile ad hoc networks

– There are no central authorities – Each user/node generates its own public/private key pairs – Intuitive for users – Useful for setting up security associations for secure routing in smaller networks or peer-to-peer applications – Requires some time until network is fully secure – User/application oriented

Advantages of the mobility approach (2/2)

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 44

Conclusion on security associations using mobility

• Mobility can help security in mobile ad hoc networks
• Mobility “breaks” the security-routing interdependence cycle
• The pace of establishment of the security associations is

strongly influenced by the area size, the number of friends, and the speed of the nodes

• The proposed solution also supports re-keying
• The proposed solution can easily be implemented with both

symmetric and asymmetric crypto

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 45

Establishment of security associations: Outline

Key establishment in sensor networks Exploiting physical contact Exploiting mobility Exploiting the properties of vicinity and of the radio link

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 46

Exploiting vicinity

• problem

– how to establish a shared key between two PDAs (using the radio link when no infrared connection is available)?

• assumptions

– no CA – PDAs can use short range radio communications (e.g., Bluetooth) – PDAs have a display – PDAs are held by human users

• Example: two people get together at a meeting and want to exchange

their business card using their PDAs in a secure way.

• idea

– use the Diffie-Hellman key agreement protocol – ensure key authentication by the human users

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations

The Diffie-Hellman protocol

47 Bob Alice

select random x compute gx mod p select random y compute gy mod p gx mod p gy mod p compute k = (gy)x mod p compute k = (gx)y mod p assumptions: p is a large prime, g is a generator of subgroup Zp

*, both are publicly known system

parameters

Diffie-Hellman with String Comparison: a protocol to ensure the integrity of the exchanged randoms (the two users will only need to trigger the protocol and just compare two strings of characters)

Georg-August University Göttingen

Trust, Naming and Addressing and Establishment of security associations 48

Summary of establishment of security associations

• it is possible to establish pairwise shared keys in ad hoc

networks without a globally trusted third party

• mobility, secure side channels, and friends are helpful
• in sensor networks, we need different types of keys

– node keys, cluster keys, and network keys can be established relatively easily using the technique of key pre-loading and using already established link keys – link keys can be established using a short-term master key or with the technique of random key pre-distribution