210 likes | 333 Views
Secure Mobility. Jean-Pierre Hubaux EPFL/School of Information and Communication. Some security activities in MICS. IP10. IP8. Business aspects of security in mobile networks. IP5. Secure software, secure applications. Trust in peer-to-peer systems. IP4.
E N D
Secure Mobility Jean-Pierre Hubaux EPFL/School of Information and Communication
Some security activities in MICS IP10 IP8 • Business aspects of security in mobile networks IP5 • Secure software, secure applications • Trust in peer-to-peer systems IP4 • Tamper-proof device-based security • Protocol analysis (WTLS) • Zero-infrastructure security • Mobility Vs Security : • - Mobility helps security • - Provable encounters • Immune mobile systems • Cooperation issues : • - In multi-hop cellular networks • - In pure ad hoc networks IP6 Last Encounter Routing IP1
Provable encounters 1. Encounter 2. Proof of encounter verifier claimant • Verification is: • a posteriori • frequent certifier claimant • claimant : a node claiming that it has met another node at a given time t • certifier : a node that certified the encounter with the claimant • verifier : a node that verifies the encounter between two nodes • - Two scenarios : • any-to-any (typically mobile ad hoc networks, where any node can be a claimant, a verifier and a certifier) • any-to-one (typically hybrid ad hoc networks, where mobile nodes play roles of claimants and certifiers, and base stations perform verification) • Two building blocks : • Distance bounding • Proving the time of encounter
Applications of provable encounters • Secure protocols based on last encounter (e.g., Last Encounter Routing) • Topology tracking in multi-hop cellular networks (e.g, for misbehaviour detection) • Any service requiring to prove previous encounters, including their distance (e.g., liability issues in road traffic) • Distributed robotics • Prevention of wormhole attacks • …
General assumptions • Loose synchronization of the nodes clocks • Abilities of each node : • Measure time with a nanosecond precision • Perform cryptographic operations (generate keys, check signatures, compute hash functions,…) • No GPS receivers, no system providing location information • Presence of a centralized authority (off-line or on-line): assigns a unique, certified identity to each node • All nodes share pairwise secret keys (other options are possible) • The claimant and the verifier always authenticate each other at verification time
Mafia Fraud Attack (Y. Desmedt, 1988) : Authenticated distance bounding Authentication protocol Authentication protocol Secret communication channel Bernard Alice Carole Damien Location 2 Location 1 • Similar issue: the Chess Grandmaster Problem • Solution: Distance-Bounding Protocols (Brands and Chaum, Eurocrypt 1993) • Related problem: Wormhole Attacks in ad hoc networks • Proposed solution: Packet leashes (Hu, Perrig and Johnson, Infocom 2003) (based on precise clock synchronization or on location awareness)
Mutual Authentication with Distance Bounding (MAD) (1/2) • Our solution: MAD • Improvements wrt Brands and Chaum’s proposal: • Avoid public key cryptography rely on MAC computations • Both nodes can measure the distance to the other node simultaneously • Assumption: special hardware module in each node • Can temporarily take over the control of the radio transceiver from the CPU • Able to respond to a one-bit challenge with a one-bit response
Guaranteeing Encounter Freshness (GEF) (meaning at or before time t) 2.2. Verification (certifier authentication only, therefore called GEF-Ce) : V96 Cl1 V96 Verif Cl1 V47 V47 Cl2 ? HN-47(V47) = VN Cl2 • 1. Initialization (at each node) H H H 1.1. Construct the hash chain : 1.2 Distribute VN to all other nodes V2 VN V0 V1 • 2. Network operation : disclose the values Vi in reverse order 2.1. Encounters : Cert • Almost optimal hash sequence traversal: Coppersmith and Jakobsson, FC’02 • If claimant authentication is also desired: each node produces n hash chains instead of one GEF-CeCl
Purpose: The claimant can prove to the verifier that it met the certifier at the time tof the actual encounter (neither before nor later); Basic mechanism: only certifier authentication: GTE-Ce Guaranteeing the Time of the Encounter (GTE) • 1. Initialization • Generation of N values (V0 to VN) • Construction of the Merkle tree • Deliver the root of the tree to allother nodes (in an authentic way) 2. Network operation 2.1 Encounters - At each time interval, the certifier broadcasts a Vi with its siblings 2.2 Verification - Example : H(H(m01||H(H(V2)||m3))||m47) = m07 ?
The full solution : MAD + GTE-CeCl Encounter Proof ofencounter
Attacks 1. Encounter 2. Proof of encounter claimant verifier claimant certifier Attack-Ce : deceive a honest claimant about its identity or about the time of encounter Attack-Cl : deceive an honest verifier about previous encounters • Attack-V : deceive a honest verifier (to be met in the • future) about previous encounters
Resistance to attacks With MAD GEF-CeGTE-Ce GEF-CeGTE-Ce GEF-CeClGTE-CeCl Attack-Cl Attack-Ce Attack-V Attacker-x-y x : # owned nodes y : # compromised nodes Other attacks: AttackClCe,…
Conclusion on Provable Encounters • Well-established cryptographic techniques can allow mobile nodes to prove their time and distance of encounters, at a very reasonable cost • Very first contribution to a novel and promising research area • Future work: • Study different mobility scenarios • Identify applications more precisely; examples: • Single-hop wireless networks in which the Access Points are not (fully) trusted • Intelligent Transport Systems S. Capkun, L. Buttyan, and J. P. Hubaux SECTOR : Secure Tracking of Node Encounters in Multi-hopWireless Networks First ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN),Washington, October 2003
Problem : how to bootstrap security in a mobile network without a central authority ? Mobility helps security Visual recognition, conscious establishment of a two-way security association (Alice, PuKAlice, XYZ) Bob Alice Infrared link (Bob, PuKBob , UVW) • Secure side channel • Typically short distance (a few meters) • Line of sight required • - Ensures integrity • - Confidentiality not required
Colin Friends mechanism (Alice, PuKAlice, XYZ) Alice (Alice, PuKAlice, XYZ) Bob (Colin’s friend) IR • Colin and Bob are friends: • They have established a Security Association at initialisation • They faithfully share with each other the Security Associations • they have set up with other users
i i i i i i f f f f j j j j j j Mechanisms to establish Security Associations a) Encounter and activation of the Secure Side Channel b) Mutual friend c) Friend + encounter Exchange of triplets over the secure side channel Two-way SA resulting from a physical encounter Friendship : nodes know each others’ triplets i knows the triplet of j ;the triplet has been obtained from a friend of i j i Note: there is no transitivity of trust (beyond your friends)
Depends on several factors: • Area size • Number of communication partners: s • Number of nodes: n • Number of friends • Mobility model and its parameters (speed, pause times, …) Pace of establishment of the security associations (1/2) Established security associations : Desired security associations : Convergence :
Conclusion on Mobility Helps Security • Mobility can help security in mobile ad hoc networks, from the networking layer up to the applications • The proposed solution also supports re-keying • The proposed solution can easily be implemented with both symmetric and asymmetric cryptography S. Capkun, J. P. Hubaux, and L. Buttyan Mobility Helps Security in Ad Hoc Networks Fourth ACM Symposium on Mobile Networking and Computing (MobiHoc), Annapolis, June 2003
Conclusion • Security in mobile and wireless networks is a major research area • MICS has pioneered the exploration of mobility Vs. security • MICS is strongly committed to make further fundamental contributions