250 likes | 524 Views
From the Eternity Service to Suicide Bombing – a Short History of Ad-hoc Network Security. Ross Anderson Cambridge. Overview. Eternity Service The Resurrecting Duckling Cocaine Auctions Smart Dust Eternity II – Economics, and Topology Applying it – HomePlug Lessons Learned. Early Days.
E N D
From the Eternity Service to Suicide Bombing – a Short History of Ad-hoc Network Security Ross Anderson Cambridge
Overview • Eternity Service • The Resurrecting Duckling • Cocaine Auctions • Smart Dust • Eternity II – Economics, and Topology • Applying it – HomePlug • Lessons Learned
Early Days • Penet.fi remailer operated by Julf Helsingius from 93 to 96 • Scientologists got an order in Feb 95 for access to logs to identify a critic • Same again twice in 96; then Julf shut Penet • What is the scope of legal threats to the information society?
Censorship and Technology • Wycliff translated the Bible into English in 1382 • Fallout contained in most countries… • William Tyndale did it again in the 16th century • But now there was printing! • What happens to society if books that the rich and powerful don’t like can be unpublished? • Next question: can we design a system to withstand compulsion?
The Eternity Service (1996) • Idea: a peer-to-peer file store • You donate some of your own storage • You can then publish documents • Documents protected by encryption, fragmentation, redundancy, scattering • You don’t know which parts of which documents are on your machine • Selective service denial isn’t possible
Peer-to-Peer Security • After Napster was closed down, the ideas in Eternity were adopted by Freenet, Gnutella • Music industry starts trying hard to find real attacks! • Spam it with poisoned content • Download stuff, identify uploaders, and sue them • In other words, in a network that anyone can join, it’s not the initial authentication that matters so much as subsequent conduct
The Resurrecting Duckling (1999) • Initial problem: what does it mean for a medical sensor to be ‘secure’? • The doctor picks up a thermometer from a nursing station and mates it to her PDA • First requirement: bond to the first device you see (like a baby duckling) • Second requirement: the mother should be able to break the bond (kill and resurrect her duckling)
Cocaine Auctions (1999) • If we have the opposite of authenticated principals – anonymous broadcast – can we design systems to do real work? • Surprising answer: yes! • Suppose a dozen Mafiosi are in a room conducting a cocaine auction • Mistrustful principals, no arbitrator, no PKI – just anonymous broadcast devices
Cocaine Auctions (2) • At each successive price, each bidder broadcasts a new Diffie-Hellman key gri • The final bidder claims the coke by setting up a key with the seller who broadcasts gw and the delivery details encrypted under gwri • If the seller cheats the buyer, or vice versa, this can be decrypted and broadcast to support an accusation of cheating • Lesson: you can do standalone transaction crypto. You don’t need long-term security associations
Smart Dust (2002–4) • Battery-powered devices • Wireless comms • Not tamper-proof • Limited CPU, memory • Communicate peer-to-peer • Deployed randomly • Can then be subverted
Smart Dust (2) • How can we load keys? • Public key – need too big a CPU • Combinatorial symmetric keys – messy, fiddly • Single master key – will be compromised after deployment • But – does this really matter? • Same effect as devices broadcasting keys locally in clear on landing, and eavesdropping starts after that
Smart Dust (3) • Mote i, when it comes to rest, transmits key ki • When mote j hears it, it responds with just enough power for the link: j i: {j, kji}ki The key is compromised if a hostile mote lies in the intersection i j i E.g, 1 black mote for 100 white - 97.62% of links secure
Smart Dust (4) • You can improve this will various extra resilience mechanisms – multiple path keys, privacy amplification etc • Economic question: how much do you invest in bootstrapping and how much in later resilience? • Answer: it depends on the initial and marginal costs of both attack and defence! • Smart dust owner will often favour the resilience mechanisms over the bootstrapping mechanisms in order to cause the defender to give up
Eternity Again – Economics • If you have a peer-to-peer system, should you put everything into one pot, or not? • Eternity, freenet, mojonation, chord, oceanstore: everyone shares everything • The systems that prevailed had people share only their own stuff: Gnutella, Kazaa,… • We modelled solidarity versus clubs in defence and explained this (WEIS 2005): people fight harder to defend what they care about • Past a certain point, solidarity will fail
– and Topology (2005) • Real-world physical systems tend not to have every node talking to every other, or even to a random collection of nodes • Instead, there’s often a power-law structure with some ‘popular’ nodes • Knocking these nodes out can disable the network: Ukrainian kulaks, Senegal hookers • What sort of defences are possible?
Naïve Defenses Don’t Work! • Basic vertex-order attack – network dead after 2 rounds • Random replenishment – 3 rounds • Scale-free replenishment – 4 rounds
Evolving Defense Strategies • Black – scalefree replenishment • Green – replace high-order nodes with rings • Cyan - replace high-order nodes with cliques • Cliques work very well against the vertex-order attack
Suicide Bombing (2007) • Revocation is a big problem in real life, and even worse in many ad-hoc network models • Another possibility: node A on seeing node B misbehaving simply declares them both to be dead • This is cheap; it scales well; it’s not much affected by mobility; and it works across interesting parameter ranges • Suicide and high-risk attacks common in nature – bees, helper T-cells, … • Ad-hoc network models help us understand them
HomePlug • HomePlug AV is a 2006 standard for power-line communications at 150Mbps • How do you set up keys between TVs, PVRs, DSL modems, wifi, hifi, PCs, … ? • Somewhat similar to the problems faced by bluetooth, wifi designers • Great variety of devices, some with no decent input and / or output interfaces • Great variety of CPUs, from peanut to Pentium
HomePlug (2) • Most users just want dependability – they want their speakers to mate with their hifi, not their neighbours’ • A handful want security too • Usability is critical • Too many returned devices would be fatal • Big question: do we include a public key mode?
Homeplug (3) • Suppose you have a PK protocol where the user confirms the right key is set up • Attack on high-value home user attorney… • Man in grey van does microwave DoS on set top box, attaches similar to mains • User has no TV, sees on PC “found Philips set-top box with cert ID 4F3D241E… admit/deny?” • Moral: not enough to say Y/N, user must copy text • So might as well just print the key on the label!
HomePlug (4) • That’s why HomePlug has only two modes, Secure and Simple Connect • Simple Connect mode: device on power-up, like duckling, looks for a mummy • Bootstrap key sent in clear, protocols to confirm it’s the right device / network bond • Secure mode: copy the AES key from the device label into your network management station (I.e. your PC) • Is this not optimal?
Lessons Learned • Ad-hoc networks, whether peer-to-peer or wireless, have new needs • Crypto geeks used to focus on authentication. But bootstrapping is only a tiny part of the lifecycle • Most of the work usually goes into managing associations once they’re established • But then that’s how the real world has always worked … can you remember when you first decided to trust your mother?