1 / 25

From the Eternity Service to Suicide Bombing – a Short History of Ad-hoc Network Security

From the Eternity Service to Suicide Bombing – a Short History of Ad-hoc Network Security. Ross Anderson Cambridge. Overview. Eternity Service The Resurrecting Duckling Cocaine Auctions Smart Dust Eternity II – Economics, and Topology Applying it – HomePlug Lessons Learned. Early Days.

janna
Download Presentation

From the Eternity Service to Suicide Bombing – a Short History of Ad-hoc Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. From the Eternity Service to Suicide Bombing – a Short History of Ad-hoc Network Security Ross Anderson Cambridge

  2. Overview • Eternity Service • The Resurrecting Duckling • Cocaine Auctions • Smart Dust • Eternity II – Economics, and Topology • Applying it – HomePlug • Lessons Learned

  3. Early Days • Penet.fi remailer operated by Julf Helsingius from 93 to 96 • Scientologists got an order in Feb 95 for access to logs to identify a critic • Same again twice in 96; then Julf shut Penet • What is the scope of legal threats to the information society?

  4. Censorship and Technology • Wycliff translated the Bible into English in 1382 • Fallout contained in most countries… • William Tyndale did it again in the 16th century • But now there was printing! • What happens to society if books that the rich and powerful don’t like can be unpublished? • Next question: can we design a system to withstand compulsion?

  5. The Eternity Service (1996) • Idea: a peer-to-peer file store • You donate some of your own storage • You can then publish documents • Documents protected by encryption, fragmentation, redundancy, scattering • You don’t know which parts of which documents are on your machine • Selective service denial isn’t possible

  6. Peer-to-Peer Security • After Napster was closed down, the ideas in Eternity were adopted by Freenet, Gnutella • Music industry starts trying hard to find real attacks! • Spam it with poisoned content • Download stuff, identify uploaders, and sue them • In other words, in a network that anyone can join, it’s not the initial authentication that matters so much as subsequent conduct

  7. The Resurrecting Duckling (1999) • Initial problem: what does it mean for a medical sensor to be ‘secure’? • The doctor picks up a thermometer from a nursing station and mates it to her PDA • First requirement: bond to the first device you see (like a baby duckling) • Second requirement: the mother should be able to break the bond (kill and resurrect her duckling)

  8. Resurrecting Duckling (2)

  9. Cocaine Auctions (1999) • If we have the opposite of authenticated principals – anonymous broadcast – can we design systems to do real work? • Surprising answer: yes! • Suppose a dozen Mafiosi are in a room conducting a cocaine auction • Mistrustful principals, no arbitrator, no PKI – just anonymous broadcast devices

  10. Cocaine Auctions (2) • At each successive price, each bidder broadcasts a new Diffie-Hellman key gri • The final bidder claims the coke by setting up a key with the seller who broadcasts gw and the delivery details encrypted under gwri • If the seller cheats the buyer, or vice versa, this can be decrypted and broadcast to support an accusation of cheating • Lesson: you can do standalone transaction crypto. You don’t need long-term security associations

  11. Smart Dust (2002–4) • Battery-powered devices • Wireless comms • Not tamper-proof • Limited CPU, memory • Communicate peer-to-peer • Deployed randomly • Can then be subverted

  12. Smart Dust (2) • How can we load keys? • Public key – need too big a CPU • Combinatorial symmetric keys – messy, fiddly • Single master key – will be compromised after deployment • But – does this really matter? • Same effect as devices broadcasting keys locally in clear on landing, and eavesdropping starts after that

  13. Smart Dust (3) • Mote i, when it comes to rest, transmits key ki • When mote j hears it, it responds with just enough power for the link: j  i: {j, kji}ki The key is compromised if a hostile mote lies in the intersection i j i E.g, 1 black mote for 100 white - 97.62% of links secure

  14. Smart Dust (4) • You can improve this will various extra resilience mechanisms – multiple path keys, privacy amplification etc • Economic question: how much do you invest in bootstrapping and how much in later resilience? • Answer: it depends on the initial and marginal costs of both attack and defence! • Smart dust owner will often favour the resilience mechanisms over the bootstrapping mechanisms in order to cause the defender to give up

  15. Eternity Again – Economics • If you have a peer-to-peer system, should you put everything into one pot, or not? • Eternity, freenet, mojonation, chord, oceanstore: everyone shares everything • The systems that prevailed had people share only their own stuff: Gnutella, Kazaa,… • We modelled solidarity versus clubs in defence and explained this (WEIS 2005): people fight harder to defend what they care about • Past a certain point, solidarity will fail

  16. – and Topology (2005) • Real-world physical systems tend not to have every node talking to every other, or even to a random collection of nodes • Instead, there’s often a power-law structure with some ‘popular’ nodes • Knocking these nodes out can disable the network: Ukrainian kulaks, Senegal hookers • What sort of defences are possible?

  17. Naïve Defenses Don’t Work! • Basic vertex-order attack – network dead after 2 rounds • Random replenishment – 3 rounds • Scale-free replenishment – 4 rounds

  18. Evolving Defense Strategies • Black – scalefree replenishment • Green – replace high-order nodes with rings • Cyan - replace high-order nodes with cliques • Cliques work very well against the vertex-order attack

  19. Suicide Bombing (2007) • Revocation is a big problem in real life, and even worse in many ad-hoc network models • Another possibility: node A on seeing node B misbehaving simply declares them both to be dead • This is cheap; it scales well; it’s not much affected by mobility; and it works across interesting parameter ranges • Suicide and high-risk attacks common in nature – bees, helper T-cells, … • Ad-hoc network models help us understand them

  20. HomePlug • HomePlug AV is a 2006 standard for power-line communications at 150Mbps • How do you set up keys between TVs, PVRs, DSL modems, wifi, hifi, PCs, … ? • Somewhat similar to the problems faced by bluetooth, wifi designers • Great variety of devices, some with no decent input and / or output interfaces • Great variety of CPUs, from peanut to Pentium

  21. HomePlug (2) • Most users just want dependability – they want their speakers to mate with their hifi, not their neighbours’ • A handful want security too • Usability is critical • Too many returned devices would be fatal • Big question: do we include a public key mode?

  22. Homeplug (3) • Suppose you have a PK protocol where the user confirms the right key is set up • Attack on high-value home user attorney… • Man in grey van does microwave DoS on set top box, attaches similar to mains • User has no TV, sees on PC “found Philips set-top box with cert ID 4F3D241E… admit/deny?” • Moral: not enough to say Y/N, user must copy text • So might as well just print the key on the label!

  23. HomePlug (4) • That’s why HomePlug has only two modes, Secure and Simple Connect • Simple Connect mode: device on power-up, like duckling, looks for a mummy • Bootstrap key sent in clear, protocols to confirm it’s the right device / network bond • Secure mode: copy the AES key from the device label into your network management station (I.e. your PC) • Is this not optimal?

  24. Lessons Learned • Ad-hoc networks, whether peer-to-peer or wireless, have new needs • Crypto geeks used to focus on authentication. But bootstrapping is only a tiny part of the lifecycle • Most of the work usually goes into managing associations once they’re established • But then that’s how the real world has always worked … can you remember when you first decided to trust your mother?

More Related