1 / 26

L. Zhou and Z. J. Haas, Cornell University: Securing Ad Hoc Networks

L. Zhou and Z. J. Haas, Cornell University: Securing Ad Hoc Networks. presented by Johanna Vartiainen johanna.vartiainen@ee.oulu.fi Centre for Wireless Communications University of Oulu, Finland. Outline. 1. Introduction 2. Security Goals and Challenges 3. Scope and Roadmap

lavey
Download Presentation

L. Zhou and Z. J. Haas, Cornell University: Securing Ad Hoc Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. L. Zhou and Z. J. Haas, Cornell University:Securing Ad Hoc Networks presented by Johanna Vartiainen johanna.vartiainen@ee.oulu.fiCentre for Wireless CommunicationsUniversity of Oulu, Finland

  2. Outline 1. Introduction 2. Security Goals and Challenges 3. Scope and Roadmap 4. Secure Routing 5. Key Management Service 6. The System Model 7. Threshold Cryptography 8. Proactive Security and Adaptability 9. Conclusions

  3. 1. Introduction • Ad hoc networks do not rely in any fixed infstractructure, unlike trational mobile wireless networks • To keep the network connecting, hosts rely on each other • Mobile nodes comminicate directly via wireless links or rely on other nodes to relay messages as routers • Frequent changes of network topology caused by node mobility • Main applications are military and other secure-sensitive operations • Ad hoc networks has unique properties -> commercial use, e.g. virtual classrooms and sensor networks • Main challenges: vulnerability to security attacks • Article studies the threats and security goals • New challenges and opportunities • How to defend against denial-of-service attacks towards routing protocols

  4. 2. Security Goals 1/3 • Security is a very important issue for ad hoc networks • Availability: ensures the survivability of network services despite denial-of-service attacks • A denial-of-service attack could be launched at any layer • Confidentiality: ensures that certain information is never disclosed for unauthorized entities • Integrity: guarantees that a message being transferred is never corrupted • Authentication: enables a node to ensure the identity of the peer node with which it is communicating • Nonrepudiation: ensures that the origin of a message cannot deny having sent the message

  5. 2. Challenges 2/3 • To achieving security goals, in ad hoc networks are both challenges and opportunities • Wireless links are sensitive to link attacks • eavesdropping is violating confidentiality • active impersonation and active attacks - even message distortion - are violating availability, integrity, authentication and nonredudiation • Nodes in a hostile environment with comparatively poor physical protection are endangered • E.g. nodes in the battlefield • Attacks can be launched from within the network Distributed architecture with no central entries to achieve high survivability

  6. 2. Challenges 3/3 • Because of frequent changes, ad hoc network is dynamic • Changes in topology and in its membership • Among nodes trust relationships also change Security mechanism should to adapt to the changes • Ad hoc networks may consist of hundreds or even thousands of nodes Security mechanism should be capable to handle such a big group of nodes

  7. 3. Scope and Roadmap • Traditional security mechanisms still have important role in ad hoc networks • ... but these are not sufficient enough • We rely on the two principles : • To achieve availability, we take adavantage of redundancies in the network topology • Distribution of trust to an aggregation of nodes • No single node is trustworthy • Assume: any t+1 nodes are improbable to all be compromised, consensus of at least t+1 nodes is trustworthy

  8. 4. Secure Routing 1/4 • All key-beeping based cryptographic schemes demand a key management service • Responsible for keeping track of bindings between keys and nodes and assisting the establishment of mutual trust and secure communication between nodes • Routing protocols should to be robust against dynamically changing topology and hostile attacks • Proposed routing protocols do cope well with the changing topology • ... but not against hostile attacks

  9. 4. Secure Routing 2/4 • In most routing protocols, routers exchange information about the network topology in order to establish routes between nodes • A target for hostile objector who want to bring the network downnnnn • There is two kinds of threats to routing protocols : • From external attackers • Injecting erroneous routing information, replaying old routing information, distorting routing information • Countermeasure: nodes can protect routing information as they protect data traffic • Cryptographic schemes, e.g. digital signature • Ineffective against attacks from compromised servers

  10. 4. Secure Routing 3/4 • From compromised nodes • More severe kind of threats ! • Compromised noise might advertise incorrect routing information to other nodes • Compromised nodes are still able to generate valid signatures using their private keys NOTE : there is always a possibility that the node is compromised ! • Because of dynamical nature of ad hoc networks, detection of compromised node is difficult : is a piece of routing information invalid because of compromised node OR because of topology changes ?

  11. 4. Secure Routing 4/4 • Some properties of ad hoc networks can exploit to achieve seecure routing • False routing information by compromised nodes could be considered as an outdated information (to some extent) • If there is enough correct nodes, the routing protocol should be able to find routes that go around compromised nodes • That capability usually relies on the inherent redundancies in ad hoc networks • Multiple routes between nodes, possibly disjoint • Nodes can switch the primary, failed route to an alternative route if routing protocol can discover multiple routes • Diversity codes takes advantage of multiple paths without message retransformation • Redundance information is transmitted through additional routes for error detection and correction • E.g. n disjoint routes, n-r channels for transmitting the data and r channels to transmit redundant information

  12. 5. Key Management Service 1/2 • Use of cryptograpnic schemes requires key management service • A public key infrastructure is adopted • Superiority in distributing keys and achieving integrity and nonrepudiatation • Secret key schemes are used to secure communication after nodes authentication each other and establish a shared secret session key • Each node has public and private key (key pair) in a public key system • Public key is really public, so it can be distributed to other nodes • Private key is absolutely confidential • There is a trusted entity for key management • The certification authority (CA) which has a key pair

  13. 5. Key Management Service 2/2 • The CA has to stay online to reflect the current bindings because the bindings can change • The CA is vulnerable point of network • Unavailability of the CA means that nodes cannot get the current public keys of other nodes or nodes cannot establish secure communication • It is problematic to have only one CA especially if the network is huge • But a replication ot the CA makes the service even more vulnerable • The article distributes trust to a set of nodes by letting these nodes share the key management responsibility

  14. 6. The System Model 1/2 • Assumptions : • A network without no bound on message delivery and processing times • The underlying network layer provides reliable links (much weaker link assumption to a separate article in preparation) • All nodes know the public key of the service and trust any certificates signed using the corresponding private key • Nodes can submit query request to get other nodes public key • Nodes can submit update request to change their own keys • (n,t+1) configuration, n>=3t+1 • n special nodes, called servers • Each server has its own key pair and stores the public keys of all nodes in the network and each server knows the public keys of other servers • t is the number of servers that the adversary can compromise in any period of time of a certain duration

  15. 6. The System Model 2/2 • The adversary has access to all the secret information stored on the server if a server is compromised • The adversary lacks the computational power to break the cryptographic schemes we employ • The service is correct if two concitions hold : • Robustness : the service is always able to process requests (query and update) from clients • Confidentiality : the private key of the service is never disclosed to an adversary

  16. k sn s2 s1 .. Kn/kn K1/k1 K2/k2 Server 1 Server 2 Server n 7. Threshold cryptography 1/4 • Distribution of trust is accomplished using threshold cryptography • (n,t+1) threshold cryptography scheme ( n servers, t compromised servers) • The private key kof the service is divided into n shares s1, ..., sn, one share for each server • Each server has also a key pair Ki /ki (public and private key) • The public key K is known to all nodes in the network Fig. 1: The configuration of a key management service

  17. 7. Threshold cryptography 2/4 • For the service to sign a cerfiticate, each server generates a partial signature for the certificate using its private key share and submits the partial signature to a combiner • Any server can be a combiner, to ensure that a compromised combiner cannot prevent a signature, it can be used t+1 servers as a combiners • To make sure that at least one combiner is correct • Compromised servers (at most t ) are not able to generate correctly signed certificates, because they can generate at most t partial signatures • With t+1 correct partial signatures, the combiner can compute the signature for the certificate

  18. s1 PS(m,s1) Server 1 m s2 combiner Server 2 PS(m,s3) s3 Server 3 7. Threshold cryptography 3/4 • K/k is the key pair of the server • (3,2) cryptographic scheme, e.g. n=3, t=1 ( 3 servers and 1 of these servers is compromised) • Each server i gets a share ofsiof the private key k • Message m : server i can generate a partial signature PS(m,si )using its share si . In this case, i=1 and 3. • Correct servers (1 and 3) both generate partial signatures and forward the signatures to a combiner • Combiner can generate the signature of msigned by server private key k Server 2 Fig. 2: Threshold signature K/k

  19. 7. Threshold cryptography 2/4 • Compromised servers ... • ... can generate an incorrect partial signature • That can yield an invalid signature • BUT a combiner can verify the validity of a computed signature using the service public key • If vertification fails, the combiner tries another set of partial signatures ... and continues until the correct signature is constructed

  20. 8. Proactive Security and Adaptability 1/6 • Key management service also employs the share refreshing to tolerate ’mobile’ adversaries and adapt its configuration to changes in the network • Mobile adversary temporarily compromise a server and then move to the next victim • Mobile adversary might be able to compromise all the servers over a long period of time (e.g. viruses) • Compromised servers may be detected and excluded, but the adversary could still gather more than t shares of the private key from compromised servers over time That would allow the adversary to generate any valid certificates signed by the private key • Countermeasure: proactive threshold cryptography scheme

  21. 8. Proactive Security and Adaptability 2/6 • A proactive threshold cryptography scheme uses share refreshing • That enables servers to compute new shares from old ones in collaboration without exposing the service private key to any server • The new share compose a new (n, t+1) sharing of the service private key • Refreshing is done periodically • Servers remove the old shares after refreshing and starts to use new shares The adversary has to compromise t+1 servers every time after refreshing, again and again … • Share refreshing is based on the property called homomorphic [see page 27 in the reference]

  22. 8. Proactive Security and Adaptability 3/6 • Every server generates so called subshares • When server gets subshares, it can compute a new share from these subshares and its old share • Share refreshing must tolerate missing subshares and erroneous subshares from compromised servers • A compromised server may not send any subshares • For servers to detect incorrect subshares, the verifiable secret sharing schemes can be used • That scheme generates extra public information for each (sub)share using a one-way function • The public information can testify to the correctness of the corresponding (sub)shares without disclosing the (sub)shares

  23. 8. Proactive Security and Adaptability 4/6 • A variation of share refreshing also allows the key management service to change its configuration so it can adapt itself to changes in the network • The service should exclude the compromised server and refresh the exposed share • The service should change its configuration if it is no longer available or a new server is added • The original set of servers generate and distribute subshares based on the new configuration of the service • Share refreshing is transparent to all nodes because it does not change the service key pair • The same public key is still in use

  24. 8. Proactive Security and Adaptability 5/6 • Existing threshold cryptography and proactive threshold cryptography scmemes assume a synchronous system • Any synchronos assumption is a weak point in the system • The adversary can launch denial-of-service attacks to slow down a node or to disconnect a node for a long enough period of time to invalidate the synchrony assumption • to attenuate the weak point: key management service presented works in an asynchronous setting • Problems ? yes, one of these is that we don’t know is the server compromised or is it just slow This assumption is not necessarily valid in ad hoc networks

  25. 8. Proactive Security and Adaptability 6/6 • In the paper it is required that there are enough correct servers being up to date • NOT that all the correct servers are consistent after each operation • Also it is required enough signatures • At least one correct server must have provided one signature, thus assuring the validity of the message • Detailed description of the service is not provided

  26. 9. Conclusions • Security threats an ad hoc networks was analyzed • Secure routing • Secure key management service • Threshold cryptography Weaknesses: • prototype, no details • still problems

More Related