160 likes | 227 Views
Integrity-regions: Authentication Through Presence in Wireless Networks. Srdjan Č apkun 1 and Mario Č agalj 2 1 Department of Computer Science, ETH Zurich 2 FESB, University of Split, Croatia ACM WiSe 2006. Key Establishment: Diffe-Hellman. . g a mod p. . . g b mod p. Alice. Bob.
E N D
Integrity-regions: Authentication ThroughPresence in Wireless Networks Srdjan Čapkun1 and Mario Čagalj2 1Department of Computer Science, ETH Zurich2FESB, University of Split, Croatia ACM WiSe 2006
Key Establishment: Diffe-Hellman ga mod p gb mod p Alice Bob KAB=(gb)a mod p KAB=(ga)b mod p Mallory
Solution to the MITM: Authentication of DH Contributions ga mod p B A gb mod p, sigB(gb,ga) sigA(ga,gb) Uses signatures ... (DH contributions are authenticated) B A here are the public keys TTP
Our goal: Avoiding Certificates (Reliance on TTPs) ga mod p B A gb mod p Visual recognition, conscious establishment of keys B A h(ga) h(gb)
Existing Solutions • Stajano and Anderson propose the “resurrecting duckling” security policy model (physical contact) • Balfanz et al. “location-limited channel”(e.g., an infrared link) • Asokan and Ginzboorg propose a solution based on a shared password • Perrig and Song, hash visualization (image comparison) • Maher presents several methods to verify DH public parameters (short string comparison), found flawed by Jakobsson • Jakobsson and Larsson proposed two solutions to derive a strong key from a shared weak key • Dohrmann and Ellison propose a method for key verification that is similar to DH-SC (short word comparison) • Gehrmann et al., (short string comparison) • Goodrich et al. Loud And Clear: Human Verifiable Authentication Based on Audio • Cagalj et al. (short string comparison (1/2 string size)) • Capkun, et al. key establishment for self-organized mobile networks (IR channel, mobility) • Castellucia, Mutaf (device signal indistinguishability) • Cagalj, Capkun, Hubaux, distance-based verification, channel anti-blocking • Cagalj, Capkun, ... Integrity-codes (awareness of presence)
The Seriousness of the MITM Attack • Devices using low-power radios can avoid it? • not all radios can control their tx power • the ranges are highly unpredictable • the attacker can use high-gain directional antennas and increase its listening range up to 10x • neighboring/hidden devices • I will establish keys in my own living room, I do not need security ... • maybe your neighbor steals your dvd UWB output? • you meet someone at a conference ... • ad hoc groups of emergency staff, police, ... • ... • yes, you probably do not need any security in your living room
Our Solution: Integrity-regions • Main idea:message authentication through distance verification (e.g. ultrasonic distance-bounding) • Assumption: the user can assume or visually verify that there are no malicious devices within the integrity region • No certificates or preshared keys exchanged prior to the protocol execution
Integrity Region Protocol c,B NA tS NAo tR US channel A’s integrity region M d* d (c,o) = commit(gb) B A d*=(tR-tS)vsound [1]verify (c,o) [2] verify that d* is within its (A's) integrity region d(i.e., d* d) [3] verify that there are no devices at any distance d** d* [4] if verifications (1-3) pass, A accepts message gb as genuine
Diffie-Hellman with Integrity Regions Alice Bob Given gb PickNB U {0,1}k mB 1gbNB (cB ,oB)commit (mB) Given ga PickNA , NA U {0,1}k mA0gaNA (cA ,oA) commit (mA) * cA cB oA mAopen (cA ,oA) Verify 0 in mA sBNBNA oB mBopen (cB ,oB) Verify 1 in mB sANANB * NA * tS RBNA sB RB dA=(tR-tS)vsound Verify sA = NARB tR * Only Alice verifies her integrity region. If verification OK, Alice and Bob accept mB and mA, respectively.
Analysis of the Implementation with Ultrasound (c*,o*) = commit(gm) c*,B NA o* c,B NA tS NAo tR US channel A’s integrity region M d* d (c,o) = commit(gb) B A
Main Consequence of Integrity Regions • Forcing the attacker to be physically close to the devices to perform the MITM attack. with integrity regions without integrity regions
Example Application Scenarios Setup of wireless sensor networks (establishment of keys) Setup of a home network no attackers inthis space (sensors’ I-region)
Summary/Future Work • Physical presence of the attacker (i.e., the attacker cannot be omnipresent (physically)) • Honest devices (users) can have an awareness of presence (distance, space, surrounding devices) • One solution: Integrity regions, message authentication through distance verification • Impact on (mobile) ad hoc / sensor networks: • verification of the distance prevents MITM attacks on key establishment from remote locations • enables P2P key establishment / key pairing
Authentication Through Presence (Awareness) • M. Čagalj, S. Čapkun, R. Rengaswamy, I.Tsigkogiannis, M. Srivastava, and J.-P. Hubaux. Integrity (I) codes: Message Integrity Protection and Authentication Over Insecure Channels. In Proceedings of the IEEE Symposium on Security and Privacy, 2006 • M. Čagalj, S. Čapkun, and J.-P. Hubaux,Key Agreement in Peer-to-Peer Wireless Networks Proceedings of the IEEE (Special Issue on Security and Cryptography), 94(2), 2006