Key Establishment in Ad Hoc Networks Part 1 of 2. S. Capkun, JP Hubaux. Outline. Introduction URSA: Providing Ubiquitous and Robust Security Support for MANET (UCLA proposal) PGP-inspired solution: keys generated by the nodes (EPFL proposal)
Key Establishment in Ad Hoc Networks, Part 1 of 2. S. Capkun, JP Hubaux
Outline • Introduction • URSA: Providing Ubiquitous and Robust Security Support for MANET (UCLA proposal) • PGP-inspired solution: keys generated by the nodes (EPFL proposal) • Mobility helps security (in Part 2 of 2)
Research areas in security for ad hoc networks • Key establishment: how to distribute and manage keys in the absence of an on-line authority • Secure routing: how to make routing protocols robust against potential attacks • Intrusion detection: how to discover that an intruder is attempting to penetrate the network • Preventing denial of service: how to keep nodes from misbehaving, rationally or maliciously, e.g. by pretending to forward packets while dropping them • Securing sensor networks: how to make the protocols used by sensor networks robust against potential attacks, while coping with the anemic nature of the devices
Design Challenges • Security breaches • Vulnerable wireless links • Occasional break-ins may be inevitable over long time • Service ubiquity in presence of mobility • Anywhere, anytime availability • Network dynamics • Wireless channel errors • Node failures • Node join/leave • Network scale
Key establishment techniques in ad hoc networks • Presence of an authority, at least in the initialization phase (usually based on threshold cryptography): • Specialized nodes (servers) • Centralized secret share dealer • No authority: keys are generated by the nodes: • PGP-inspired (trust; certificate graph) • Mobility helps security (exploit node encounters)
Secret sharing based on threshold cryptography • No trusted authority, no central server • Threshold crypto makes it possible to distribute specific tasks (e.g., signature and therefore certificate issuing) among several users • Definition:
URSA: Providing Ubiquitous and Robust Security Support for MANET. Courtesy of: Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang, University of California, Los Angeles {jkong,pzerfos,hluo,slu,lixia}@cs.ucla.edu
URSA Approach • Ubiquitous and robust service provision in the presence of random mobility • Localized algorithms and protocols • One-hop wireless communication
Why this model? • No single point of compromise • Hackers must break into K nodes simultaneously to compromise the system • No single point of DoS attack & node failure • K offers tradeoff between intrusion tolerance and service availability • K=1, single point of compromise, maximal availability • K=N, single point of DoS attack, maximal intrusion tolerance
System Overview • Each node carries a verifiable, unforgeable personal certificate • Certificate is signed by network system key SK • Certificate may be issued, renewed, or revoked • Every mobile node periodically renews its certificate • Ubiquitous services enabled by secret sharing
System Components • Certification services • Localized certificate issuing, renewal, revocation • Self-initialization service • To provide a secret share to an entity • To provide scalable proactive secret share update service • Proactive secret share update service • To resist long-term adversaries without changing the shared secret
Network Protocol Certificate issuing, renewal, or explicit revocation Self-initialization • Initialization request • Unicast shuffling package • Routing shuffling package • Unicast partial secret share • Service request • Return partial certificates (K=5)
Cryptographic Algorithms: Threshold Secret Sharing • Polynomial-based threshold secret sharing • Given a secret $d$ and a random polynomial of degree $K-1$: $f(x) = d + f_1 x + f_2 x^2 + \dots + f_{K-1} x^{K-1} \bmod n$ • Each entity $v_i$ obtains its secret share $f(v_i) \bmod n$ • $d$ can be recovered by Lagrange interpolation • In the RSA cryptosystem, the $d$ in the signing key $SK=(d,n)$ is shared and distributed
Multi-signature • Threshold secret sharing reveals $d$ to a coalition • $d$ is not revealed if partial certificates are used • The cornerstone is the equation $X^{d_1} \cdot X^{d_2} \cdots X^{d_K} = X^{(d_1 + d_2 + \dots + d_K)}$ • Each coalition member contributes a signed partial certificate $X^{SK_i} = (X^{d_i} \bmod n)$, which corresponds to an RSA SK-signing in computation • The certification service requester combines $K$ partial certificates and obtains a correctly signed certificate $X^{SK} = (X^{d} \bmod n)$
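The two slides above, worked end to end as an added example (not code from the slides or from the URSA authors): polynomial shares of the RSA exponent are turned into partial certificates and multiplied together, without any node ever holding d. The toy primes, the node IDs and the trial removal of the multiple of n in `combine` are assumptions of this example; the slides do not say how the reduction mod n is handled.

```python
import random
from math import prod

# Toy RSA key, constructed for this example; real moduli are far larger.
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # the d of SK = (d, n)
K = 3                                # coalition size (threshold)

def deal_shares(node_ids, rng):
    """f(x) = d + f1*x + ... + f_{K-1}*x^(K-1) mod n; node v_i gets f(v_i) mod n."""
    coeffs = [D] + [rng.randrange(N) for _ in range(K - 1)]
    return {v: sum(c * pow(v, i, N) for i, c in enumerate(coeffs)) % N
            for v in node_ids}

def lagrange_at_zero(v, coalition):
    """Lagrange coefficient l_v(0) mod n for interpolating f(0) = d."""
    num = prod(u for u in coalition if u != v)
    den = prod(u - v for u in coalition if u != v)
    return num * pow(den % N, -1, N) % N

def partial_certificate(x, v, share, coalition):
    """Node v signs with d_v = f(v) * l_v(0) mod n; d itself is never formed."""
    return pow(x, share * lagrange_at_zero(v, coalition) % N, N)

def combine(x, partials):
    """Product of partials is X^(d + t*n) with 0 <= t < K; remove t*n by trial."""
    sig = prod(partials) % N
    x_to_minus_n = pow(pow(x, N, N), -1, N)
    for _ in range(K):
        if pow(sig, E, N) == x % N:   # check against the public key (e, n)
            return sig
        sig = sig * x_to_minus_n % N
    raise ValueError("partial certificates do not combine to a valid signature")

def issue_certificate(x, coalition, shares):
    partials = [partial_certificate(x, v, shares[v], coalition) for v in coalition]
    return combine(x, partials)
```

Any K of the dealt shares produce the same certificate as signing with d directly, which is what lets a node obtain service from whichever K neighbours are in range.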
Simulation: Proactive Update, Updated Node Percentage vs. Delay • “Explosion” effect: as more and more entities obtain the new version of secret shares, the task is getting easier and faster
Conclusion on URSA • Certification-based approach • Secret sharing • Multi-signature • Localized and distributed protocols • Faster and more robust than other approaches • Service ubiquity • Scalable • Flexible trade-off between intrusion tolerance & service availability
Full Self-Organization of Public Key Management (EPFL proposal) • Security: we use a public-key cryptography scheme to support security services in mobile ad hoc networks • Problem: How can a user u obtain the authentic public key of another user v in the presence of an active attacker? • Principles: • users generate their own keys and issue certificates (no preinstalled keys) • no central certification authority • no certificate directories • no specific role assigned to a subset of nodes
Public-Key Infrastructure • A self-organized mobile ad hoc network has no infrastructure and therefore: • no server • no certification authority • Reminder: Certification Authorities (CAs) (e.g., ISO X.509, used notably in S/MIME) [Figure: certification authorities CAU, CAV, CAW, CAX, CAY, CAZ with users Alice and Bob] • Is it possible to build up a scalable public-key infrastructure for such an infrastructure-less network?
Key management in PGP: Web of trust [Figure: Bob, holding PrKBob, generates a certificate PrKBob(PuKIrene) for Irene's public key PuKIrene; trust relationship: Bob is an introducer for Irene] • How can Alice get a trustworthy version of the public key of Irene, PuKIrene? (She does not know who signed it) • Alice and Bob trust each other and have exchanged each other’s public key in a secure way (e.g., off-line)
PGP: server of certificates [Figure: request to the server of certificates for a signed public key of Irene; certificate PrKBob(PuKIrene)] • Example of server: www.pgpi.org • The certificate servers are the only centralized components of PGP. • Is it possible to get rid of the certificate server(s), without jeopardizing scalability?
Model • We assume that if a user i believes that a given public key belongs to a given user j, then i can issue a public-key certificate to j • Certificate graph G(V,E) • V is a set of keys • E is the set of edges, where a directed edge (i,j), from Ki to Kj, is added if i signed a public key certificate to user j
Certificate graph [Figure: certificate graph over keys K1 to K12] • authentication via a chain of certificates
No authority: Self Organized Public Key Management • Each node generates its own private / public key pair (as in PGP) and issues certificates for the nodes it trusts • The system works in two phases: 1. Initialization: each user stores a set of certificates 2. When a user wants to verify the public key of another user, they merge their local repositories and try to find a path of certificates between them
Initialization (1) [Figure: nodes i, j, k]
Initialization (2) • Each user builds up a local repository of public-key certificates (a subgraph): • stores the certificates that it issued (outgoing edges) • stores the list of certificates that others issued for it (incoming edges) • stores an additional set of certificates chosen according to some algorithm A • 2 possible scenarios: • Centralized • Distributed [Figure: 1. request to the Certificate Server, 2. sub-graph]
Verifying the key: merging the local repositories and finding a path of certificates [Figure: nodes i and j]
Example of an algorithm: Maximum Degree • Node K builds its incoming and outgoing path(s) choosing the nodes with the highest degrees.
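The two phases and the Maximum Degree selection, as an added example (not the authors' implementation): each user keeps its own incoming and outgoing certificates plus greedy highest-degree paths, and two users merge repositories to search for a chain. The graph, the user names and the `hops` parameter are constructed for illustration, and a found chain is only a candidate: each certificate on it still has to be signature-checked.

```python
from collections import deque

# Constructed certificate graph: edge (i, j) means i signed a certificate for j's key.
GRAPH = {("u", "a"), ("u", "e"), ("e", "a"), ("a", "h"), ("d", "h"),
         ("h", "b"), ("h", "c"), ("c", "b"), ("b", "v"), ("v", "d")}

def degree(node, edges):
    """Number of certificates the node issued or received."""
    return sum(node in edge for edge in edges)

def greedy_path(start, edges, hops, outgoing):
    """Walk `hops` edges from start, always moving to the highest-degree neighbour."""
    near, far = (0, 1) if outgoing else (1, 0)
    path, current, visited = set(), start, {start}
    for _ in range(hops):
        options = [e for e in sorted(edges)
                   if e[near] == current and e[far] not in visited]
        if not options:
            break
        best = max(options, key=lambda e: degree(e[far], edges))
        path.add(best)
        current = best[far]
        visited.add(current)
    return path

def local_repository(user, edges, hops):
    """Own outgoing and incoming certificates plus the two greedy paths."""
    own = {e for e in edges if user in e}
    return (own | greedy_path(user, edges, hops, True)
                | greedy_path(user, edges, hops, False))

def find_chain(u, v, repo_u, repo_v):
    """Merge both repositories and breadth-first search for a chain u -> v."""
    merged = sorted(repo_u | repo_v)
    parent, queue = {u: None}, deque([u])
    while queue:
        current = queue.popleft()
        if current == v:
            chain = []
            while parent[current] is not None:
                chain.append((parent[current], current))
                current = parent[current]
            return chain[::-1]
        for signer, subject in merged:
            if signer == current and subject not in parent:
                parent[subject] = current
                queue.append(subject)
    return None
```

With `hops=2` both users reach the high-degree key `h` and the merged repositories contain a chain; with `hops=1` they do not, which is the repository-size versus success trade-off the later slides measure.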
Example: Shortcut Hunter • Each node builds its incoming and outgoing path(s) choosing the node that has the highest number of shortcuts connected to it [Figure: small world graph with nodes i, j, k and a shortcut]
Performance of Maximum Degree • Node builds its incoming and outgoing path(s) choosing the nodes with the highest degrees.
Performance of the Star Shortcut Hunter on real PGP certificate graphs
Performance of the shortcut hunter on small world and random graphs • Φ is the fraction of edges which are shortcuts, size of the local repositories = sqrt(n)
False certificates • K: a key controlled by a dishonest user D • K': a false key created by a dishonest user • a certificate binding user F to a key K
Design goals • performance: redefined by taking authentication metrics into account • key usage: ideally, all vertices need to be used for authentication an equal number of times (to be on the path an equal number of times) • scalability: minimize the size of the local repositories (subgraphs) and the communication cost • invariance to certificate graph changes
Performance with authentication metrics Examples of authentication metrics include: number of disjoint paths of certificates, number of bounded and k-bounded disjoint paths ...
Key usage • The key usage is defined as the number of times that a key is used for authentication. Formally:
Fundamental design limit (1): size of the repositories Problem 1: Find a set of subgraphs that minimizes the size of local repositories such that p=1 Theorem 1:
Fundamental design limit (2): key usage • Problem 2: Find a set of subgraphs that minimizes the size of local repositories such that p=1 and U(Kv)=U(Ku) • Theorem 2: • Example of construction with: |V| = 9, s = 4; |V| = 4, s = 2
repository no of paths Maximum degree simulation results No. of paths Mean length Shortest path Maximum degree: PGP (5000 vertices): 1 8.24 8.24 1 3 8.23 7.69 1.42 6 8.15 7.67 1.44 1 17.66 17.66 1 3 18.77 12.55 2.39 6 16 10.53 2.55 Artificial certificate graphs: No. of paths Mean length Shortest path the whole graph: PGP (5000 vertices): 6.6 6.19 1.55 Artificial certificate graphs: 6.8 5.71 3.66
PGP certificate graph The PGP graph is the only known example of self-organized certificate graph creation. Largest connected component of the PGP certificate graph 2001 (8695 keys)
Key usage Certificate usage with Maximum Degree algorithm and the Shortest Paths on PGP graph and artificial certificate graph
Small-world graphs • Small world graph characteristics: • a small characteristic length (the median of the means of the shortest paths between all pairs of users) • a large clustering coefficient (a very high likelihood that two friends of a friend are friends as well) • a logarithmic characteristic length scaling • shortcut: an edge upon whose disconnection the shortest path between two vertices previously connected by this edge becomes strictly larger than 2.
Watts f-model • f is the fraction of shortcuts in the total number of edges of a graph. • Construction principle: rewire a regular 1-D lattice randomly (creating shortcuts) [Figure: lattice (f = 0), small world graphs, random graphs (f = 1)]
Construction of the artificial certificate graph • Principle: rewire an irregular 1-D lattice randomly • Create an irregular lattice, according to the degree distribution provided by the power law • Rewire the lattice (adding or removing the shortcuts) to achieve the desired f-coefficient
Comparison of artificial and PGP graphs [Figure panels: PGP certificate graph; artificial certificate graph]
Conclusion on Part 1 of Security for mobile ad hoc networks • Very difficult problem, because of the nature of the network • Crucial issue: ad hoc networks cannot be used in practice if they are not secure • The kind of considered scenario (civilian / military, personal devices / sensors, …) can radically influence the solution to be chosen • The presence or absence of an authority (e.g., in charge of distributing the keys) can lead to very different solutions in terms of key agreement