78801a18c48cf7ff69efeb7c6e3e9427.ppt

- Количество слайдов: 51

Key Establishment in Ad Hoc Networks Part 1 of 2 S. Capkun, JP Hubaux

Outline g g Introduction URSA: Providing Ubiquitous and Robust Security Support for MANET (UCLA proposal) PGP-inspired solution: keys generated by the nodes (EPFL proposal) Mobility helps security (in the Part 2 of 2) 2

Research areas in security for ad hoc networks g g g Key establishment: how to distribute and manage keys in the absence of an on-line authority Secure routing: how to make routing protocols robust against potential attacks Intrusion detection: how to discover that an intruder is attempting to penetrate the network Preventing denial of service: how to avoid that some nodes rationally or maliciously misbehave, e. g. pretend forwarding packets while dropping them Securing sensor networks: how to make the protocols used by sensor networks robust against potential attacks, while coping with the anemic nature of the devices 3

Design Challenges g Security breaches g Service ubiquity in presence of mobility g Network dynamics g Network scale i. Vulnerable wireless links i. Occasional break-ins may be inevitable over long time i. Anywhere, anytime availability i. Wireless channel errors i. Node failures i. Node join/leave 4

Key establishment techniques in ad hoc networks Presence of an authority, at least in the initialization phase Usually based on threshold cryptography Specialized nodes (servers) Centralized secret share dealer No authority: Keys are generated by the nodes PGP-inspired Trust; certificate graph Mobility helps security Exploit node encounters 5

Secret sharing based on threshold cryptography g g g No trusted authority, no central server Threshold crypto makes it possible to distribute specific tasks (e. g. , signature and therefore certificate issuing) among several users Definition: 6

Shamir threshold scheme 7

URSA: Providing Ubiquitous and Robust Security Support for MANET Courtesy of: Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang University of California, Los Angeles {jkong, pzerfos, hluo, slu, lixia}@cs. ucla. edu 8

URSA Approach ¨ Ubiquitous and robust service provision in the presence of random mobility ¨ Localized algorithms and protocols ¨ One-hop wireless communication 9

Why this model? g No single point of compromise i. Hackers must break into K nodes simultaneously to compromise the system g g No single point of Do. S attack & node failure K offers tradeoff between intrusion tolerance and service availability i. K=1, single point of compromise, maximal availability i. K=N, single point of Do. S attack, maximal intrusion tolerance 10

System Overview g g g Each node carries a verifiable, unforgeable personal certificate Certificate is signed by network system key SK Certificate may be issued, renewed, or revoked Every mobile node periodically renews its certificate Ubiquitous services enabled by secret sharing 11

System Components g Certification services g Self-initialization service g Proactive secret share update service i. Localized certificate issuing, renewal, revocation i. To provide a secret share to an entity i. To provide scalable proactive secret share update service i. To resist long-term adversaries without changing the shared secret 12

Network Protocol Certificate issuing, renewal, or explicit revocation Self-initialization 1. Initialization request 1. Service request 2. Return partial certificates (K=5) 2. Unicast shuffling package 3. Routing shuffling package 4. Unicast partial secret share 13

Cryptographic Algorithms: Threshold Secret Sharing g Polynomial-based threshold secret sharing i. Given a secret d and a random polynomial of degree K-1 f(x) = d + f 1 • x + f 2 • x 2 + …… + f. K-1 • x. K-1 mod n i. Each entity vi obtains its secret share “f(vi) mod n” id can be recovered by Lagrange interpolation g In RSA cryptosystem, the d in the signing key SK=(d, n) is shared and distributed 14

Lagrange Interpolation 15

Multi-signature g g Threshold secret sharing reveals d to a coalition d is not revealed if partial certificates are used i. The cornerstone is the equation Xd 1 • Xd 2 • … • Xd. K = X(d 1 + d 2 + … + d. K) i. Each coalition member contributes a signed partial certificate XSKi = (Xdi mod n) which corresponds to an RSA SK-signing in computation i. The certification service requester combines K partialcertificates and obtains a correctly-signed certificate XSK = (Xd mod n) 16

Simulation: Proactive Updated Node Percentage vs. Delay g “Explosion” effect: as more and more entities obtain the new version of secret shares, the task is getting easier and faster 17

Conclusion on URSA g Certification-based approach g Localized and distributed protocols g Flexible trade-off between intrusion tolerance & service availability i. Secret sharing i. Multi-signature i. Faster and more robust than other approaches i. Service ubiquity i. Scalable 18

Full Self-Organization of Public Key Management (EPFL proposal) Security: we use public-key cryptography scheme to support security services in mobile ad hoc networks Problem: How can a user u obtain the authentic public key of another user v in the presence of an active attacker ? Principles: - users generate their own keys and issue certificates (no preinstalled keys) - no central certification authority - no certificate directories - no specific role assigned to a subset of nodes 19

Public-Key Infrastructure Reminder: Certification Authorities (CAs) (e. g. , ISO X. 509, used notably in S/MIME): CAz CAY CAW CAz Alice CAV A self-organized mobile ad hoc network has no infrastructure and therefore: - no server - no certification authority CAX CAU Bob Is it possible to build up a scalable public-key infrastructure for such an infrastructure-less network? 20

Key management in PGP: Web of trust Bob Irene Pu. KIrene Pr. KBob(Pu. KIrene) Bob is an introducer for Irene How can Alice get a trustworthy version of the public key of Irene Pu. KIrene? (She does not know who signed it) Pu. KIrene Alice Pu. KAlice Pr. KIrene Generate a certificate Pu. KBob Trust relationship Pr. KAlice Pr. KBob Alice and Bob trust each other and have exchanged each other’s public key in a secure way (e. g. , off-line) 21

PGP: server of certificates Server of certificates Bob Irene Pu. KIrene Pr. KBob(Pu. KIrene) Irene Pr. KIrene Pu. KIrene Request for a signed public key of Irene Alice Pr. KAlice • Example of server: www. pgpi. org • The servers of certificate are the only centralized components of PGP. Pu. KAlice Pu. KBob Pr. KBob Is it possible to get rid of the certificate server(s), without jeopardizing scalability? 22

Model We assume that if a user i believes that a given public key belongs to a given user j, then i can issue a publickey certificate to j Certificate graph G(V, E) • V is a set of keys • E is the set of edges, where a directed edge (i, j) is added if i signed a public key certificate to user j Ki Kj 23

Certificate graph K 12 K 8 K 10 K 11 K 3 K 7 K 1 K 9 K 6 K 5 K 4 K 2 authentication via a chain of certificates 24

No authority: Self Organized Public Key Management Each node generates its own private / public key pair (as in PGP) and issues a certificates for the nodes it trusts The system works in two phases: 1. Initialization: each user stores a set of certificates 2. When a user wants to verify the public key of another user, they merge their local repositories and try to find a path of certificates between them 1. i 2. i j 25

Initialization (1) j k i 26

Initialization (2) • Each user builds up a local repository of public-key certificates (a subgraph) • stores the certificates that it issued (outgoing edges) • stores the list of certificates that others issued for it (incoming edges) • stores an additional set of certificates chosen according to some algorithm A • 2 possible scenarios Centralized sub-graph Certificate Server Distributed 1 request 2 sub-graph 27

Verifying the key: merging the local repositories and finding a path of certificates j i 28

Example of an algorithm: Maximum Degree Node K builds its incoming and outgoing path(s) choosing the nodes with the highest degrees. 29

Example: Shortcut Hunter Each node builds its incoming and outgoing path(s) choosing the node that has a highest number of shortcuts connected to it j Small world graphs k i shortcut 30

Algorithm performance 31

Performance of Maximum Degree Node builds its incoming and outgoing path(s) choosing the nodes with the highest degrees. 32

Performance of the Star Shortcut Hunter on real PGP certificate graphs 33

Performance of the shortcut hunter on small world and random graphs • Φ is the fraction of edges which are shortcuts, size of the local repositories = sqrt(n) 34

False certificates Ki KD Kj K'j KD K'j a key controlled by a dishonest user a false key created by a dishonest user a certificate binding user F to a key K j 35

Design goals performance – redefined by taking authentication metrics into account key usage – ideally, all vertices need to be used for authentication an equal number of times (to be on the path an equal number of times) scalability – minimize the size of the local repositories (subgraphs) and the communication cost invariance to certificate graph changes 36

Performance with authentication metrics Examples of authentication metrics include: number of disjoint paths of certificates, number of bounded and kbounded disjoint paths. . . 37

Key usage The key usage is defined as the number of times that a key is used for authentication. Formally: 38

Fundamental design limit (1): size of the repositories Problem 1: Find a set of subgraphs that minimizes the size of local repositories such that p=1 Theorem 1: 39

Fundamental design limit (2): key usage Problem 2: Find a set of subgraphs that minimizes the size of local repositories such that p=1 and U(Kv)=U(Ku) Theorem 2: |V| = 9, s = 4 |V| = 4, s = 2 Example of construction with: 40

Maximum degree simulation results repository Maximum degree: no of paths 1 8. 24 1 8. 23 7. 69 1. 42 8. 15 7. 67 1. 44 1 17. 66 1 3 18. 77 12. 55 2. 39 6 the whole graph: No. of paths 6 Artificial certificate graphs: Shortest path 3 PGP (5000 vertices): Mean length 16 10. 53 2. 55 Mean length Shortest path No. of paths PGP (5000 vertices): 6. 6 6. 19 1. 55 Artificial certificate graphs: 6. 8 5. 71 3. 66 41

PGP certificate graph The PGP graph is the only known example of self-organized certificate graph creation. Largest connected component of the PGP certificate graph 2001 (8695 keys) 42

Key usage Certificate usage with Maximum Degree algorithm and the Shortest Paths on PGP graph and artificial certificate graph 43

Small-world graphs Small world graph characteristics: - a small characteristic length (the median of the means of the shortest paths between all pairs of users) - a large clustering coefficient (a very high likelihood that two friends of a frien are friends as well) - a logarithmic characteristic length scaling shortcut – an edge upon whose disconnection the shortest path between two vertices previously connected by this edge becomes strictly larger than 2. 44

Watts f-model lattice f=0 Small world graphs random graphs f=1 f is the fraction of shortcuts in the total number of edges of a graph. CONSTRUCTION PRINCIPLE: REWIRE A REGULAR 1 -D LATTICE RANDOMLY (CREATING SHORTCUTS) 45

Characteristics of the PGP graph 46

Power law of the PGP graph 47

Construction of the artificial certificate graph Principle: REWIRE AN IRREGULAR 1 -D LATTICE RANDOMLY 1. Create an irregular lattice, according to the degree distribution provided by the power law 2. Rewire the lattice (adding or removing the shortcuts) to achieve the desired f-coefficient 48

Comparison of artificial and PGP graphs PGP certificate graph artificial certificate graph 49

Conclusion on Part 1 of Security for mobile ad hoc networks g g Very difficult problem, because of the nature of the network Crucial issue: ad hoc networks cannot be used in practice if they are not secure The kind of considered scenario (civilian / military, personal devices / sensors, …) can radically influence the solution to be chosen The presence or absence of an authority (e. g. , in charge of distributing the keys) can lead to very different solutions in terms of key agreement 50

References g g g M. Reiter and S. Stubblebine Authentication metric analysis and design ACM trans. on Information and System Security, 1999 D. Watts: Small Worlds Princeton University Press, 1999 Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang Providing Robust and Ubiquitous Security Support for Mobile Ad Hc Networks. ICNP 2001 S. Capkun, L. Buttyan, JP Hubaux Trust Relationships in Mobile Ad Hoc networks, LCA technical report, 2001 JP Hubaux, L. Buttyan, S. Capkun The Quest for security of mobile ad hoc networks Mobi. Hoc 2001 For security in sensor networks, check: A. Perrig et al. SPINS: Security Protocols for Sensor Networks Mobicom 2001 51