1 Security and Cooperation in Wireless and Mobile Networks Richard Yang.

1

Security and Cooperation in Wireless and Mobile

Networks

Richard Yang

2

Admin.

Homework 4 due Friday Dec. 8th

3

Recap

TinyOSsoftware as hardware components

Mobile CPU scheduling dynamic voltage scaling

4

Mobile File Systems

5

Discussion

What challenges does the file system face in wireless/mobile environment?

6

Problems Facing File System

Disconnected/weakly connected file system read miss

• stalls progress (the user has to stop working)

synchronization/consistency issues• may need to synchronize multiple copies of the same

file• if multiple users, may need to solve consistency

problems

Heterogeneous device types each device has its own file system and naming

convention, e.g., digital camera, ipod

7

Some Approaches

Handling read miss explicit user file selection, e.g., MS briefcase automatic hoarding, e.g., CODA, SEER

Handling synchronization/consistency issues keep modification logs and develop merge tools, e.g.,

Bayou efficient file comparisons and merging, e.g., rsync, low

bandwidth file system (LBFS )

Handling heterogeneous device types mask the differences , e.g., EnsemBlue

8

Security and Cooperation in Wireless and Mobile

Networks

9

Introduction

This is a vast and active field, a course by itself

A good recent book is Thwarting Malicious and Selfish Behavior

in the Age of Ubiquitous Computing, by Levente Buttyan and Jean-Pierre Hubaux, Cambridge University Press, to appear in 2007.

available at: http://secowinet.epfl.ch/

10

Generic Network Security and Cooperation Issues

confidentiality

integrity authenticity; incentive-compatibility

availability

11

Why is Security Challenging in Wireless Networks? No inherent physical protection

physical connections between devices are replaced by logical associations

sending and receiving messages do not need physical access to the network infrastructure (cables, hubs, routers, etc.)

Broadcast communications wireless usually means radio, which has a broadcast

nature transmissions can be overheard by anyone in range anyone can generate transmissions,

• which will be received by other devices in range• which will interfere with other nearby transmissions

Thus it is easier to implement jamming, eavesdropping, injecting bogus messages, and replaying previously recorded messages

12

Why is Security Challenging in Mobile Networks?

Since mobile devices typically have limited resources (e.g., CPU cycles, battery supply), the designer might want to select simple security mechanisms an interesting example: TELSA

However, this may lead to serious security flaws bad example: Wired Equivalent Protection

(WEP), the original security protocol for 802.11

13

WEP: A Bad Example

14

802.11 Message Flow

data messagesprotected by WEP

15

Wired Equivalent Privacy (WEP)

WEP was intended to provide comparable confidentiality to a traditional wired network, thus the name

WEP implements message confidentiality and integrity

WEP encryption is used in 802.11 authentication

16

WEP Security

WEP confidentiality through encryption using RC4, a stream-

based encryption algorithm using a shared key

WEP integrity through message check sum using encrypted

cyclic redundancy check (CRC)

WEP authentication through challenge/response

17

WEP Encryption

For each message to be sent: RC4 is initialized with the shared secret

between station STA and access point (AP)• WEP allows up to 4 shared keys

RC4 produces a pseudo-random byte sequence (key stream) from the shared key

This pseudo-random byte sequence is XORed to the message

18

WEP Encryption To avoid using the same key stream, WEP

encrypts each message with a different key stream the RC4 generator is initialized with the

shared secret plus a 24-bit IV (initial value)• shared secret is the same for each message• 24-bit IV for each message• there is no specification on how to choose the IV;

sender picks the IV value

19

WEP Integrity

WEP integrity protection is based on computing ICV (integrity check value) using CRC and appended to the message

The message and the ICV are encrypted together

20

WEP

IV secret key RC4RC4

message | ICV

message | ICVIV

IV secret key RC4RC4

message | ICV

encode

decode

KS

KS

CRCCRC

check CRC

check CRC

21

Active Attack on WEP: IV Replay Attacks

A known plain-text message is sent to an observable wireless LAN client (e.g., an e-mail message)

The network attacker will sniff the wireless LAN looking for the predicted cipher-text

The network attacker will find the known frame, derive the key stream (corresponds to the give IV+K), and reuse the key stream

The network attacker can "grow" the key stream

22

Active Attack on WEP: Bit-Flipping Attack

The attacker sniffs a frame on the wireless LAN The attacker captures the frame and flips random bits in the data

payload of the frame The attacker modifies the ICV (detailed later) The attacker transmits the modified frame The access point receives the frame and verifies the ICV based

on the frame contents The AP accepts the modified frame The destination receiver de-encapsulates the frame and

processes the Layer 3 packet Because bits are flipped in the higher layer packet, the Layer 3

checksum fails The receiver IP stack generates a predictable ICMP error The attacker sniffs the wireless LAN looking for the encrypted

error message Upon receiving the error message, the attacker derives the key

stream as with the IV replay attack

23

Bit-Flipping Attack

24

Generating Valid CRC

The crucial step of the flipping attack is to allow the frame to pass the ICV check of the AP

Unfortunately, the CRC algorithm allows generating valid encrypted ICV after bit flipping

25

Bypassing Encrypted ICV

CRC is a linear function wrt to XOR:

CRC(X Y) = CRC(X) CRC(Y)

- Attacker observes (M | CRC(M)) K where K is the key stream output- for any M, the attacker can compute CRC(M) - hence, the attacker can compute:

([M | CRC(M]) K) [M | CRC(M)] = ([M M) | (CRC(M) CRC(M)]) K= [M M) | CRC(M M)] K

26

WEP Authentication

Two authentication modes

open authentication --- means no authentication !

• an AP could use SSID authentication and MAC address filtering, e.g., at Yale, but this is ineffective

shared key authentication based on WEP

27

WEP Shared Key Authentication Shared key authentication is based on a

challenge-response protocol:…AP STA: rSTA AP: (IV | r) K…

where K is a 128 bit RC4 output on IV and the shared secret

An attacker can compute r (r K) = K

Then it can use K to impersonate STA later:…AP attacker: r’attacker AP: (IV | r’) K…

28

WEP: Lessons

WEP has other problems, e.g., short IV space, weak RC4 keys

Engineering security protocols is difficult one can combine otherwise OK building blocks in a

wrong way and obtain an insecure system at the end• example 1:

– stream ciphers alone are OK– challenge-response protocols for entity authentication are OK– but they shouldn’t be combined

• example 2:– encrypting a message digest to obtain an ICV is a good principle– but it doesn’t work if the message digest function is linear wrt to the

encryption function

Avoid the use of WEP (as much as possible)

29

Fixing WEP

After the collapse of WEP, Wi-Fi Protected Access (WPA) was proposed in 2003

Then the full 802.11x standard (also called WPA2) was proposed in 2004

But WEP is still in wide use

30

TELSA: A Positive Example

Digital Signatures Do Not Work

Problem statement: authentication of packets

The typical approach in the Internet is to

attach a digital signature on each packet

However, signatures are expensive, e.g., RSA

1024 on a 2.1 GHz desktop: high signature cost (~5 ms)

high communication cost (128 bytes/packet)

More expensive on low-end processors

http://www.cryptopp.com/benchmarks.html

TESLA

Timed Efficient Stream Loss-tolerant Authentication

Uses only symmetric cryptography

Basic Authentication Mechanism

t

F(K)AuthenticCommitment

P

MAC(K,P)

Kdisclosed

1: Verify K

2: Verify MAC

3: P Authentic!

F: public one-way function; MAC: message digest function

TELSA Security Condition

Sender distributes initial commitment and key

disclosure schedule using, say, digital signature

Security condition (for packet P):

on arrival of P, receiver is certain that sender did not

yet disclose K

If security condition not satisfied, drop packet

TESLA: Example

K4 K5 K6 K7

tTime 4 Time 5 Time 6 Time 7

K3

P5

K5

P3

K3

P2

K2

P1

K2

Verify MACs

P4

K4

FF

Authenticate K3

Keys disclosed 2 time intervals after use

TESLA Summary

Advantages low overhead

• communication (~ 20 bytes)• computation (~ 1 MAC computation per packet)

tolerate packet loss

Problems time synchronization delayed authentication

Secure Efficient Ad hoc Distance Vector (SEAD)

Uses one-way hash chains to authenticate metric and sequence number for DSDV

Assumes a limit k-1 on metric (as in other distance vector protocols such as RIP, where k=16) metric value infinity can be represented as k

SEAD Metric Authenticators

Each node generates a hash chain and distributes the last element (CN+1) to allow verification: chain values CN-k+1, …, CN authenticate metrics

0 through k-1 for sequence number 1 CN-2k+1,…CN-k authenticate metrics 0 through k-1

for sequence number 2 CN-ik+1,…CN-(i-1)k authenticate metrics 0 through k-1

for sequence number iC0 C1 C3C2 C5C4

C6 C7 C9C8 C10 C12C11

SEAD Metric Authenticators

Each node generates a hash chain anddistributes the last element (CN+1) to allow verification: Chain values CN-k+1, …, CN authenticate

metrics 0 through k-1 for sequence number 1

CN-2k+1,…CN-k authenticate metrics 0 through k-1 for sequence number 2

CN-ik+1,…CN-(i-1)k authenticate metrics 0 through k-1 for sequence number i

C0 C1 C3C2 C5C4

C6 C7 C9C8 C10 C12C11

SEAD Metric Authenticators

Each node generates a hash chain and distributes the last element (CN+1) to allow verification: Chain values CN-k+1, …, CN authenticate metrics

0 through k-1 for sequence number 1 CN-2k+1,…CN-k authenticate metrics 0 through

k-1 for sequence number 2

CN-ik+1,…CN-(i-1)k authenticate metrics 0 through k-1 for sequence number i

C0 C1 C3C2 C5C4

C6 C7 C9C8 C10 C12C11

Each node generates a hash chain and distributes the last element (CN+1) to allow verification: Chain values CN-k+1, …, CN authenticate metrics

0 through k-1 for sequence number 1 CN-2k+1,…CN-k authenticate metrics 0 through k-1

for sequence number 2 CN-ik+1,…CN-(i-1)k authenticate metrics 0 through

k-1 for sequence number i

SEAD Metric Authenticators

C0 C1 C3C2 C5C4

C6 C7 C9C8 C10 C12C11

SEAD Metric Authenticators

Within a sequence number i: CN-ik+1 represents metric 0

CN-ik+2 represents metric 1

CN-ik+m+1 represents metric m

CN-ik+k represents metric k-1

C9 C10 C11

Metric 0 Metric 1 Metric 2When a node receives a routing update:• It first checks the metric authenticator• If the update is to be accepted:

– It increments the metric by one

– and hashes the authenticator

– then adds the metric and authenticator to routing table

43

Cooperation in Wireless, Mobile Networks

44

Cooperation in Wireless Networks

A special case of “security attack” is by rational nodes drop packets, mis-represent information

Motivation wireless networks have limited capacity wireless nodes have limited resource—battery power unlike the Internet, where commercial relationship is

worked out, many ad hoc network nodes belong to different users and have incentive to forward others’ traffic

• similar free-riding problems in P2P applications

45

Cooperation in Wireless Networks

Discussion: how to handle non-malicious but selfish nodes?

46

Payment-based Routing The first setup (kind of the oracle version)

centralized authority: computation and payment Each node has a (private energy/transmission) cost of

sending one packet to a neighbor The network (authority)

pays the nodes so that they will forward traffic from a source to a destination the objective of the

authority is to choose the lowest cost path

• assume cost reflects energy• thus extending network

life time/maximizing capacity—the social welfare

47

Node’s Utility Assume each node wants to maximize its utility Utility is the sum of all source-destination pairs The utility of being on the path P of a source-

destination pair:

where - pi is the amount the network pays node i - 1P(i) is 1 if node i is on the path P; otherwise 0

- ci is the cost of the link used in P, if a link from i is used

)(1 icpu Piii

48

Payment Using VCG Mechanism VCG stands for Vickrey, Clarke and Groves The VCG mechanism

each node sends the costs of its links to the authority the authority computes the lowest cost path from the

source S to the destination D the payment to node i:

where - LCP(S,D) is the lowest cost path from S to D: {S->R1, R1->R2, …, Rk->D}

- LCP(S,D)\{i} is the previous path but does not include the link from i to its next hop, if i is on the path; if i is not on the path, it is just the previous path

- LCP(S,D;-i) is the lowest cost path from S to D without using i, i.e. remove node i from the graph and then find path

}){\),((cost));,((cost iDSLCPiDSLCPpi

49

Example: N1

12

1 3N2

D

N1

S

- assume N1 declares the cost as 2, how much will N1 bepaid according to the VCG mechanism? (1+3)-1 = 3

- assume N1 declares the cost as 1, how much will N1 bepaid according to the VCG mechanism?

- what is the utility of N1? 3 - 2 = 1

(1+3)-1 = 3- what is the utility of N1? 3 - 2 = 1

- assume N1 declares the cost as 4, how much will N1 bepaid according to the VCG mechanism?

Assume the true cost of N1 to D is 2

(1+3)-(1+3) = 0- what is the utility of N1? 0 - 0 = 0

50

Formal Results

Each node reports its link costs truthfully

Thus the network chooses the lowest cost path for each source-destination pair

51

Analysis on Truthfulness

By contradiction Assume node i’s true costs for its links are Ci but

reports Wi

think of Wi and Ci as vectors of link costs

The node decides to declare Wi instead of Ci only if the utility is higher

The best scenario a node can be in is that it is given the declared costs of all other nodes’ links and then decides its declarations of the costs of its links in order to maximize its utility action chosen in this way is called dominant strategy

52

VCG Proof

Assume the lowest cost path computed is - LCP when the node reports Ci, and

- LCP’ when reports Wi

it must be the case that (1P(i) meant i on path P)

)(1}){\),((cost));,((cost

)(1}){\),('(cost));,('(cost ''

iciDSLCPiDSLCP

iciDSLCPiDSLCPLCPLCP

i

LCPLCPi

)(1}){\),((cost)(1}){\),('(cost '' iciDSLCPiciDSLCP LCPLCPi

LCPLCPi

)(1}){\),((cost)(1}){\),('(cost '' iciDSLCPiciDSLCP LCPLCPi

LCPLCPi

Right hand side is LCP we computed; left hand side is one path. Contradiction.