Ad hoc networks security - SUPELEC in Wireless Ad hoc Networks Pietro Michiardi ... Self-organized CA ... [Halili, Katz, Arbaugh]

Security in Wireless Ad hoc Networks

Pietro Michiardi – [email protected] Eurecom

Journée Club SEE-SIC, 11 Mars 2004

Monday, March 08, 2004 1

Mobile Ad Hoc Networks (MANET)

Collection of wireless mobile hosts forming a temporary network

No fixed network infrastructureNo (or limited) organization

Applications:Military and EmergencySensor NetworksCivilian applications, ubiquitous computing


Trust in MANETManaged environment

A-priori trustEntity authentication ⇒ correct operationBut: requirement for authentication infrastructure

Open environmentNo a-priori trustAuthentication does not guarantee correct operationNew security paradigm


Node MisbehaviorSelfish Nodes

Do not cooperatePriority: battery savingNo intentional damage to other nodesExposure:

passive denial of service black holeidle status

Malicious Nodes Goal: damage to other nodes Battery saving is not a priority Exposure:

active attacks denial of service traffic subversion attacks exploiting the security mechanism


MANET Requirements

Wireless & MobileLimited energyLack of physical security

Ad hocNo infrastructureLack of organization

Cooperation enforcement

Secure Routing

Key Management


Secure Routing - ObjectivesAuthentication (Integrity) of routing information

Entity authenticationSourceDestinationIntermediate node

Correct behavior (of algorithm, if any)

Asymmetric vs. Symmetric CryptoPro-active vs. Reactive routing protocols


Secure Routing Proposals for MANET

ARIADNE [Hu, et al.]Shared secret known by (src, dst)Prerequisite: distribution of authenticated TESLA keys

Secure Routing Protocol [Papadimitriou, Haas]Security associations between source and destination only

ARAN [Dahill, et al.]PK certificates for IP @

SEAD [Hu, et al.]Proactive routing authenticated hash chains

TESLA with instant key disclosure (TIK)Cope with wormhole attack


Secure Routing Summary

No new requirement other thanself-organized Key management

All solutions rely on some key set-upprior to secure routing operation

Contradiction: long-lived security associations in self-organized MANET


Key Management Challenges

Lack of (or limited)Security infrastructure

Key servers (KDC, CA, RA)

Organization (a priori trust)p2pAuthentication is not sufficient to build trust


Key Management Objectives

Bootstrapping from scratch

Fully distributed

Minimum dependency


Key Management ApproachesBased on symmetric crypto

(ID, PK) bindingPK Certificate = (ID,PK)CA

Self-organized CAWeb of trust(PGP)

No certificateCrypto-based IDs: ID = h(PK)ID-based Crypto: PK = f(ID)

Context-dependent authenticationLocation-limited channelsShared passwords


(ID, PK) binding

Self-organized CA[Zhou, Haas] [Kong, et al.] [Yi, Kravets] [Lehane, et al.]

Based on threshold cryptography

PROs: distributed approach, self-organizedCONs: share distribution during bootstrap phase, network density

[cert(PKi)]SK1

[cert(PKi)]SKi

[cert(PKi)]SK2

CERT(PKi)SK

[cert(PKi)]SK1[cert(PKi)]SK2

…

[cert(PKi)]Ski

…

Verification of CERT(PKi)SK by any node

using well known PK

PKi


(ID, PK) binding

Web of Trust (PGP)[Hubaux, Buttyan, Capkun]

No CAAlice → Bob and Bob → Eve ⇒ Alice → EveMerging of certificate repositories

PROs: no centralized TTPCONs: initialization, storage, transitivity of trust


(ID, PK) binding

Crypto-based IDSPKI [Rivest]Statistically Unique Cryptographically Verifiable IDs [O’Shea, Roe] [Montenegro, Castellucia]

IPv6 @ = NW Prefix | h(PK)

DSR using SUCV-based IP addresses [Bobba, et al.]

PROs: no certificates, no CACONs: generation of bogus IDs


(ID, PK) binding

ID-based Crypto[Halili, Katz, Arbaugh]

[Boneh, Franklin, CRYPTO 2001]

ID-basedPK = h(ID)SK computed by TTP

Threshold Crypto to distribute TTP

PROs: no certificates, no centralized serverCONs: distribution of initial shares


Context-dependent AuthenticationPassword Authenticated Key Exchange[Asokan, Ginzborg]

HyperCube Protocol (Diffie-Hellman)

PROs: self-organized, fully distributedCONs: shared password


Cooperation enforcement mechanisms

Token-based [Yang,Meng,Lu]

Nuglets[Buttyan,Hubaux]SPRITE[Zhong, Chen, Yang]

CONFIDANT [Buchegger,Le Boudec]CORE [Michiardi,Molva]Beta-Reputation [Josang,Ismail]

Threshold cryptography

Micro-payment

Reputation-based


Validation of Cooperation Enforcement Mechanisms

Mechanisms based on reputation difficult to validate

Simulation

Game theory


State of the art - Summary

Specific requirementsCooperation enforcementBootstrapping security associations

Solutions yet to come . . .Interesting applications of cryptographySome untruths and non-sense


Main Flaw

Security requirements in MANET are stronger than in “classical” networks

MANET networking still is a research topic

Security retrofitted as add-on mechanisms as if network technology was established


Right ApproachAddress security at early stages of protocol design: i.e. Routing Protocol dealing with Routing+Cooperation+Key Management

Old model based on verification of credentials and authentication not suitable, identities are meaningless

Further develop & integrate new conceptsA posteriori trust (based on observation, reputation, imprinting)Partial assuranceSubstitute infrastructure with context information(location, physical distance, history)… Others to be invented


Conclusion

Wireless Ad Hoc Security still in its infancy

Lack of integrated approachLooking for suitable new paradigmsPartial coverage (privacy, intrusion detection, physical attacks, etc.)

⇒ Room for creativity

Merci!

Ad hoc networks security - SUPELEC in Wireless Ad hoc Networks Pietro Michiardi ... Self-organized CA ... [Halili, Katz, Arbaugh]

Documents