Mobile Traffic Sensor Network vs. Motion-MIX: Tracing & Protecting Mobile Wireless Nodes
# Jiejun Kong, * Dapeng Wu, + Xiaoyan Hong, # Mario Gerla
# Dept of Computer Science   * Dept of Computer Science   + Dept of EE
UCLA   University of Florida   University of Alabama
November 7, 2005 @ ACM SASN’05
Mobile Traffic Sensor Network vs. Motion-MIX:
If moving faster than the transmitter, can always trace the victim
Outline
Background
Proposed solution
– In theory: Asymptotic network security model
– In practice: Motion-MIX
Security analysis
– Motion-MIX satisfies the asymptotic network security model
Summary
Notion: Security as a “landslide” game
Played by the guard and the adversary
– Proposal can be found as early as Shannon’s 1949 paper
– Not a 50%-50% chance game, which is too good for the adversary
The notion has been used in modern crypto since the 1970s
– Based on NP-complexity
– The guard wins the game with 1 - negligible probability
– The adversary wins the game with negligible probability
– The asymptotic notion of “negligible” applies to one-way function (encryption, one-way hash), pseudorandom generator, zero-knowledge proof, ……
AND this time ……
Our Asymptotic Network Security Model
Concept: the probability of security breach decreases exponentially toward 0 when network metric increases linearly / polynomially
Consistent with computational cryptography’s asymptotic notion of “negligible / sub-polynomial”
is negligible by definition
x is key length in computational crypto
x is network metric (e.g., # of nodes) in network security
Definition: A function : N R is negligible, if for every positive integer c and all sufficiently large x’s (i.e., there exists Nc>0, for all x>Nc),
The Asymptotic Cryptography Model
Security can be achieved by a polynomial-bounded guard against a polynomial-bounded adversary
[Figure: probability of security breach vs. # of key bits (key length), with axis marks 1, 2, 128; the “negligible” line (sub-polynomial line); regions marked Insecure, (Ambiguous area), Secure]
• See Lenstra’s analysis for proper key length (given adversary’s brute-force computational power)
• There are approximately 2^268 atoms in the entire universe
Our Asymptotic Network Security Model
Conforming to the classic notion of security used in modern cryptography! We’ve used the same security notion
[Figure: probability of network security breach vs. network metric (e.g., # of nodes -- network scale); the “negligible” line (sub-polynomial line); the “exponential” line (memory-less line); regions marked Insecure, (Ambiguous area), Secure]
Design Assumptions
Adversary model
– Passive
– Few insiders (captured & compromised nodes)
– Global (or equivalently, mobile and capable of scanning the entire network area in short time)
– Honest-but-curious (protocol-compliant)
– External: polynomially-bounded by key length
– Internal: fraction of N (which is # of network nodes)
Network model
– Loquor ergo sum (I speak, so I exist): nodes must transmit upon application demand, cannot shut up
– Pairwise key sharing (via Diffie-Hellman, KPS, or “mobility helps security”)
Venue
[Figure labels: Venue; the VIP node being traced]
“Venue” is the smallest area to which the adversary can “pinpoint” a wireless transmitter via its wireless transmission
Assumption: Imperfect Wireless Positioning
D. Niculescu, B. Nath, “VOR Base Stations for Indoor 802.11 Positioning,” ACM MOBICOM’04, pp. 58–69.
Motion Pattern Tracing (1 node)
1 transmitting node in the network: no way to protect it
– Just like a cryptographic case using 1-bit key
Motion Pattern Tracing (2 nodes)
2 transmitting nodes in the network: better security protection
What’s the network-based analytic model behind this phenomenon?
What happens if there are many nodes in a scalable network? We need Motion-MIX
Motion-MIX: Design Goal
k incoming mobile nodes or wireless packet flows get fully mixed in the Motion-MIX
k-anonymity: the adversary cannot differentiate these k nodes
Motion-MIX vs. Chaumian MIX
Effectiveness determined by the adversary’s capability & the guard’s capability
1. Privacy model: like Chaumian MIX processor, the internal state of Motion-MIX is private
   The adversarial side cannot position any transmitting node inside the area quantified by
2. Temporal-spatial model: like Chaumian MIX (e.g., pool mix), the guarding side can delay and gather the protected items in a Motion-MIX
   Motion-MIX’s size is determined bi-laterally (the adversary & the guard) in terms of time and space
Size of Motion-MIX
Adversary determines inner circle
Guard determines outer ring
– t is the minimum delay between any 2 transmissions from a single node
– vavg is the average/expected node mobility speed
Motion-MIX’s size is a bilaterally-determined quantity ’ = ( + vavg*t)
[Figure label: Adversary’s capability]
Wireless Traffic Mixing Per Venue
Algorithm D -- Wireless traffic mixing:
(Each venue transmits approximately k packets per t in a fully distributed manner)
Prerequisite: Pre-defined system parameter k and unit time t.
1 Divide current unit time t into k slices.
2 FOR (each time slice i) DO
3   IF (I have only heard x<i transmissions so far during the current unit time interval)
4     In the next time slice, transmit a decoy packet with probability (i-x)/i.
5   END IF
6 END FOR
Ensures: Greater-than-zero effect
1. If at least one “good” node is in a venue, the adversary can only estimate that there are on average E(k’) nodes inside. Actually the # of nodes inside the venue can be from minimally 1 to maximally (N - #_of_non-empty_venues).
2. Otherwise, the venue is empty. Motion-MIX is not functional.
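A simulation of Algorithm D for a single venue, added here as an illustration (it is not code from the slides or from the authors). It assumes every node in the venue overhears every transmission, ignores collisions, and does not count decoys decided in the last slice because they fall into the next unit time; run_unit_time and mean_total are names made up for this example.

```python
import random

def run_unit_time(k, n_nodes, real_slices, rng):
    """Simulate Algorithm D in one venue for one unit time t.

    k           -- system parameter; t is divided into k slices
    n_nodes     -- nodes in the venue (assumed: all overhear each other)
    real_slices -- slice numbers (1..k) in which a real packet is sent
    Returns (real, decoy) packet counts observed in the venue.
    """
    if n_nodes == 0:
        return (0, 0)              # empty venue: nobody is there to transmit
    heard = 0                      # x: transmissions heard so far in this t
    scheduled = 0                  # decoys queued for the coming slice
    real = decoy = 0
    for i in range(1, k + 1):
        # Packets on the air during slice i.
        now_real = real_slices.count(i)
        real += now_real
        decoy += scheduled
        heard += now_real + scheduled
        scheduled = 0
        # Steps 3-4: every node decides independently for the next slice.
        if heard < i:
            p = (i - heard) / i
            scheduled = sum(rng.random() < p for _ in range(n_nodes))
    # Assumption: decoys decided in slice k belong to the next unit time.
    return (real, decoy)

def mean_total(k, n_nodes, real_slices, trials=2000, seed=1):
    """Average packets per t that an observer of the venue would count."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        r, d = run_unit_time(k, n_nodes, real_slices, rng)
        total += r + d
    return total / trials

if __name__ == "__main__":
    k = 8
    # Constructed traffic patterns: silent venue, light traffic, full traffic.
    for label, real in (("silent", []), ("3 real", [1, 2, 3]),
                        ("busy", list(range(1, k + 1)))):
        print(label, mean_total(k, 5, real))
```

Comparing the printed averages shows how much of the difference between a silent and a busy venue the decoys cover under these assumptions.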
Necessary Conditions of Motion-MIX
Protocol-stack-wise concerns, not limited to application/middleware layer (unlike MIX-Zone)
Building blocks
1. Identity-free routing: ANODR (MOBIHOC’03)
   • Anonymous even against any insider
2. One-time packet contents: XOR-tree (TISS’00)
   • E.g., for 100 packets, the 2 extreme cases (1 sender to 1 recipient & 100 different senders to 100 different recipients) and all cases in-between are equally probable: looks truly random / independent
3. Radio interface calibration to remove RF signatures: “Shake them up” (MOBISYS’05)
Identity-free Routing: ANODR (MOBIHOC’03)
ANODR: destination E receives RREQ, global_trap, onion where onion = KD( KC( KB( KA(hello))))
[Figure: path A, B, C, D, E.
 Route-REQuest: onion on successive hops KA(hello), KB( KA(hello)), KC( KB( KA(hello)))
 Route-REPly: RREP, global_proof, onion, #X; stamps #E, #D, #C, #B; onion on successive hops KC( KB( KA(hello))), KB( KA(hello)), KA(hello)]
#X is a random packet stamp selected by X and shared on the hop
KX(m) denotes using symmetric key K (only known by X) to encrypt a message m
global_trap denotes an encryption of a well-known tag (“You are the destination”) using a key only known by destination E
Identity-free Data Forwarding
Table driven virtual circuit: stores mapping of a pair of packet stamps
Packet marked with #
– Matched incoming # is replaced by corresponding outgoing #
– IP address, 802.11 MAC address not used in ANODR
[Figure: stamp pairs stored at A (#1, #2), B (#2, #3), C (#3, #4); packets on successive hops: #1 payload, #2 payload, #3 payload, #4 payload]
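The route discovery and stamp-swapping forwarding from the two ANODR slides above, as an added example that is not the ANODR implementation. The cipher is a standard-library stand-in for KX(m) with a short HMAC tag so a node can recognise its own layer; Node, wrap, peel, discover and forward are hypothetical names, and the payload is left unchanged between hops (hiding it is the job of the one-time packet contents building block).

```python
import hashlib, hmac, secrets

def _xor(key, data):
    # Toy keystream cipher (SHA-256 in counter mode): stand-in for K_X(m).
    stream = b"".join(hashlib.sha256(key + bytes([c])).digest()
                      for c in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(key, inner):
    """Add one onion layer; the 8-byte tag lets the owner recognise it."""
    body = _xor(key, inner)
    return hmac.new(key, body, hashlib.sha256).digest()[:8] + body

def peel(key, layer):
    """Remove one layer, or return None if it was not made with this key."""
    tag, body = layer[:8], layer[8:]
    good = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return _xor(key, body) if hmac.compare_digest(tag, good) else None

class Node:
    def __init__(self, name):
        self.name = name
        self.key = secrets.token_bytes(16)   # K_X, known only to X
        self.table = {}                      # incoming stamp -> outgoing stamp

def discover(path):
    """path = [A, B, C, D]; the destination E is implicit.
    Returns (innermost onion core, stamp A sends with, stamp E receives)."""
    onion = b"hello"
    for node in path:                        # RREQ: A, B, C, D each add a layer
        onion = wrap(node.key, onion)
    last = stamp = secrets.token_hex(4)      # #E, chosen by the destination
    for node in reversed(path):              # RREP: D, C, B, A each peel one
        onion = peel(node.key, onion)
        if onion is None:
            raise ValueError("layer does not belong to " + node.name)
        if node is not path[0]:              # forwarders choose their own #X
            mine = secrets.token_hex(4)
            node.table[mine] = stamp         # replace #X by the downstream stamp
            stamp = mine
    return onion, stamp, last

def forward(path, stamp, payload):
    """Send one data packet; returns the (stamp, payload) seen on each hop."""
    seen = [(stamp, payload)]
    for node in path[1:]:                    # B, C, D swap the stamp
        stamp = node.table[stamp]
        seen.append((stamp, payload))
    return seen
```

No node name or address appears in anything `forward` returns; each forwarder holds only its own pair of stamps.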
One-time Packet Contents (cont’d)
“Unpredictable” pseudorandom packet contents
– In lay terms, looks truly random to the adversary
– Key management & distribution needed
[Figure: table labelled “Key” with rows 1: 56a35d537fe, 3: e53410957fa, 2: 198573f8d5b, ...]
Identity-free Packet Flow (ANODR)
[Figure: packet flow labelled with numeric packet stamps]
Mobile network model
Divides the network into a large number n of very small tiles (i.e., possible “positions”)
– A node’s presence probability p at each tile is small
Follows a spatial binomial distribution B(n,p)
– When n is large and p is small, B(n,p) is approximately a spatial Poisson distribution with rate 1
– If there are N mobile nodes roaming i.i.d. N = N·1
– The probability of exactly k nodes in an area A’
[Figure labels: Venue]
Average Venue
Publicity assumption (Kerckhoffs’ Desiderata): the adversary knows the entire identity set and the network area, it can estimate that expectation of # of nodes in each venue is
– Thus, nodes in each venue transmit k = E(k') real/decoy packets in a fully distributed manner
A motion-MIX is min(k, E(k'))–anonymous where '=(+vavg*t) is the bi-lateral Motion-MIX size
– In each non-empty venue, min(k, E(k')) - anonymous
– In the entire network, ubiquitously min(k, E(k')) - anonymous due to identity-free routing, one-time packet contents and RF signature hiding
Untraceable Mobile Nodes (or Packet Flows)
[Figure label: the VIP node being traced]
All motion patterns equally likely if contiguous venues are non-empty (in the previous time slot t)
Untraceable (per Shannon’s information theoretic notion)
Security Analysis: Impact of N (# of nodes)
Probability of having less than k good nodes is negligible with respect to network scale N
Probability of tracing a mobile node is negligible with respect to N and motion time |T|
Probability of tracing a packet flow is negligible with respect to N and # of traveled venues |X|
Summary
Anonymous communication in mobile networks has its own idiosyncrasy
– Motion pattern of mobile nodes can be traced
– Motion-MIX needed
We propose a novel asymptotic network security model that is consistent with classic security notions
– Identity-free routing, one-time packet contents, and radio signature hiding are necessary conditions to implement Motion-MIX
– Motion-MIX + ANODR is practical
Work-in-progress: Currently, doing real-world experiments on Motion-MIX and ANODR
– Related to MANET localization/positioning, QualNet simulation, ANODR Linux implementation, UAV experiment
– More rigorous formalization & proofs
Security degradation can be defined as the ratio between H(XAS|C) and H(XAS), as demonstrated in 2 PET’02 papers [Serjantov & Danezis, PET’02] and [Diaz et al., PET’02]
This non-scalable solution is not our answer !
Perfect Secrecy H(M|E) = H(M)
Perfect Anonymity H(XAS|C) = H(XAS)
1 Inspired by Bettstetter et al.’s work
– For any mobility model (random walk, random way point), Bettstetter et al. have shown that 1 is computable following
– For example, in random way point model
  in a square network area of size a×a defined by -a/2 ≤ x ≤ a/2 and -a/2 ≤ y ≤ a/2
– 1 is “location independent”, yet computable in NS2 & QualNet given any area A’ (using finite element method)
[Figure: 1 in Random Way Point model, a=1000 [Bettstetter et al.]]
WASP Micro-Aerial Vehicle (MAV)
Wingspan: 13 inches
Combined wing structure (Lithium-Ion battery pack): 4.25 ounces (120 gm)
Total weight of the vehicle: 6 ounces (170 gm)
Power: 9 Watts during the flight
Flying time: 1 hour and 47 min
Good enough to trace a mobile soldier or a few soldiers per MAV