Bootstrapping Security Associations in Wireless (Sensor) Networks
Mario Čagalj University of Split, FESB
ACROSS, 2013
Briefly about the speaker
Mario Čagalj, Associate Professor
  Department of Electronics, University of Split, FESB
  Ph.D. degree in Communication Systems from EPFL (École Polytechnique Fédérale de Lausanne)
Scientific work and research interests
  Information security, applied cryptography, game theory, energy-efficient communication, HCI, etc.
For more information
  http://www.fesb.hr/~mcagalj or [email protected]
Motivation
Billions of devices will be interconnected in the near future
  Ericsson forecasts 50 billion M2M connections by 2020
  IoT, M2M, wearable sensor networks, smart metering, etc.
Many technologies/systems
  Include low-cost and highly constrained devices
  Use wireless channels (highly vulnerable)
  Operate independently of any authority (are user-centric)
Prerequisites for adoption of such technologies
  Data trustworthiness, authenticity and privacy
Motivation
Key element towards secure communication
  Some cryptographic (keying) material (pwds, keys, certs) has to be preloaded into communicating devices
However, users are bad when it comes to security
  Complicated setup procedures render the security features useless (e.g., home WiFi networks)
  What can we then expect from 2020?
[Figure: timeline 2013, 2014, 2020; the user's devices and the attacker]
Our goal
Develop mechanisms for secure initialization of wireless devices/for bootstrapping initial security associations
  User-friendly – easily administered by non-specialists
  Scalable – support a reasonably large number of devices
  Compatible with resource-constrained devices – lacking usual wired interfaces, displays, keypads, etc.
[Figure: timeline 2013, 2014, 2020; the user's devices and the attacker]
Talk outline
Basic security problem
Optimal message transfer authenticator
Group message authentication protocol
Authentication through presence
  Integrity codes
Basic security problem
Assumptions
  High bandwidth public/insecure channel (e.g. radio)
  Low bandwidth authenticated channel (not secret), e.g., sound, voice, visible light, etc.
  Devices A and B share neither secrets nor certificates
Protect message integrity over the public channel
  Minimize user's involvement and hardware requirements
[Diagram: devices A and B, the message, the user and the attacker]
Attacker model
People usually have a wrong mental model
  E.g., attacks on Bluetooth (designed for 10 m range)
  Eavesdropping from more than 1.5 km (BlueSniper rifle)
  Thanks to high gain/sensitivity antennas and receivers
[Diagram: devices A and B with their nominal TX range, and attackers]
Straightforward solution
Based on a weak-collision resistant hash function h(·)
  Given message m0, easy to calculate a hash value h(m0)
  Hard to find a different m1 such that h(m0)=h(m1)
Protocol (diagram):
  A sends m to B over the high bandwidth insecure channel
  A calculates sA=h(m)
  B receives m and calculates sB=h(m)
  A sends sA to B over the low bandwidth authenticated channel
  B: if sA==sB, "Accept m" (ok)
Straightforward solution suboptimal
Today, weak-collision resistance implies at least an 80-bit hash value
  The minimum load over the low bandwidth (human) channel
Hash function output sizes tend to increase over time
  Vulnerabilities (e.g., SHA-1), processing power increases
  E.g., MD5, SHA-1, SHA-2 (128, 160, 256... bit outputs)
More bits over the low bandwidth (human) channel implies increased user's involvement
  Big issue when the user interacts with constrained devices
Optimal message transfer authenticator
Based on a non-malleable commitment scheme
  Functionality similar to that of an ideal hash function
Transforms message m into a commitment/opening pair
  To commit to m do: (c,d)=commit(m) and hand out c
  To open c do: hand out d and m=open(c,d)
Properties
  Once committed to m, cannot change to another m
  Message m remains secret until opened using d
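Optimal message transfer authenticator
Protocol (diagram; high bandwidth insecure channel and low bandwidth authenticated channel):
  A: given message m, pick k random bits NA; (c,d)=commit(m,NA)
  A sends c to B over the insecure channel
  B: pick k random bits NB; B sends NB to A over the insecure channel
  A sends d to B over the insecure channel
  A: sA=NA NB
  B: m, NA=open(c,d); sB=NA NB
  A sends sA to B over the low bandwidth authenticated channel
  B: if sA==sB, "Accept m" (ok)
Čagalj, Mario; Čapkun, Srđan; Hubaux, Jean-Pierre. Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. 94 (2006)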
Optimal message transfer authenticator
Protocol (diagram; high bandwidth insecure channel and low bandwidth authenticated channel):
  A: given message m, pick k random bits NA; (c,d)=commit(m,NA)
  A sends c to B over the insecure channel
  B: pick k random bits NB; B sends NB to A over the insecure channel
  A sends d to B over the insecure channel
  A: sA=NA NB
  B: m, NA=open(c,d); sB=NA NB; accept m
  sA and sB are compared over the low bandwidth authenticated channel: if sA==sB, "Success" (ok)
Optimal message transfer authenticator
Theorem
  A computationally bounded attacker can succeed with probability at most approx. 2^-k (in a single session), where k is the size of authentication strings sA and sB.
For example, with k=15 bits
  Attacker successful with probability 2^-15 (i.e., 5-digit PIN)
  User's involvement only 15 bits (i.e., 2 hex digits)
We can optimally trade security and the user's load
  Time-invariant (independent of the employed hash function)
  Not the case with the standard solution (min. load at least 80 bits)
Optimal message transfer authenticator
Optimality and time-invariance
Securing Diffie-Hellman key agreement
Protocol (diagram):
  A: given g^XA, pick k random bits NA; mA=IDA, g^XA, NA; (cA,dA)=commit(mA)
  B: given g^XB, pick k random bits NB; mB=IDB, g^XB, NB; (cB,dB)=commit(mB)
  A sends cA to B; B sends cB to A
  A sends dA to B; B sends dB to A
  A: mB=open(cB,dB); sA=NA NB; secret key KAB=g^(XA·XB)
  B: mA=open(cA,dA); sB=NA NB; secret key KAB=g^(XA·XB)
  sA and sB are compared: if sA==sB, "Success" (ok)
Čagalj et al. Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. (February, 2006)
Bluetooth Special Interest Group. Simple Pairing Whitepaper. // (October, 2006)
Example: Initializing home WiFi network
Camera-equipped device and wireless access point (AP)
  Single LED at the AP blinks short authentication string sB
Ephemeral tokens for your guests (AP pwd not disclosed!)
[Diagram: MT-auth DH between the camera-equipped device and the AP; sA=NA NB and sB=NA NB, KAB=g^(XA·XB) on both sides; the AP blinks sB; if sA==sB, "Success" (ok)]
Contrast this with insecure WPS: Push-Button-Method by WiFi Alliance (2006)
Example: Initializing a pair of sensors
No cameras (only LEDs and a pushbutton)
User just checks that the devices blink the same states
[Diagram: MT-auth DH between the two sensors; sA=NA NB and sB=NA NB, KAB=g^(XA·XB) on both sides; the sensors blink sA and sB (e.g., 1 0 0 1 1 0, one state per slot Ts); if sA==sB, "Success" (ok)]
How about securely initializing a larger group of resource-constrained devices?
Group message Authentication Protocol (GAP)
  Generalization of our optimal two-party protocol
Perković T., Čagalj M., Mastelić T., Saxena N., Begušić D. Secure Initialization of Multiple Constrained Wireless Devices for an Unaided User. // IEEE TMC (2012)
GAP overview
Phase 1: insecure radio channel
  Devices exchange messages they want to authenticate and establish Group Authentication String (GAS)
Phase 2: visible light channel
  User compares the GAS
[Diagram: devices D1, D2, ..., Dn in each phase; the user observes the devices in Phase 2]
GAP-Phase 1: insecure radio channel
Goal: M devices exchange and authenticate public keys
[Diagram: device Di and its neighbours Di-1 and Di+1 exchange IDs (IDi, IDj), commitments (ci-1, ci, ci+1) and openings (di-1, di, di+1) in Step I, Step II and Step III]
  Gi={ID1<ID2<…<IDM}
  hGi=hash(ID1,…,IDi,…,IDM)
  (ci, di) commit(hGi, IDi, PKi, Ni)
  GASi Ni
  (hGj, IDj, PKj, Nj) open(cj, dj)
  Verify hGi, IDj
  If OK, GASi GASi Nj
  GASi =N1 N2 ... Ni ... NM
GAP-Phase 2: authenticated light channel
User enters group size M into one device/coordinator
  Push-button can be used for this task
If group size OK, the coordinator initiates synchronized transmission of GAS (blinking LEDs) on all the devices
User verifies simultaneously if GASi=GASj, for all devices
[Diagram: devices D1, D2, ..., Dn blink GAS1, GAS2, ..., GASn; if GAS1=GAS2= ... =GASn, "Success" (ok)]
GAP security
Theorem
  A computationally bounded attacker can succeed with probability at most approx. 2^-k (in a single session), where k is the size of the group authentication string (GAS).
User's involvement only 15-20 bits
  Recall, we can set k as low as 15-20 bits
[Figure: blinked on/off states 1 0 0 1 1 0 with slot duration Ts; bit sequence 1 1 1 1 0 0 1 0 0 with start and end marked]
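
An added sketch of GAP Phase 1 (not code from the talk or the cited papers); with two devices it corresponds to the commitment-secured Diffie-Hellman exchange shown earlier. Assumptions: the commitment is instantiated as SHA-256 over a random opening value and the message, the nonces are combined with XOR (the operator is not legible in this transcript), and the device IDs, keys and the `tamper` hook are constructed for illustration.

```python
import hashlib, hmac, secrets

K = 15  # bits in the authentication string, the slides' k

def encode(*fields: bytes) -> bytes:
    # Length-prefix each field so the committed tuple parses unambiguously.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def commit(*fields: bytes):
    d = secrets.token_bytes(32)  # opening value, revealed only after all c are sent
    return hashlib.sha256(d + encode(*fields)).digest(), d

def opens(c: bytes, d: bytes, *fields: bytes) -> bool:
    return hmac.compare_digest(c, hashlib.sha256(d + encode(*fields)).digest())

class Device:
    def __init__(self, dev_id: bytes, pk: bytes, group_ids):
        self.group = set(group_ids)
        self.hG = hashlib.sha256(encode(*sorted(group_ids))).digest()
        n = secrets.randbits(K)                       # N_i, k random bits
        self.msg = (self.hG, dev_id, pk, n.to_bytes(2, "big"))
        self.c, self.d = commit(*self.msg)            # c_i is sent first
        self.gas = n                                  # GAS_i starts as N_i
        self.keys = {dev_id: pk}

    def accept(self, c, d, msg) -> bool:
        # Open c_j, verify group hash and sender ID, fold N_j into GAS_i.
        hG, dev_id, pk, n = msg
        if not opens(c, d, *msg) or hG != self.hG:
            return False
        if dev_id not in self.group or dev_id in self.keys:
            return False
        self.keys[dev_id] = pk
        self.gas ^= int.from_bytes(n, "big")          # XOR is an assumption here
        return True

def run_phase1(devices, tamper=lambda i, j, frame: frame):
    # Every commitment is fixed before any opening is revealed.
    sent = [(dev.c, dev.d, dev.msg) for dev in devices]
    for i, dev in enumerate(devices):
        for j, frame in enumerate(sent):
            if i != j and not dev.accept(*tamper(i, j, frame)):
                return None                           # a device aborts, no GAS shown
    return [dev.gas for dev in devices]

def make_group(ids):
    return [Device(i, b"pk-" + i, ids) for i in ids]  # constructed IDs and keys
```

A substituted key either fails to open the original commitment or, if re-committed, leaves the victim with a GAS that differs from the others, which is what the user's Phase 2 comparison catches.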
GAP usability evaluation
27 participants (age 18-25)
GAS verification (GAS match and mismatch tests) and entering group sizes via a push-button (25 sensors)
Average System Usability Score (SUS) 80.8 (max. 100)
[Bar chart: number of testers (axis 0-20) rating GAS verification and entering group size as Very easy, Easy, Medium difficult, Difficult or Very difficult]
Improving usability and scalability of GAP
User records the GAS procedure with a smartphone
  In turn, reviews the GAS procedure offline
  No special services or software on the smartphone (zero-configuration auxiliary device)
Talk outline
Basic security problem
Optimal message transfer authenticator
Group message authentication protocol
Authentication through presence
  Integrity codes
Integrity codes (I-codes)
The presence or absence of energy in a given time slot of duration Ts conveys information
Čagalj, M.; Čapkun, S.; Rengaswamy, R.; Tsigkogiannis, I.; Srivastava, M.; Hubaux, J.-P. Integrity codes: Message Integrity Protection and Authentication over Insecure Channels // IEEE S&P (2006)
[Figure: message m (1 0 1) passes through a balanced code (codeword c) and on-off keying, giving the states 1 0 0 1 1 0, one per slot of duration Ts]
Integrity codes (I-codes)
Balanced code
  Injective (one-to-one mapping)
  Equal number of ones and zeros
  E.g., Manchester code: 0 → 01 and 1 → 10
Impossible to convert a codeword c0 into a different codeword c1 without flipping at least one bit 1 to bit 0
  message   codeword
  00        0101
  01        0110
  10        1001
  11        1010
I-codes security
Assumptions
  A applies I-codes to message m
  B within the TX range of A
  B synchronized to A with respect to the start and the end of c
  B verifies that the received codeword c is balanced
  Attacker cannot cancel (erase) a radio signal
Theorem
  The attacker cannot trick device B into accepting a message that is different from the original m.
[Diagram: A transmits I-code(m) to B in the presence of the attacker]
I-codes transmission
Delimiter 111000 marks start and end of I-coded m
  Delimiter and Manchester codewords incongruous
If attacker cannot cancel (erase) a radio signal:
  Any balanced codeword c between delimiters is authentic
ATMEL AT86RF211 transceiver
  433 MHz, FSK, Ts = 5 ms
I-codes reception
Demodulation at the receiver
  If average power in the symbol interval high → output 1
  If average power in the symbol interval low → output 0
Any balanced codeword c between delimiters is authentic
[Figure: received signal with symbol intervals marked bit 1 and bit 0]
Anti-blocking property of a radio channel
Received signal at B
  r(t)=s(t)⊗hAB(t)+a(t)⊗haB(t)+n(t)
Attacker's goal r(t)≈n(t)
  I.e., s(t)⊗hAB(t)+a(t)⊗haB(t) < n(t)
Attacker's challenges
  s(t) can be made physically unpredictable for the attacker
  Accurate estimate of both hAB(t) and haB(t)
Many sources of uncertainty at high frequencies
  Inaccuracies in the antenna positions
[Diagram: A transmits s(t), the attacker transmits a(t), B receives; n(t) is Gaussian noise; hAB(t) and haB(t) are the channels between A/attacker and B (i.e., #paths, delay, phase, attenuation)]
Anti-blocking property of a radio channel
0 → 1 easy
1 → 0 very hard
[Diagram: A transmits s(t), the attacker transmits a(t), B receives; symbol intervals marked bit 1 and bit 0]
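
An added example (not code from the talk or the I-codes paper) of the receiver-side check: Manchester I-coding with the 111000 delimiter, and an exhaustive search showing that when the attacker can only add energy (0 → 1), no injection pattern makes B accept a different message. The function names and the bit-string channel model are assumptions; B is taken to be synchronized to the frame, as the slides require.

```python
from itertools import product

DELIM = "111000"                       # delimiter given on the slides
MANCHESTER = {"0": "01", "1": "10"}    # balanced code from the slides

def icode_encode(msg_bits: str) -> str:
    # delimiter, I-codes(m), delimiter
    return DELIM + "".join(MANCHESTER[b] for b in msg_bits) + DELIM

def icode_decode(rx: str):
    """Return the message bits, or None if B must reject the frame."""
    n = len(DELIM)
    if len(rx) < 2 * n or not (rx.startswith(DELIM) and rx.endswith(DELIM)):
        return None                    # delimiters damaged
    body = rx[n:-n]
    if body.count("1") != body.count("0"):
        return None                    # not balanced: energy was added
    pairs = [body[i:i + 2] for i in range(0, len(body), 2)]
    if any(p not in ("01", "10") for p in pairs):
        return None                    # balanced, but not a Manchester codeword
    return "".join("1" if p == "10" else "0" for p in pairs)

def inject_energy(tx: str, mask) -> str:
    # Anti-blocking channel model: a slot is "on" if A or the attacker
    # transmits in it; the attacker cannot turn an "on" slot off.
    return "".join("1" if t == "1" or a == "1" else "0" for t, a in zip(tx, mask))

def forgeries(msg_bits: str) -> set:
    """Try every 0 -> 1 injection pattern; collect accepted messages != msg_bits."""
    tx = icode_encode(msg_bits)
    accepted = set()
    for mask in product("01", repeat=len(tx)):
        got = icode_decode(inject_energy(tx, mask))
        if got is not None and got != msg_bits:
            accepted.add(got)
    return accepted
```

For the slide's message 1 0 1 the search covers all 2^18 injection patterns over the frame and finds no accepted forgery; a frame that decodes to a different message requires at least one 1 → 0 change, which the anti-blocking assumption rules out.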
Authentication through presence
User's involvement minimal
  Ensures the devices close-by
  Turns the devices on
[Diagram: transmitter (TX on) repeats delimiter, I-codes(m): 111000011010…010101111000011010…010101111000…; receiver (RX on): if I-codes(m) balanced, accept m (ok)]
Effect of noise on I-codes
Implementation on Mica2 sensor motes
  0s → no signal during T0=10 ms
  1s → 18 bytes randomized packet at 19.2 kbps (T1=7.5 ms)
Securing Diffie-Hellman with I-codes
Protocol (diagram):
  A: given g^XA, pick k random bits NA; mA=IDA, g^XA, NA; (cA,dA)=commit(mA)
  B: given g^XB, pick k random bits NB; mB=IDB, g^XB, NB; (cB,dB)=commit(mB)
  A sends cA to B; B sends cB to A
  A sends dA to B; B sends dB to A
  A: mB=open(cB,dB); sA=NA NB; secret key KAB=g^(XA·XB)
  B: mA=open(cA,dA); sB=NA NB
  A transmits I-codes(sA)
  B: if sA==sB, "Success"; secret key KAB=g^(XA·XB) (ok)
Initializing a large sensor network
Simple procedure
  Place the devices close-by
  Run Group message Authentication Protocol (GAP)
  Let one device I-codes short GAS (group auth. string)
  Ensure all the devices show "green" status
[Diagram: transmitted sequence delimiter, I-codes(GAS): 111000011010…010101111000011010…010101111000…]
Summary
Presented mechanisms for bootstrapping initial security associations in wireless (sensor) networks
  User-friendly, scalable and compatible with resource-constrained devices
Optimal message transfer authenticator
  Short authentication strings
  Optimal trade-off between security and user's involvement
Integrity codes
  Exploit physical properties of a radio channel
  Enable authentication through presence