1
An Overview of the Security and Pervasive Computing Initiatives
at WINLAB
Rutgers, The State University of New Jersey
www.winlab.rutgers.edu
2
Talk Overview Overview of the Security and Pervasive Computing Group Security Initiatives:
ORBIT: 3G Multicast Security Multicast Authentication: Staggered TESLA Authentication in Hierarchical Ad Hoc Networks Attack Tolerant, DoS Resistant Wireless Networks Privacy Preservation in Wireless Networks Secure Localization: Defense and Identification Collusion-Resistant Fingerprinting for Multimedia
Pervasive Computing Initiatives: Congestion Control in Sensor Networks Lifetime Extension in Sensor Networks Mobility Emulation
3
WINLAB’s Security and Computing Initiatives WINLAB has a growing initiative in wireless network security
and mobile/pervasive computing Currently the Security Group consists of
3 Faculty Members: Wade Trappe (University of Maryland): Wireless Security, Multimedia Security,
Physical/MAC Layer Security, Multicast, Coding and Cryptography Yanyong Zhang (Penn. State University): Distributed Computing, Sensor Networking,
Pervasive Computing, Fault Tolerant Computing Architectures, Wireless Security Marco Gruteser (University of Colorado): Ubiquitous Computing, Secure Software
Engineering, Privacy in Location Services 14 Students (W. Xu, Q. Li, P. Kamat, Z. Li, Y. Zhang, T. Wood, S. Chao, A.
Chincholi, B. Xue, S. Raj, K. Ma, S. Swami, B. Hoh, K. Ramchandran) Collaboration: Princeton (H. Kobayashi), Columbia (H. Schulzrinne), Bell Labs
(S. Paul), IBM Watson, UMD (KJR Liu, M. Wu), Rutgers CS (B. Nath), UColorado (Grunwald), URI (Y. Sun), UBC (Z. Wang), U. Texas (IAT)
Funding: NSF: ORBIT (joint with Princeton, Columbia, Bell Labs, IBM, Thomson), PARIS Air Force: Multimedia Fingerprinting (joint with UMD) (complete) NICT Japan: Secure Future Wireless Networks (B3G)
4
Wireless Security
5
ORBIT Testbed: Radio Grid
80 ft ( 20 nodes )
70
ft
( 2
0 n
od
es
)
Control switch
Data switch Application Servers
(User applications/ Delay nodes/
Mobility Controllers / Mobile Nodes)
Internet VPN Gateway / Firewall
Back-end servers
Front-endServers
Gigabit backboneVPN Gateway to Wide-Area Testbed
SA1 SA2 SAP IS1 IS2 ISQ
RF/Spectrum Measurements Interference Sources
6
Experiment Patterns
WAN CommunicationMultiple Radios
Peer to peer
Multiple Access Points
Access Point WAN Retrieval
7
ORBIT EWP6: Wireless Security Plans The Princeton EWP6 Security group (led by Prof. Kobayashi) and
the WINLAB Security group (led by Prof. Trappe) have alternated monthly meetings between Princeton and WINLAB
WINLAB collaboration with Lucent on MBMS Security Plans for ORBIT:
Secure Flooding Protocols (Princeton) Fast Authenticated Key Establishment Protocols for Self-Organizing Sensor Networks
(develop ECC for ORBIT Crypto Toolbox) (Princeton) Mobility and Basic Authenticated Handoff Experiments (WINLAB) Development of Basic Cryptographic Toolbox (WINLAB)
ConstructCrypto Toolbox
(8/04-12/04)
MobilityExperiments(9/04-12/04)
Secure FloodingProtocols
(9/04-1/05)…
1 2 3
8
3G Multicast Security
Keys must be shared by multicast group participants As users join and leave, keys must be changed 3GPP has proposed a new entity, the BMSC for managing broadcast and
multicast services The BMSC can perform key management
Node B
Node B
Radio Network Subsystem (RNS)
GGSN
SGSNRNC
Node B
UMTS Terrestrial Radio Access Network
BMSC
UMTS Core Network
Internet
9
3G Multicast Security 3GPP currently is investigating several
multicast frameworks To optimize key management, one
should match the key tree to underlying multicast topology
3GPP has not decided on a multicast topology
We are examining the performance of multicast key management at the BMSC for different 3G multicast scenarios
We have proposed modifications to Qualcomm’s MBMS security scheme that improves communication efficiency
Secure Prototype Multicast Chatting Application has been developed:
Server is implemented in J2SE Clients are implemented in J2ME
W. Xu, W. Trappe and S. Paul, “Key Management for 3G MBMS Security,” to appear Proceedings of 2004 IEEE ICC.
10
Multicast Authentication Delayed Key Disclosure: (e.g. TESLA)
Weakness: Use of buffers allows for a simple denial of service (DoS) attack Since there is no way to check packets until key is disclosed, buffer will overflow
How to protect against DoS attacks?
K1 K2 K3 K4 K5
All Packets Authenticated with K1 have arrived to all group members
Keys Time
Auth Packetswith K1
RevealK2
Auth Packetswith K2
Auth Packetswith K3
Auth Packetswith K4
RevealK1
Auth Packetswith K5
Q. Li and W. Trappe, “Staggered TESLA: A Scheme for Reduced-Delay Multi-Grade Multicast Authentication,” submitted to IEEE Infocom 2005.
11
Definition of Trust in Delayed Key Disclosure
Assumptions: Adversary has 0 Forge time Adversary has 0-delay link to
receiver Disclosure delay is d
Security Condition Packets sent at interval i will be
discarded if received after i+d
S
A
R
A
i+t
i+d
i+d
> i+d
d-t
Key released at time i+t: Adversaries within delay radius d-t
can forge packets Adversaries outside radius d-t will
cause violation of security condition
Trust:
2
2)(1
1
d
td
NetworkWholeofArea
CapableForgeofArea
12
Staggered TESLA: Sender Setup
The sender attaches d MACs computed by K'i, …,K'i-d+1
TimeInterval i Interval i+1Interval i-1
Ki Ki+1Ki-1
Disclose Ki-d Disclose Ki-d+1Disclose Ki-d-1
…
Mj
MAC(Mj,K'i)
MAC(Mj,K'i-d+1)
Ki-d
…
Mj+1
MAC(Mj+1,K'i+1)
MAC(Mj+1,K'i-d+2)
Ki-d+1
…
Mj-1
MAC(Mj-1,K'i-1)
MAC(Mj-1,K'i-d)
Ki-d-1
13
Staggered TESLA: Authentication at Receiver
Receivers have a chained buffer As keys arrive, MACs are
verified If matches, it puts the packet
into the next layer. If not, the packet is dropped.
As the packets move to lower buffer layers, the trustworthiness of the packets increases
TimeInterval i+d-1 Interval i+dInterval i+d-2
Ki+d-1 Ki+dKi+d-2
Disclose Ki-1 Disclose KiDisclose Ki-2
P
P
No
Drop
Yes
P
No
Drop
Yes
No Yes
Drop Save
14
TESLA & Staggered TESLA
Staggered TESLA Attach d MAC Keys: Ki, …, Ki-d+1
Authenticate: Each interval has a chance
Compute: d MAC Communicate: d MAC
TESLA Attach 1 MAC Key: Ki
Authenticate: d intervals Compute: 1 MAC Communicate: 1 MAC
Packet sent in interval i, key Ki, Delay d
15
Authentication in Hierarchical Ad Hoc Sensor Networks
Public key certificates are not suitable for flat ad hoc networks To check certificate requires expensive public key operations
Three tier architecture: Varying levels of computational power within the sensor network Sensors do not communicate with each other Forwarding nodes are radio-relay
TESLA Certificates Alternative to PK certificates Uses symmetric key cryptography Delayed key disclosure
AP
FN
SN
Authentication framework: Access points provide filter to
application TESLA certificates provide efficient
sensor node handoff Weak and assured data
authentication provided
M. Bohge and W. Trappe, “An Authentication Framework for hierarchical ad hoc sensor networks,” Proceedings of 2003 ACM Workshop on Wireless Security.
16
DoS Resistant Wireless Networks Broadcast radio signals at the
same frequency as the wireless Ethernet transmitters - 2.4 GHz for 802.11b/g!
To jam, you just need to broadcast a radio signal at the same frequency but at a higher power.
Waveform Generators and the Microwave Oven!
Yes, heating up your lunch aggravates your system administrator!
What can one do? WINLAB’s solution, from Sun
Tze’s Art of War: “He who can’t defeat his enemy should retreat!”
Answers: Change your channel allocation Move your location!
W. Xu, T. Wood, W. Trappe and Y. Zhang, “Channel Surfing and Spatial Retreats: Defenses against Wireless Denial o f Service,” Proceedings of 2004 ACM Workshop on Wireless Security.
17
Privacy Issues in Wireless Networks Content-Oriented Security and Privacy:
Issues that arise because an adversary can observe and manipulate the exact content in a sensor message.
Best addressed through cryptography and network security.
Context-Oriented Privacy: Issues that arise because an adversary observes the context surrounding creation and
transmission of a sensor message. Examples:
Source-Location Privacy: The physical location of communication participants may be sensitive. Traffic Privacy: The size and amount of messages originating from a sensor may be sensitive.
For sensor networks, Source-Location Privacy focuses on protecting the monitored asset from traceback.
For tactical networks, Source-Location Privacy focuses on protecting the networked soldier from traceback attacks by adversaries!
C. Ozturk, Y. Zhang, and W. Trappe, “Source Location Privacy in Sensor Networks,” Proceedings of 2004 ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN).
18
Panda-Hunter Game Model Scenario We propose the Panda-Hunter
Game as an example sensor scenario
Panda-Hunter Game: A sensor network has been
deployed to monitor a panda habitat. Sensors send Panda_Here
messages Messages are forwarded to a data
sink. The hunter observes packets and
traces his way back to the panda. Privacy Goal: Increase the time
needed for an adversary to track and capture the panda. Safety Period: The number of
messages transmitted by the source sensor.
Longer safety periods mean more privacy!
Data Sink
Sensor Node
Game Over!
19
Flooding Strategies for Privacy, pg. 1 Flooding is a popular technique
for delivering sensor data Involves each node forwarding a
packet it receives Although many simultaneous
paths to the sink, flooding does not increase the safety period!
Explanation: Flooding contains the shortest
path. Hunter will always follow shortest
path to the panda.
Data Sink
Sensor Node
20
Flooding Strategies for Privacy, pg. 2 Probabilistic Flooding:
An alternative strategy to baseline flooding
Reduces the amount of energy consumed in the sensor network
Each node forwards a received sensor packet with probability Pforward
Small Pforward reduces energy at tradeoff of lower network connectivity
Probabilistic flooding increases the safety period
There is a chance that shortest path will not exist
Adversary may thus follow non-shortest path
Experimental Observations: Lower Pforward increases safety period Lower Pforward also increases the sink miss
ratio Fundamental tradeoff
Other Strategies have been proposed:
Randomized Multipath Routing Phantom Routing
20 30 40 50 60 70 800
50
100
150
200
250
300
350
# of Hops Between Source and Sink
Sa
fety
Pe
rio
d
FloodingPforward=0.75Pforward=0.60Pforward=0.50Pforward=0.40
20 30 40 50 60 70 800
0.1
0.2
0.3
0.4
0.5
0.6
0.7
# of Hops Between Source and Sink
Av
era
ge
Sin
k M
iss
Ra
tio
FloodingPforward=0.75Pforward=0.60Pforward=0.50Pforward=0.40
21
Privacy-observant Location Tracking
Location Information useful for Calibrating the tracking system Location-based applications
Can we perturb time-series information? Individual paths are not identifiable Aggregate information from
multiple users is useful
22
Secure Localization in Wireless Networks Already, many techniques have emerged to localize a
wireless device Enforcement of location-aware security policies (e.g., this
laptop should not be taken out of this building, or this file should not be opened outside of a secure room) requires trusted location information.
As more of these location-dependent services get deployed, the very mechanisms that provide location information will become the target of misuse and attacks.
Two efforts to address this problem: Integrate resilience into localization methods (Z. Li) Modulation of AP transmission powers (Yu Zhang)
Z. Li, Y. Zhang, W. Trappe and B. Nath, “Securing Wireless Localization: Living with Bad Guys,” submitted to 2004 DIMACS Workshop on Wireless and Mobile Security.
23
Collusion-Resistant Traitor Tracing for MultimediaDoD Research: Joint Collaboration with UMD
W. Trappe, M. Wu, Z. Wang, K.J.R. Liu, “Anti-Collusion Fingerprinting for Multimedia,” IEEE Trans. on Signal Processing, Special issue on Signal Processing for Data Hiding in Digital Media & Secure Content Delivery, vol. 51, no. 4, pp.1069-1087, April 2003.
Z. Wang, M. Wu, W. Trappe, and K.J.R. Liu: "Group-Oriented Fingerprinting for Multimedia Forensics", EURASIP Journal on Applied Signal Processing, Special Issue on Multimedia Security and Rights Management, to appear 2004.
24
Recent Leak: UAV Surveillance Video on bin Laden
High-tech surveillance provide around-the-clock monitoring of terrorist base
Highly classified video captured in 2000 by Unmanned Aerial Vehicle Predator
Video shows a tall man wearing a white robe over Tarnak Farm in Afghanistan
Analysts thought the man as bin Laden
Pentagon & CIA officials have copies of the tape
Video leaked to the press in March 2004, aired in NBC and CNN
CIA investigates the leak of the tape
http://www.cnn.com/2004/WORLD/asiapcf/03/17/predator.video/
25
Digital Fingerprinting and Tracing Traitors
Leak of information as well as alteration and repackaging poses serious threats to government operations and commercial markets e.g., pirated content or
classified document
Promising countermeasure:robustly embed digital fingerprints Insert ID or “fingerprint” (often through conventional watermarking)
to identify each user Purpose: deter information leakage; digital rights management(DRM) Challenge: imperceptibility, robustness, tracing capability
studio
The Lord ofthe Ring
Alice
Bob
Carl
w1
w2
w3
SellSell
26
Embedded Fingerprinting for Multimedia
embedembedDigital
Fingerprint
Multimedia Document
101101 …101101 …
Customer’s ID: Alice
Distribute to Alice
Fingerprinted CopyFingerprinted Copy
embedembedDigital
Fingerprint
Multimedia Document
101101 …101101 …
Customer’s ID: Alice
Distribute to Alice
Fingerprinted CopyFingerprinted Copy
Collusion Attack Collusion Attack (to remove fingerprints)(to remove fingerprints)
AliceAlice
BobBob
Colluded CopyColluded Copy
Unauthorized Unauthorized rere--distributiondistribution
Fingerprinted docfor different users
Collusion Attack Collusion Attack (to remove fingerprints)(to remove fingerprints)
AliceAlice
BobBob
Colluded CopyColluded Copy
Unauthorized Unauthorized rere--distributiondistribution
Fingerprinted docfor different users
Extract Extract FingerprintsFingerprints
Suspicious Suspicious CopyCopy
101110 …101110 …
Codebook
Alice, Bob, …
Identify Identify TraitorsTraitors
Extract Extract FingerprintsFingerprints
Suspicious Suspicious CopyCopy
101110 …101110 …
Codebook
Alice, Bob, …
Identify Identify TraitorsTraitors
Embedded Finger-printing
Multi-user Attacks
Traitor Tracing
27
Group-Oriented Forensics Overcome the limitations of orthogonal fingerprinting
Recall: orthogonal FP treats everybody equally Orthogonal strategy has to suspect more to accurately find a colluder
Colluders often come together in some foreseeable groups Due to their geographic, social, or other connections
Our approach: design users’ FP in a correlated way Cluster users into groups based on prior knowledge
Intra-group collusion is more likely than inter-group
Revise orthogonal FP and add correlation to the same group to help narrow down the suspicion group
28
Group Fingerprinting
Problem: determine the number of colluders ki’s and the Sci’s
Solution: construct intra-group FP in two parts, and use threshold detector (at desired intra-group false alarm) to avoid estimating ki
||||energy equal ;,
,...,1for ),,0(~)( 2
sss
xsy
li
NiNid
lmij
d
ijij
),0( ~},,...,{ where,1 21 NuiiMiiijij Niid Iaeeaes
Can be viewed as a real-valued fingerprint code
29
Two-Stage Detection Scheme Basic idea: first identify groups containing colluders,
then identify colluders within each possible guilty group
ROC Curves Pd vs. Pfp under different collusion settings
Constraint: equal energy 22
02 ||||}||{||}||{|| syy EE c
30
Similarity between Collusion and MU Comm. The Fingerprint Collusion Problem is similar to Multiuser
Communication The colluded signal is simply the host signal plus a mixture of watermarks
For good communication performance: CDMA sequences should have minimum interference between each other. Low Cross-Correlation is Good!
The similarity between Collusion and MU Comm. suggests that good CDMA sequences would be good fingerprints!
tsfingerprin
colluderaisuserjthif1}1,0{
j
1
w
wdxy
j
n
jjjc K
Collusion Fingerprint Problem
sequencessignature)(
1,1
)()()(1
ts
b
tntsbAty
k
k
n
kkkk
Synchronous CDMA Channel
Z. Li and W. Trappe, “Collusion-resistant Fingerprints from WBE Sequence Sets,” to appear Proceedings of 2005 IEEE ICC.
31
Question: How to assign M fingerprints in N dimensions to
facilitate colluder detection? M<N: assign orthogonal fingerprints because they are uncorrelated
M>N: the fingerprints are correlated. How do we find the least
correlated set S of size N by M? Minimize Total Squared Correlation (TSC):
Welch Bound: TSC is lower bounded by M2/N
WBE sequence set:
WBE sequence set is known to be optimal in terms of user capacity in synchronous code-division multiple access
(CDMA) One approach to get WBE sequence set: Eigen-algorithm
N
MTSC
N
MT2
NISS
ACC built from Interference Avoidance
n
i
n
jj
TiTSC
1 1
2)( ss
32
: collusion indicator, M х 1 S: fingerprint matrix, N х M (M>N)
T: detection statistics, N х 1 K: number of colluders
S+: Moore-Penrose generalized inverse of S
• Iterative Generalized Inverse Algorithm
TSΦΦnSΦT KK
1. Initialize Ss= S, i.e. all users are initially under suspicion
2. Fa =Ss+T
3. Choose a threshold g: We choose g = 0 when min(Fa)<0, and g =
0.4max(Fa) when min(Fa)>0.
4. The users whose corresponding entries in Fa are smaller than g are
identified as innocent. Their fingerprints are removed from Ss.
5. Repeat the steps from 2 to 4 with the new Ss until Ss does not change any
more. 6. The users whose fingerprints remain in Ss are the final accused users.
Detection of WBE Fingerprints
33
-25 -24 -23 -22 -21 -20 -19 -18 -17 -16 -150.6
0.65
0.7
0.75
0.8
0.85
0.9
0.95
1
WNR
p d
ACC-SortingACC-AM WBE-Ginv
-25 -24 -23 -22 -21 -20 -19 -18 -17 -16 -150
0.05
0.1
0.15
0.2
0.25
WNR
p fa
ACC-SortingACC-AM WBE-Ginv
-25 -24 -23 -22 -21 -20 -19 -18 -17 -16 -150
0.05
0.1
0.15
0.2
0.25
WNR
p e
ACC-SortingACC-AM WBE-Ginv
-25 -24 -23 -22 -21 -20 -19 -18 -17 -16 -150
0.005
0.01
0.015
0.02
0.025
0.03
WNR
Pro
b. o
f N
o C
atch
ACC-SortingACC-AM WBE-Ginv
Probability of Detection Probability of false accusation
Probability of Error Probability of not capturing any colluder
Performance Comparison with BIBD ACC
34
Future Security Topics? Detecting and Containing Wireless Worms Securing “Networks of Networks” in 4G:
Interoperability and translation of security policies
Securing Multimedia over MANETS
35
Congestion control in sensor networks Why resource control instead of traffic control?
The data during a congestion is valuable and cannot be dropped Sensor network deployments have a large degree of redundancy, so there is
available resources
Research questions to answer: How do you measure congestion level? (channel utilization, queue occupation,
drop rate, etc) How do you measure aggregated traffic volume? If 40% more resources are needed, how can you increase resource accordingly? How can you design a distributed yet low-weight protocol?
36
Coverage, Connectivity, and Lifetime Sensor network deployments have a large degree of
redundancy, so there exists overlapping for both coverage and connectivity
In order to extend lifetime, at any time, we keep a minimal set of active nodes (with radio on), so that the others can sleep
How do you provide coverage/connectivity in case of node failures? In addition to active nodes, leave a small set of nodes always on, like satellites All the other sleeping nodes coordinate their schedules so that every active node
is constantly protected by one or more nodes.
37
Mobility Emulation
Goal: Support experiments that require mobile nodes on the Orbit testbed
802.11 hand-over Ad-hoc routing Location tracking
Idea: Emulate mobility by mapping moving nodes onto changing grid nodes
More reliable, reproducible, and cost-effective than robots (or students)