Key Establishment in Ad Hoc Networks, Part 1 of 2
S. Capkun, JP Hubaux
Outline
- Introduction
- URSA: Providing Ubiquitous and Robust Security Support for MANET (UCLA proposal)
- PGP-inspired solution: keys generated by the nodes (EPFL proposal)
- Mobility helps security (in Part 2 of 2)
Research areas in security for ad hoc networks
Key establishment: how to distribute and manage keys in the absence of an on-line authority
Secure routing: how to make routing protocols robust against potential attacks
Intrusion detection: how to discover that an intruder is attempting to penetrate the network
Preventing denial of service: how to prevent nodes from misbehaving, rationally or maliciously, e.g. pretending to forward packets while actually dropping them
Securing sensor networks: how to make the protocols used by sensor networks robust against potential attacks, while coping with the anemic nature of the devices
Design Challenges
- Security breaches: vulnerable wireless links; occasional break-ins may be inevitable over a long time
- Service ubiquity in presence of mobility: anywhere, anytime availability
- Network dynamics: wireless channel errors, node failures, node join/leave
- Network scale
Key establishment techniques in ad hoc networks
- Presence of an authority, at least in the initialization phase (usually based on threshold cryptography):
  - specialized nodes (servers)
  - centralized secret share dealer
- No authority: keys are generated by the nodes:
  - PGP-inspired (trust; certificate graph)
  - mobility helps security (exploit node encounters)
Secret sharing based on threshold cryptography
- No trusted authority, no central server
- Threshold crypto makes it possible to distribute specific tasks (e.g., signature and therefore certificate issuing) among several users
Definition: Let $t$, $w$ be positive integers, $t \le w$. A $(t, w)$ threshold scheme is a method by which a trusted party (also called a dealer) computes secret shares $S_i$, $1 \le i \le w$, from an initial secret $S$, and securely distributes $S_i$ to user $P_i$, such that the following is true: any $t$ or more users who pool their shares may easily recover $S$, but any group knowing only $t-1$ or fewer shares may not.
A perfect threshold scheme is a threshold scheme in which knowing only $t-1$ or fewer shares provides no advantage to an opponent over knowing no pieces.
Shamir threshold scheme
Initialization phase: Let $p \ge w+1$ be prime. The dealer $D$ chooses $w$ distinct, non-zero elements of $\mathbb{Z}_p$, denoted $x_i$, $1 \le i \le w$. Let $P_i$ designate the $i$-th participant ($1 \le i \le w$). $D$ gives the value $x_i$ to $P_i$; the values $x_i$ are public.
Share distribution: Let $K \in \mathbb{Z}_p$ be the key that $D$ wants to share among the participants. $D$ secretly chooses (independently and at random) $t-1$ elements of $\mathbb{Z}_p$: $a_1, \ldots, a_{t-1}$. For $1 \le i \le w$, $D$ computes $y_i = a(x_i)$, where $a(x) = K + \sum_{j=1}^{t-1} a_j x^j \bmod p$. For $1 \le i \le w$, $D$ gives the share $y_i$ to $P_i$.
Pooling of shares: Any group of $t$ or more users pool their shares, which provide at least $t$ distinct points $(x_i, y_i)$ allowing computation of the coefficients $a_j$, $1 \le j \le t-1$, and of the key $K$. This computation can be made by Lagrangian interpolation.
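The three phases above (initialization, share distribution, pooling) as an added Python example; this is not code from the slides. It assumes the public points are $x_i = i$ and recovers $K$ by Lagrange interpolation at $x = 0$.

```python
import secrets

def lagrange_at_zero(points, p):
    """Value at x = 0 of the unique polynomial of degree < len(points) over Z_p
    that passes through the given (x_i, y_i) points (x_i distinct and non-zero)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % p        # factor (0 - x_j)
                den = den * (xi - xj) % p    # factor (x_i - x_j)
        total = (total + yi * num * pow(den, -1, p)) % p   # pow(., -1, p): inverse mod p
    return total

def shamir_share(K, t, w, p):
    """Dealer D: split the key K in Z_p into w shares, any t of which recover K.
    Assumption of this example: the public points are x_i = i, i = 1..w."""
    assert p >= w + 1 and 0 <= K < p and 1 <= t <= w
    # a(x) = K + a_1 x + ... + a_{t-1} x^{t-1}, with a_j chosen secretly at random
    coeffs = [K] + [secrets.randbelow(p) for _ in range(t - 1)]
    return [(x, sum(a * pow(x, j, p) for j, a in enumerate(coeffs)) % p)
            for x in range(1, w + 1)]

def shamir_recover(shares, t, p):
    """Pooling: any t distinct (x_i, y_i) points determine a(x), hence K = a(0)."""
    assert len(shares) >= t
    return lagrange_at_zero(shares[:t], p)
```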
URSA: Providing Ubiquitous and Robust Security Support for MANET
Courtesy of: Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang, University of California, Los Angeles
{jkong,pzerfos,hluo,slu,lixia}@cs.ucla.edu
URSA Approach
- Ubiquitous and robust service provision in the presence of random mobility
- Localized algorithms and protocols
- One-hop wireless communication
Why this model?
- No single point of compromise: hackers must break into K nodes simultaneously to compromise the system
- No single point of DoS attack & node failure
- K offers a tradeoff between intrusion tolerance and service availability:
  - K=1: single point of compromise, maximal availability
  - K=N: single point of DoS attack, maximal intrusion tolerance
System Overview
- Each node carries a verifiable, unforgeable personal certificate
- Certificate is signed by the network system key SK
- Certificate may be issued, renewed, or revoked
- Every mobile node periodically renews its certificate
- Ubiquitous services enabled by secret sharing
System Components
- Certification services: localized certificate issuing, renewal, revocation
- Self-initialization service: to provide a secret share to an entity; to provide a scalable proactive secret share update service
- Proactive secret share update service: to resist long-term adversaries without changing the shared secret
Network Protocol
(Figure: the two message flows below.)
Certificate issuing, renewal, or explicit revocation:
1. Service request
2. Return partial certificates (K=5)
Self-initialization:
1. Initialization request
2. Unicast shuffling package
3. Routing shuffling package
4. Unicast partial secret share
Cryptographic Algorithms: Threshold Secret Sharing
- Polynomial-based threshold secret sharing: given a secret $d$ and a random polynomial of degree $K-1$, $f(x) = d + f_1 x + f_2 x^2 + \cdots + f_{K-1} x^{K-1} \bmod n$
- Each entity $v_i$ obtains its secret share $f(v_i) \bmod n$
- $d$ can be recovered by Lagrange interpolation
- In the RSA cryptosystem, the $d$ in the signing key $SK = (d, n)$ is shared and distributed
Lagrange Interpolation
(Figure: a polynomial of degree $K-1$ through the points $f(x_1), \ldots, f(x_5)$ at $x_1, \ldots, x_5$; its value at $x = 0$, $f(0)$, is the secret.)
$d = f(0) = \sum_{j=1}^{K} f(v_j)\, l_j(0) \pmod n$, where
$l_j(x) = \prod_{i=1,\, i \ne j}^{K} \frac{x - v_i}{v_j - v_i} = \frac{(x - v_1)\cdots(x - v_{j-1})(x - v_{j+1})\cdots(x - v_K)}{(v_j - v_1)\cdots(v_j - v_{j-1})(v_j - v_{j+1})\cdots(v_j - v_K)}$
Multi-signature
- Threshold secret sharing reveals $d$ to a coalition; $d$ is not revealed if partial certificates are used
- The cornerstone is the equation $X^{d_1} \cdot X^{d_2} \cdots X^{d_K} = X^{(d_1 + d_2 + \cdots + d_K)}$
- Each coalition member contributes a signed partial certificate $X^{SK_i} = (X^{d_i} \bmod n)$, which corresponds to an RSA SK-signing in computation
- The certification service requester combines $K$ partial certificates and obtains a correctly signed certificate $X^{SK} = (X^{d} \bmod n)$
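The partial-certificate combination above as an added Python example; it is not URSA's code, and the RSA parameters and polynomial coefficients are toy values constructed for the example. It goes one step beyond the slide: each partial exponent $d_i = f(v_i)\,l_i(0)$ is reduced mod $n$, so the exponents sum to $d + kn$ for some $0 \le k < K$, and the combiner strips the spurious $X^{kn}$ factor by testing candidates against the public key.

```python
from math import gcd

# Toy RSA parameters constructed for the example (real keys are 2048 bits or more).
RSA_P, RSA_Q = 61, 53
RSA_N = RSA_P * RSA_Q                                   # n = 3233, the public modulus
RSA_E = 17                                              # public exponent e
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))       # d = 2753, signing exponent of SK = (d, n)

def share_d(d, K, ids, n, coeffs):
    """Dealer side: f(x) = d + f_1 x + ... + f_{K-1} x^{K-1} mod n; entity v_i gets f(v_i) mod n."""
    poly = [d] + list(coeffs)
    assert len(poly) == K
    return {v: sum(c * pow(v, j, n) for j, c in enumerate(poly)) % n for v in ids}

def lagrange_coeff(v, coalition, n):
    """l_v(0) = prod_{u != v} (0 - u) / (v - u) mod n. The inverses exist whenever
    gcd(v - u, n) = 1, which holds for small entity ids and a large RSA modulus."""
    l = 1
    for u in coalition:
        if u != v:
            assert gcd(v - u, n) == 1
            l = l * (-u) * pow((v - u) % n, -1, n) % n
    return l

def partial_certificate(X, v, share, coalition, n):
    """Coalition member v signs with d_v = f(v) * l_v(0) mod n: X^{SK_v} = X^{d_v} mod n."""
    d_v = share * lagrange_coeff(v, coalition, n) % n
    return pow(X, d_v, n)

def combine(X, partials, n, e, K):
    """Requester multiplies the K partial certificates: X^{d_1} ... X^{d_K} = X^{d_1+...+d_K}.
    Each d_i was reduced mod n, so d_1 + ... + d_K = d + k*n with 0 <= k < K, while RSA
    exponents only wrap modulo phi(n). The X^{k*n} factor is removed by trying each k
    and keeping the candidate that verifies under the public key (e, n)."""
    prod = 1
    for part in partials:
        prod = prod * part % n
    x_n_inv = pow(pow(X, n, n), -1, n)      # (X^n)^{-1} mod n; needs gcd(X, n) = 1
    for k in range(K):
        cand = prod * pow(x_n_inv, k, n) % n
        if pow(cand, e, n) == X:
            return cand
    raise ValueError("partial certificates do not combine to a valid signature")
```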
Simulation: Proactive Update, Updated Node Percentage vs. Delay
"Explosion" effect: as more and more entities obtain the new version of the secret shares, the task gets easier and faster
Conclusion on URSA
- Certification-based approach: secret sharing, multi-signature
- Localized and distributed protocols: faster and more robust than other approaches, service ubiquity, scalable
- Flexible trade-off between intrusion tolerance & service availability
Full Self-Organization of Public Key Management (EPFL proposal)
Security: we use a public-key cryptography scheme to support security services in mobile ad hoc networks
Problem: how can a user u obtain the authentic public key of another user v in the presence of an active attacker?
Principles:
- users generate their own keys and issue certificates (no preinstalled keys)
- no central certification authority
- no certificate directories
- no specific role assigned to a subset of nodes
Public-Key Infrastructure
Reminder: Certification Authorities (CAs) (e.g., ISO X.509, used notably in S/MIME):
(Figure: a hierarchy of CAs, CA_Z at the root with CA_W, CA_X, CA_Y, CA_U and CA_V below it, and Alice and Bob as end entities.)
A self-organized mobile ad hoc network has no infrastructure and therefore:
- no server
- no certification authority
Is it possible to build up a scalable public-key infrastructure for such an infrastructure-less network?
Key management in PGP: Web of trust
(Figure: Alice, Bob and Irene, each holding a private key PrK and a public key PuK; Bob generates a certificate for Irene, and a trust relationship links Alice and Bob.)
- Alice and Bob trust each other and have exchanged each other's public key in a secure way (e.g., off-line)
- Bob certifies Irene's key: Bob → Irene: PuK_Irene, PrK_Bob(PuK_Irene)
- How can Alice get a trustworthy version of the public key of Irene, PuK_Irene? (She does not know who signed it)
- Bob is an introducer for Irene
PGP: server of certificates
(Figure: Alice, Bob and Irene with their key pairs; Bob's certificate for Irene, PuK_Irene, PrK_Bob(PuK_Irene), is held by a server of certificates, and Alice sends the server a request for a signed public key of Irene.)
- Example of server: www.pgpi.org
- The servers of certificates are the only centralized components of PGP.
Is it possible to get rid of the certificate server(s), without jeopardizing scalability?
Model
We assume that if a user i believes that a given public key belongs to a given user j, then i can issue a public-key certificate to j.
Certificate graph G(V,E):
- V is a set of keys
- E is the set of edges, where a directed edge (i,j) is added if i signed a public-key certificate to user j
(Figure: an edge from $K_i$ to $K_j$ labelled with the certificate $Pr_{K_i}\{K_j, j\}$, i.e. the binding of key $K_j$ to user j, signed with the private key of i.)
Certificate graph
Authentication via a chain of certificates
(Figure: a certificate graph on the keys $K_1, \ldots, K_{12}$; the chain of certificates from $K_5$ to $K_{10}$ is highlighted.)
No authority: Self-Organized Public Key Management
Each node generates its own private/public key pair (as in PGP) and issues certificates for the nodes it trusts.
The system works in two phases:
1. Initialization: each user i stores a set of certificates
2. When a user i wants to verify the public key of another user j, they merge their local repositories and try to find a path of certificates between them
Initialization (1)
(Figure: users i, j and k issuing certificates to one another.)
Initialization (2)
- Each user builds up a local repository of public-key certificates (a subgraph):
  - stores the certificates that it issued (outgoing edges)
  - stores the list of certificates that others issued for it (incoming edges)
  - stores an additional set of certificates chosen according to some algorithm A
- 2 possible scenarios:
  - Centralized: (1) the user sends a request to a certificate server, (2) the server returns the sub-graph
  - Distributed: the user assembles its sub-graph without a server
Verifying the key: merging the local repositories and finding a path of certificates
(Figure: the merged repositories of users i and j, with a path of certificates from i to j.)
Example of an algorithm: Maximum Degree
Node K builds its incoming and outgoing path(s) by choosing the nodes with the highest degrees.
Example: Shortcut Hunter
Each node builds its incoming and outgoing path(s) by choosing the node that has the highest number of shortcuts connected to it.
(Figure: users i, j and k in a small world graph; a shortcut edge is marked.)
Algorithm performance
We define the performance of the local repository construction algorithm $A$ on the certificate graph $G$ as
$p_A(s, G) = \frac{|\{(u, v) \in V \times V : K_u \to K_v \text{ in } G_u^A \cup G_v^A\}|}{|\{(u, v) \in V \times V : K_u \to K_v \text{ in } G\}|}$
where $K_u \to K_v$ in a graph means that a path of certificates leads from $K_u$ to $K_v$ in it, and $s$ is the size of the local repositories of the users (i.e. the number of edges in the subgraph of each user): $s = |E(G_u^A)|$.
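The Maximum Degree repository construction (slide "Example of an algorithm: Maximum Degree") and the performance ratio $p_A(s, G)$ defined above, as an added Python example that is not the authors' code. The 6-key certificate graph is constructed for the example, and the tie-breaking rule among equal degrees (smallest key id) is an assumption.

```python
from collections import deque

# Constructed certificate graph: edge (i, j) means key i certified key j. A bidirectional
# chain 1-2-3-4-5-6 plus the bidirectional shortcut 1-4 gives key 4 the highest degree.
EDGES = {(1, 2), (2, 1), (2, 3), (3, 2), (3, 4), (4, 3), (4, 5), (5, 4),
         (5, 6), (6, 5), (1, 4), (4, 1)}

def adjacency(edges):
    """Out- and in-neighbour maps of a directed edge set (every key gets an entry)."""
    out, inc = {}, {}
    for a, b in edges:
        out.setdefault(a, set()).add(b); inc.setdefault(b, set()).add(a)
        out.setdefault(b, set()); inc.setdefault(a, set())
    return out, inc

def greedy_path(start, nbrs, degree, max_edges):
    """Walk from start, each step taking the unvisited neighbour of highest degree
    (assumed tie-break: smallest key id); returns the visited keys in order."""
    path, seen = [start], {start}
    while len(path) - 1 < max_edges:
        cand = [x for x in nbrs[path[-1]] if x not in seen]
        if not cand:
            break
        nxt = max(cand, key=lambda x: (degree[x], -x))
        path.append(nxt); seen.add(nxt)
    return path

def maximum_degree_repo(u, out, inc, half):
    """Local repository G_u^A of the Maximum Degree algorithm: one outgoing and one
    incoming path of at most `half` certificates each, i.e. s <= 2 * half edges."""
    degree = {k: len(out[k]) + len(inc[k]) for k in out}
    fwd, bwd = greedy_path(u, out, degree, half), greedy_path(u, inc, degree, half)
    repo = {(fwd[i], fwd[i + 1]) for i in range(len(fwd) - 1)}
    return repo | {(bwd[i + 1], bwd[i]) for i in range(len(bwd) - 1)}  # real direction

def reachable(edges, u, v):
    """True if a chain of certificates in `edges` leads from key u to key v."""
    out, _ = adjacency(edges)
    seen, queue = {u}, deque([u])
    while queue:
        x = queue.popleft()
        if x == v:
            return True
        for y in out.get(x, ()):
            if y not in seen:
                seen.add(y); queue.append(y)
    return False

def performance(edges, half):
    """p_A(s, G): share of the pairs (u, v) connected in G for which u still reaches v
    in the merged repositories G_u^A ∪ G_v^A."""
    out, inc = adjacency(edges)
    repos = {u: maximum_degree_repo(u, out, inc, half) for u in out}
    keys = sorted(out)
    pairs = [(u, v) for u in keys for v in keys if u != v and reachable(edges, u, v)]
    return sum(reachable(repos[u] | repos[v], u, v) for u, v in pairs) / len(pairs)
```

With two certificates per direction every pair is still connected after merging (p = 1); with one per direction only 18 of the 30 ordered pairs are (p = 0.6).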
Performance of Maximum Degree
Node builds its incoming and outgoing path(s) by choosing the nodes with the highest degrees.
(Figure: algorithm performance $p_{MD}(s, PGP)$ versus local repository size $s$ (4 to 74), for $c = 1$ path and $c = 4$ paths; performance ranges from 0.5 to 1; PGP graph size ~5000.)
Performance of the Star Shortcut Hunter on real PGP certificate graphs
(Figure: performance (0.2 to 1) versus in(out)-bound subgraph size $s/2$ (0 to 210), for certificate graph sizes 2124, 3211 and 8695.)
Performance of the shortcut hunter on small world and random graphs
- $\Phi$ is the fraction of edges which are shortcuts; size of the local repositories = $\sqrt{n}$
(Figure: performance (0.3 to 1) versus $\Phi$ on a logarithmic axis from 0.01 (small world graphs) to 1 (random graphs), for certificate graph sizes 1000, 2000 and 4000.)
False certificates
(Figure: the honest certificate $K_i \to K_j$ binds user j to key $K_j$; a dishonest user holding $K_D$ issues the false certificate $Pr_{K_D}\{K'_j, j\}$, binding user j to the false key $K'_j$.)
- $K_D$: a key controlled by a dishonest user
- $K'_j$: a false key created by a dishonest user
- $Pr_{K_D}\{K_F, F\}$: a certificate, signed with $K_D$, binding user F to a key $K_F$
Design goals
- performance: redefined by taking authentication metrics into account
- key usage: ideally, all vertices need to be used for authentication an equal number of times (to be on the path an equal number of times)
- scalability: minimize the size of the local repositories (subgraphs) and the communication cost
- invariance to certificate graph changes
Performance with authentication metrics
Authentication metric: the value $\mu(u, v, G)$ represents the assurance with which $u$ can obtain the authentic public key of $v$ using the information in $G$.
Performance of a subgraph selection algorithm $A$:
$p_A(s, G) = \frac{1}{\#W} \sum_{(u, v) \in W} \frac{\mu(u, v, G_u^A \cup G_v^A)}{\mu(u, v, G)}$, where $W = \{(u, v) \in V \times V : \mu(u, v, G) > 0\}$
Examples of authentication metrics include: number of disjoint paths of certificates, number of bounded and k-bounded disjoint paths, ...
Special case: binary authentication metric:
$\mu(u, v, G) = 1$ if $u \to_G v$ (there is a path of certificates from $u$ to $v$ in $G$), $\mu(u, v, G) = 0$ otherwise
Key usage
The key usage is defined as the number of times that a key is used for authentication. Formally:
Given a certificate graph $G(V, E)$, a local repository construction algorithm $A$ and an authentication metric $\mu$; for each pair of vertices $(K_u, K_v) \in V \times V$, we define the set of all edges that are used in the merged subgraphs, considering that we are using metric $\mu$:
$M(K_u, K_v) = \{(K_w, K_z) \in (G_u^A \cup G_v^A) : \mu(K_u, K_v, (G_u^A \cup G_v^A) \setminus (K_w, K_z)) < \mu(K_u, K_v, G_u^A \cup G_v^A)\}$
For each vertex $K_w$, its usage $U^A_{(u,v)}(K_w)$ in $(G_u^A \cup G_v^A)$ is defined as:
$U^A_{(u,v)}(K_w) = |\{(K_z, K_x) \in M(K_u, K_v) : K_z = K_w\}|$
The usage of $K_w$ is then defined as:
$U^A(K_w) = \sum_{(K_u, K_v) \in V \times V} U^A_{(u,v)}(K_w)$
Fundamental design limit (1): size of the repositories
Problem 1: Find a set of subgraphs that minimizes the size of local repositories such that p=1
Theorem 1: Let us consider a certificate graph $G(V, E)$, a subgraph construction algorithm $A$, and an authentication metric $\mu$. If $p_A(s, G) = 1$, then $s$ is minimized if $\forall K_v \in V$, $G_v^A = sp(K_v, K_{x_0}) \cup sp(K_{x_0}, K_v)$, where $sp(K_v, K_x)$ is the shortest path from $K_v$ to $K_x$ in $G$, and $K_{x_0}$ is the vertex $K_x$ that minimizes $\max_{K_v \in V} (d(K_v, K_x) + d(K_x, K_v))$, where $d(K_v, K_x)$ is the length of $sp(K_v, K_x)$.
Furthermore, $s = \min_{K_x \in V} \max_{K_v \in V} (d(K_v, K_x) + d(K_x, K_v))$.
Fundamental design limit (2): key usage
Problem 2: Find a set of subgraphs that minimizes the size of local repositories such that p=1 and $U(K_v) = U(K_u)$
Theorem 2: Let us consider a certificate graph $G(V, E)$, a subgraph construction algorithm $A$, and a binary authentication metric $\mu$. If (i) $p_A(s_0, G) = 1$, (ii) $U(K_v) = U(K_u)$, $\forall K_u, K_v \in V$, and (iii) $|E(G_v^A)| = s_0$ for each $K_v \in V$, then $s_0 \ge \sqrt{|V|} - 1$.
Example of construction with $s = 2(\sqrt{|V|} - 1)$:
(Figure: $|V| = 4$, $s = 2$; $|V| = 9$, $s = 4$.)
Maximum degree simulation results
Maximum degree (repositories storing 1, 3 or 6 paths):
                                 repository     Mean     Shortest   No. of
                                 no. of paths   length   path       paths
PGP (5000 vertices):             1              8.24     8.24       1
                                 3              8.23     7.69       1.42
                                 6              8.15     7.67       1.44
Artificial certificate graphs:   1              17.66    17.66      1
                                 3              18.77    12.55      2.39
                                 6              16       10.53      2.55
The whole graph:
                                                Mean     Shortest   No. of
                                                length   path       paths
PGP (5000 vertices):                            6.6      6.19       1.55
Artificial certificate graphs:                  6.8      5.71       3.66
PGP certificate graph
The PGP graph is the only known example of self-organized certificate graph creation.
(Figure: largest connected component of the PGP certificate graph, 2001 (8695 keys).)
Key usage
(Figure: certificate usage with the Maximum Degree algorithm and the Shortest Paths on the PGP graph and on an artificial certificate graph.)
Small-world graphs
Small world graph characteristics:
- a small characteristic length (the median of the means of the shortest paths between all pairs of users)
- a large clustering coefficient (a very high likelihood that two friends of a friend are friends as well)
- a logarithmic characteristic length scaling
Shortcut: an edge upon whose disconnection the shortest path between the two vertices previously connected by this edge becomes strictly larger than 2.
Watts model
(Figure: a regular lattice at $\Phi = 0$, small world graphs in between, random graphs at $\Phi = 1$.)
$\Phi$ is the fraction of shortcuts in the total number of edges of a graph.
CONSTRUCTION PRINCIPLE: REWIRE A REGULAR 1-D LATTICE RANDOMLY (CREATING SHORTCUTS)
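The shortcut definition from the previous slide and the lattice-rewiring construction above, as an added Python example that is not from the slides or from Watts' book. The lattice size and the rewiring rule (with probability beta, move one endpoint of an edge to a uniformly chosen node) are assumptions of the example.

```python
from collections import deque
import random

def ring_lattice(n, k):
    """Regular 1-D lattice: node i is linked to its k nearest neighbours on each side."""
    return {frozenset((i, (i + j) % n)) for i in range(n) for j in range(1, k + 1)}

def distance(edges, a, b):
    """BFS hop distance between a and b over an undirected edge set; None if disconnected."""
    nbrs = {}
    for e in edges:
        x, y = tuple(e)
        nbrs.setdefault(x, set()).add(y)
        nbrs.setdefault(y, set()).add(x)
    dist, queue = {a: 0}, deque([a])
    while queue:
        x = queue.popleft()
        if x == b:
            return dist[x]
        for y in nbrs.get(x, ()):
            if y not in dist:
                dist[y] = dist[x] + 1
                queue.append(y)
    return None

def is_shortcut(edges, e):
    """An edge is a shortcut if, once it is removed, its two endpoints are strictly
    more than 2 hops apart (or disconnected altogether)."""
    a, b = tuple(e)
    d = distance(edges - {e}, a, b)
    return d is None or d > 2

def phi(edges):
    """Phi: the fraction of edges that are shortcuts (0 for a lattice with k >= 2)."""
    return sum(is_shortcut(edges, e) for e in edges) / len(edges)

def rewire(edges, n, beta, seed=0):
    """Assumed rewiring rule: each edge is, with probability beta, replaced by an edge from
    one of its endpoints to a uniformly chosen node; self-loops and duplicate edges are
    skipped so that the number of edges is preserved."""
    rng = random.Random(seed)
    result = set(edges)
    for a, b in sorted(tuple(sorted(e)) for e in edges):
        if rng.random() < beta:
            new = rng.randrange(n)
            cand = frozenset((a, new))
            if new != a and cand not in result:
                result.discard(frozenset((a, b)))
                result.add(cand)
    return result
```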
Characteristics of the PGP graph
(Figure: characteristic length (3 to 7) and clustering coefficient (0 to 0.7) of the PGP graph versus graph size, from 500 to about 12500 keys.)
Power law of the PGP graph
The degree power law: the probability $p_i$ that a node has degree $i$ is proportional to $1/i^k$ for some positive $k > 1$, where $k$ is called the power factor.
Construction of the artificial certificate graph
Principle: REWIRE AN IRREGULAR 1-D LATTICE RANDOMLY
1. Create an irregular lattice, according to the degree distribution provided by the power law
2. Rewire the lattice (adding or removing the shortcuts) to achieve the desired $\Phi$-coefficient
Comparison of artificial and PGP graphs
(Figures: the PGP certificate graph shown beside the artificial certificate graph.)
Conclusion on Part 1 of Security for mobile ad hoc networks
- Very difficult problem, because of the nature of the network
- Crucial issue: ad hoc networks cannot be used in practice if they are not secure
- The kind of scenario considered (civilian / military, personal devices / sensors, ...) can radically influence the solution to be chosen
- The presence or absence of an authority (e.g., in charge of distributing the keys) can lead to very different solutions in terms of key agreement
References
- M. Reiter and S. Stubblebine. Authentication metric analysis and design. ACM Transactions on Information and System Security, 1999.
- D. Watts. Small Worlds. Princeton University Press, 1999.
- Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang. Providing Robust and Ubiquitous Security Support for Mobile Ad Hoc Networks. ICNP 2001.
- S. Capkun, L. Buttyan, JP Hubaux. Trust Relationships in Mobile Ad Hoc Networks. LCA technical report, 2001.
- JP Hubaux, L. Buttyan, S. Capkun. The Quest for Security of Mobile Ad Hoc Networks. MobiHoc 2001.
For security in sensor networks, check: A. Perrig et al. SPINS: Security Protocols for Sensor Networks. Mobicom 2001.