l. zhou, z.j. haas: securing ad hoc networks, 1999 1 (26) l. zhou and z. j. haas, cornell...
Post on 19-Dec-2015
214 views
TRANSCRIPT
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 1 (26)
L. Zhou and Z. J. Haas, Cornell University:
Securing Ad Hoc Networks
presented by Johanna Vartiainen
Centre for Wireless CommunicationsUniversity of Oulu, Finland
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 2 (26)
1. Introduction2. Security Goals and Challenges3. Scope and Roadmap4. Secure Routing5. Key Management Service6. The System Model7. Threshold Cryptography8. Proactive Security and Adaptability9. Conclusions
Outline
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 3 (26)
1. Introduction
• Ad hoc networks do not rely in any fixed infstractructure, unlike trational mobile wireless networks
• To keep the network connecting, hosts rely on each other• Mobile nodes comminicate directly via wireless links or
rely on other nodes to relay messages as routers• Frequent changes of network topology caused by node
mobility• Main applications are military and other secure-sensitive
operations• Ad hoc networks has unique properties -> commercial
use, e.g. virtual classrooms and sensor networks• Main challenges: vulnerability to security attacks• Article studies the threats and security goals
– New challenges and opportunities– How to defend against denial-of-service attacks
towards routing protocols
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 4 (26)
2. Security Goals 1/3
• Security is a very important issue for ad hoc networks
• Availability: ensures the survivability of network services despite denial-of-service attacks– A denial-of-service attack could be launched at any
layer• Confidentiality: ensures that certain information is never
disclosed for unauthorized entities• Integrity: guarantees that a message being transferred is
never corrupted• Authentication: enables a node to ensure the identity of
the peer node with which it is communicating• Nonrepudiation: ensures that the origin of a
message cannot deny having sent the message
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 5 (26)
2. Challenges 2/3
1. To achieving security goals, in ad hoc networks are both challenges and opportunities
2. Wireless links are sensitive to link attacks– eavesdropping is violating confidentiality – active impersonation and active attacks - even
message distortion - are violating availability, integrity, authentication and nonredudiation
3. Nodes in a hostile environment with comparatively poor physical protection are endangered– E.g. nodes in the battlefield– Attacks can be launched from
within the networkDistributed architecture with no central entries to achieve high
survivability
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 6 (26)
2. Challenges 3/3
3. Because of frequent changes, ad hoc network is dynamic– Changes in topology and in its membership– Among nodes trust relationships also change
Security mechanism should to adapt to the changes
4. Ad hoc networks may consist of hundreds or even thousands of nodes
Security mechanism should be capable to handle such a big group of nodes
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 7 (26)
3. Scope and Roadmap
• Traditional security mechanisms still have important role in ad hoc networks– ... but these are not sufficient enough
1. We rely on the two principles :2. To achieve availability, we take adavantage of
redundancies in the network topology3. Distribution of trust to an aggregation of nodes
– No single node is trustworthy– Assume: any t+1 nodes are improbable to all be
compromised, consensus of at least t+1 nodes is trustworthy
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 8 (26)
4. Secure Routing 1/4
• All key-beeping based cryptographic schemes demand a key management service– Responsible for keeping track of bindings between
keys and nodes and assisting the establishment of mutual trust and secure communication between nodes
• Routing protocols should to be robust against dynamically changing topology and hostile attacks
• Proposed routing protocols do cope well with the changing topology
• ... but not against hostile attacks
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 9 (26)
4. Secure Routing 2/4
• In most routing protocols, routers exchange information about the network topology in order to establish routes between nodes– A target for hostile objector who want to bring the
network downnnnn
1. There is two kinds of threats to routing protocols :2. From external attackers
– Injecting erroneous routing information, replaying old routing information, distorting routing information
– Countermeasure: nodes can protect routing information as they protect data traffic
• Cryptographic schemes, e.g. digital signature
– Ineffective against attacks from compromised servers
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 10 (26)
4. Secure Routing 3/4
2. From compromised nodes– More severe kind of threats !– Compromised noise might advertise incorrect
routing information to other nodes– Compromised nodes are still able to generate valid
signatures using their private keys
NOTE : there is always a possibility that the node is compromised !
– Because of dynamical nature of ad hoc networks, detection of compromised node is difficult : is a piece of routing information invalid because of compromised node OR because of topology changes ?
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 11 (26)
4. Secure Routing 4/4• Some properties of ad hoc networks can exploit to achieve
seecure routing• False routing information by compromised nodes could be
considered as an outdated information (to some extent)• If there is enough correct nodes, the routing protocol
should be able to find routes that go around compromised nodes
• That capability usually relies on the inherent redundancies in ad hoc networks– Multiple routes between nodes, possibly disjoint
• Nodes can switch the primary, failed route to an alternative route if routing protocol can discover multiple routes
• Diversity codes takes advantage of multiple paths without message retransformation– Redundance information is transmitted through
additional routes for error detection and correction• E.g. n disjoint routes, n-r channels for transmitting the
data and r channels to transmit redundant information
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 12 (26)
5. Key Management Service 1/2
• Use of cryptograpnic schemes requires key management service
• A public key infrastructure is adopted– Superiority in distributing keys and achieving integrity and
nonrepudiatation– Secret key schemes are used to secure communication
after nodes authentication each other and establish a shared secret session key
• Each node has public and private key (key pair) in a public key system
• Public key is really public, so it can be distributed to other nodes
• Private key is absolutely confidential• There is a trusted entity for key management
– The certification authority (CA) which has a key pair
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 13 (26)
5. Key Management Service 2/2
• The CA has to stay online to reflect the current bindings because the bindings can change
• The CA is vulnerable point of network– Unavailability of the CA means that nodes cannot get the
current public keys of other nodes or nodes cannot establish secure communication
• It is problematic to have only one CA especially if the network is huge
• But a replication ot the CA makes the service even more vulnerable
• The article distributes trust to a set of nodes by letting these nodes share the key management responsibility
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 14 (26)
6. The System Model 1/2
• Assumptions :• A network without no bound on message delivery and
processing times• The underlying network layer provides reliable links (much
weaker link assumption to a separate article in preparation)• All nodes know the public key of the service and trust any
certificates signed using the corresponding private key• Nodes can submit query request to get other nodes public
key• Nodes can submit update request to change their own keys• (n,t+1) configuration, n>=3t+1
– n special nodes, called servers– Each server has its own key pair and stores the public keys of all
nodes in the network and each server knows the public keys of other servers
– t is the number of servers that the adversary can compromise in any period of time of a certain duration
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 15 (26)
6. The System Model 2/2
1. The adversary has access to all the secret information stored on the server if a server is compromised
2. The adversary lacks the computational power to break the cryptographic schemes we employ
3. The service is correct if two concitions hold :4. Robustness : the service is always able to process requests
(query and update) from clients5. Confidentiality : the private key of the service is never
disclosed to an adversary
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 16 (26)
7. Threshold cryptography 1/4• Distribution of trust is accomplished using threshold
cryptography• (n,t+1) threshold cryptography scheme ( n servers, t
compromised servers)• The private key k of the service is divided into n shares
s1, ..., sn , one share for each server
• Each server has also a key pair Ki /ki (public and private key)
• The public key K is known to all nodes in the network
Server 1 Server 2 Server n
..
k
s1 s2 sn
K1/k1 K2/k2Kn/kn
Fig. 1: The configuration of a key management service
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 17 (26)
7. Threshold cryptography 2/4• For the service to sign a cerfiticate, each server generates a
partial signature for the certificate using its private key share and submits the partial signature to a combiner
• Any server can be a combiner, to ensure that a compromised combiner cannot prevent a signature, it can be used t+1 servers as a combiners
– To make sure that at least one combiner is correct– Compromised servers (at most t ) are not able to generate
correctly signed certificates, because they can generate at most t partial signatures
• With t+1 correct partial signatures, the combiner can compute the signature for the certificate
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 18 (26)
7. Threshold cryptography 3/4• K/k is the key pair of the server• (3,2) cryptographic scheme, e.g. n=3, t=1 ( 3 servers and 1
of these servers is compromised)
• Each server i gets a share of si of the private key k
• Message m : server i can generate a partial signature PS(m,si ) using its share si . In this case, i=1 and 3.
• Correct servers (1 and 3) both generate partial signatures and forward the signatures to a combiner
• Combiner can generate thesignature of m signed by server private key k
Fig. 2: Threshold signature K/k
Server 2
Server 1
Server 3
m
s1
s2
s3
combiner
PS(m,s1)
PS(m,s3)
Server 2
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 19 (26)
7. Threshold cryptography 2/4• Compromised servers ...• ... can generate an incorrect partial signature
– That can yield an invalid signature• BUT a combiner can verify the validity of a computed
signature using the service public key• If vertification fails, the combiner tries another set of partial
signatures... and continues until the correct signature is constructed
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 20 (26)
8. Proactive Security and Adaptability 1/6• Key management service also employs the share refreshing
to tolerate ’mobile’ adversaries and adapt its configuration to changes in the network
– Mobile adversary temporarily compromise a server and then move to the next victim
• Mobile adversary might be able to compromise all the servers over a long period of time (e.g. viruses)
• Compromised servers may be detected and excluded, but the adversary could still gather more than t shares of the private key from compromised servers over time
That would allow the adversary to generate any valid certificates signed by the private key
• Countermeasure: proactive threshold cryptography scheme
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 21 (26)
8. Proactive Security and Adaptability 2/6• A proactive threshold cryptography scheme uses share
refreshing• That enables servers to compute new shares from old ones in
collaboration without exposing the service private key to any server
• The new share compose a new (n, t+1) sharing of the service private key
• Refreshing is done periodically• Servers remove the old shares after refreshing and starts to
use new shares
The adversary has to compromise t+1 servers every time after refreshing, again and again …
• Share refreshing is based on the property called homomorphic [see page 27 in the reference]
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 22 (26)
8. Proactive Security and Adaptability 3/6• Every server generates so called subshares• When server gets subshares, it can compute a new share
from these subshares and its old share• Share refreshing must tolerate missing subshares and
erroneous subshares from compromised servers– A compromised server may not send any subshares
• For servers to detect incorrect subshares, the verifiable secret sharing schemes can be used– That scheme generates extra public information for
each (sub)share using a one-way function– The public information can testify to the correctness of
the corresponding (sub)shares without disclosing the (sub)shares
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 23 (26)
8. Proactive Security and Adaptability 4/6• A variation of share refreshing also allows the key
management service to change its configuration so it can adapt itself to changes in the network – The service should exclude the compromised server and
refresh the exposed share– The service should change its configuration if it is no
longer available or a new server is added• The original set of servers generate and distribute
subshares based on the new configuration of the service • Share refreshing is transparent to all nodes because it does
not change the service key pair– The same public key is still in use
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 24 (26)
8. Proactive Security and Adaptability 5/6• Existing threshold cryptography and proactive threshold
cryptography scmemes assume a
synchronous system
• Any synchronos assumption is a weak point in the system– The adversary can launch denial-of-service attacks to
slow down a node or to disconnect a node for a long enough period of time to invalidate the synchrony assumption
• to attenuate the weak point: key management service presented works in an asynchronous setting– Problems ? yes, one of these is that we don’t know is the
server compromised or is it just slow
This assumption is not necessarily valid in ad hoc networks
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 25 (26)
8. Proactive Security and Adaptability 6/6• In the paper it is required that there are enough correct
servers being up to date– NOT that all the correct servers are consistent after
each operation• Also it is required enough signatures
– At least one correct server must have provided one signature, thus assuring the validity of the message
• Detailed description of the service is not provided
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 26 (26)
9. Conclusions
• Security threats an ad hoc networks was analyzed• Secure routing• Secure key management service• Threshold cryptography
Weaknesses:– prototype, no details– still problems