l. zhou, z.j. haas: securing ad hoc networks, 1999 1 (26) l. zhou and z. j. haas, cornell...

L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 1 (26)

L. Zhou and Z. J. Haas, Cornell University:

Securing Ad Hoc Networks

presented by Johanna Vartiainen

[email protected]

Centre for Wireless CommunicationsUniversity of Oulu, Finland


1. Introduction2. Security Goals and Challenges3. Scope and Roadmap4. Secure Routing5. Key Management Service6. The System Model7. Threshold Cryptography8. Proactive Security and Adaptability9. Conclusions

Outline


1. Introduction

• Ad hoc networks do not rely in any fixed infstractructure, unlike trational mobile wireless networks

• To keep the network connecting, hosts rely on each other• Mobile nodes comminicate directly via wireless links or

rely on other nodes to relay messages as routers• Frequent changes of network topology caused by node

mobility• Main applications are military and other secure-sensitive

operations• Ad hoc networks has unique properties -> commercial

use, e.g. virtual classrooms and sensor networks• Main challenges: vulnerability to security attacks• Article studies the threats and security goals

– New challenges and opportunities– How to defend against denial-of-service attacks

towards routing protocols


2. Security Goals 1/3

• Security is a very important issue for ad hoc networks

• Availability: ensures the survivability of network services despite denial-of-service attacks– A denial-of-service attack could be launched at any

layer• Confidentiality: ensures that certain information is never

disclosed for unauthorized entities• Integrity: guarantees that a message being transferred is

never corrupted• Authentication: enables a node to ensure the identity of

the peer node with which it is communicating• Nonrepudiation: ensures that the origin of a

message cannot deny having sent the message


2. Challenges 2/3

1. To achieving security goals, in ad hoc networks are both challenges and opportunities

2. Wireless links are sensitive to link attacks– eavesdropping is violating confidentiality – active impersonation and active attacks - even

message distortion - are violating availability, integrity, authentication and nonredudiation

3. Nodes in a hostile environment with comparatively poor physical protection are endangered– E.g. nodes in the battlefield– Attacks can be launched from

within the networkDistributed architecture with no central entries to achieve high

survivability


2. Challenges 3/3

3. Because of frequent changes, ad hoc network is dynamic– Changes in topology and in its membership– Among nodes trust relationships also change

Security mechanism should to adapt to the changes

4. Ad hoc networks may consist of hundreds or even thousands of nodes

Security mechanism should be capable to handle such a big group of nodes


3. Scope and Roadmap

• Traditional security mechanisms still have important role in ad hoc networks– ... but these are not sufficient enough

1. We rely on the two principles :2. To achieve availability, we take adavantage of

redundancies in the network topology3. Distribution of trust to an aggregation of nodes

– No single node is trustworthy– Assume: any t+1 nodes are improbable to all be

compromised, consensus of at least t+1 nodes is trustworthy


4. Secure Routing 1/4

• All key-beeping based cryptographic schemes demand a key management service– Responsible for keeping track of bindings between

keys and nodes and assisting the establishment of mutual trust and secure communication between nodes

• Routing protocols should to be robust against dynamically changing topology and hostile attacks

• Proposed routing protocols do cope well with the changing topology

• ... but not against hostile attacks



• In most routing protocols, routers exchange information about the network topology in order to establish routes between nodes– A target for hostile objector who want to bring the

network downnnnn

1. There is two kinds of threats to routing protocols :2. From external attackers

– Injecting erroneous routing information, replaying old routing information, distorting routing information

– Countermeasure: nodes can protect routing information as they protect data traffic

• Cryptographic schemes, e.g. digital signature

– Ineffective against attacks from compromised servers



2. From compromised nodes– More severe kind of threats !– Compromised noise might advertise incorrect

routing information to other nodes– Compromised nodes are still able to generate valid

signatures using their private keys

NOTE : there is always a possibility that the node is compromised !

– Because of dynamical nature of ad hoc networks, detection of compromised node is difficult : is a piece of routing information invalid because of compromised node OR because of topology changes ?


4. Secure Routing 4/4• Some properties of ad hoc networks can exploit to achieve

seecure routing• False routing information by compromised nodes could be

considered as an outdated information (to some extent)• If there is enough correct nodes, the routing protocol

should be able to find routes that go around compromised nodes

• That capability usually relies on the inherent redundancies in ad hoc networks– Multiple routes between nodes, possibly disjoint

• Nodes can switch the primary, failed route to an alternative route if routing protocol can discover multiple routes

• Diversity codes takes advantage of multiple paths without message retransformation– Redundance information is transmitted through

additional routes for error detection and correction• E.g. n disjoint routes, n-r channels for transmitting the

data and r channels to transmit redundant information


5. Key Management Service 1/2

• Use of cryptograpnic schemes requires key management service

• A public key infrastructure is adopted– Superiority in distributing keys and achieving integrity and

nonrepudiatation– Secret key schemes are used to secure communication

after nodes authentication each other and establish a shared secret session key

• Each node has public and private key (key pair) in a public key system

• Public key is really public, so it can be distributed to other nodes

• Private key is absolutely confidential• There is a trusted entity for key management

– The certification authority (CA) which has a key pair


5. Key Management Service 2/2

• The CA has to stay online to reflect the current bindings because the bindings can change

• The CA is vulnerable point of network– Unavailability of the CA means that nodes cannot get the

current public keys of other nodes or nodes cannot establish secure communication

• It is problematic to have only one CA especially if the network is huge

• But a replication ot the CA makes the service even more vulnerable

• The article distributes trust to a set of nodes by letting these nodes share the key management responsibility


6. The System Model 1/2

• Assumptions :• A network without no bound on message delivery and

processing times• The underlying network layer provides reliable links (much

weaker link assumption to a separate article in preparation)• All nodes know the public key of the service and trust any

certificates signed using the corresponding private key• Nodes can submit query request to get other nodes public

key• Nodes can submit update request to change their own keys• (n,t+1) configuration, n>=3t+1

– n special nodes, called servers– Each server has its own key pair and stores the public keys of all

nodes in the network and each server knows the public keys of other servers

– t is the number of servers that the adversary can compromise in any period of time of a certain duration


6. The System Model 2/2

1. The adversary has access to all the secret information stored on the server if a server is compromised

2. The adversary lacks the computational power to break the cryptographic schemes we employ

3. The service is correct if two concitions hold :4. Robustness : the service is always able to process requests

(query and update) from clients5. Confidentiality : the private key of the service is never

disclosed to an adversary


7. Threshold cryptography 1/4• Distribution of trust is accomplished using threshold

cryptography• (n,t+1) threshold cryptography scheme ( n servers, t

compromised servers)• The private key k of the service is divided into n shares

s1, ..., sn , one share for each server

• Each server has also a key pair Ki /ki (public and private key)

• The public key K is known to all nodes in the network

Server 1 Server 2 Server n

..

k

s1 s2 sn

K1/k1 K2/k2Kn/kn

Fig. 1: The configuration of a key management service


7. Threshold cryptography 2/4• For the service to sign a cerfiticate, each server generates a

partial signature for the certificate using its private key share and submits the partial signature to a combiner

• Any server can be a combiner, to ensure that a compromised combiner cannot prevent a signature, it can be used t+1 servers as a combiners

– To make sure that at least one combiner is correct– Compromised servers (at most t ) are not able to generate

correctly signed certificates, because they can generate at most t partial signatures

• With t+1 correct partial signatures, the combiner can compute the signature for the certificate


7. Threshold cryptography 3/4• K/k is the key pair of the server• (3,2) cryptographic scheme, e.g. n=3, t=1 ( 3 servers and 1

of these servers is compromised)

• Each server i gets a share of si of the private key k

• Message m : server i can generate a partial signature PS(m,si ) using its share si . In this case, i=1 and 3.

• Correct servers (1 and 3) both generate partial signatures and forward the signatures to a combiner

• Combiner can generate thesignature of m signed by server private key k

Fig. 2: Threshold signature K/k

Server 2

Server 1

Server 3

m

s1

s2

s3

combiner

PS(m,s1)

PS(m,s3)

Server 2


7. Threshold cryptography 2/4• Compromised servers ...• ... can generate an incorrect partial signature

– That can yield an invalid signature• BUT a combiner can verify the validity of a computed

signature using the service public key• If vertification fails, the combiner tries another set of partial

signatures... and continues until the correct signature is constructed


8. Proactive Security and Adaptability 1/6• Key management service also employs the share refreshing

to tolerate ’mobile’ adversaries and adapt its configuration to changes in the network

– Mobile adversary temporarily compromise a server and then move to the next victim

• Mobile adversary might be able to compromise all the servers over a long period of time (e.g. viruses)

• Compromised servers may be detected and excluded, but the adversary could still gather more than t shares of the private key from compromised servers over time

That would allow the adversary to generate any valid certificates signed by the private key

• Countermeasure: proactive threshold cryptography scheme


8. Proactive Security and Adaptability 2/6• A proactive threshold cryptography scheme uses share

refreshing• That enables servers to compute new shares from old ones in

collaboration without exposing the service private key to any server

• The new share compose a new (n, t+1) sharing of the service private key

• Refreshing is done periodically• Servers remove the old shares after refreshing and starts to

use new shares

The adversary has to compromise t+1 servers every time after refreshing, again and again …

• Share refreshing is based on the property called homomorphic [see page 27 in the reference]


8. Proactive Security and Adaptability 3/6• Every server generates so called subshares• When server gets subshares, it can compute a new share

from these subshares and its old share• Share refreshing must tolerate missing subshares and

erroneous subshares from compromised servers– A compromised server may not send any subshares

• For servers to detect incorrect subshares, the verifiable secret sharing schemes can be used– That scheme generates extra public information for

each (sub)share using a one-way function– The public information can testify to the correctness of

the corresponding (sub)shares without disclosing the (sub)shares


8. Proactive Security and Adaptability 4/6• A variation of share refreshing also allows the key

management service to change its configuration so it can adapt itself to changes in the network – The service should exclude the compromised server and

refresh the exposed share– The service should change its configuration if it is no

longer available or a new server is added• The original set of servers generate and distribute

subshares based on the new configuration of the service • Share refreshing is transparent to all nodes because it does

not change the service key pair– The same public key is still in use


8. Proactive Security and Adaptability 5/6• Existing threshold cryptography and proactive threshold

cryptography scmemes assume a

synchronous system

• Any synchronos assumption is a weak point in the system– The adversary can launch denial-of-service attacks to

slow down a node or to disconnect a node for a long enough period of time to invalidate the synchrony assumption

• to attenuate the weak point: key management service presented works in an asynchronous setting– Problems ? yes, one of these is that we don’t know is the

server compromised or is it just slow

This assumption is not necessarily valid in ad hoc networks


8. Proactive Security and Adaptability 6/6• In the paper it is required that there are enough correct

servers being up to date– NOT that all the correct servers are consistent after

each operation• Also it is required enough signatures

– At least one correct server must have provided one signature, thus assuring the validity of the message

• Detailed description of the service is not provided


9. Conclusions

• Security threats an ad hoc networks was analyzed• Secure routing• Secure key management service• Threshold cryptography

Weaknesses:– prototype, no details– still problems

l. zhou, z.j. haas: securing ad hoc networks, 1999 1 (26) l. zhou and z. j. haas, cornell...

Documents

networks availability

message slide

security attacks article

proactive security

security goals new challenges

service attacks

finland slide

active attacks