Security for Ubiquitous and Adhoc

Networks

Çetin Kaya KoçOregon State University, Professorhttp://islab.oregonstate.edu/kockoc@ece.orst.edu

Mobile Adhoc Networks

Collection of nodes that do not rely on a predefined infrastructure

Adhoc networks can be formed merged together partitioned to separate networks

Not necessarily but often mobile There may exist static and wired nodes

Examples Computer science classroom

adhoc network between student PDAs and workstation of the instructor

Large IT campus Employees of a company moving within a large campus with

PDAs, laptops, and cellphones Moving soldiers with wearable computers

Eavesdropping, denial-of-service and impersonation attacks can be launched

Shopping mall, restaurant, coffee shops Customers spend part of the day in a networked mall of

specialty shops, coffee shops, and restaurants

Examples

12

3

4

56

7

Group A

Group B

Group C

A trust relationship among 3 different adhoc groups

Networking Infrastructure

Networking topologies

Flat infrastructure (zero-tier) All nodes have equivalent routing roles No hierarchy

Hierarchical infrastructure (N-tier) Cluster nodes have different routing roles Control the traffic between cluster and other clusters

Routing Protocols

Proactive: table-driven and distance vector protocols Nodes periodically refresh the existing routing info,

every node can operate with consistent and up-to-date tables

Reactive (on-demand): updates the routing information only when necessary Most routing protocols are reactive

Hybrid: uses both reactive and proactive protocols For example, proactive protocol between networks,

reactive protocol inside of networks

Networking Constraints

Mobility Due to mobility, topology of network can change frequently Nodes can be temporarily off-line or unreachable

Resource constraints Energy constraints Memory and CPU constraints Bandwidth constraints

Prior trust relationship Availability of Internet connection Central trust authority, base station Pre-distributed symmetric keys Pre-defined certificates and certificate revocation lists

Trust Management

Trust model Node-to-node trust Node-to-central authority trust

Cryptosystems Public-key cryptosystem

More convenience Digital signature possibility

Secret-key cryptosystem Less functionality Key distribution problem

Trust Models

Web of Trust Model Hierarchical Model

Key Management

Key creation Central key creation Distributed key creation

Key storage Centralized Replicated storage for fault tolerance Distributed, on each node

Partial key storage (shared secrets) Full key storage

Key distribution Symmetric and private keys: Confidentiality, authenticity and integrity

should not be violated Public keys: Integrity and authenticity should be preserved

Availability

Network services should operate properly Network services should tolerate failures even when DoS

attack threats Several availability attacks:

Network layer: the attacker can modify the routing protocol (divert the traffic to invalid addresses)

Network layer: adversary can shut down the network Session layer: adversary can remove encryption in the session-level

secure channel Application layer: availability of essential services may be threatened

Physical Security

Nodes are assumed to have low physical security Nodes can easily be stolen or compromised by an

adversary Fewer than 1/3 of the principals at the time of network

formation are corrupted or malicious Single or distributed point of failure

Identification and Authentication

Only authorized nodes (subjects) can have access to data (objects)

Only authorized nodes may form, destroy, join or leave groups

Identification can be satisfied by: User ID-Password based authentication systems Presented adequate credentials Delegate certificates

Network Operations

Link layer protections Protects confidentiality Protects authenticity

Network layer protections IPSec in case of IP-based routing

Confidentiality of routing info Authenticity and integrity of routing info

Against impersonation attacks Against destruction and manipulation of messages Against false traffic due to hardware or network failure

Network Operations

Non-repudiation of routing info Routing traffic must leave traces

Management of network Must be protected from disclosure Must be protected against tampering Must be protected against modified configuration tables by

adversary (for reactive routing protocols)

Key Management Security

Environment-specific and efficient key management system Nodes must have made a mutual agreement on a shared

secret or exchanged public keys In more dynamic environments

Exchange of encryption keys may be addressed on-demand In less dynamic environments

Keys are mutually agreed proactively or configured manually

Key Management Security

Private keys have to be stored in the nodes confidentially Encrypted with the system key With proper hardware protection (smart cards) By distributing the key in parts to several nodes

Centralized approaches are vulnerable as single point of failures

Adhoc Keying Mechanisms

ID-based cryptography Master public key/secret key is generated by private-key

generation service (PKG) Master keys known to everyone Arbitrary identities are public keys

Identity: “A1” Public key: “MasterPublicKey | A1”

Private keys should be delivered to nodes by PKG

Adhoc Keying Mechanisms

ID-based encryption schemes Setup: input a security parameter, return master public/secret

keys Extract: input master secret key and identity, return the

personal secret key corresponding to identity Encrypt: input master public key, the identity of the recipient

and message, return ciphertext Decrypt: input master public key, ciphertext and a personal

secret key, return plaintext

Adhoc Keying Mechanisms

Threshold cryptography Allows operations to be “split” among multiple users In t-out-of-n threshold scheme, any set of t users can compute

function while any set of t-1 users cannot If adversary compromises even t-1 users, he cannot perform crypto

operation Honest user who needs to perform crypto operation should contact

t of users Secure against Byzantine adversaries exist for t < n/2, secure

against passive adversaries can support t < n

Resurrecting Duckling Security Model

Two state principle (duckling) Imprintable Imprinted

Imprinting principle Transition from imprintable to imprinted Mother node sends imprinting key

Imprintable Imprinted(alive)

imprinting

death

Resurrecting Duckling Security Policy

New node identifies and authenticates itself to the nearest active node (mother) in the group: imprinting

A shared secret key is established between mother and the new node: bootstrapping is generally accomplished by physical contact

This key provides privacy of computations between the node and the mother

A node may die, returning to its imprintable mode A new imprinting by another mother is possible: reverse

metempsychosis

Resurrecting Duckling Principles

Death principle Transition from imprinted to imprintable (death) Death by order of the mother Death by old age after predefined time interval Death on completion of a specific transaction/job

Assassination principle Assassination by attacker may be uneconomical Some suitable level of tamper resistance should be provided

Broken is different from death A node can be broken by an adversary, but it cannot be made

imprintable (it can be smashed, but it will not die)

Resurrecting Duckling Principles

If the shared secret key is lost and beyond recovery, we may want/need to regain control of the node The manufacturer may order the device to commit suicide

(escrowed seppuku) Shogun role by the manufacturer; however, this will cause

centralization If the mother keeps a copy of the imprinting key, localization

can be achieved Multilevel souls

The same node can serve to many mothers establishing different keys

Each soul in the node will have imprinted and imprintable states, souls would be functioning in parallel

Research at Oregon State University

Information Security Laboratory at Oregon State University is working towards developing a distributed Kerberos system for mobile adhoc network of devices Devices with different computing power, memory (code &

RAM) space, and power consumption properties Initial group formation (authentication) is accomplished by

physical contact, touching (imprinting) Symmetric cryptography based hierarchical trust model Key list & Trust list data structures Nodes may join and may gracefully leave the group Ungraceful (abrupt) leaving requires new touching

Group Formation

a

b c

d

Id Relation MAC Key

c Itself … …

a Parent … Kac

d Child … Kcd

Id Relation MAC Key

d Itself … …

c Parent … Kcd

KLc

KLd

KLa

Id Relation MAC

Key

a Itself … …

b Child … Kab

c Child … Kac

KLb

Id Relation MAC

Key

b Itself … …

a Parent … Kab

Node-to-node Key Agreement

a

b

e

d

i

h

g

f

c2

1

34

5

Ancestor SetsASb={a}

ASh={b, a}

ASd={a}

ASi={d, a}

Graceful Leave

a

b

e

d

i

h

g

f

c

j

Node j wants to leave the group

Node f generates new branch key and sends to b, b forwards new branch key to root node a, node a changes the group key and begins the group re-keying with refreshed branch keys

Abrupt Leave

a

b

e

d

i

h

g

f

c

j

Node d leaves the group abruptly

Node a generates new branch key for this branch, but since node i lost its mother, i should touch contact to any node in the group in order to re-join and re-authenticate

Questions & Comments

mail god@heaven.net < Questionsmv Comments /dev/null