Security in Wireless Ad hoc Networks Pietro Michiardi – [email protected] Institut Eurecom Journée Club SEE-SIC, 11 Mars 2004



Monday, March 08, 2004 1

Mobile Ad Hoc Networks (MANET)

Collection of wireless mobile hosts forming a temporary network

No fixed network infrastructure
No (or limited) organization

Applications:
  Military and Emergency
  Sensor Networks
  Civilian applications, ubiquitous computing


Trust in MANET

Managed environment
  A-priori trust
  Entity authentication ⇒ correct operation
  But: requirement for authentication infrastructure

Open environment
  No a-priori trust
  Authentication does not guarantee correct operation
  New security paradigm


Node Misbehavior

Selfish Nodes
  Do not cooperate
  Priority: battery saving
  No intentional damage to other nodes
  Exposure:
    passive denial of service
    black hole
    idle status

Malicious Nodes
  Goal: damage to other nodes
  Battery saving is not a priority
  Exposure:
    active attacks
    denial of service
    traffic subversion
    attacks exploiting the security mechanism


MANET Requirements

Wireless & Mobile
  Limited energy
  Lack of physical security

Ad hoc
  No infrastructure
  Lack of organization

Cooperation enforcement

Secure Routing

Key Management


Secure Routing - Objectives

Authentication (Integrity) of routing information

Entity authentication
  Source
  Destination
  Intermediate node

Correct behavior (of algorithm, if any)

Asymmetric vs. Symmetric Crypto
Pro-active vs. Reactive routing protocols


Secure Routing Proposals for MANET

ARIADNE [Hu, et al.]
  Shared secret known by (src, dst)
  Prerequisite: distribution of authenticated TESLA keys

Secure Routing Protocol [Papadimitriou, Haas]
  Security associations between source and destination only

ARAN [Dahill, et al.]
  PK certificates for IP @

SEAD [Hu, et al.]
  Proactive routing authenticated hash chains

TESLA with instant key disclosure (TIK)
  Cope with wormhole attack


Secure Routing Summary

No new requirement other than self-organized Key management

All solutions rely on some key set-up prior to secure routing operation

Contradiction: long-lived security associations in self-organized MANET


Key Management Challenges

Lack of (or limited)
  Security infrastructure
    Key servers (KDC, CA, RA)
  Organization (a priori trust)

p2p
Authentication is not sufficient to build trust


Key Management Objectives

Bootstrapping from scratch

Fully distributed

Minimum dependency


Key Management Approaches

Based on symmetric crypto

(ID, PK) binding
  PK Certificate = (ID,PK)CA
    Self-organized CA
    Web of trust (PGP)
  No certificate
    Crypto-based IDs: ID = h(PK)
    ID-based Crypto: PK = f(ID)

Context-dependent authentication
  Location-limited channels
  Shared passwords


(ID, PK) binding

Self-organized CA
[Zhou, Haas] [Kong, et al.] [Yi, Kravets] [Lehane, et al.]

Based on threshold cryptography

PROs: distributed approach, self-organized
CONs: share distribution during bootstrap phase, network density

[Figure: partial certificates [cert(PKi)]SK1, [cert(PKi)]SK2, … [cert(PKi)]SKi and the full certificate CERT(PKi)SK for PKi. Verification of CERT(PKi)SK by any node using well known PK.]


(ID, PK) binding

Web of Trust (PGP)
[Hubaux, Buttyan, Capkun]

No CA
Alice → Bob and Bob → Eve ⇒ Alice → Eve
Merging of certificate repositories

PROs: no centralized TTP
CONs: initialization, storage, transitivity of trust


(ID, PK) binding

Crypto-based ID
  SPKI [Rivest]
  Statistically Unique Cryptographically Verifiable IDs [O’Shea, Roe] [Montenegro, Castelluccia]

IPv6 @ = NW Prefix | h(PK)

DSR using SUCV-based IP addresses [Bobba, et al.]

PROs: no certificates, no CA
CONs: generation of bogus IDs
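The binding on this slide, worked through as an added example (not part of the original slides): the address is the network prefix followed by a hash of the public key, so any peer can recheck it without a certificate or CA. Assumptions: SHA-256 truncated to 64 bits stands in for h, random bytes stand in for an encoded public key, and the prefix is a documentation prefix. This is not the exact SUCV bit layout, and the signature that proves possession of the private key is left out.

```python
import hashlib
import ipaddress
import os

# Constructed sample prefix (IPv6 documentation range), not from the slides.
PREFIX = ipaddress.IPv6Network("2001:db8:0:1::/64")


def sucv_address(prefix: ipaddress.IPv6Network, public_key: bytes) -> ipaddress.IPv6Address:
    """IPv6 @ = NW Prefix | h(PK): the low 64 bits are a truncated hash of PK."""
    if prefix.prefixlen != 64:
        raise ValueError("expected a /64 network prefix")
    digest = hashlib.sha256(public_key).digest()
    interface_id = int.from_bytes(digest[:8], "big")
    return ipaddress.IPv6Address(int(prefix.network_address) | interface_id)


def binding_is_valid(address: ipaddress.IPv6Address, public_key: bytes) -> bool:
    """Recompute h(PK) and compare it with the claimed address (no CA involved)."""
    prefix = ipaddress.IPv6Network(((int(address) >> 64) << 64, 64))
    return sucv_address(prefix, public_key) == address


def demo() -> dict:
    alice_pk = os.urandom(32)    # placeholder for Alice's encoded public key
    other_pk = os.urandom(32)    # a different node's key
    alice_addr = sucv_address(PREFIX, alice_pk)
    # The CON on the slide: every fresh key yields a fresh ID that verifies,
    # so the check binds an ID to a key but does not limit IDs per node.
    fresh = [os.urandom(32) for _ in range(5)]
    fresh_ids = {sucv_address(PREFIX, pk) for pk in fresh}
    return {
        "alice_ok": binding_is_valid(alice_addr, alice_pk),
        "other_key_ok": binding_is_valid(alice_addr, other_pk),
        "fresh_ids": len(fresh_ids),
        "fresh_all_valid": all(
            binding_is_valid(sucv_address(PREFIX, pk), pk) for pk in fresh
        ),
    }


if __name__ == "__main__":
    print(demo())
```
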


(ID, PK) binding

ID-based Crypto
[Halili, Katz, Arbaugh]

[Boneh, Franklin, CRYPTO 2001]

ID-based
  PK = h(ID)
  SK computed by TTP

Threshold Crypto to distribute TTP

PROs: no certificates, no centralized server
CONs: distribution of initial shares


Context-dependent Authentication

Password Authenticated Key Exchange
[Asokan, Ginzborg]

HyperCube Protocol (Diffie-Hellman)

PROs: self-organized, fully distributed
CONs: shared password


Cooperation enforcement mechanisms

Threshold cryptography
  Token-based [Yang, Meng, Lu]

Micro-payment
  Nuglets [Buttyan, Hubaux]
  SPRITE [Zhong, Chen, Yang]

Reputation-based
  CONFIDANT [Buchegger, Le Boudec]
  CORE [Michiardi, Molva]
  Beta-Reputation [Josang, Ismail]


Validation of Cooperation Enforcement Mechanisms

Mechanisms based on reputation difficult to validate

Simulation

Game theory


State of the art - Summary

Specific requirements
  Cooperation enforcement
  Bootstrapping security associations

Solutions yet to come . . .
  Interesting applications of cryptography
  Some untruths and non-sense


Main Flaw

Security requirements in MANET are stronger than in “classical” networks

MANET networking still is a research topic

Security retrofitted as add-on mechanisms as if network technology was established


Right Approach

Address security at early stages of protocol design: i.e. Routing Protocol dealing with Routing+Cooperation+Key Management

Old model based on verification of credentials and authentication not suitable, identities are meaningless

Further develop & integrate new concepts
  A posteriori trust (based on observation, reputation, imprinting)
  Partial assurance
  Substitute infrastructure with context information (location, physical distance, history)
  … Others to be invented


Conclusion

Wireless Ad Hoc Security still in its infancy

Lack of integrated approach
Looking for suitable new paradigms
Partial coverage (privacy, intrusion detection, physical attacks, etc.)

⇒ Room for creativity

Thank you!