Security in Wireless Ad hoc Networks
Pietro Michiardi, Eurecom
Journée Club SEE-SIC, 11 March 2004
Monday, March 08, 2004 1
Mobile Ad Hoc Networks (MANET)
Collection of wireless mobile hosts forming a temporary network
No fixed network infrastructure
No (or limited) organization
Applications:
  Military and Emergency
  Sensor Networks
  Civilian applications, ubiquitous computing
Trust in MANET
Managed environment
  A-priori trust
  Entity authentication ⇒ correct operation
  But: requirement for authentication infrastructure
Open environment
  No a-priori trust
  Authentication does not guarantee correct operation
  New security paradigm
Node Misbehavior
Selfish Nodes
  Do not cooperate
  Priority: battery saving
  No intentional damage to other nodes
  Exposure:
    passive denial of service
    black hole
    idle status
Malicious Nodes
  Goal: damage to other nodes
  Battery saving is not a priority
  Exposure:
    active attacks
    denial of service
    traffic subversion
    attacks exploiting the security mechanism
MANET Requirements
Wireless & Mobile
  Limited energy
  Lack of physical security
Ad hoc
  No infrastructure
  Lack of organization
Cooperation enforcement
Secure Routing
Key Management
Secure Routing - Objectives
Authentication (Integrity) of routing information
Entity authentication
  Source
  Destination
  Intermediate node
Correct behavior (of algorithm, if any)
Asymmetric vs. Symmetric Crypto
Pro-active vs. Reactive routing protocols
Secure Routing Proposals for MANET
ARIADNE [Hu, et al.]
  Shared secret known by (src, dst)
  Prerequisite: distribution of authenticated TESLA keys
Secure Routing Protocol [Papadimitratos, Haas]
  Security associations between source and destination only
ARAN [Dahill, et al.]
  PK certificates for IP @
SEAD [Hu, et al.]
  Proactive routing authenticated hash chains
TESLA with instant key disclosure (TIK)
  Cope with wormhole attack
Secure Routing Summary
No new requirement other than self-organized Key management
All solutions rely on some key set-up prior to secure routing operation
Contradiction: long-lived security associations in self-organized MANET
Key Management Challenges
Lack of (or limited)
  Security infrastructure
    Key servers (KDC, CA, RA)
  Organization (a priori trust)
p2p
Authentication is not sufficient to build trust
Key Management Objectives
Bootstrapping from scratch
Fully distributed
Minimum dependency
Key Management Approaches
Based on symmetric crypto
(ID, PK) binding
  PK Certificate = (ID, PK)_CA
    Self-organized CA
    Web of trust (PGP)
  No certificate
    Crypto-based IDs: ID = h(PK)
    ID-based Crypto: PK = f(ID)
Context-dependent authentication
  Location-limited channels
  Shared passwords
(ID, PK) binding
Self-organized CA [Zhou, Haas] [Kong, et al.] [Yi, Kravets] [Lehane, et al.]
Based on threshold cryptography
PROs: distributed approach, self-organized
CONs: share distribution during bootstrap phase, network density
[Figure: partial certificates [cert(PK_i)]_SK1, [cert(PK_i)]_SK2, …, [cert(PK_i)]_SKi for PK_i, combined into CERT(PK_i)_SK]
Verification of CERT(PK_i)_SK by any node using well known PK
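The figure's flow (partial certificates from key-share holders, combined into one certificate that any node verifies with the well-known CA public key), as an added example that is not from the original slides. Assumptions: a toy RSA key built from two Mersenne primes, a trusted dealer at bootstrap, and additive n-of-n sharing instead of the (k, n) threshold schemes used in the cited proposals; all function names are hypothetical.

```python
import hashlib
import secrets
from math import prod

# Toy RSA key of the distributed CA (constructed; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)  # CA signing key SK; assumed to exist only at the dealer during bootstrap


def split_key(d, n):
    """Additive n-of-n sharing of SK: d = d_1 + ... + d_n (mod PHI)."""
    shares = [secrets.randbelow(PHI) for _ in range(n - 1)]
    shares.append((d - sum(shares)) % PHI)
    return shares


def digest(node_id, pk_i):
    """Integer encoding of the certificate body cert(PK_i) = (ID, PK_i)."""
    h = hashlib.sha256(node_id + b"|" + pk_i).digest()
    return int.from_bytes(h, "big") % N


def partial_cert(share, node_id, pk_i):
    """[cert(PK_i)]_SKj: share holder j signs using only its own share."""
    return pow(digest(node_id, pk_i), share, N)


def combine(partials):
    """CERT(PK_i)_SK: product of the partial certificates mod N."""
    return prod(partials) % N


def verify(cert, node_id, pk_i):
    """Any node checks CERT(PK_i)_SK with the well-known CA public key (N, E)."""
    return pow(cert, E, N) == digest(node_id, pk_i)


if __name__ == "__main__":
    shares = split_key(D, 3)
    node_id, pk_i = b"node-i", b"constructed-public-key-bytes"  # constructed sample values
    parts = [partial_cert(s, node_id, pk_i) for s in shares]
    print("all partials combined:", verify(combine(parts), node_id, pk_i))
    print("one partial missing:  ", verify(combine(parts[:2]), node_id, pk_i))
```

With n-of-n sharing every share holder must be reachable, which is the extreme case of the "network density" drawback listed on the slide.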
(ID, PK) binding
Web of Trust (PGP) [Hubaux, Buttyan, Capkun]
No CA
Alice → Bob and Bob → Eve ⇒ Alice → Eve
Merging of certificate repositories
PROs: no centralized TTP
CONs: initialization, storage, transitivity of trust
(ID, PK) binding
Crypto-based ID
SPKI [Rivest]
Statistically Unique Cryptographically Verifiable IDs [O’Shea, Roe] [Montenegro, Castelluccia]
  IPv6 @ = NW Prefix | h(PK)
DSR using SUCV-based IP addresses [Bobba, et al.]
PROs: no certificates, no CA
CONs: generation of bogus IDs
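The rule IPv6 @ = NW Prefix | h(PK) and the check a receiving node makes, as an added example that is not from the original slides. Assumptions: h is SHA-256 truncated to 64 bits, the prefix is the documentation prefix 2001:db8::/64, the public keys are constructed byte strings, and the function names are hypothetical; the signature proving possession of the matching SK is out of scope here.

```python
import hashlib
import hmac
import ipaddress


def sucv_address(prefix, pk):
    """IPv6 @ = NW Prefix | h(PK): 64-bit prefix, then the first 64 bits of h(PK)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 network prefix")
    # Assumption: h = SHA-256 truncated to 64 bits (illustrative choice).
    iid = int.from_bytes(hashlib.sha256(pk).digest()[:8], "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def binding_ok(claimed, prefix, pk):
    """Check that the claimed address is the one derived from the presented PK."""
    try:
        addr = ipaddress.IPv6Address(claimed)
    except ValueError:
        return False  # malformed address: reject rather than raise
    expected = sucv_address(prefix, pk)
    return hmac.compare_digest(addr.packed, expected.packed)


if __name__ == "__main__":
    prefix = "2001:db8::/64"               # documentation prefix (constructed input)
    pk_a = b"constructed-public-key-A"     # stand-ins for encoded public keys
    pk_b = b"constructed-public-key-B"
    addr_a = sucv_address(prefix, pk_a)
    print(addr_a, binding_ok(str(addr_a), prefix, pk_a))  # owner's key matches
    print(binding_ok(str(addr_a), prefix, pk_b))          # another key is rejected
    # The check binds an address to a key, not a key to a node: pk_b has its own valid
    # address, so nothing here limits how many IDs one node creates (the slide's CON).
    print(binding_ok(str(sucv_address(prefix, pk_b)), prefix, pk_b))
```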
(ID, PK) binding
ID-based Crypto [Khalili, Katz, Arbaugh]
[Boneh, Franklin, CRYPTO 2001]
ID-based
  PK = h(ID)
  SK computed by TTP
Threshold Crypto to distribute TTP
PROs: no certificates, no centralized server
CONs: distribution of initial shares
Context-dependent Authentication
Password Authenticated Key Exchange [Asokan, Ginzboorg]
HyperCube Protocol (Diffie-Hellman)
PROs: self-organized, fully distributed
CONs: shared password
Cooperation enforcement mechanisms
Threshold cryptography
  Token-based [Yang, Meng, Lu]
Micro-payment
  Nuglets [Buttyan, Hubaux]
  SPRITE [Zhong, Chen, Yang]
Reputation-based
  CONFIDANT [Buchegger, Le Boudec]
  CORE [Michiardi, Molva]
  Beta-Reputation [Josang, Ismail]
Validation of Cooperation Enforcement Mechanisms
Mechanisms based on reputation difficult to validate
Simulation
Game theory
State of the art - Summary
Specific requirements
  Cooperation enforcement
  Bootstrapping security associations
Solutions yet to come . . .
  Interesting applications of cryptography
  Some untruths and non-sense
Main Flaw
Security requirements in MANET are stronger than in “classical” networks
MANET networking still is a research topic
Security retrofitted as add-on mechanisms as if network technology was established
Right Approach
Address security at early stages of protocol design: i.e. Routing Protocol dealing with Routing+Cooperation+Key Management
Old model based on verification of credentials and authentication not suitable, identities are meaningless
Further develop & integrate new concepts
  A posteriori trust (based on observation, reputation, imprinting)
  Partial assurance
  Substitute infrastructure with context information (location, physical distance, history)
  … Others to be invented
Conclusion
Wireless Ad Hoc Security still in its infancy
Lack of integrated approach
Looking for suitable new paradigms
Partial coverage (privacy, intrusion detection, physical attacks, etc.)
⇒ Room for creativity