VoIP Mobility Prakash Kolan University of North Texas


Post on 30-Dec-2015


VoIP Mobility

Prakash Kolan, University of North Texas

Agenda

Mobile Ad-hoc Networks

VoIP in VoIP Ad-hoc Networks

Trust in VoIP Ad-hoc Networks

Issues for trust calculation in VoIP mobile Ad-hoc Networks and probable solutions

Trust and Mobility

Trust during Micro-Mobility

Trust during Macro-Mobility

Inferring a secure routing path in presence of malicious nodes

Authenticating strangers in an ad-hoc network

Mobile Ad-hoc Networks (MANETs)

Self-configuring and adaptive networks

Do not need any infrastructure to deploy these networks

Deployed in areas deprived of any existing network infrastructure, e.g., battle zones, villages, areas suffering from natural calamities

Every node can act as a router or a relay for forwarding data from other nodes in the MANET

VoIP Mobile Ad-hoc Networks (VoIP MANETs)

VoIP devices can form a VoIP MANET on the fly

New VoIP nodes can join and leave the VoIP MANETs

Each VoIP node interacts with other VoIP nodes in the ad-hoc network either for requesting or serving VoIP services

An ad-hoc VoIP node can forward data between two other VoIP nodes

In the context of this high volume of anonymous interactions, it is imperative to understand the trust of the communicating nodes


Need for Trust in VoIP MANETs

Open and Anonymous

Lack of Accountability

A central authority for maintaining the authentication information of each and every VoIP device is next to impossible, particularly when end devices change their identity and location

PKI (Public Key Infrastructure) is not enough

Cryptographic algorithms, for instance, cannot say if a piece of digitally signed code has been authored by competent programmers, and a signed public key certificate does not tell you if the owner is an industrial spy

Trust in VoIP MANETs

Every node learns the behavior of other VoIP nodes in the VoIP MANET using trust inference

Every node can infer trust of other nodes for forwarding routing and secure trust information

The nodes can co-operate with each other to know the trustworthiness of other nodes if they do not have first-hand information about the possible forwarding nodes

Issues:

Trust and mobility in VoIP MANETs

Secure Routing in VoIP MANETs

Authenticating Strangers in VoIP MANETs


Trust & Mobility

One of the biggest advantages of using VoIP is the ability to function and operate independent of the location

On the other end, rapid advances in wireless networking technologies have enabled mobile devices to be connected anywhere, anytime

Location independent VoIP services can be deployed on top of wireless networks like cellular, WLAN etc.


Wireless handheld devices equipped with VoIP capabilities can roam from one network to another network

Ability to connect to other devices in an ad-hoc fashion

Necessity in understanding the inherent trust issues involved in mobility of these devices

PKI infrastructure is a solution for authentication, authorization and message integrity issues; however, it does not address the trust issues involved

Trust and Mobility

Trust in mobility can be divided into:

Trust in Micro-mobility: Refers to the scenario where the VoIP mobile device moves in the coverage area of the same access point. Trust associations are local

Trust in Macro-mobility: Refers to the scenario where the VoIP mobile device moves from the coverage area of one access point to another. Need a global trust framework for inferring trust. A trust information protocol is needed which advocates the trust information exchange when devices change access networks


Principles of Trust

Trust is Subjective: It is the degree of belief about the behavior of other entities (agents) upon which we depend (for example, to have a service delivered)

Trust is Asymmetric: Two agents need not have similar trust in each other

Trust is Context Dependent: Trust in a specific environment does not necessarily transfer to another

Trust is Dynamic: Tends to be reduced if entities are misbehaving and vice versa

hTrust: A human trust model

Trust Formation: How trust is computed

Trust Dissemination: How trust is propagated

Trust Evolution: How trust is evolved or updated based on observed evidence

Trust Formation

Whenever an agent ‘a’ (trustor) has to decide whether to trust another agent ‘b’ (trustee), trust information about ‘b’ has to be collected

Sources of trust information:

Direct experiences: Represent an agent’s history of interactions (past interactions between trustor and trustee). They are kept in the trustor’s local environment by the TMF

Credentials: Represent what other agents thought of us in previous interactions (e.g., what agent ‘x’ thought about trustee ‘b’). They are kept in the trustee’s local environment by the TMF

Recommendations: Trust information coming from other agents in the social context

The process that enables a trustor agent to predict a trustee’s trustworthiness before the interaction

Trust data model: A trustor ‘a’ forms a trust opinion about a trustee ‘b’ based on:

a’s direct experience

b’s credentials

Recommendations coming from the social context

Trust Formation: Direct Experiences

Single aggregated trust information tuple:

[a, b, l, s, c, k, t], i.e., agent ‘a’ trusts agent ‘b’ at level ‘l’ to carry on services ‘s’ in context ‘c’

The trust ‘l’ varies in the range [-1, 1], with -1 meaning complete distrust and 1 meaning blind trust

‘k’ is defined as the degree of knowledge, to distinguish ‘don’t trust’ from ‘don’t know’ (lack of evidence), at time ‘t’

The higher the number of direct experiences between trustor and trustee, the higher the degree of knowledge

‘k’ decays with time, i.e., the trustor’s knowledge decays with time

Trust Formation: Recommendations

When there’s no previous direct experience, the trustor may ask other agents in the social context to provide him with recommendations

A recommendation tuple sent by agent ‘x’ regarding trustee ‘b’ is

[x, b, l, s, c, k, t]SKx ∈ R (R being the set of all recommendations)

Each recommendation is signed using the public key of the recommender

Trust Formation: Credentials

Each agent ‘b’ carries with him (i.e., in his local environment) a portfolio of credentials, i.e., a set of letters of presentation detailing how trustworthy ‘b’ has been in one or more previous interactions. Each credential looks like

[x, b, l, s, c, nfrom, nto, t]SKx

Agent ‘x’ considers ‘b’ trustworthy at level ‘l’ to carry on service ‘s’ in context ‘c’ after a series of transactions from nfrom to nto

This trust refers to a set of transactions that happened in the past between ‘x’ and ‘b’


Trust Dissemination

Trust information is disseminated upon request from the trustor

Step 1: a -> b : req-for-credentials(m). A request from ‘a’ to ‘b’ to see his credentials. ‘m’ indicates the maximum number of letters ‘a’ is willing to accept

Step 2: b -> a : Ct_i, i ∈ [1, m]. The trustee ‘b’ replies with a set of at most ‘m’ letters of presentation (the ones he considers to be the best for his own reputation)

Step 3: TMF decrypts the letters of presentation and checks the validity of the public keys of all agents who recommended the trustee ‘b’ with an identity management system

Step 4: If ‘a’ then decides to communicate with ‘b’, then after communication ‘a’ and ‘b’ exchange a letter of presentation:

a -> b : [a, b, l’, n, n, t]SKa

b -> a : [b, a, l”, n, n, t]SKb

Trust Evolution

Continuous self-adaptation of trust information kept in the agent’s local environment

Updating trust based on the just finished transaction

Updating trust based on the credentials it has received from the trustee

h3(l1, l2) = w1 × l1 + w2 × l2, with w1 + w2 = 1 and 0 < wi < 1

l1 -> newly perceived trustworthiness

l2 -> old opinion

h4(l1, l2, l3) = w1 × l1 + w2 × l2 + w3 × l3, with w1 + w2 + w3 = 1 and 0 < wi < 1

l1 -> b’s trustworthiness as perceived by ‘a’

l2 -> opinion previously held by ‘a’ about ‘b’

l3 -> b’s expected trustworthiness based on received credentials


Secure Routing in VoIP MANETs

Routing in MANETs

Nodes communicate among themselves

No central authority supervises the behavior of nodes in MANETs

Nodes themselves act as routers and relays for forwarding data and control packets

Multi-hop support makes communication possible with nodes outside of the coverage area

Secure Routing

Current research assumes that all the nodes in the network share similar goals and would co-operate with each other

Presence of compromised nodes: become antagonistic to other uncompromised nodes; not reliable for retrieving routing information for actual routing

Nodes with disparate goals: need external co-operation for communication; limiting factors such as power conservation etc.


Reputation for Secure Routing

Reputation of nodes can be used for instilling the motivation to co-operate

It establishes trust and confidence among the nodes

Motivates nodes to act in a trustworthy fashion and not to maliciously tamper with any data packet

If a node becomes indifferent to its reputation and continues to act maliciously, it is weeded out of the network

The malicious behavior of the node can be estimated based on:

Frames received

Data packets forwarded

Control packets forwarded

Data packets received

Control packets received

Streams established

Message from A -> C. ABC is the only path from A to C. To send a message to C, A sends the message to B. If C acknowledges receiving the message, RepAB = +1

Reputation is the means of recommendations from all nodes

[Figure: network diagram with nodes A, B, C, D and E]


Every node needs to identify the next node in the routing path

Polls all its neighbors for the reputation of all its probable next nodes

Chooses the next node with the highest reputation value

Finding Trusted Routers - Deciding Next Hop

Shortest path to destination - Sorts all the available paths based on no. of hops

Using only the reputations - Choose the next hop based on highest reputed neighbor

Shortest path to destination along with the reputation of the neighbors - Sorts all the available paths based on distance and reputation of next.
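The three next-hop strategies above, side by side, as an added example that is not part of the original slides. It assumes reputation is the arithmetic mean of the polled recommendations, and, since the slides do not say how distance and reputation are combined, the combined strategy here drops next hops below an assumed reputation floor and then prefers fewer hops, with reputation as tie-breaker. Node names, hop counts and recommendation values are constructed.

```python
from statistics import mean

REPUTATION_FLOOR = 0.0  # assumption: next hops rated below this are never used


def reputation(recommendations):
    """Average the recommendations returned by the polled neighbours.

    A node nobody can vouch for gets the neutral value 0.0 (assumption).
    """
    return mean(recommendations) if recommendations else 0.0


def choose_next_hop(paths, polls, strategy):
    """Pick the next hop towards the destination.

    paths: list of (next_hop, hop_count) for every known path.
    polls: next_hop -> recommendations collected from neighbours.
    Returns the chosen next hop, or None if no candidate qualifies.
    """
    rep = {hop: reputation(polls.get(hop, [])) for hop, _ in paths}
    if strategy == "shortest":
        # Hop count only: a misbehaving relay on the short path still wins.
        ranked = sorted(paths, key=lambda p: p[1])
    elif strategy == "reputation":
        # Reputation only: may select a needlessly long path.
        ranked = sorted(paths, key=lambda p: -rep[p[0]])
    elif strategy == "combined":
        # Assumed combination: filter by reputation, then shortest first.
        trusted = [p for p in paths if rep[p[0]] >= REPUTATION_FLOOR]
        ranked = sorted(trusted, key=lambda p: (p[1], -rep[p[0]]))
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    return ranked[0][0] if ranked else None


# Constructed sample: four candidate next hops from a source node.
PATHS = [("B", 2), ("D", 3), ("E", 3), ("F", 5)]
POLLS = {
    "B": [-1, -1, 1],  # most neighbours report dropped or altered packets
    "D": [1, 1, 0],
    "E": [1, 0, 0],
    "F": [1, 1, 1],
}

if __name__ == "__main__":
    for name in ("shortest", "reputation", "combined"):
        print(name, "->", choose_next_hop(PATHS, POLLS, name))
```

With this sample each strategy picks a different neighbour, which makes the trade-off between path length and trustworthiness visible.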

Using the Reputation Value

Advantages: Increase in throughput; non-co-operative nodes are ostracized

Disadvantage: Poor nodes are penalized

Solution: Using resource availability information along with reputation value

Achieved equilibrium in traffic management: good nodes receive more traffic, become overloaded, drop some packets, and their reputation decreases; source nodes then use 2nd-rank nodes and the system equilibrium is established


Authenticating Strangers in VoIP MANETs


Authenticating Strangers

One of the primary requirements of ad-hoc networks is that nodes can join and leave the network on the fly

New nodes express their willingness in joining the network

No previous history with any nodes in the network

Need to infer the behavior or trust of new nodes

Pre-Authentication over location-limited channel

Provides a security mechanism for wireless communications via pre-authentication over a location-limited channel

Devices exchange a limited amount of public information over a privileged side-channel

The pre-authentication is used for authenticating one another on the unsecured wireless link

Provides secure authentication using almost any standard public key based key exchange protocol

Properties of Location Limited Channel

Demonstrative Identification: Identification based on physical context

Audio (both in audible and ultrasonic range), which has limited transmission range and broadcast characteristics, can be used by a group of PDAs in a room to demonstratively identify each other

For a single communication end point (e.g., printer across the room): channels with directionality, such as infrared

Authenticity: It is impossible (or difficult) for an attacker to transmit in that channel, or at least to transmit without being detected by legitimate participants

The participants use the location-limited channel for exchanging small cryptographic material for authenticating one another during wireless data transfer

Secure because the pre-authentication data is exchanged over a channel with inherent physical limitations

The location-limited channel is therefore resistant to eavesdropping

It is difficult for the attackers to mount an attack because of inherent limitations in the chosen location-limited channel

Standard public key exchange protocols can be used for bootstrapping this authentication

The participants can exchange their public keys during this pre-authentication phase

Even if the attacker manages to eavesdrop on the communication over the wireless channel, it would be difficult for him to impersonate a participant, as the participants already have their keys exchanged

Basic scheme for pre-authentication

Pre-authentication, taking place over the location-limited channel:

1. A -> B: addrA, h(PKA)

2. B -> A: addrB, h(PKB)

Authentication continues over the wireless channel with any standard key exchange protocol, e.g., SSL/TLS:

1. A -> B: TLS_CLIENT_HELLO ...and so on.

The various symbols denote:

addrA, addrB: A’s (resp. B’s) address in wireless space, provided strictly for convenience

PKA, PKB: the public key belonging to A (resp. B), either a long-lived key or an ephemeral key used only in this exchange

h(PKA): a commitment to PKA, e.g., a one-way hash of an encoding of the key
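The basic scheme above as a runnable sketch, added here and not taken from the original slides: both nodes exchange (addr, h(PK)) over the location-limited channel, then check the key presented during the wireless key exchange against the stored commitment. The `Node` class, the choice of SHA-256 for h, and the byte strings standing in for encoded public keys are assumptions.

```python
import hashlib
import hmac


def commit(public_key: bytes) -> bytes:
    """h(PK): one-way hash of the encoded key (SHA-256 is an assumption)."""
    return hashlib.sha256(public_key).digest()


class Node:
    """Hypothetical ad-hoc node holding commitments from pre-authentication."""

    def __init__(self, addr: str, public_key: bytes):
        self.addr = addr
        self.public_key = public_key
        self.commitments = {}  # peer addr -> h(PK) from location-limited channel

    def preauth_message(self):
        """Steps 1 and 2: (addr, h(PK)) sent over the location-limited channel."""
        return self.addr, commit(self.public_key)

    def receive_preauth(self, message):
        addr, digest = message
        self.commitments[addr] = digest

    def accept_wireless_key(self, addr: str, presented_key: bytes) -> bool:
        """Check a key presented on the wireless link against the commitment.

        This only binds the key to the pre-authenticated peer; the key
        exchange itself (e.g. TLS) must still prove that the peer holds the
        matching private key.
        """
        expected = self.commitments.get(addr)
        if expected is None:
            return False  # no pre-authentication took place: a stranger
        return hmac.compare_digest(expected, commit(presented_key))


def run_exchange():
    # Constructed byte strings standing in for encoded public keys.
    pk_a = bytes.fromhex("04" + "a1" * 64)
    pk_b = bytes.fromhex("04" + "b2" * 64)
    pk_attacker = bytes.fromhex("04" + "ee" * 64)

    a, b = Node("addrA", pk_a), Node("addrB", pk_b)
    # Mutual pre-authentication over the location-limited channel.
    b.receive_preauth(a.preauth_message())
    a.receive_preauth(b.preauth_message())

    return {
        "a_accepts_b": a.accept_wireless_key("addrB", pk_b),
        "b_accepts_a": b.accept_wireless_key("addrA", pk_a),
        # Substituted key on the wireless link claiming to be B.
        "a_accepts_substituted_key": a.accept_wireless_key("addrB", pk_attacker),
        # Node that never took part in pre-authentication.
        "b_accepts_unknown_node": b.accept_wireless_key("addrE", pk_attacker),
    }


if __name__ == "__main__":
    for check, result in run_exchange().items():
        print(f"{check}: {result}")
```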

Pre-authentication must be mutual: both parties must send and receive pre-authentication data on an ad-hoc node

In some cases, e.g., a server on an ad-hoc node providing a service to another ad-hoc node, the pre-authentication is only in one direction

Depending upon the location-limited channel and the public key based protocol used during normal wireless data transfer, a decision can be made during the pre-authentication phase to exchange:

Public keys

Certificates

Secure digests of the keys using cryptographic hash functions


Group authentication - Multicast

Some location-limited channels have broadcast capability: they can reach more than one target simultaneously, e.g., audio

Many applications can benefit from the ability to designate a group of users in a secured network, e.g., networked games, meeting support, conferencing

Pre-authentication can be used with two major families of group key exchange protocols

Centrally managed group by designating a specially trusted group member as group manager

Unmanaged groups with no group manager


Centrally Managed Groups

One participant is designated to become the group manager (first one to start)

The group manager establishes point to point links with every other group participant based on pre-authentication

The group manager will then exchange the group shared key with the new participant

When a member leaves a group, the group manager distributes a new group shared key with the remaining participants


Problems with Centrally Managed Groups

Group manager presents a single point of attack

Group manager is trusted to generate and distribute all group keys. Many applications are not compatible with such a distinguished trusted party

The group manager cannot easily leave the group

Unmanaged Groups

By using pre-authentication over a location-limited channel, all participants do not need public keys, as in the case of Diffie-Hellman

Every group member commits their public keys or shared secrets to the group, and a random existing group member can respond, thus ensuring mutual authentication

Group members can then proceed with their chosen group key exchange protocol over the wireless link
