Key Establishment in Ad Hoc Networks Part 1 of 2


Page 1: Key Establishment in Ad Hoc Networks Part 1 of 2

Key Establishment in Ad Hoc Networks Part 1 of 2

S. Capkun, JP Hubaux

Page 2: Key Establishment in Ad Hoc Networks Part 1 of 2

Outline

- Introduction
- URSA: Providing Ubiquitous and Robust Security Support for MANET (UCLA proposal)
- PGP-inspired solution: keys generated by the nodes (EPFL proposal)
- Mobility helps security (in Part 2 of 2)

Page 3: Key Establishment in Ad Hoc Networks Part 1 of 2

Research areas in security for ad hoc networks

Key establishment: how to distribute and manage keys in the absence of an on-line authority

Secure routing: how to make routing protocols robust against potential attacks

Intrusion detection: how to discover that an intruder is attempting to penetrate the network

Preventing denial of service: how to prevent nodes from misbehaving, whether rationally or maliciously, e.g. pretending to forward packets while dropping them

Securing sensor networks: how to make the protocols used by sensor networks robust against potential attacks, while coping with the anemic nature of the devices

Page 4: Key Establishment in Ad Hoc Networks Part 1 of 2

Design Challenges

- Security breaches
  - Vulnerable wireless links
  - Occasional break-ins may be inevitable over a long time
- Service ubiquity in presence of mobility
  - Anywhere, anytime availability
- Network dynamics
  - Wireless channel errors
  - Node failures
  - Node join/leave
- Network scale

Page 5: Key Establishment in Ad Hoc Networks Part 1 of 2

Key establishment techniques in ad hoc networks

- Presence of an authority, at least in the initialization phase (usually based on threshold cryptography)
  - Specialized nodes (servers)
  - Centralized secret share dealer
- No authority: keys are generated by the nodes
  - PGP-inspired: trust; certificate graph
  - Mobility helps security: exploit node encounters

Page 6: Key Establishment in Ad Hoc Networks Part 1 of 2

Secret sharing based on threshold cryptography

- No trusted authority, no central server
- Threshold crypto makes it possible to distribute specific tasks (e.g., signature and therefore certificate issuing) among several users

Definition: Let $t$, $w$ be positive integers, $t \le w$. A $(t, w)$ threshold scheme is a method by which a trusted party (also called a dealer) computes secret shares $S_i$, $1 \le i \le w$, from an initial secret $S$, and securely distributes $S_i$ to user $P_i$, such that the following is true: any $t$ or more users who pool their shares may easily recover $S$, but any group knowing only $t - 1$ or fewer shares may not.

A perfect threshold scheme is a threshold scheme in which knowing only $t - 1$ or fewer shares provides no advantage to an opponent over knowing no pieces.

Page 7: Key Establishment in Ad Hoc Networks Part 1 of 2

Shamir threshold scheme

Initialization phase

Let $p \ge w + 1$ be prime. The dealer $D$ chooses $w$ distinct, non-zero elements of $\mathbb{Z}_p$, denoted $x_i$, $1 \le i \le w$. Let $P_i$ designate the $i$th participant ($1 \le i \le w$). $D$ gives the values $x_i$ to $P_i$; the values $x_i$ are public.

Share distribution

Let $K$ be the key that $D$ wants to share among the participants. $D$ secretly chooses (independently and at random) $t - 1$ elements of $\mathbb{Z}_p$: $a_1, \dots, a_{t-1}$.

For $1 \le i \le w$, $D$ computes $y_i = a(x_i)$, where

$$a(x) = K + \sum_{j=1}^{t-1} a_j x^j \bmod p$$

For $1 \le i \le w$, $D$ gives the share $y_i$ to $P_i$.

Pooling of shares

Any group of $t$ or more users pool their shares, which provide at least $t$ distinct points $(x, y) = (x_i, y_i)$, allowing computation of the coefficients $a_j$, $1 \le j \le t - 1$, and of the key $K$. This computation can be made by Lagrangian interpolation.

Page 8: Key Establishment in Ad Hoc Networks Part 1 of 2

URSA: Providing Ubiquitous and Robust Security Support for MANET

Courtesy of:

Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang

University of California, Los Angeles

{jkong,pzerfos,hluo,slu,lixia}@cs.ucla.edu

Page 9: Key Establishment in Ad Hoc Networks Part 1 of 2

URSA Approach

- Ubiquitous and robust service provision in the presence of random mobility
- Localized algorithms and protocols
  - One-hop wireless communication

Page 10: Key Establishment in Ad Hoc Networks Part 1 of 2

Why this model?

- No single point of compromise
  - Hackers must break into K nodes simultaneously to compromise the system
- No single point of DoS attack & node failure
- K offers tradeoff between intrusion tolerance and service availability
  - K=1, single point of compromise, maximal availability
  - K=N, single point of DoS attack, maximal intrusion tolerance

Page 11: Key Establishment in Ad Hoc Networks Part 1 of 2

System Overview

- Each node carries a verifiable, unforgeable personal certificate
- Certificate is signed by network system key SK
- Certificate may be issued, renewed, or revoked
- Every mobile node periodically renews its certificate
- Ubiquitous services enabled by secret sharing

Page 12: Key Establishment in Ad Hoc Networks Part 1 of 2

System Components

- Certification services
  - Localized certificate issuing, renewal, revocation
- Self-initialization service
  - To provide a secret share to an entity
  - To provide scalable proactive secret share update service
- Proactive secret share update service
  - To resist long-term adversaries without changing the shared secret

Page 13: Key Establishment in Ad Hoc Networks Part 1 of 2

Network Protocol

Certificate issuing, renewal, or explicit revocation:

1. Service request
2. Return partial certificates (K=5)

Self-initialization:

1. Initialization request
2. Unicast shuffling package
3. Routing shuffling package
4. Unicast partial secret share

Page 14: Key Establishment in Ad Hoc Networks Part 1 of 2

Cryptographic Algorithms: Threshold Secret Sharing

- Polynomial-based threshold secret sharing
  - Given a secret d and a random polynomial of degree K-1: $f(x) = d + f_1 x + f_2 x^2 + \dots + f_{K-1} x^{K-1} \bmod n$
  - Each entity $v_i$ obtains its secret share "$f(v_i) \bmod n$"
  - d can be recovered by Lagrange interpolation
- In the RSA cryptosystem, the d in the signing key SK = (d, n) is shared and distributed

Page 15: Key Establishment in Ad Hoc Networks Part 1 of 2

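Lagrange Interpolation

[Figure: polynomial with degree K-1 through the points f(x1), ..., f(x5) at x1, ..., x5, with f(0) = secret]

$$f(0) = d \equiv \sum_{j=1}^{K} \left( f(v_j) \cdot l_{v_j}(0) \bmod n \right) \equiv \sum_{j=1}^{K} d_j \pmod{n}$$

$$l_{v_j}(x) = \frac{(x - v_1) \cdots (x - v_{j-1})(x - v_{j+1}) \cdots (x - v_K)}{(v_j - v_1) \cdots (v_j - v_{j-1})(v_j - v_{j+1}) \cdots (v_j - v_K)}$$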

Page 16: Key Establishment in Ad Hoc Networks Part 1 of 2

Multi-signature

- Threshold secret sharing reveals d to a coalition
  - d is not revealed if partial certificates are used
- The cornerstone is the equation $X^{d_1} \cdot X^{d_2} \cdots X^{d_K} = X^{(d_1 + d_2 + \dots + d_K)}$
- Each coalition member contributes a signed partial certificate $X^{SK_i} = (X^{d_i} \bmod n)$, which corresponds to an RSA SK-signing in computation
- The certification service requester combines K partial certificates and obtains a correctly-signed certificate $X^{SK} = (X^d \bmod n)$
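The scheme of slides 14 to 16 carried through with a toy RSA key, as an added example (not code from the slides or from the URSA project): the dealer shares d with a degree K-1 polynomial mod n, each coalition member signs with d_j = f(v_j) · l_vj(0) mod n, and the requester multiplies the partial certificates without ever learning d. The key, node identifiers, digest X and function names are constructed; the loop that strips a multiple of n from the exponent is an added step not shown on the slides, needed because the d_j sum to d only modulo n.

```python
import random

# Constructed toy RSA key (assumption: tiny primes for readability, not for security).
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # signing exponent d of SK = (d, n)


def deal_shares(d, k, ids, n, rng):
    """Dealer: f(x) = d + f1*x + ... + f_{k-1}*x^(k-1) mod n; node v receives f(v) mod n."""
    coeffs = [d] + [rng.randrange(n) for _ in range(k - 1)]
    return {v: sum(c * pow(v, j, n) for j, c in enumerate(coeffs)) % n for v in ids}


def lagrange_at_zero(vj, coalition, n):
    """l_vj(0) = prod over r != j of (0 - v_r) / (v_j - v_r), computed mod n."""
    num = den = 1
    for vr in coalition:
        if vr != vj:
            num = num * (-vr) % n
            den = den * (vj - vr) % n
    return num * pow(den, -1, n) % n     # requires gcd(v_j - v_r, n) == 1


def partial_certificate(x, share, vj, coalition, n):
    """Coalition member v_j: d_j = f(v_j) * l_vj(0) mod n; returns X^d_j mod n."""
    dj = share * lagrange_at_zero(vj, coalition, n) % n
    return pow(x, dj, n)


def combine(x, partials, k, e, n):
    """Requester: multiply K partial certificates, then remove the excess t*n in the exponent."""
    cand = 1
    for part in partials:
        cand = cand * part % n
    x_inv_n = pow(pow(x, -1, n), n, n)   # X^(-n) mod n
    for _ in range(k):                   # sum(d_j) = d + t*n with 0 <= t < K
        if pow(cand, e, n) == x:         # check against the public key (e, n)
            return cand
        cand = cand * x_inv_n % n
    raise ValueError("partial certificates do not combine to a valid signature")


def demo(seed=7, k=3, coalition=(2, 4, 5)):
    """Run one issuing round; returns (combined certificate, X^d mod n, X)."""
    rng = random.Random(seed)
    ids = [1, 2, 3, 4, 5]                # constructed node identifiers v_i
    shares = deal_shares(D, k, ids, N, rng)
    x = 424242                           # constructed certificate digest X
    partials = [partial_certificate(x, shares[v], v, coalition, N) for v in coalition]
    return combine(x, partials, k, E, N), pow(x, D, N), x
```

Any K of the five nodes produce the same certificate, and a node that holds only its own share never sees d or another node's share.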

Page 17: Key Establishment in Ad Hoc Networks Part 1 of 2

Simulation: Proactive Update

[Figure: Updated Node Percentage vs. Delay]

“Explosion” effect: as more and more entities obtain the new version of secret shares, the task gets easier and faster

Page 18: Key Establishment in Ad Hoc Networks Part 1 of 2

Conclusion on URSA

- Certification-based approach
  - Secret sharing
  - Multi-signature
- Localized and distributed protocols
  - Faster and more robust than other approaches
  - Service ubiquity
  - Scalable
- Flexible trade-off between intrusion tolerance & service availability

Page 19: Key Establishment in Ad Hoc Networks Part 1 of 2

Full Self-Organization of Public Key Management (EPFL proposal)

Security: we use a public-key cryptography scheme to support security services in mobile ad hoc networks

Problem: How can a user u obtain the authentic public key of another user v in the presence of an active attacker?

Principles:
- users generate their own keys and issue certificates (no preinstalled keys)
- no central certification authority
- no certificate directories
- no specific role assigned to a subset of nodes

Page 20: Key Establishment in Ad Hoc Networks Part 1 of 2

Public-Key Infrastructure

Reminder: Certification Authorities (CAs) (e.g., ISO X.509, used notably in S/MIME):

[Figure: certification authorities CAU, CAV, CAW, CAX, CAY and CAZ, with users Alice and Bob]

A self-organized mobile ad hoc network has no infrastructure and therefore:
- no server
- no certification authority

Is it possible to build up a scalable public-key infrastructure for such an infrastructure-less network?

Page 21: Key Establishment in Ad Hoc Networks Part 1 of 2

Key management in PGP: Web of trust

[Figure: Alice, Bob and Irene, each with a key pair (PrKAlice / PuKAlice, PrKBob / PuKBob, PrKIrene / PuKIrene); legend: "Generate a certificate", "Trust relationship"; certificate from Bob for Irene: PuKIrene, PrKBob(PuKIrene)]

Alice and Bob trust each other and have exchanged each other’s public key in a secure way (e.g., off-line)

How can Alice get a trustworthy version of the public key of Irene, PuKIrene? (She does not know who signed it)

Bob is an introducer for Irene

Page 22: Key Establishment in Ad Hoc Networks Part 1 of 2

PGP: server of certificates

[Figure: Alice sends a request for a signed public key of Irene to the server of certificates, which holds the certificate from Bob for Irene: PuKIrene, PrKBob(PuKIrene); Alice, Bob and Irene each hold a key pair (PrK, PuK)]

• Example of server: www.pgpi.org
• The certificate servers are the only centralized components of PGP.

Is it possible to get rid of the certificate server(s), without jeopardizing scalability?

Page 23: Key Establishment in Ad Hoc Networks Part 1 of 2

Model

We assume that if a user i believes that a given public key belongs to a given user j, then i can issue a public-key certificate to j

Certificate graph G(V,E)
• V is a set of keys
• E is the set of edges, where a directed edge (i,j) is added if i signed a public key certificate to user j

[Figure: edge from $K_i$ to $K_j$, labelled with the certificate $\{j, K_j\}_{PrK_i}$]

Page 24: Key Establishment in Ad Hoc Networks Part 1 of 2

Certificate graph

authentication via a chain of certificates

[Figure: certificate graph with vertices K1 to K12]

Page 25: Key Establishment in Ad Hoc Networks Part 1 of 2

No authority: Self Organized Public Key Management

Each node generates its own private / public key pair (as in PGP) and issues certificates for the nodes it trusts

The system works in two phases:

1. Initialization: each user stores a set of certificates

2. When a user wants to verify the public key of another user, they merge their local repositories and try to find a path of certificates between them

[Figure: phase 1 shows user i; phase 2 shows users i and j]

Page 26: Key Establishment in Ad Hoc Networks Part 1 of 2

Initialization (1)

[Figure: users i, j and k]

Page 27: Key Establishment in Ad Hoc Networks Part 1 of 2

Initialization (2)

• Each user builds up a local repository of public-key certificates (a subgraph)
  • stores the certificates that it issued (outgoing edges)
  • stores the list of certificates that others issued for it (incoming edges)
  • stores an additional set of certificates chosen according to some algorithm A

• 2 possible scenarios
  • Centralized
  • Distributed

[Figure: Centralized scenario with a certificate server: (1) request, (2) sub-graph; Distributed scenario: sub-graph]

Page 28: Key Establishment in Ad Hoc Networks Part 1 of 2

Verifying the key: merging the local repositories and finding a path of certificates

[Figure: users i and j]

Page 29: Key Establishment in Ad Hoc Networks Part 1 of 2

Example of an algorithm: Maximum Degree

Node K builds its incoming and outgoing path(s) choosing the nodes with the highest degrees.

Page 30: Key Establishment in Ad Hoc Networks Part 1 of 2

Example: Shortcut Hunter

Each node builds its incoming and outgoing path(s) choosing the node that has the highest number of shortcuts connected to it

[Figure: small world graph with users i, j and k and a shortcut]

Page 31: Key Establishment in Ad Hoc Networks Part 1 of 2

Algorithm performance

We define the performance of the local repository construction algorithm A on the certificate graph G as

$$p_A(s, G) = \frac{\left|\{(u, v) \in V \times V : K_u \rightarrow_{G_{u,A} \cup G_{v,A}} K_v\}\right|}{\left|\{(u, v) \in V \times V : K_u \rightarrow_{G} K_v\}\right|}$$

where s is the size of the local repositories of the users (i.e. the number of edges in the subgraph of each user): $s = |E(G_{u,A})|$.
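A small simulation of the two phases and of the performance measure, as an added example (not the authors' code): each user builds a repository with a simplified reading of Maximum Degree (one greedy outgoing and one greedy incoming path), two users merge their repositories, and a breadth-first search looks for a certificate chain. The graph, the tie-breaking rule and all function names are constructed for illustration; performance is taken to be the share of pairs connected in G that stay connected in the merged repositories.

```python
from collections import deque
from itertools import permutations

# Constructed certificate graph G(V, E): (i, j) means i issued a certificate for K_j.
G = {("A", "H"), ("H", "A"), ("B", "H"), ("H", "B"), ("C", "H"), ("H", "C"),
     ("C", "D"), ("D", "C"), ("D", "E"), ("E", "D")}


def find_chain(edges, u, v):
    """Breadth-first search for a certificate chain K_u -> ... -> K_v; None if absent."""
    succ = {}
    for i, j in edges:
        succ.setdefault(i, []).append(j)
    prev, queue = {u: None}, deque([u])
    while queue:
        x = queue.popleft()
        if x == v:
            chain = []
            while x is not None:
                chain.append(x)
                x = prev[x]
            return chain[::-1]
        for y in sorted(succ.get(x, [])):
            if y not in prev:
                prev[y] = x
                queue.append(y)
    return None


def greedy_walk(edges, start, length, degree):
    """Follow up to `length` edges, always to the unvisited neighbour of highest degree."""
    walk, seen, cur = [], {start}, start
    for _ in range(length):
        cands = [j for i, j in edges if i == cur and j not in seen]
        if not cands:
            break
        nxt = min(cands, key=lambda w: (-degree[w], w))   # assumed tie-break: lowest name
        walk.append((cur, nxt))
        seen.add(nxt)
        cur = nxt
    return walk


def repository(edges, u, length):
    """Local repository G_u: one outgoing and one incoming path, each of `length` edges."""
    degree = {}
    for i, j in edges:
        degree[i] = degree.get(i, 0) + 1
        degree[j] = degree.get(j, 0) + 1
    out_path = greedy_walk(edges, u, length, degree)
    reverse = {(j, i) for i, j in edges}                  # walk backwards for incoming edges
    in_path = [(j, i) for i, j in greedy_walk(reverse, u, length, degree)]
    return set(out_path) | set(in_path)


def performance(edges, length):
    """Share of pairs connected in G that are also connected in G_u union G_v."""
    users = sorted({x for e in edges for x in e})
    repo = {u: repository(edges, u, length) for u in users}
    pairs = [(u, v) for u, v in permutations(users, 2) if find_chain(edges, u, v)]
    hits = sum(1 for u, v in pairs if find_chain(repo[u] | repo[v], u, v))
    return hits / len(pairs)
```

With repositories of two edges (one per direction) users on the tail of the graph cannot reach users behind the hub; doubling the repository size closes every gap on this graph.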

Page 32: Key Establishment in Ad Hoc Networks Part 1 of 2

Performance of Maximum Degree

Node builds its incoming and outgoing path(s) choosing the nodes with the highest degrees.

[Figure: algorithm performance p_MD(s, PGP) versus local repository size (s), for c = 1 path and c = 4 paths; PGP graph size = ~5000]

Page 33: Key Establishment in Ad Hoc Networks Part 1 of 2

Performance of the Star Shortcut Hunter on real PGP certificate graphs

[Figure: performance versus in(out)-bound subgraph size (s/2), for certificate graph sizes 2124, 3211 and 8695]

Page 34: Key Establishment in Ad Hoc Networks Part 1 of 2

Performance of the shortcut hunter on small world and random graphs

• Φ is the fraction of edges which are shortcuts, size of the local repositories = sqrt(n)

[Figure: performance on small world and random graphs, for certificate graph sizes 1000, 2000 and 4000]

Page 35: Key Establishment in Ad Hoc Networks Part 1 of 2

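False certificates

[Figure: certificate graph with keys $K_i$, $K_j$, $K_D$ and $K'_j$, and certificates $\{F, K_j\}_{PrK_D}$ and $\{j, K'_j\}_{PrK_D}$]

- $K_D$: a key controlled by a dishonest user
- $K'_j$: a false key created by a dishonest user
- $\{F, K_j\}_{PrK_D}$: a certificate binding user F to a key K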

Page 36: Key Establishment in Ad Hoc Networks Part 1 of 2

Design goals

- performance – redefined by taking authentication metrics into account
- key usage – ideally, all vertices need to be used for authentication an equal number of times (to be on the path an equal number of times)
- scalability – minimize the size of the local repositories (subgraphs) and the communication cost
- invariance to certificate graph changes

Page 37: Key Establishment in Ad Hoc Networks Part 1 of 2

Performance with authentication metrics

Authentication metric: the value of the metric for (u, v, G) represents the assurance with which u can obtain the authentic public key of v using the information in G.

Performance of a subgraph selection algorithm A:

p

, ,

( , )

( , , )1( )

( , , )

where ( , ) : ( , , ) 0

u A v A

u v W

u v G GG

u v G

W u v V V u v G

#W

Examples of authentication metrics include: number of disjoint paths of certificates, number of bounded and k-bounded disjoint paths ...

0

0

Special case: binary authentication metric

( , , ) 1 if

( , , ) 0 otherwise Gu v G u v

u v G

Page 38: Key Establishment in Ad Hoc Networks Part 1 of 2

Key usage

The key usage is defined as the number of times that a key is used for authentication. Formally:

Given a certificate graph G(V, E), a local repository construction algorithm A and an authentication metric; for each pair of vertices $(K_u, K_v) \in V \times V$, we define the set of all edges that are used in the merged subgraphs, considering that we are using that metric:

( , ) ( , ) : ( , , \ ( , )) ( , , )

For each vertex , its usage ( ) in ( , ) is defined

u v w z u A v A u v u A v A w z u v u A v A

w u v A w u v

M K K K K G G K K G G K K K K G G

K V U K M K K

( , ), ,

, ( , ), ,,

as:

( ) ( , ) ( , ) :

The usage of is then defined as :

( ) ( )u v

u v A w z x u v z w

w

A w u v A wK K V

U K K K M K K K K

K V

U K U K

Page 39: Key Establishment in Ad Hoc Networks Part 1 of 2

Fundamental design limit (1): size of the repositories

Problem 1: Find a set of subgraphs that minimizes the size of local repositories such that p=1

Theorem 1:

00 ,

,

Let us consider a certificate graph ( , ), a subgraph construction algorithm ,

and an authentication metric . If ( , ) 1, then is minimized if

, ( , ) ( , ),

where (

A

v v A v x x v

G V E A

p s G s

K V G sp K K sp K K

sp

,

,

, ) is the shortest path from to in such that minimizes

max ( ( , ) ( , ))

where ( , ) is the length of ( , ).

Furthermore,

min max ( ( , ) ( , ))

v v x

x v v x

v x v x x

v x x vK V K K

v x v x

v x x vK V K V K K

K K K K G K

d K K d K K

d K K sp K K

s d K K d K K

Page 40: Key Establishment in Ad Hoc Networks Part 1 of 2

Fundamental design limit (2): key usage

Problem 2: Find a set of subgraphs that minimizes the size of local repositories such that p=1 and U(Kv)=U(Ku)

Theorem 2:

0

0 0

0

,

, ,

,

Let us consider a certificate graph ( , ), a subgraph construction algorithm ,

and a binary authentication metric .

If (i) ( , ) 1,

(ii) ( ) ( ) ,

and (iii) ( ) for

A

A v A u u v

v A

G V E A

p s G

U K U K K K V

V G s

each ,

then -1.

vK V

s V

Example of construction with $s = 2(\sqrt{|V|} - 1)$:

|V| = 4, s = 2

|V| = 9, s = 4

Page 41: Key Establishment in Ad Hoc Networks Part 1 of 2

Maximum degree simulation results

Maximum degree:

PGP (5000 vertices):

  Repository no. of paths | Mean length | Shortest path | No. of paths
  1                       | 8.24        | 8.24          | 1
  3                       | 8.23        | 7.69          | 1.42
  6                       | 8.15        | 7.67          | 1.44

Artificial certificate graphs:

  Repository no. of paths | Mean length | Shortest path | No. of paths
  1                       | 17.66       | 17.66         | 1
  3                       | 18.77       | 12.55         | 2.39
  6                       | 16          | 10.53         | 2.55

The whole graph:

  Graph                          | Mean length | Shortest path | No. of paths
  PGP (5000 vertices)            | 6.6         | 6.19          | 1.55
  Artificial certificate graphs  | 6.8         | 5.71          | 3.66

Page 42: Key Establishment in Ad Hoc Networks Part 1 of 2

PGP certificate graph

The PGP graph is the only known example of self-organized certificate graph creation.

Largest connected component of the PGP certificate graph 2001 (8695 keys)

Page 43: Key Establishment in Ad Hoc Networks Part 1 of 2

Key usage

Certificate usage with Maximum Degree algorithm and the Shortest Paths on PGP graph and artificial certificate graph

Page 44: Key Establishment in Ad Hoc Networks Part 1 of 2

Small-world graphs

Small world graph characteristics:

- a small characteristic length (the median of the means of the shortest paths between all pairs of users)
- a large clustering coefficient (a very high likelihood that two friends of a friend are friends as well)
- a logarithmic characteristic length scaling

shortcut – an edge upon whose disconnection the shortest path between two vertices previously connected by this edge becomes strictly larger than 2.

Page 45: Key Establishment in Ad Hoc Networks Part 1 of 2

Watts Φ-model

[Figure: lattice (Φ = 0), small world graphs, random graphs (Φ = 1)]

Φ is the fraction of shortcuts in the total number of edges of a graph.

CONSTRUCTION PRINCIPLE: REWIRE A REGULAR 1-D LATTICE RANDOMLY (CREATING SHORTCUTS)

Page 46: Key Establishment in Ad Hoc Networks Part 1 of 2

Characteristics of the PGP graph

[Figures: characteristic length and clustering coefficient of the PGP graph]

Page 47: Key Establishment in Ad Hoc Networks Part 1 of 2

Power law of the PGP graph

The degree power law:

the probability that a node has a degree is proportional to

1 for some positive 1, where is called the power factor.

i

pi

k

p pk

Page 48: Key Establishment in Ad Hoc Networks Part 1 of 2

Construction of the artificial certificate graph

Principle: REWIRE AN IRREGULAR 1-D LATTICE RANDOMLY

1. Create an irregular lattice, according to the degree distribution provided by the power law

2. Rewire the lattice (adding or removing the shortcuts) to achieve the desired Φ-coefficient

Page 49: Key Establishment in Ad Hoc Networks Part 1 of 2

Comparison of artificial and PGP graphs

[Figures: PGP certificate graph and artificial certificate graph, compared in two plots]

Page 50: Key Establishment in Ad Hoc Networks Part 1 of 2

Conclusion on Part 1 of Security for mobile ad hoc networks

Very difficult problem, because of the nature of the network

Crucial issue: ad hoc networks cannot be used in practice if they are not secure

The kind of scenario considered (civilian / military, personal devices / sensors, …) can radically influence the solution to be chosen

The presence or absence of an authority (e.g., in charge of distributing the keys) can lead to very different solutions in terms of key agreement

Page 51: Key Establishment in Ad Hoc Networks Part 1 of 2

References

- M. Reiter and S. Stubblebine. Authentication metric analysis and design. ACM Trans. on Information and System Security, 1999.
- D. Watts. Small Worlds. Princeton University Press, 1999.
- Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang. Providing Robust and Ubiquitous Security Support for Mobile Ad Hoc Networks. ICNP 2001.
- S. Capkun, L. Buttyan, JP Hubaux. Trust Relationships in Mobile Ad Hoc networks. LCA technical report, 2001.
- JP Hubaux, L. Buttyan, S. Capkun. The Quest for security of mobile ad hoc networks. MobiHoc 2001.
- For security in sensor networks, check: A. Perrig et al. SPINS: Security Protocols for Sensor Networks. Mobicom 2001.