Presd1 14

Security in Delay Tolerant Networks Dr. Milena Radenkovic PhD (Nottingham, UK), Dipl. Ing., MSc (Nis, Serbia) Cyber Defence National Security in a Borderless World 17th & 18th May 2010, Swissôtel Tallinn, Estonia

Transcript of Presd1 14

Page 1: Presd1 14

Security in Delay Tolerant Networks

Dr. Milena Radenkovic PhD (Nottingham, UK), Dipl. Ing., MSc (Nis, Serbia)

Cyber Defence National Security in a Borderless World

17th & 18th May 2010, Swissôtel Tallinn, Estonia

Page 2: Presd1 14

University of Nottingham Cyber Defence, Estonia, 2010

Research Overview

• Research interests centre on self-organised network architectures that support interactive multiuser applications in unstable and heterogeneous environments
• Particular concern is with the design and deployment of novel more reliable mobile ad-hoc, delay tolerant networks for data store and query and routing protocols
• Multiple projects in location based pervasive gaming, wearable medical and veterinary applications and mass environmental monitoring:
  • A Novel Routing Protocol for Large Scale Disconnected (PI, EPSRC),
  • Developing Advanced Collaborative Environments for Life Science Community (PI, EPSRC)
  • Participate (CI, EPSRC), myGrid (CI, EPSRC)
  • IPERG, (WPLead, EU), MIAS (WPLead, EPSRC)

Page 3: Presd1 14

Disconnection Tolerant Networks

• Type of challenged networks where
  • communication opportunities are based on sporadic and intermittent contacts,
  • long disconnections and re-connections may frequently occur, and
  • the assumption on the existence of an end-to-end path between the source and the destination is dropped
• DTN network features pose fundamental challenges to the mechanisms needed to secure DTNs and heavily constrain available security solutions

Page 4: Presd1 14

The Internet Architecture

• Traditional Internet (wired, wireless, mobile, ad hoc networks) makes strong assumptions about connectivity such as:
  • available end to end paths,
  • low RTTs,
  • high availability to naming, security services, caching and searching infrastructures to provide locator-based access such as DNS

[Figure: Wired LAN, Cell tower, Wireless LAN, MANET]

Page 5: Presd1 14

Non Internet-like Architecture

• When the connectivity assumptions do not hold
  • Applications break / communication disabled
  • Need for fundamentally new communication and security paradigms
  • Support interoperability among radically heterogeneous networks and achieve good performance with very large delays and unpredictable loss of connectivity
• DTNs use “store, carry and forward” to transfer data and security messages

[Figure: Alan, Bob, Charlie]

Page 6: Presd1 14

Applications of DTNs

• Started off as inter-planetary communication but now used for enabling communication when the infrastructure is
  • difficult to deploy,
  • expensive to deploy or
  • available, but a DTN can still improve performance
• Military, Interplanetary
• Disconnected kiosks in rural areas
• Disaster struck areas
• Remote sensing applications
• But also:
  • Bulk data distribution in urban areas
  • Sharing of individual contents in urban areas
  • Mobile location-aware sensing applications
  • Social Mobile Applications

Page 7: Presd1 14

DTN Examples 1: Inter-Planet Satellite Communication Network

• Internet Service in Space (Initial concept of DTN)
• Characteristics
  • High Intermittent Connectivity
  • Extremely Long Propagation Delay: finite speed of light
  • Low Transmission Reliability: positioning inaccuracy, limited visibility
  • Low Asymmetric Data Rate
• Current Projects
  • InterPlaNetary Internet
  • DARPA, JPL, MITRE, USC, UCLA, CalTech, etc.
• Security:
  • CCSDS protocol space End to end security space end to end reliability
  • More recently security DTN protocol

Page 8: Presd1 14

DTN Examples 2: Military Battlefield Network

• No consistent network infrastructure and frequent disruptions
• Characteristics
  • High Intermittent Connectivity
  • Mobility, destruction, noise, attack, interference
  • Low Transmission Reliability: positioning inaccuracy, limited visibility
  • Low data rate
• Current Projects
  • DTN Project @ DARPA
• Security:
  • Mainly MANET Security
  • Distribution of CAs in mobile ad hoc networks cannot provide military level security
  • Combining a self-organized approach with an off-line third trusted parties (TTP) promising

Page 9: Presd1 14

DTN Examples 3: Remote Area Networks

• Providing Internet connectivity to rural/developing areas e.g. e-mail
• Characteristics
  • Intermittent Connectivity
  • Mobility, sparse deployment
  • High Propagation Delay
  • Asymmetric Data Rate: heterogeneous
• Current Projects
  • First Mile Solutions, KioskNet
• Security requirements:
  • integrity of KioskNet components (gateways, ferries, kiosk controllers and proxies),
  • security of kiosk terminals,
  • confidentiality and integrity of user data despite using untrusted ferries
• Security used:
  • standard cryptographic techniques such as PKI and a transparent encrypted file system.

Page 10: Presd1 14

DTN Examples 4: Sparse Mobile Ad Hoc Networks

• Intermittent Autonomous (Opportunistic) Communications
• Even when infrastructure is available, this provides cheaper alternative to cellular nets e.g. google from the bus without 3G
• Characteristics
  • Intermittent Connectivity
  • Mobility, sparse deployment
  • Large end to end delay
• Current Projects
  • DieselNet, CarTel
  • Participate
  • DOME : Diverse Outdoor Mobile Environment @ UMass
  • Haggle Project @ European Union Framework Program
• Security: DTN or PSN security

[Figure labels: Built-in Accelerometer; Animal Area Network; Multi Hop Wireless Communication; Notifications and Querying; Gateway; Internet; Internal Storage and Processing]

Page 11: Presd1 14

DTN Security Goals

• Due to the resource-scarcity that characterizes DTNs, the emphasis of DTN security is on protecting the DTN infrastructure from unauthorized access and use
  • Prevent access by unauthorized applications,
  • Prevent unauthorized applications from asserting control over the DTN infrastructure,
  • Prevent authorized applications from sending bundles at a rate or class of service for which they lack permission,
  • Promptly detect and discard bundles that were not sent by authorized users, (early detection within infrastructure rather than at destination),
  • Promptly detect and discard bundles whose headers have been modified
  • Promptly detect and disable compromised entities
• Secondary emphasis is on providing optional end-to-end security services to bundle applications

Page 12: Presd1 14

DTN security challenges

• Security/reliability
  • No trusted infrastructure
  • No standard AAA, no PKI
  • No available fully distributed security algorithms
  • New and different classes of application traffic
• The challenges facing the network security community for supporting such applications are fundamentally profound.
• Traditional security approaches for wired, wireless and ad hoc mobile networks assume that a fully connected path between all end points that wish to communicate must exist for trust building to be possible

Page 13: Presd1 14

How do DTN environments constrain available trust building mechanisms

• High round-trip times and disconnections
  • Do not allow frequent distribution of a large number of certificates and encryption keys end-to-end
  • More scaleable to use user’s keys and credentials at neighboring or nearby nodes.
• Delayed or loss of connectivity to a key or certificate server
  • Multiple certificate authorities/key servers desirable but not sufficient and certificate revocation not appropriate
• Long delays
  • messages may be valid for days or weeks, so message expiration may not be able to be depended on to rid the network of unwanted messages as efficiently as in other types of networks.
• Constrained bandwidth
  • Need to minimize cost of security in terms of header bits

Page 14: Presd1 14

Traditional PKI not applicable

• Traditional symmetric cryptography and PKI-based approaches are not suitable for DTNs for two major reasons.
  • In a PKI, a user authenticates another user’s public key using a certificate signed by a certificate authority (CA). In a disconnected network, without online access to an arbitrary receiver’s public key or certificate, sending an encrypted message on the fly is not possible
  • Also, PKIs implement key revocation based on frequently updated online certificate revocation lists (CRLs) posted by CAs. In the absence of instant online access to CRLs, a receiver cannot authenticate a sender’s certificate.

Page 15: Presd1 14

Identity Based Cryptography not applicable

• Identity Based Cryptography (IBC) schemes where the public key of each entity is replaced by its identity and associated public formatting policies are not suitable for the security in DTNs for two reasons:
  • IBC does not solve the key management problem in DTNs and
  • It is not scalable because it assumes that a user must know the public parameters for all the trusted parties.

Page 16: Presd1 14

Mobile Ad hoc Key Management Proposals not applicable

• Virtual Certificate Authority – Threshold Cryptography approach.
  • Not applicable due to no existence of Trusted Third Party (TTP)
• Certificate Chaining based on Pretty Good Privacy (PGP)
  • Not applicable due to insufficient density of certificate graphs, compromised nodes not isolated
• Peer-to-peer key management based on mobility
  • Not applicable due to certificate revocation mechanism
• Eliminating all forms of on-line and off-line TTP degrades security.
• Combining a self-organized approach with an off-line TTP could provide adequate security

Page 17: Presd1 14

Existing Mandatory DTN Security

• Based on the “bundle” protocol
• Mandatory protection of the DTN infrastructure from unauthorized use - detect illegitimate traffic ASAP and drop it immediately
  • Hop-by-hop bundle header integrity
  • Hop-by-hop bundle sender authentication
  • Access Control (only legitimate applications/users with appropriate permissions may inject bundles)
  • Limited protection against DoS by detecting illegitimate traffic at its first hop and discarding it immediately

Page 18: Presd1 14

Existing Optional DTN Security

• Optional protection of application data—destination application provided with security even when a router may be compromised
  • End-to-end bundle integrity
  • End-to-end bundle source and destination authentication
  • Replay detection at destination
  • Support for end-to-end payload confidentiality
• Security policy router capabilities for enforcing a finer-granularity of access control

Page 19: Presd1 14

Summary of DTN Security Mechanisms

• Bundle Authentication Header is computed at every sending bundle agent and checked at every receiving bundle agent on every hop along the way from the source to destination
• Payload Security Header is computed once at the source bundle agent, carried unchanged, and checked at the destination bundle agent (and possibly also at security boundary bundle agents).
• Source vs. Sender
• Destination vs. Receiver
• Source Bundle Agent may enforce access control and Reject traffic from a Bundle application.

[Figure: bundle path from the Source Application Node to the Destination Application Node across bundle agents, including a Security Policy Router (may check PSH value); a BAH on each hop (Sender, Receiver/Sender, Receiver/Sender, Receiver/Sender, Receiver) and one PSH end to end. Legend: Bundle Agent, Bundle Application, Region]
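
The two checks summarised on this slide, as an added Python sketch that is not part of the original presentation: a BAH recomputed and verified on every hop, and a PSH computed once at the source and verified at the destination. HMAC-SHA256, the key and header strings, and a BAH that covers only the bundle header are assumptions made for illustration.

```python
import hashlib
import hmac

def mac(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for the integrity algorithm (assumption).
    return hmac.new(key, data, hashlib.sha256).digest()

def originate(header: bytes, payload: bytes, e2e_key: bytes) -> dict:
    """Source bundle agent: the PSH is computed once, over the payload."""
    return {"header": header, "payload": payload, "psh": mac(e2e_key, payload)}

def alter(field: str, value: bytes):
    """Build a tamper function that replaces one field of a bundle."""
    return lambda b: dict(b, **{field: value})

def transfer(bundle, hop_keys, e2e_key, on_link=None, by_agent=None):
    """Carry a bundle across len(hop_keys) hops and report where it ends up.
    on_link=(hop, fn): changed in transit by a party without the hop key.
    by_agent=(hop, fn): changed by the sending agent, which holds the hop key."""
    for hop, key in enumerate(hop_keys):
        if by_agent and by_agent[0] == hop:
            bundle = by_agent[1](bundle)
        sent = dict(bundle, bah=mac(key, bundle["header"]))  # BAH, fresh per hop
        if on_link and on_link[0] == hop:
            sent = on_link[1](sent)                          # BAH is now stale
        if not hmac.compare_digest(sent["bah"], mac(key, sent["header"])):
            return f"dropped at hop {hop}"                   # early discard
        bundle = {k: v for k, v in sent.items() if k != "bah"}
    if not hmac.compare_digest(bundle["psh"], mac(e2e_key, bundle["payload"])):
        return "rejected at destination"
    return "delivered"

# Constructed sample keys and bundle contents (not from the slides).
HOP_KEYS = [b"hop-0-secret", b"hop-1-secret", b"hop-2-secret"]
E2E_KEY = b"source-destination-secret"

def run_scenarios() -> dict:
    def fresh():
        return originate(b"dst=node-c;class=bulk", b"sensor reading 42", E2E_KEY)
    new_header = alter("header", b"dst=node-c;class=expedited")
    new_payload = alter("payload", b"altered reading")
    return {
        "clean": transfer(fresh(), HOP_KEYS, E2E_KEY),
        "header changed on link 1": transfer(fresh(), HOP_KEYS, E2E_KEY, on_link=(1, new_header)),
        "payload changed by agent 1": transfer(fresh(), HOP_KEYS, E2E_KEY, by_agent=(1, new_payload)),
        "header changed by agent 1": transfer(fresh(), HOP_KEYS, E2E_KEY, by_agent=(1, new_header)),
    }

if __name__ == "__main__":
    print(run_scenarios())
```

The last scenario is delivered: a hop check keyed on a pre-shared secret accepts whatever header a key-holding agent sends, so it gives no signal when that agent is the one making the change.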

Page 20: Presd1 14

DTN Security – Current Issues and Future Efforts

• The current DTN security initiative is based on a pre-shared secret and involves no trust dynamics mechanisms
  • Works well against external threats but is not applicable to internal threats
  • i.e. there is no mechanism in place to re-evaluate a node’s credentials if a node gets compromised
• Most recent efforts of the DTN community are directed towards
  • extending DTN security bundle protocol with novel flexible and fluid trust building, negotiation and propagation mechanisms
  • based on behavioral modeling, anomalous behavior across disconnections and non consensus asynchronous partial trust claiming and resolving
  • Closely aligned with visions and goals of IETF DTN-RG and DARPA

Page 21: Presd1 14

Towards Self-Organised DTN Security

[Figure labels: Direct Reputation Collection; Indirect Reputation; Eigen Trust, Centrality Measures, Mobility Profile; Input Credentials; Existing DTN Security; Message Integrity; Sender Authentication; Access Control; Self-organised DTN Security]

Page 22: Presd1 14

Conclusions

• Despite a great deal of emerging research dealing with security of mobile ad hoc and DTN networks, supporting secure routing in an environment with little or no infrastructure remains a difficult and fundamentally profound problem
  • Current decentralised self organised ad hoc security approaches do not integrate support for disconnections, and
  • security approaches for disconnected networks do not support dynamics and self organisation
• As DTNs get more widely deployed, it becomes increasingly important that more commercial and government efforts are directed towards extending current DTN security to allow dynamic trust management

Page 23: Presd1 14

Thank you!

Any Questions?