1
Peer-to-Peer Security in Wireless Ad Hoc Networks
+ CommonSenseNet
Jean-Pierre Hubaux
EPFL, Switzerland
2
Outline
- Brief presentation of the MICS/Terminodes project
- Mobility helps peer-to-peer security
- Cooperation between nodes in multi-hop wireless networks
- Three more projects:
  - Cooperation without incentives
  - Power-efficient broadcast in all-wireless networks
  - Water management by means of sensor networks
3
National Competence Centers in Research
- Initiative of the Swiss National Science Foundation
- Call for proposals in late 1998, for several scientific areas (including Medicine and Physics)
- Proposals have to be substantial (yearly budget around 3 Mio Euros/year) and long term (from 2001 to 2010)
- 200+ proposals have been submitted in the first round
- 14 proposals finally selected (in 2000)
- The Mobile Information and Communication Systems or Terminodes proposal is the only one selected in the area of communications; official start: November 2001
4
Terminal + Node = Terminode
- All network functions (packet forwarding, flow control, error control,…) and terminal functions (coding/decoding, A/D and D/A, storage, ciphering,…) are embedded in the terminode
- A communication must be relayed by intermediate terminodes
- The network is self-organized: it is operated by its users
- All terminodes are potentially mobile
[Figure labels: Source, Destination]
Terminodes are the extreme (or academic) case of several concrete incarnations: multi-hop cellular networks, networks of vehicles, sensor networks, self-operated networks, distributed robots,…
5
National Center for Competence in Research: Mobile Information and Communication Systems
Academic consortium (in CH): EPFL, Uni Lausanne, Uni Bern, Uni St Gallen, Uni Zurich, CSEM, ETHZ
Director of NCCR: Prof. M. Vetterli
Deputy director of NCCR: Prof. Th. Gross
Fribourg: CCTC
Industrial partners:
• IBM
• Microsoft
• Samsung
• Siemens
• Swisscom
• Whitestein Technologies
+ many academic partners worldwide
www.terminodes.org
Around 25 faculty members and 80 PhD students
6
Main challenge and benefit of the research program: working across layers
[Diagram labels: Mathematical foundation; Information theory; Security; Economics; System architecture; Communicating embedded systems; Information systems; Real-time services; Network layer; Physical and MAC layers]
Selected application: environmental monitoring (sensor networks)
Other possible applications: crisis networks, networks of cars, networks for rural areas
7
Joint work with Levente Buttyan+ and Srdjan Capkun
Mobility Helps Peer-to-Peer Security
Peer-to-peer Authentication and Key Establishment in Mobile Networks
+ Now with Laboratory of Cryptography and Systems Security (CrySyS), Department of Telecommunications, Budapest University of Technology and Economics
8
Secure communication with cryptography (reminder)
[Diagram: Alice (Sender) feeds the plain text x to the Encrypter with Key K; the cipher text y = E_K(x) crosses the channel, where Mallory (or Oscar) is the attacker or opponent or intruder; Bob (Receiver) feeds y to the Decrypter with Key K’ and obtains x = D_K’(y)]
x: plain text
y: cipher text
D_K’(E_K(x)) = x
Symmetric cryptography: if K’ = K
Asymmetric cryptography (or public key cryptography): if K’ ≠ K
9
Digital Signature (reminder)
[Diagram: Alice sends Bob the message $m$ together with $e_{PK_A^{-1}}(m)$; Bob checks whether $d_{PK_A}(e_{PK_A^{-1}}(m)) = m$]
Signature: sig or σ
Verification: ver
In RSA-based signature:
$sig(m): s = m^a \bmod n$
$ver(m, s) = \text{true if } m = s^b \bmod n$
$PK_A$: public key of Alice
$PK_A^{-1}$: private key of Alice
A certificate is an identity or a public key signed by another entity
10
Does mobility increase or reduce security ?
Very often, people move to increase security:
- Face to face meetings
- Transport of assets and physical documents
- Authentication by physical presence
In spite of the popularity of PDAs and cellular phones, this mobility has not been exploited so far to provide digital security
Mobility is usually perceived as a major security challenge:
- Wireless channel
- Unpredictable location of the user
- Sporadic availability of the user
- Higher vulnerability of the device
- Smaller computing capability of the device
So far, client-server security has been considered as the priority (e-business, cellular telephony,…)
Peer-to-peer security is still in its infancy
11
Security of cellular networks
Example: GSM
[Diagram labels: Mobile station (key stored in the SIM card); Base station; Authentication Center; Shared, symmetric key; Challenge; Response; Setting up of the encryption key]
• The key stored in the SIM card incarnates the contract between the subscriber and the operator
• It is established manually when the contract is signed
• Only symmetric cryptography is used
12
Example of security for wireless LANs: standard IEEE 802.1x (*)
[Diagram: Supplicant (Mobile Station), Authenticator (Access Point), Authentication Server; EAPOL (over IEEE 802.11) between Supplicant and Authenticator; encapsulated EAP, typically on RADIUS, between Authenticator and Authentication Server]
EAP: Extensible Authentication Protocol (RFC 2284, 1998)
EAPOL: EAP over LAN
RADIUS: Remote authentication dial in user service (RFC 2138, 1997)
Features of IEEE 802.1x:
- Supports a wide range of authentication schemes, thanks to the usage of EAP
- One-way authentication
- Optional encryption and data integrity
(*) Notes:
• IEEE 802.1x is not specific to wireless LANs and was not designed specifically for them
• New standard: IEEE 802.11i (2003)
13
Wireless Transport Layer Security protocol (WTLS)
[Diagram labels: WTLS; WAP Gateway; SSL (Secure Socket Layer); Web server]
Authentication classes of WTLS:
- Class 1: no authentication
- Class 2: authentication of the server only (similar to traditional SSL / HTTPS used with Web servers); the server certificate is usually signed by a Trusted Third Party (Verisign, Entrust, Smartrust,…)
- Class 3: authentication of both server and client; requires a Public Key Infrastructure and a Wireless Identity Module (WIM); very few implementations so far
14
Security in ad hoc networks
Constraints
- Mobile devices: limited computing capabilities
- Sporadic connectivity prevents relying on an on-line server
Solutions proposed so far
- Some nodes have a special role; they are entitled to perform threshold cryptography operations (Cornell, 1999)
- Generalization: any node can take this responsibility (UCLA, 2001)
- Users are all in the same location; they agree on a common password and type it into their devices; the protocol creates a strong shared key (Nokia, 2001)
- Issue mutual certificates and build up a distributed certificate graph à la PGP (EPFL, 2001)
15
Mobility helps security
[Diagram: Alice and Bob exchange (Alice, PuKAlice, XYZ) and (Bob, PuKBob, UVW) over an infrared link]
Visual recognition, conscious establishment of a two-way security association
Secure side channel
- Typically short distance (a few meters)
- Line of sight required
- Ensures integrity
- Confidentiality not required
Problem: how to bootstrap security in a mobile network without a central authority?
16
Friends mechanism
[Diagram labels: Alice; Colin; Bob (Colin’s friend); IR; the triplet (Alice, PuKAlice, XYZ) appears on two links]
Colin and Bob are friends:
• They have established a Security Association at initialisation
• They faithfully share with each other the Security Associations they have set up with other users
17
Mechanisms to establish Security Associations
Legend:
- Friendship: nodes know each others’ triplets
- Exchange of triplets over the secure side channel
- Two-way SA resulting from a physical encounter
- i → j: i knows the triplet of j; the triplet has been obtained from a friend of i
[Diagrams over the nodes i, f and j, one per mechanism:]
a) Encounter and activation of the Secure Side Channel
b) Mutual friend
c) Friend + encounter
Note: there is no transitivity of trust (beyond your friends)
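The three mechanisms and the no-transitivity rule as a small model, added here as an illustration and not taken from the slides or from the authors' protocol. It assumes that a node hands its friends only the triplets it holds first-hand (its friends' and those from its own encounters); all class, function and field names are hypothetical.

```python
# Added illustration; class, function and field names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    friends: set = field(default_factory=set)        # set up at initialisation
    encountered: dict = field(default_factory=dict)  # triplets from the side channel
    from_friend: dict = field(default_factory=dict)  # triplets relayed by a friend

    def triplet(self):
        # Constructed placeholder for the (name, public key, third field) triplet.
        return (self.name, "PuK" + self.name, "XYZ-" + self.name)

    def knows(self, other):
        return (other in self.friends or other in self.encountered
                or other in self.from_friend)


def befriend(a, b):
    a.friends.add(b.name)
    b.friends.add(a.name)


def encounter(a, b):
    """a) Physical encounter: both triplets cross the secure side channel."""
    a.encountered[b.name] = b.triplet()
    b.encountered[a.name] = a.triplet()


def share_with_friends(nodes):
    """b) and c): every node hands its friends the triplets it holds first-hand
    (its friends' and those from its own encounters). Triplets it only received
    from a friend are not passed on: no transitivity beyond friends."""
    for f in nodes.values():
        first_hand = {n: nodes[n].triplet() for n in f.friends}
        first_hand.update(f.encountered)
        for i in (nodes[n] for n in f.friends):
            for who, trip in first_hand.items():
                if who != i.name and who not in i.friends and who not in i.encountered:
                    i.from_friend[who] = trip


def association(nodes, i, j):
    ki, kj = nodes[i].knows(j), nodes[j].knows(i)
    return "two-way" if ki and kj else "one-way" if ki or kj else "none"


def demo():
    nodes = {n: Node(n) for n in "ifjkm"}
    befriend(nodes["i"], nodes["f"])   # i and f are friends
    befriend(nodes["k"], nodes["i"])   # k is a friend of i, but not of f
    befriend(nodes["m"], nodes["f"])   # i and m have the mutual friend f
    encounter(nodes["f"], nodes["j"])  # f meets j
    share_with_friends(nodes)
    share_with_friends(nodes)          # repeating the exchange spreads nothing further
    return nodes
```

In `demo()`, i learns j's triplet through its friend f (one-way), while k, a friend of i only, never learns j's triplet.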
18
Protocols
19
Pace of establishment of the security associations (1/2)
- Depends on several factors:
  - Area size
  - Number of communication partners: s
  - Number of nodes: n
  - Number of friends
  - Mobility model and its parameters (speed, pause times, …)
Established security associations :Desired security associations :
Convergence :
20
Pace of establishment of the security associations (2/2)
[Plot: percentage of security associations (0 to 1) versus time (s), from 100 to 1000000. Curves: s=99, f=0, pause=100 s, sr=5 m, v=5 m/s (5 m/s, 0 friends); s=99, f=2, pause=100 s, sr=5 m, v=5 m/s (5 m/s, 2 friends); s=99, f=0, pause=100 s, sr=5 m, v=20 m/s (20 m/s, 0 friends)]
21
Conclusion on Mobility Helps Security
• Mobility can help security in mobile ad hoc networks, from the networking layer up to the applications
• The proposed solution also supports re-keying
• The proposed solution can easily be implemented with both symmetric and asymmetric cryptography
S. Capkun, J. P. Hubaux, and L. Buttyan, "Mobility Helps Security in Ad Hoc Networks", Fourth ACM Symposium on Mobile Networking and Computing (MobiHoc), Annapolis, June 2003
S. Capkun, L. Buttyan, and J.-P. Hubaux, "Self-Organized Public-Key Management for Mobile Ad Hoc Networks", IEEE Transactions on Mobile Computing, Vol. 2, Nr. 1, 2003
22
Cooperation between Nodes in Hybrid Ad Hoc Networks
Jean-Pierre Hubaux1
Joint work with Naouel Ben Salem1, Levente Buttyan2, and Markus Jakobsson3
1 EPFL/School of Information and Communication
2 Budapest University of Technology and Economics
3 RSA Labs
23
Hybrid ad hoc networks (1/2)
[Figure labels: S, D]
Set of base stations connected to a backbone (like in cellular)
Potentially, multi-hop communication between the mobile station and the base station (unlike in cellular)
Principle usable for both “classical”, voice centric cellular networks and wireless LANs (e.g., IEEE 802.11)
24
Hybrid ad hoc networks (2/2)
Expected benefits:
- Energy consumption of the mobile stations can be reduced
- Immediate side effect: Reduced interference
- Number of base stations (fixed antennas) can be reduced
- Coverage of the network can be increased
- Closely located mobile stations can communicate independently from the infrastructure (ad hoc networking)
Problem: How to encourage the nodes to relay packets for the benefit of other nodes?
25
Possible solution : systematic micro-payments
[Diagram labels: A, i1, BS_A, BS_B, j1, B; Initiator; Correspondent]
• Principle: for every packet, the initiator is charged and all relay nodes are rewarded
• Strength : all cheating attempts will be detected
• Weakness : overhead (increase of the communication cost around 3 to 12%)
N. Ben Salem, L. Buttyan, J. P. Hubaux, and M. Jakobsson, "A Charging and Rewarding Scheme for Packet Forwarding in Multi-hop Cellular Networks", Fourth ACM Symposium on Mobile Networking and Computing (MobiHoc), Annapolis, June 2003
26
Alternative solution : probabilistic micro-payments
Model for the network:
- Multi-hop up-link
- Single-hop down-link
[Figure labels: S, D]
Proposals for probabilistic payments:
- D. Wheeler (1996)
- Jarecki and Odlyzko (1997)
- S. Micali and R. Rivest (2002)
- …
27
The solution in three easy steps – Step 1
Assume that all packet sending/receiving events can be observed by an observer
The observer could tell
- who originated a packet (whom to charge)
- who forwarded a packet (whom to remunerate)
- who dropped a packet (whom to punish?)
28
The solution in three easy steps – Step 2
Assume that every node honestly reports its own sending/receiving events to the operator
The operator could tell
- who originated a packet (whom to charge)
- who forwarded a packet (whom to remunerate)
- who dropped a packet (whom to punish?)
Problems:
- nodes may not be motivated to send reports
- nodes may lie (send false reports)
- reporting all events may be a huge overhead
29
The solution in three easy steps – Step 3
• Nodes get paid for their reports → nodes are motivated to send reports
• Events to be reported are selected probabilistically → this drastically reduces the overhead
• Neighbors are remunerated as well → this further increases the motivation to cooperate
• Based on the received reports, the operator performs statistical analysis (auditing) → this allows detection of cheating behavior
30
Assumptions
Hybrid ad hoc network with multi-hop up-link and single-hop down-link
Symmetric-key crypto, each node shares a long-term symmetric key with the operator (base stations)
The operator manages numerous base stations and one accounting center
The operator is trusted by every node for
- not revealing secret keys
- correctly transmitting packets
- correctly performing billing and auditing
Users are not trusted to act according to the protocol
- users behave rationally
- they can tamper with their devices
- they can collude
31
Protocol
Setup
- users register with the operator
- each registered user u gets an id and a symmetric key Ku
- Ku is shared by the user and the operator (base stations)
Maintaining connectivity information
- each user u keeps a list of triplets (ui, di, Li), where
  • ui is a neighbor
  • with distance (in hops) di from the base station and
  • with reward level Li
- the list is sorted in terms of increasing values of di and Li
Reward levels
- packets have reward levels too
- a higher reward level means higher charge for the originator and higher reward for the forwarders
- ui is willing to forward packets with a reward level higher than Li
32
Packet origination
Originator o wants to send payload p
- o selects a reward level L
- computes a MAC: = MACKo( L | p )
- transmits [ o | L | p | ] according to the Packet Transmission Protocol
MAC : Message Authentication Code
33
Packet transmission
User u – originator or forwarder – wants to transmit packet P = [ o | L | p | ]
1. u selects his first as yet unselected entry (ui, di, Li) where Li < L
2. sends a forward request to ui (contains L and possibly more info)
3. waits for an ack from ui
• if received, then u sends P to ui
• if not received, then u increases i by one and goes to step 2
in any case: if u is not the originator, then u performs the Reward Recording Protocol
[Figure: user u with neighbors y, z and x, listed as (u=y, d=2, L=53), (u=z, d=3, L=82), (u=x, d=3, L=70)]
34
Packet processing by the base station
The base station receives a packet P = [ o | L | p | ]
- it looks up the secret key Ko of the originator o
- verifies the MAC
  • if not correct, then drops the packet
  • if correct, then transmits the packet to the destination
- keeps a count of the number of packets transmitted for o
- records a fraction of all triplets (, L, u), where u is the id of the user from which it received the packet [ o | L | p | ]
- periodically sends the recorded information to an accounting center
[Figure labels: S; D; Accounting Center; steps 1 to 6; Retrieve Ko; Verify; P]
35
Reward recording
User u has forwarded a packet P = [ o | L | p | ]
- u interprets as a lottery ticket
- the ticket is winning for u iff f(, Ku) = 1 for some function f
- if is winning, then u records (u1, u2, , L), where
  • u1 is the user from which he received P
  • u2 is the user (or base station) to which he forwarded P
[Figure labels: u1; u; u2 (or base station); f(, Ku) = 1 ?]
Example for f : f(, Ku) = 1 iff dHamming(, Ku) h
• Note: If f is not one-way, then all claims should be encrypted during transmission
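Packet origination, the base station's MAC check and the lottery-ticket test from the last four slides, as an added example that is not code from the slides or the cited paper. It assumes the fourth packet field is the MAC computed at origination, HMAC-SHA256 as the MAC, and that a ticket wins when the Hamming distance is at most h; function names, field widths and keys are constructed.

```python
# Added illustration; function names, field widths and sample values are assumptions.
import hashlib
import hmac


def mac(key: bytes, level: int, payload: bytes) -> bytes:
    """MAC over ( L | p ) under a long-term key; HMAC-SHA256 is chosen here."""
    return hmac.new(key, level.to_bytes(2, "big") + payload, hashlib.sha256).digest()


def originate(o: str, ko: bytes, level: int, payload: bytes) -> tuple:
    """Packet [ o | L | p | MAC ] as sent by originator o."""
    return (o, level, payload, mac(ko, level, payload))


def base_station_accepts(packet: tuple, keys: dict) -> bool:
    """Look up Ko, recompute the MAC, drop the packet on mismatch."""
    o, level, payload, tag = packet
    ko = keys.get(o)
    return ko is not None and hmac.compare_digest(tag, mac(ko, level, payload))


def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def is_winning(tag: bytes, ku: bytes, h: int) -> bool:
    """f(MAC, Ku) = 1 iff the Hamming distance is within h (assumed: <= h)."""
    return hamming(tag, ku) <= h


def record_reward(u1, u2, packet, ku, h):
    """Forwarder's reward record (u1, u2, MAC, L), or None if the ticket loses."""
    _, level, _, tag = packet
    return (u1, u2, tag, level) if is_winning(tag, ku, h) else None


# Constructed 32-byte keys, so that key and MAC have equal length.
KEYS = {name: hashlib.sha256(b"constructed key " + name.encode()).digest()
        for name in ("o", "y", "z")}


def win_rate(user: str, h: int, n: int = 2000) -> float:
    """Fraction of n constructed packets from o whose ticket wins for `user`."""
    wins = 0
    for seq in range(n):
        pkt = originate("o", KEYS["o"], 60, b"payload-%d" % seq)
        wins += record_reward("o", "BS", pkt, KEYS[user], h) is not None
    return wins / n
```

With 256-bit values and h = 120, roughly one ticket in six wins, and the rate is about the same for every user, which is the property the audit relies on.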
36
Reward claim
User u has a list M of reward records
- when u is adjacent to a base station, he transmits a claim [ u | M | MACKu(M) ] to the base station
- the base station verifies the MAC
  • if incorrect, then ignores the claim
  • if correct then records the claim and sends an ack
- when u receives the ack, he deletes M from memory
- the base station sends the recorded reward claims to the accounting center
[Figure labels: u; [ u | M | MACKu(M) ]; Accounting Center]
37
Accounting
The accounting center receives
- reward claims of the form: “u claims (u1, u2, , L)”
- traffic info recorded by the base stations of the form: “(, L, u) from o”
All originators whose identity has been recorded by a base station are charged
All users whose identity figures as a claimant in an accepted reward claim are credited
All users whose identity appears as sending or receiving neighbor in an accepted reward claim are also credited
38
Auditing
The probability for a ticket to win is independent of the identity of the user who evaluates it
→ each user should appear as a claimant with approximately the same frequency as he figures as either sending or receiving neighbor of a claimant
39
Examples of abuses and their detection
Packet dropping
- Description: the user agrees to forward, but he doesn’t forward
- Detection: receiving neighbor freq. > sending neighbor freq.
Ticket sniffing
- Description: the user claims credit for overheard packets
- Detection:
  • claimant freq. > receiving neighbor or sending neighbor freq.
  • conflicting claims
[Figure: nodes a, b, c and d; b claims (a, c, , L); d claims (b, c, , L)]
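The frequency comparison for packet dropping and the conflicting-claims check for ticket sniffing, as an added example that is not code from the slides or the cited paper. It assumes a packet follows a single path and that a base-station traffic record counts as sending evidence for the last hop; the function names, the `margin` parameter and all records are constructed.

```python
# Added illustration; function names, the margin and the sample records are constructed.
from collections import Counter, defaultdict

# Constructed reward claims (claimant, u1, u2, ticket) for a route o -> a -> b -> c -> BS.
# On tickets t5..t7, a hands the packet to x, which acks but never forwards.
# On ticket t3, d overhears b's transmission and files a claim of its own.
CLAIMS = [
    ("a", "o", "b", "t1"), ("b", "a", "c", "t1"), ("c", "b", "BS", "t2"),
    ("b", "a", "c", "t3"), ("d", "b", "c", "t3"),
    ("a", "o", "b", "t4"), ("c", "b", "BS", "t4"),
    ("a", "o", "x", "t5"), ("a", "o", "x", "t6"), ("a", "o", "x", "t7"),
]
# Constructed base-station traffic records (ticket, user the packet came from).
BS_RECORDS = [("t1", "c"), ("t3", "c")]


def frequencies(claims, bs_records=()):
    """Per-user counts the audit compares: times seen as claimant, as sending
    neighbor (u1 of someone's claim) and as receiving neighbor (u2)."""
    claimant, sending, receiving = Counter(), Counter(), Counter()
    for u, u1, u2, _ticket in claims:
        claimant[u] += 1
        sending[u1] += 1
        receiving[u2] += 1
    for _ticket, u in bs_records:
        sending[u] += 1   # assumption: a base-station record is sending evidence
    return claimant, sending, receiving


def drop_suspects(claims, bs_records=(), exempt=("BS",), margin=2):
    """Users named as receiving neighbor at least `margin` times as often as
    they are named as sending neighbor (packets go in, none come out)."""
    _, sending, receiving = frequencies(claims, bs_records)
    return {u for u in receiving
            if u not in exempt and receiving[u] >= margin * max(sending[u], 1)}


def conflicting_claims(claims):
    """Per ticket, the claimants whose claims give one sender two next hops."""
    hops = defaultdict(lambda: defaultdict(set))  # (ticket, sender) -> receiver -> claimants
    for u, u1, u2, ticket in claims:
        hops[ticket, u1][u].add(u)    # u says: u1 sent the packet to me
        hops[ticket, u][u2].add(u)    # u says: I sent the packet to u2
    bad = defaultdict(set)
    for (ticket, _sender), receivers in hops.items():
        if len(receivers) > 1:        # one sender, several different next hops
            for who in receivers.values():
                bad[ticket] |= who
    return dict(bad)
```

On the constructed records, `drop_suspects` singles out x and `conflicting_claims` pairs b with d on ticket t3; which of the two lied still has to be settled from the frequencies over many tickets.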
40
Conclusion on the probabilistic encouragement for collaboration
Cooperation between nodes can be fostered by micro-payments
Probabilistic micro-payments can drastically reduce the overhead
The operator can fine tune the detection mechanisms according to the level of observed cheating
Future work
- Study attacks by malicious users
- Pricing issues (e.g., computation of the reward levels)
M. Jakobsson, J. P. Hubaux, and L. Buttyan, "A Micro-Payment Scheme Encouraging Collaboration in Multi-hop Cellular Networks", Proceedings of Financial Crypto 2003
41
Cooperation without incentives in pure ad hoc networks
Examples of strategies:
Strategy | Function | Initial cooperation level
AllD (always defect) | $\sigma_i(x) = 0$ | 0
AllC (always cooperate) | $\sigma_i(x) = 1$ | 1
TFT (Tit-For-Tat) | $\sigma_i(x) = x$ | 1
[Figure labels: $\sigma_i$, $A_i$, $y_i$, $x_i$]
Conclusion: In a static network, the conditions for spontaneous cooperation are extremely unlikely to be met; but mobility improves things.
M. Felegyhazi, Levente Buttyan, and J. P. Hubaux, "Equilibrium Analysis of Packet Forwarding Strategies in Wireless Ad Hoc Networks – the Static Case", Proceedings of Personal Wireless Communications (PWC `03), Venice, Italy, September 2003
42
Power-efficient Broadcast in all-wireless networks,α
ijij dc 2
11}{max},{
aax
ihx
da pcp
Calculate gains
6 dacbd
da ppppg
5 eadcbe
ea pppppg
2 cac
ca ppg
6 badcb
ba ppppg
Calculate new transmission power
0},{maxarg
xa
xaa
newa
xa
ggppp
[Figure: example network with nodes a, b, c, d, e, f, g, h, i and j; transmission powers pa=2, pb=8, pc=5, pd=4, pe=4]
Try to remove node d:
M. Cagalj, J. P. Hubaux, and C. Enz, “Minimum-Energy Broadcast in All-Wireless Networks: NP-completeness and Distribution Issues”, Mobicom 2002
43
COMMON-Sense Net: Agriculture and water management with the use of wireless sensor networks
Joint work with IISc
44
The need for water
Consequence: Growing humanitarian crises and political instability
Water supply, distribution of unserved populations
Sanitation, distribution of unserved populations
45
Water and agriculture
Agriculture consumes 70% of the fresh water used worldwide by human activity
Around 40% of the fresh-water used for agriculture is lost (evaporation, spills, undue absorption)
[Pie chart: Agriculture (70%), Industrial, Domestic]
Agriculture is largely responsible for ground water’s depletion and salinisation.
46
Assumptions
An optimized water management in agriculture is needed
Optimised water management means better information gathering on the soil’s and plants’ condition
Sensors and sensor networks can provide this enhanced information
47
A concrete test case (1)
48
A concrete test case (2)
- 25 villages over a radius of 25km
- Marginal farmers (< 1 ha) and small farmers (< 2 ha)
- No powered irrigation
- Cultures:
  - groundnut (for oil), cereals millets (finger millet -locally known as Ragi-, sorghum)
  - rice in some irrigated patches
49
User requirements
A better access to critical data and information to help farmers in their decision making process
- Soil: humidity, salinity
- Ground-water: level, quality (nitrates, phosphates)
- Local meteorological data: temperature, radiance, wind velocity and direction...
- Global meteorological data: weather forecast, seasonal estimates...
Cultural and social issues are critical
51
System characteristics
- Self-organizing network of heterogeneous wireless sensor-nodes (ease of deployment, non-intrusiveness)
- Nodes communicate in a multihop fashion
- Low data-rate
- Scalability and adaptability to network changes
- Node failure detection and adaptability
- Internet-connectivity
52
Technical requirements
- Communication range: around 500m (up to 1 km)
- Power-saving mechanisms: life-time of every node over 1 year (the longer the better)
- Possibility to connect heterogeneous sensors to a communication node: « universal » port
- Cost constraints
53
Project consortium
Indian Partners
- Centre for Electronics Design and Technology (CEDT/IISc)
- Centre for Atmospheric and Oceanic Studies (CAOS/IISc)
- Chennakeshava Trust
Swiss Partners
- Laboratory for computer Communications and Applications (LCA/EPFL)
- Laboratory of Hydrology and Planning (HYDRAM/EPFL)
- HEC, Lausanne (UNIL)
54
COMMON-Sense Agenda
- June 2003: Build-up of the consortium
- July-August 2003: Project proposal
- Fall 2003: Development of first prototype
- August 31st: Project submitted to SDC/EPFL cooperation fund
- January 2004: Project approved
- February 2004: Project meeting in Bangalore
- March-April 2004: Gathering of final user requirements
- May 2004: System High-Level Design
- June-November 2004: Work on first release
- December 2004: Outdoor testing of prototype
55
Conclusion
Ad hoc and sensor networks raise new challenges in a number of areas
Security in particular needs to be redesigned from scratch
The solutions very much depend on the presence and role of an authority
This is an exciting and promising research area…
Presented papers available online at: http://lcawww.epfl.ch/hubaux/ or Google (hubaux) home page