A Comprehensive Approach to Secure Group Communication in Wireless Networks
A basic slideshow complemented with some other slides I used for illustrating my master's thesis at the Illinois Institute of Technology in the field of cryptography and network security.
David González Romero
Chicago, August 2009
Index
Chapter 1: Introduction
Chapter 2: Wireless technologies
– Bluetooth
– Wi-Fi (Annex 1)
– ZigBee (Annex 1)
– Wireless USB (Annex 1)
– Near Field Communication (Annex 1)
Chapter 3: Secure Device Pairing
– Public-key cryptography
– Diffie-Hellman key exchange
– Digital signatures
– Elliptic Curve Cryptography
– Human-assisted solutions
Chapter 4: Secure Group Communication
– Resurrecting Duckling
– Identity-based encryption
– Entity recognition
Introduction
Wireless technology has experienced a sustained surge in recent years
– Rise in portable, handheld and ubiquitous electronic devices for domestic use
– New applications in wireless communication: data exchange, monitoring, remote control…
A new set of technology standards (Chapter 2) covers a wide range of needs for casual and professional users
– Bluetooth
– Wi-Fi
– ZigBee
– Wireless USB
– Near Field Communication (NFC)
Concerns about privacy and network security
– Secure Device Pairing (Chapter 3)
– Secure Group Communication (Chapter 4)
[Figure: Secure Device Pairing (initial key exchange, then secure communication) as the basis for Secure Group Communication, our goal]
Wireless technologies
[Chart: the technologies studied, placed by complexity (transmission rate, network topology, protocol stack…), distance range and security needs]
Bluetooth technology
Bluetooth is a protocol used for ad hoc wireless communication within ranges of up to 100 meters
Conceived as a cable replacement for connecting and exchanging data between personal devices such as cell phones, handheld or laptop computers, audio headsets or computer peripherals
– Many other uses. More than a cable replacement
Bluetooth is a standardized technology whose specifications are published by the Bluetooth Special Interest Group (SIG)
The most recent specification, Bluetooth 3.0 + H.S. was released on April 21st, 2009
Bluetooth security
The most recent versions of Bluetooth include Secure Simple Pairing as their main security policy
Secure Simple Pairing aims to simplify the pairing process from the user’s point of view
Secure Simple Pairing defines four different pairing modes
1) Numeric Comparison
2) Out-of-Band
3) Passkey Entry
4) Just Works
Secure Device Pairing
Secure Device Pairing allows two mobile devices that share no prior context to establish secure communication with each other
– Secure communication between two devices means that no third party can eavesdrop on or alter the content of the communication
The pairing procedure must ensure a secure First Connection between the devices without the need for a third-party authority
Once the First Connection is secured, the devices agree on a common key which can be securely stored and used in future communications without the need for a new secure pairing
Two basic approaches or a combination of both
– Public-key cryptography
Diffie-Hellman key exchange
Digital signatures
Elliptic Curve Cryptography (Annex 3)
– Human-assisted solutions
Public key cryptography
Public key cryptography uses asymmetric cryptographic algorithms
– Based on the use of public and private keys
A public key is used to encrypt and a private key is used to decrypt
[Figure: Alice encrypts a message with Bob’s public key and sends the encrypted message over the communication channel; Bob decrypts it with his private key and recovers the message]
Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange allows two devices that share no prior context to establish a common secret key
D-H Key Exchange is based on the discrete logarithm problem
Both devices agree on two public values: p and g
Each device has its own private key: a for Alice, b for Bob
Alice computes (g^b mod p)^a mod p while Bob computes (g^a mod p)^b mod p, both obtaining the same final value
Given large values of a, b and p, it would be extremely hard for an eavesdropper who doesn’t know any of the secret keys to compute their values
– The more digits involved, the more difficult it is to solve (analytically or computationally) the discrete logarithm problem
[Figure: Alice holds a, g and p and sends A = g^a mod p to Bob; Bob holds b and returns B = g^b mod p; Alice computes K = B^a mod p and Bob computes K = A^b mod p]
Digital signatures
[Figure: Alice hashes the message and applies the sign operation of the Digital Signature Algorithm with her private key, obtaining a digital signature; she sends the digitally signed message (message + digital signature) to Bob, who hashes the message and applies the verify operation with Alice’s public key, obtaining “digital signature verified” or “signature verification failed”]
Public key schemes
The public key schemes presented can be compared in terms of computational complexity for a similar degree of security
Human-Assisted solutions
Public key cryptography relies on the effectiveness of mathematical problems as the basis for the encryption and decryption processes
Some kind of human interaction is still required to provide an authentication mechanism
Several solutions have been proposed
– Talking to Strangers (TtS) (Annex 2)
– Seeing-is-Believing (SiB)
– Loud and Clear (L&C) (Annex 2)
– HAPADEP (Human Assisted Pure Audio Device Pairing)
Seeing is Believing
Seeing is Believing (SiB) makes use of a mobile device’s capability to take pictures and process the information in them
The ability to take pictures favors the creation of a location-limited visual channel
1) Device A has a 2D barcode (data matrix) attached to it, or is able to display one on a screen. This code represents its public key
2) Device B takes a picture of the code, obtaining A’s public key
3) Device B will only accept messages authenticated according to the key it has obtained from A
The same process is repeated to authenticate B, which shows its own public key represented as a data matrix
[Figure: B obtains A’s public key over the visual channel]
Secure Group Communication
The solutions presented in the previous chapter are oriented towards securing point-to-point communications
This approach can be insufficient when dealing with larger networks
– Algorithm efficiency, user-friendliness…
Point-to-multipoint or ad hoc solutions can be pursued instead
Resurrecting Duckling
A slave device (duckling) gets securely attached to a master device (mother duck), which takes full control over it
Any number of slave devices can be associated with a master device in an ad hoc manner
Four phases: 1) Imprinting, 2) Secure wireless communication, 3) Death, 4) Resurrection
Imprintable state: the slave device is ready to be attached to a master device
Imprinted state: the slave device is attached to the master device, and cannot be imprinted by a third device
Death: the master device releases the slave, switching its state from “imprinted” to “imprintable”
Resurrection: a master device uses the trusted channel to set an imprintable device to imprinted
Assassination?: only the master device should be able to cause the death of the slave
[Figure: an imprintable device becomes imprinted after a key exchange with the master device over the trusted channel; an attacker then tries to send it a message]
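A toy state machine for the four phases of the policy described above, as an added example that is not code from the thesis; the device names, the trusted-channel flag and the use of a shared key as proof of mastership are assumptions made for the illustration:

```python
"""Toy state machine for the Resurrecting Duckling policy: a duckling is
imprintable or imprinted, imprinting happens only over a trusted channel,
and only the imprinting master can cause its death. Constructed example,
not the thesis's code; device names and the trusted-channel flag are assumptions."""
import os


class Duckling:
    """A slave device that obeys exactly one master at a time."""

    def __init__(self, name):
        self.name = name
        self.master = None      # identity of the imprinting master; None = imprintable
        self.shared_key = None  # key agreed during imprinting

    @property
    def state(self):
        return "imprintable" if self.master is None else "imprinted"

    def imprint(self, master, key, trusted_channel):
        """Imprinting / resurrection: only over a trusted channel, only while imprintable."""
        if not trusted_channel:
            return False   # the ordinary wireless channel is not trusted for imprinting
        if self.master is not None:
            return False   # already imprinted: a third device cannot take it over
        self.master, self.shared_key = master, key
        return True

    def accept(self, sender, key, payload):
        """Secure wireless communication: only the master, proving the shared key, is obeyed."""
        return self.master == sender and self.shared_key == key and bool(payload)

    def kill(self, sender, key):
        """Death: only the master can release the duckling back to the imprintable state.
        Any other sender is an attempted assassination and is refused."""
        if self.master != sender or self.shared_key != key:
            return False
        self.master, self.shared_key = None, None
        return True


def run_lifecycle():
    """Imprinting, communication, attacker interference, death and resurrection
    under a new master. Returns the outcome of each step."""
    d = Duckling("thermostat")
    key_a, key_x, key_b = os.urandom(16), os.urandom(16), os.urandom(16)
    out = {"initial": d.state}
    out["imprint_over_radio"] = d.imprint("mother-A", key_a, trusted_channel=False)
    out["imprint_trusted"] = d.imprint("mother-A", key_a, trusted_channel=True)
    out["attacker_imprint"] = d.imprint("attacker", key_x, trusted_channel=True)
    out["master_message"] = d.accept("mother-A", key_a, "set 21C")
    out["attacker_message"] = d.accept("attacker", key_x, "set 35C")
    out["assassination"] = d.kill("attacker", key_x)
    out["state_after_attack"] = d.state
    out["death"] = d.kill("mother-A", key_a)
    out["resurrection"] = d.imprint("mother-B", key_b, trusted_channel=True)
    out["final_master"] = d.master
    return out
```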
Identity Based Encryption
Identity Based Encryption (IBE) does not require the constant online presence of a Public Key Infrastructure
Each device/user has a public key that uniquely identifies it (email address, IP address…)
Each user authenticates to a key server, which provides a Private Key
Once the pairing is complete, the presence of the Key Server is not required anymore
[Figure: Bob authenticates to the PKG and receives his private key; Alice sends Bob a message encrypted with Bob’s public key]
Entity recognition
Entity recognition does not require the presence of an authentication authority, nor the intervention of the user
The goal of entity recognition is to ensure that successive messages in one conversation are sent by the entity that started the conversation, and that no third party can interfere by eavesdropping on or tampering with the conversation
The Guy Fawkes protocol is an early entity recognition scheme that uses cryptographic hash chains
The Jane Doe protocol uses cryptographic hash chains and message authentication codes (MACs)
– Based on the division of a conversation into different epochs
The process is easily extended to a group communication scenario
– Any number of conversations can be tracked as long as there is enough memory
Vulnerable to MITM attacks
– Can be applied as a supporting technique to public-key schemes
– Useful with low-power devices which may not be able to implement public key
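A simplified hash-chain scheme in the spirit of the Guy Fawkes protocol, as an added example that is not the thesis's code: each message opens the commitment made by the previous one and commits to the next, so the receiver can tell that a conversation is continued by whoever started it. It assumes the first commitment reaches the receiver authentically, which is exactly the point at which a MITM could substitute a chain of its own.

```python
"""Simplified hash-chain entity recognition in the spirit of the Guy Fawkes
protocol: every message reveals the secret committed to by the previous message
and commits to the next one, so the receiver can tell that message i+1 comes from
whoever sent message i. Constructed example, not the thesis's code; it assumes
the very first commitment reaches the receiver authentically."""
import hashlib
import os


def commit(secret: bytes, payload: bytes) -> bytes:
    """Commitment to a (secret, payload) pair: cryptographic hash of both."""
    return hashlib.sha256(secret + payload).digest()


class Sender:
    """Knows its next payload in advance so it can commit to it one message early."""

    def __init__(self, payloads):
        self.payloads = list(payloads)
        self.secrets = [os.urandom(16) for _ in self.payloads]

    def first_commitment(self) -> bytes:
        """Anchor of the chain; this value must be delivered over an authenticated path."""
        return commit(self.secrets[0], self.payloads[0])

    def send(self, i):
        """Message i carries the payload, the secret opening commitment i,
        and the commitment to message i+1 (empty for the last message)."""
        nxt = b""
        if i + 1 < len(self.payloads):
            nxt = commit(self.secrets[i + 1], self.payloads[i + 1])
        return self.payloads[i], self.secrets[i], nxt


class Receiver:
    """Tracks one conversation: remembers only the commitment it expects next."""

    def __init__(self, first_commitment: bytes):
        self.expected = first_commitment
        self.accepted = []

    def receive(self, payload, secret, next_commitment) -> bool:
        """Accept only if (secret, payload) open the commitment made by the previous message."""
        if commit(secret, payload) != self.expected:
            return False  # forged, tampered or out-of-order: the chain does not continue
        self.expected = next_commitment
        self.accepted.append(payload)
        return True


def run_conversation(tamper_index=None):
    """Deliver three messages, optionally altering the payload of one of them on
    the air. Returns the receiver's accept/reject decision for each message."""
    sender = Sender([b"hello", b"open the door", b"bye"])
    receiver = Receiver(sender.first_commitment())  # assumed to arrive authentically
    decisions = []
    for i in range(3):
        payload, secret, nxt = sender.send(i)
        if i == tamper_index:
            payload = b"open the vault"  # constructed tampering by a third party
        decisions.append(receiver.receive(payload, secret, nxt))
    return decisions
```

Once a message fails the check the chain is broken and nothing later in the conversation is accepted, which is what the receiver wants: it has no way to tell whether the remaining messages come from the original entity.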
Conclusion
[Chart “Wireless security”: the studied solutions placed by technological needs (ad hoc vs. certification-authority-dependent) and user involvement (user-managed vs. transparent to the user). Public key: DH, ECC, digital signature. Human-assisted: TtS, SiB, L&C, HAPADEP. SSP. Secure Group Communication: Resurrecting Duckling policy, Entity Recognition, IBE]
Annex 1: other wireless technologies studied
David González Romero
Chicago, August 2009
WLAN: Wireless Local Area Networking
Wireless Local Area Networks operate in the unlicensed 2.4 GHz ISM band
Standardized by the IEEE 802.11 standard and marketed under the name Wi-Fi by the Wi-Fi Alliance
The Wired Equivalent Privacy (WEP) algorithm was the first to provide security in Wi-Fi
– Now deprecated after demonstrated vulnerabilities
WEP was replaced by Wi-Fi Protected Access (WPA) and WPA2
– Based on the Temporal Key Integrity Protocol
ZigBee
Cheap alternative for mid-range personal communications
Lower distance range and transmission rate than Bluetooth and Wi-Fi
Different security configurations
– Tradeoff between security and cost
[Figure: ZigBee protocol stack. IEEE 802.15.4 Physical (PHY) and Medium Access Control (MAC) layers, defined by IEEE 802.15.4; Network Layer and Application Support (ASP) Layer, defined by the ZigBee specification; Applications and Profiles, defined by the application developer]
Wireless USB
High transmission rate, low-range technology
Suitable for communication between multimedia consumer electronics devices
Presented as a wireless replacement for the wired Universal Serial Bus (USB)
Near Field Communication (NFC)
Extremely short-range wireless technology
Makes use of the “near field” zone of electromagnetic radiation
Intrinsically protected against external attacks because of its extremely short range
Complementary to other technologies as an out-of-band channel
Promoted by the Near Field Communication Forum since 2004
Annex 2: other human-assisted device pairing solutions
David González Romero
Chicago, August 2009
Talking to Strangers
Talking to Strangers avoids the use of a physical out-of-band channel
Talking to Strangers uses a location-limited out-of-band channel for the purpose of the First Connection, instead of the typical wireless medium
An Infrared Data Association (IrDA) connection can be used
– Both devices must be able to “see” each other
– A human operator can easily verify which devices are able to establish an infrared connection
– An IrDA connection is limited in space, reducing the risk of eavesdropping
– But it is still invisible
– A MiM attack is not impossible
[Figure: an attacker placed on the invisible infrared channel between the two devices]
Loud and Clear
Loud and Clear (L&C) provides human-assisted device pairing based on audio
Complementary to SiB
Four possible configurations, depending on the capabilities (has a display, has a speaker…) of each device
1) Hear and compare two audible sequences, one from each device
2) Hear an audible sequence from the target device and compare it to text displayed by the personal device
3) Hear an audible sequence from the personal device and compare it to text displayed by the target device
4) Compare text displayed by the personal device to text displayed by the target device (included as an alternative method)
[Figure: public key exchange between the personal device and the target device in each configuration]
Annex 3: other discarded slides
David González Romero
Chicago, August 2009
Bluetooth basics
Bluetooth has a star network topology
– Up to seven slave devices can be connected to a master device, forming a piconet
– Each device has a 3-bit Logical Transport Address (LT_ADDR)
000 is reserved for broadcasting
– More devices can be connected in “park state”
8-bit Park Member Address (PM_ADDR)
– Several piconets can be associated forming a scatternet
A Bluetooth profile defines the procedure which must be followed for each particular Bluetooth application
– Generic Access Profile, Headset Profile, File Transfer Profile…
– Each profile makes a different use of the Bluetooth Protocol Stack
[Figure: Bluetooth protocol stack. Controller stack: Bluetooth Radio, Baseband (Link Controller, LC), Link Manager Protocol (LMP). HCI (Host Controller Interface) between controller and host. Host stack: L2CAP (Logical Link Control and Adaptation), SDP (Service Discovery), TCS BIN, RFCOMM (Radio Frequency Communication), OBEX, PPP, IP, UDP, TCP, and Applications and Profiles on top]
Bluetooth network topology
[Figure: three piconets P1, P2 and P3 with masters M1, M2 and M3 and their slaves; a device acting as slave in two piconets (S1/S2) or as master in one and slave in another (M3/S2) links them into a scatternet]
Bluetooth security
Bluetooth operates in the 2.4 GHz unlicensed Industrial, Medical and Scientific (ISM) band
Bluetooth uses FHSS (Frequency Hopping Spread Spectrum)
– The frequency is changed 1600 times per second
– A slave device must be synchronized with the master device’s pseudo-random hopping sequence
Before the 2.0 + EDR version, Bluetooth communications were authenticated by the use of a passcode (PIN) which had to be entered in both devices as part of the pairing process
– The user acts as an out-of-band channel
Three different security models were defined
– Not secure
– Service level enforced security
– Link level enforced security (security procedure starts before creating the communication channel)
Bluetooth 2.0 + EDR introduced Secure Simple Pairing (SSP)
Man-in-the-Middle Attacks
A Man-in-the-Middle (MiM) attack is a form of eavesdropping based on the ability to impersonate either end of a communication
– The broadcast nature of wireless communication makes MiM attacks a serious security threat
The original Diffie-Hellman Key Exchange is highly vulnerable to MiM attacks, as it doesn’t provide authentication between the two devices
A MiM attacker can establish two independent connections and eavesdrop on the communication or deliver new messages
– The attacker can intercept both Alice’s and Bob’s public keys and substitute them with their own public values
Authenticated Diffie-Hellman Key Exchange tries to avoid eavesdropping by providing some kind of authentication
All known forms of Authenticated Diffie-Hellman Key Exchange require user interaction (sharing a previously known public key, use of an Out-of-Band channel, etc.)
– Not applicable when the users share no prior context
Most of the proposed solutions include the use of additional Out-of-Band channels
Elliptic Curve Cryptography
ECC is a public-key scheme based on the concept of elliptic curves over finite fields
A generic elliptic curve over the finite field F_p is formed by the points satisfying the equation y^2 = x^3 + a4·x + a6
– x, y, a4, a6 ∈ F_p, and (x, y) are the coordinates of a point in the plane
The discrete logarithm of Q to the base P is defined as the value k which satisfies the equation k·P = Q, where P and Q are two points of an elliptic curve
ECC is based on the elliptic curve discrete logarithm problem (ECDLP)
– Given P and Q = k·P, with the coordinates large enough, it is infeasible to obtain the value k
k·P and Q are used in an algorithm to derive a public key and a private key
ECC requires shorter keys than other public-key schemes
It is used in group communication schemes such as the identity based encryption scheme presented in Chapter 4
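The curve equation, the group law and the ECDLP from the slide above, worked on a toy curve as an added example that is not the thesis's code; the curve y^2 = x^3 + 2x + 3 over F_97 and the base point (3, 6) are assumptions chosen so the numbers stay readable, and the brute-force solver succeeds only because the curve is tiny:

```python
"""Toy elliptic curve y^2 = x^3 + a4*x + a6 over F_p, scalar multiplication
k*P and a brute-force ECDLP solver that only works because the curve is tiny.
Constructed example, not the thesis's code; the curve parameters and the base
point are assumptions chosen for readability."""

P_MOD, A4, A6 = 97, 2, 3       # curve y^2 = x^3 + 2x + 3 over F_97
INF = None                     # point at infinity (group identity)
BASE = (3, 6)                  # 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97), so it is on the curve


def on_curve(pt):
    """True if pt satisfies the curve equation (the identity always does)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A4 * x + A6)) % P_MOD == 0


def add(p, q):
    """Group law: chord-and-tangent addition with coordinates reduced mod p."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                        # P + (-P) = O
    if p == q:
        lam = (3 * x1 * x1 + A4) * pow(2 * y1, -1, P_MOD)  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)          # chord slope
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add computation of k*P, the operation behind ECC key pairs."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def toy_keypair(k):
    """Private key k, public key Q = k*BASE."""
    return k, scalar_mult(k, BASE)


def ecdlp_bruteforce(base, target, limit=10_000):
    """Find k with k*base == target by trying every k in turn. Feasible here only
    because the group is tiny; with large coordinates this is the ECDLP."""
    acc = INF
    for k in range(1, limit):
        acc = add(acc, base)
        if acc == target:
            return k
    return None
```

On this curve the base point has order 5 (5·P is the point at infinity), which is why the brute-force search finishes after a handful of additions.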
Key agreement in peer-to-peer wireless networks
When two human users try to connect their devices, there are several solutions which do not require the use of a side channel or additional passwords
The ability of users to authenticate each other by visual or verbal contact is used in a Diffie-Hellman key exchange
1) Visual comparison of short strings (DH-SC)
– Two verification strings are obtained after performing a DH Key Exchange, one for each device
– The users compare the two strings and accept them if they are equal
2) Distance bounding (DH-DB)
– The devices can estimate the distance between each other by sending messages and measuring the time it takes to obtain a response
– An integrity region is created, and any device outside it is unable to establish a connection
– The users must ensure that there are no other devices inside the integrity region
3) Integrity codes (DH-IC)
– This authentication scheme relies on the knowledge of a common integrity code
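One block for three of the slides above, added here and not the thesis's code: the Diffie-Hellman exchange from Chapter 3, the public-value substitution described under Man-in-the-Middle Attacks, and the DH-SC short-string comparison with which the users detect it. The group parameters (a Mersenne prime with generator 5) and the six-digit string format are toy assumptions, not recommended settings:

```python
"""Diffie-Hellman key exchange, the man-in-the-middle attack on its
unauthenticated form, and the DH-SC check (visual comparison of short
strings) by which the two users detect the substitution. Constructed
example, not the thesis's code; the group parameters are a toy assumption."""
import hashlib
import secrets

P = 2**127 - 1   # a Mersenne prime; with G = 5 this is a toy group, not a vetted one
G = 5


def keypair():
    """Private exponent a and public value A = g^a mod p."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)


def shared_key(priv, peer_pub):
    """Alice computes B^a mod p, Bob computes A^b mod p: both equal g^(ab) mod p."""
    return pow(peer_pub, priv, P)


def discrete_log_bruteforce(g, h, p):
    """Recover a from h = g^a mod p by exhaustive search. Feasible only for toy
    sizes: this is why large a, b and p are required."""
    x = 1
    for a in range(p):
        if x == h:
            return a
        x = x * g % p
    return None


def verification_string(own_pub, peer_pub, digits=6):
    """DH-SC: a short string derived from both public values as this device saw
    them; the order is normalised so two honest devices show the same string."""
    lo, hi = sorted((own_pub, peer_pub))
    h = hashlib.sha256(f"{lo}|{hi}".encode()).digest()
    return str(int.from_bytes(h[:4], "big") % 10**digits).zfill(digits)


def run_exchange(mitm):
    """Alice and Bob exchange public values, optionally through Mallory, derive
    keys and display DH-SC strings. Returns whether Alice's and Bob's keys agree,
    whether Mallory ended up sharing a key with each side, and whether the
    displayed strings match (the users' accept/reject decision)."""
    a, A = keypair()
    b, B = keypair()
    if mitm:
        # Mallory intercepts each public value and substitutes one of her own,
        # ending up with two independent connections
        m1, M1 = keypair()
        m2, M2 = keypair()
        A_at_bob, B_at_alice = M1, M2
        mallory_keys = (shared_key(m2, A), shared_key(m1, B))
    else:
        A_at_bob, B_at_alice = A, B
        mallory_keys = (None, None)
    k_alice = shared_key(a, B_at_alice)
    k_bob = shared_key(b, A_at_bob)
    # each device hashes the values it actually used; the users compare the strings
    strings_match = verification_string(A, B_at_alice) == verification_string(A_at_bob, B)
    return {
        "keys_agree": k_alice == k_bob,
        "mallory_shares_keys": mallory_keys == (k_alice, k_bob),
        "strings_match": strings_match,
    }
```

The users' comparison is what turns the exchange into an authenticated one: the substituted values change the string on at least one side, so the two displays disagree and the pairing is rejected.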
Proposed device pairing solutions
Group authentication
A group authentication protocol aims to establish a secret key shared by all the devices in a group
The key must be refreshed every time a new member joins or leaves the group
– The overhead introduced may be excessive
Three main approaches to the group authentication problem
1) Centralized group key distribution
– A master device maintains a secure connection to each of the devices at all times
– Too much overhead for Bluetooth technology
2) Decentralized group key distribution
– A distributed algorithm selects the device which acts as the master device, changing it periodically
– Same limitation as in 1)
3) Contributory group key management
– All the devices contribute to the generation of the shared secret key by using broadcasting capabilities
– Not applicable to Bluetooth, as it does not provide full support for message broadcasting
Identity Based Encryption (II)
The Private Key Generator (PKG) authenticates all the users in the system and transfers their private keys to them using a secure channel
The PKG also provides all the users with a Master Public Key
The main phases of the standard IBE scheme are:
1) Initial setup
– The PKG generates all public and private keys
2) Private Key Extraction
– Bob authenticates with his identity string, getting his Private Key from the PKG
3) Encryption
– Alice computes Bob’s public key using Bob’s identity and the Master Public Key
– Alice encrypts the message she wants to send using Bob’s Public Key
4) Decryption
– Bob decrypts Alice’s message using his own Private Key
Annex 4: selected references
David González Romero
Chicago, August 2009
Selected references
Astuni, S. (2008). Enabling Secure Group Communication for Mobile Devices Using Bluetooth Technology.
Stajano, F. & Anderson, R. (1999). The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks.
Diffie, W. & Hellman, M. E. (1976). New Directions in Cryptography. IEEE Transactions on Information Theory, 22, 644-654.
Anderson, R., Bergadano, F., Crispo, B., Lee, J. H., Manifavas, C. & Needham, R. (1998). A New Family of Authentication Protocols. ACM SIGOPS Operating Systems Review.
Miller, V. S. (1986). Use of Elliptic Curves in Cryptography. Lecture Notes in Computer Science 218, Advances in Cryptology, CRYPTO '85.
Duffy, A. & Dowling, T. (2004). An Object Oriented Approach to an Identity Based Encryption Cryptosystem. Eighth IASTED International Conference on Software Engineering and Applications.
Boneh, D. & Franklin, M. (2001). Identity Based Encryption from the Weil Pairing. Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology.
Contact
This was just a survey and introduction to the thesis “A Comprehensive Approach to Secure Group Communication in Wireless Networks”. If you need more information or have any suggestions regarding this presentation, contact me at any of the following:
www.linkedin.com/in/davidgonzalezromero
© David González Romero 2009. All rights reserved.