Bootstrapping Security Associations in Wireless (Sensor) Networks
Mario Čagalj, University of Split, FESB
ACROSS, 2013

Briefly about the speaker
Mario Čagalj, Associate Professor
  Department of Electronics, University of Split, FESB
  Ph.D. degree in Communication Systems from EPFL (École Polytechnique Fédérale de Lausanne)
Scientific work and research interests
  Information security, applied cryptography, game theory, energy-efficient communication, HCI, etc.
For more information
  http://www.fesb.hr/~mcagalj or [email protected]

Motivation
Billions of devices will be interconnected in the near future
  Ericsson forecasts 50 billion M2M connections by 2020
  IoT, M2M, wearable sensor networks, smart metering, etc.
Many technologies/systems
  Include low-cost and highly constrained devices
  Use wireless channels (highly vulnerable)
  Operate independently of any authority (are user-centric)
Prerequisites for adoption of such technologies
  Data trustworthiness, authenticity and privacy

Motivation
Key element towards secure communication
  Some cryptographic (keying) material (pwds, keys, certs) has to be preloaded into communicating devices
However, users are bad when it comes to security
  Complicated setup procedures render the security features useless (e.g., home WiFi networks)
  What can we then expect from 2020?
[Figure: timeline 2013, 2014, 2020 with the user’s devices and the attacker]

Our goal
Develop mechanisms for secure initialization of wireless devices/for bootstrapping initial security associations
  User-friendly – easily administered by non-specialists
  Scalable – support a reasonably large number of devices
  Compatible with resource-constrained devices – lacking usual wired interfaces, displays, keypads, etc.
[Figure: timeline 2013, 2014, 2020 with the user’s devices and the attacker]

Talk outline
Basic security problem
Optimal message transfer authenticator
Group message authentication protocol
Authentication through presence
Integrity codes

Basic security problem
Assumptions
  High bandwidth public/insecure channel (e.g. radio)
  Low bandwidth authenticated channel (not secret)
    E.g., sound, voice, visible light, etc.
  Devices A and B share neither secrets nor certificates
Protect message integrity over the public channel
Minimize user’s involvement and hardware requirements
[Figure: devices A and B, message, attacker, user]

Attacker model
People usually have a wrong mental model
E.g., attacks on Bluetooth (designed for 10m range)
  Eavesdropping from more than 1.5 km (BlueSniper rifle)
  Thanks to high gain/sensitivity antennas and receivers
[Figure: devices A and B, nominal TX range, attacker]

Straightforward solution
Based on a weak-collision resistant hash function h(·)
  Given message m0, easy to calculate a hash value h(m0)
  Hard to find a different m1 such that h(m0)=h(m1)
A → B (high bandwidth insecure channel): m
A: calculates sA=h(m)
B: receives m, calculates sB=h(m)
A → B (low bandwidth authenticated channel): sA
B: if sA==sB, “Accept m” (ok)

Straightforward solution suboptimal
Today, weak-collision resistance implies at least an 80-bit hash value
  The minimum load over the low bandwidth (human) channel
Hash function output sizes tend to increase over time
  Vulnerabilities (e.g., SHA-1), processing power increases
  E.g., MD5, SHA-1, SHA-2 (128, 160, 256... bit outputs)
More bits over the low bandwidth (human) channel implies increased user’s involvement
  Big issue when user interacts with constrained devices

Optimal message transfer authenticator
Based on a non-malleable commitment scheme
  Functionality similar to that of an ideal hash function
Transforms message m into a commitment/opening pair
  To commit to m do: (c,d)=commit(m) and hand out c
  To open c do: hand out d and m=open(c,d)
Properties
  Once committed to m, cannot change to another m
  Message m remains secret until opened using d

Optimal message transfer authenticator
A: given message m, pick k random bits NA; (c,d)=commit(m,NA)
A → B (high bandwidth insecure channel): c
B: pick k random bits NB
B → A (high bandwidth insecure channel): NB
A → B (high bandwidth insecure channel): d
A: sA=NA⊕NB
B: m, NA=open(c,d); sB=NA⊕NB
A → B (low bandwidth authenticated channel): sA
B: if sA==sB, “Accept m” (ok)
Čagalj, Mario; Čapkun, Srđan; Hubaux, Jean-Pierre. Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. 94 (2006)

Optimal message transfer authenticator
A: given message m, pick k random bits NA; (c,d)=commit(m,NA)
A → B (high bandwidth insecure channel): c
B: pick k random bits NB
B → A (high bandwidth insecure channel): NB
A → B (high bandwidth insecure channel): d
A: sA=NA⊕NB
B: m, NA=open(c,d); sB=NA⊕NB
Low bandwidth authenticated channel: sA (from A), sB (from B)
If sA==sB, “Success” (ok)
B: accept m

Optimal message transfer authenticator
Theorem
  A computationally bounded attacker can succeed with probability at most approx. 2^-k (in a single session), where k is the size of the authentication strings sA and sB.
For example, with k=15 bits
  Attacker successful with probability 2^-15 (i.e., 5-digit PIN)
  User’s involvement only 15 bits (i.e., 2 hex digits)
We can optimally trade security and the user’s load
  Time-invariant (independent of the employed hash function)
  Not the case with the standard solution (min. load at least 80 bits)
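
Added example (not from the talk or the cited paper): a simulation of the message transfer authenticator above, with a SHA-256 hash commitment standing in for the non-malleable commitment scheme and the two k-bit nonces combined by XOR. All class and function names and the sample messages are hypothetical; substitution_rate runs a session for every value of NA to show that a channel substituting its own message passes the sA == sB comparison in exactly one of 2^k sessions.

```python
import hashlib, hmac, secrets
from fractions import Fraction

def commit(m: bytes, nonce: int):
    """Hash commitment to (m, nonce); returns (c, d). SHA-256 over 32 random
    bytes + nonce + m is an assumption standing in for the slides' scheme."""
    d = secrets.token_bytes(32) + nonce.to_bytes(4, "big") + m
    return hashlib.sha256(d).digest(), d

def open_commitment(c: bytes, d: bytes):
    """Return (m, nonce) if d opens c; raise ValueError otherwise."""
    if len(d) < 36 or not hmac.compare_digest(hashlib.sha256(d).digest(), c):
        raise ValueError("opening does not match commitment")
    return d[36:], int.from_bytes(d[32:36], "big")

class Honest:
    """Insecure channel that delivers every message unchanged."""
    def on_c(self, c): return c
    def on_nb(self, n_b): return n_b
    def on_d(self, d): return d

class Substitute(Honest):
    """Channel that replaces A's message with its own. It has to commit to
    a nonce guess before A opens NA and before B reveals NB."""
    def __init__(self, m_fake: bytes, guess: int):
        self.c, self.d = commit(m_fake, guess)
    def on_c(self, c): return self.c
    def on_d(self, d): return self.d

def run_session(m, k, channel, n_a=None, n_b=None):
    """One A -> B transfer. Returns (sA == sB, message B holds)."""
    n_a = secrets.randbits(k) if n_a is None else n_a
    n_b = secrets.randbits(k) if n_b is None else n_b
    c, d = commit(m, n_a)                  # A: (c,d)=commit(m,NA)
    c_at_b = channel.on_c(c)               # A -> B: c
    n_b_at_a = channel.on_nb(n_b)          # B -> A: NB, sent only after c arrived
    d_at_b = channel.on_d(d)               # A -> B: d, sent only after NB arrived
    m_at_b, n_a_at_b = open_commitment(c_at_b, d_at_b)
    s_a = n_a ^ n_b_at_a                   # A's k-bit authentication string
    s_b = n_a_at_b ^ n_b                   # B's k-bit authentication string
    return s_a == s_b, m_at_b              # compared over the authenticated channel

def substitution_rate(k: int, guess: int = 0) -> Fraction:
    """Exact fraction of sessions, over all 2^k values of NA, in which the
    Substitute channel gets its message past the sA == sB comparison."""
    wins = sum(run_session(b"pk-A", k, Substitute(b"pk-X", guess), n_a, 1)[0]
               for n_a in range(2 ** k))   # b"pk-A", b"pk-X": constructed samples
    return Fraction(wins, 2 ** k)
```

The rate depends only on k, not on the hash output size, which is the time-invariance point made on the slide.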

Optimal message transfer authenticator
Optimality and time-invariance

Securing Diffie-Hellman key agreement
A: given g^XA, pick k random bits NA; mA=IDA, g^XA, NA; (cA,dA)=commit(mA)
B: given g^XB, pick k random bits NB; mB=IDB, g^XB, NB; (cB,dB)=commit(mB)
A → B: cA
B → A: cB
A → B: dA
B → A: dB
A: mB=open(cB,dB); sA=NA⊕NB
B: mA=open(cA,dA); sB=NA⊕NB
If sA==sB, “Success” (ok on A, ok on B)
A and B: secret key KAB=g^(XA·XB)
Čagalj, et al. Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. (February, 2006)
Bluetooth Special Interest Group. Simple Pairing Whitepaper. // (October, 2006)

Example: Initializing home WiFi network
Camera-equipped device and wireless access point (AP)
  Single LED at the AP blinks short authentication string sB
Ephemeral tokens for your guests (AP pwd not disclosed!)
[Figure: MT-auth DH between the camera-equipped device and the AP: sA=NA⊕NB, sB=NA⊕NB, KAB=g^(XA·XB) on both sides; the AP blinks sB; if sA==sB, “Success” (ok)]
Contrast this with insecure WPS: Push-Button-Method by WiFi Alliance (2006)

Example: Initializing a pair of sensors
No cameras (only LEDs and a pushbutton)
User just checks that the devices blink the same states
[Figure: MT-auth DH between two sensors: sA=NA⊕NB, sB=NA⊕NB, KAB=g^(XA·XB) on both sides; each sensor blinks its string as LED states (1 0 0 1 1 0, one state per slot of duration Ts); if sA==sB, “Success” (ok)]

How about securely initializing a larger group of resource-constrained devices?
Group message Authentication Protocol (GAP)
  Generalization of our optimal two-party protocol
Perković T., Čagalj M., Mastelić T., Saxena N., Begušić D. Secure Initialization of Multiple Constrained Wireless Devices for an Unaided User. // IEEE TMC (2012)

GAP overview
Phase 1: insecure radio channel
  Devices exchange messages they want to authenticate and establish Group Authentication String (GAS)
Phase 2: visible light channel
  User compares the GAS
[Figure: devices D1, D2, ..., Dn in Phase 1 (radio) and in Phase 2 (visible light, observed by the user)]

GAP-Phase 1: insecure radio channel
Goal: M devices exchange and authenticate public keys
Messages exchanged by device Di with the other devices (..., Di-1, Di+1, ...)
  Step I: IDi, IDj
  Step II: ..., ci-1, ci, ci+1, ...
  Step III: ..., di-1, di, di+1, ...
Computations at device Di
  Gi={ID1<ID2<…<IDM}
  hGi=hash(ID1,…,IDi,…,IDM)
  (ci, di) ← commit(hGi, IDi, PKi, Ni)
  GASi ← Ni
  (hGj, IDj, PKj, Nj) ← open(cj, dj)
  Verify hGi, IDj
  If OK, GASi ← GASi ⊕ Nj
  GASi = N1 ⊕ N2 ⊕ ... ⊕ Ni ⊕ ... ⊕ NM

GAP-Phase 2: authenticated light channel
User enters group size M into one device/coordinator
  Push-button can be used for this task
If group size OK, the coordinator initiates synchronized transmission of GAS (blinking LEDs) on all the devices
User verifies simultaneously if GASi=GASj, for all devices
[Figure: devices D1, D2, ..., Dn blink GAS1, GAS2, ..., GASn; if GAS1=GAS2= ... =GASn, “Success” (ok on each device)]

GAP security
Theorem
  A computationally bounded attacker can succeed with probability at most approx. 2^-k (in a single session), where k is the size of the group authentication string (GAS).
User’s involvement only 15-20 bits
  Recall, we can set k as low as 15-20 bits
[Figure: GAS blinked as LED states, one state per slot of duration Ts, between start and end markers]

GAP usability evaluation
27 participants (age 18-25)
  GAS verification (GAS match and mismatch tests) and entering group sizes via a push-button (25 sensors)
Average System Usability Score (SUS) 80.8 (max. 100)
[Figure: bar chart of the number of testers (axis 0 to 20) per rating (Very easy, Easy, Medium difficult, Difficult, Very difficult) for GAS verification and for entering group size]

Improving usability and scalability of GAP
User records the GAS procedure with a smartphone
  In turn, reviews the GAS procedure offline
  No special services or software on the smartphone (zero-configuration auxiliary device)

Talk outline
Basic security problem
Optimal message transfer authenticator
Group message authentication protocol
Authentication through presence
Integrity codes

Integrity codes (I-codes)
The presence or absence of energy in a given time slot of duration Ts conveys information
[Figure: message m = 1 0 1 passes through a balanced code to give 1 0 0 1 1 0, sent with on-off keying, one bit per slot of duration Ts]
Čagalj, M.; Čapkun, S.; Rengaswamy, R.; Tsigkogiannis, I.; Srivastava, M.; Hubaux, J.-P. Integrity codes: Message Integrity Protection and Authentication over Insecure Channels // IEEE S&P (2006)

Integrity codes (I-codes)
Balanced code
  Injective (one-to-one mapping)
  Equal number of ones and zeros
  E.g., Manchester code: 0 → 01 and 1 → 10
Impossible to convert a codeword c0 into a different codeword c1 without flipping at least one bit 1 to bit 0
  message  codeword
  00       0101
  01       0110
  10       1001
  11       1010

I-codes security
Assumptions
  A applies I-codes to message m
  B within the TX range of A
  B synchronized to A wrt the start and the end of c
  B verifies that the received codeword c is balanced
  Attacker cannot cancel (erase) a radio signal
Theorem
  The attacker cannot trick device B into accepting a message that is different from the original m.
[Figure: A sends I-code(m) to B in the presence of an attacker]

I-codes transmission
Delimiter 111000 marks start and end of I-coded m
  Delimiter and Manchester codewords incongruous
If attacker cannot cancel (erase) a radio signal:
  Any balanced codeword c between delimiters is authentic
ATMEL AT86RF211 transceiver, 433 MHz, FSK, Ts = 5 ms

I-codes reception
Demodulation at the receiver
  If average power in the symbol interval high → output 1
  If average power in the symbol interval low → output 0
Any balanced codeword c between delimiters is authentic
[Figure: received signal for bit 1 and bit 0]

Anti-blocking property of a radio channel
Received signal at B
  r(t)=s(t)⊗hAB(t)+a(t)⊗haB(t)+n(t)
  n(t): Gaussian noise
  hAB(t), haB(t): channel between A/attacker and B (i.e., #paths, delay, phase, attenuation)
Attacker’s goal r(t)≈n(t)
  I.e., s(t)⊗hAB(t)+a(t)⊗haB(t) < n(t)
Attacker’s challenges
  s(t) can be made physically unpredictable for the attacker
  Accurate estimate of both hAB(t) and haB(t)
    Many sources of uncertainty at high frequencies
    Inaccuracies in the antenna positions
[Figure: A transmits s(t) and the attacker transmits a(t) towards B]

Anti-blocking property of a radio channel
0 → 1 easy
1 → 0 very hard
[Figure: A transmits s(t) and the attacker transmits a(t) towards B; received signal for bit 1 and bit 0]
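
Added example (not from the talk): an I-code sender and receiver using the Manchester code and the 111000 delimiter from the slides, plus a channel model in which energy can only be added to a slot (0 → 1), never erased. Function names are hypothetical, and the per-pair Manchester check is an addition to the balance check the slides describe; all_injections_rejected tries every combination of 0 → 1 flips in a frame and confirms the receiver never accepts a different message.

```python
from itertools import combinations

DELIM = "111000"                        # delimiter from the slides
MANCHESTER = {"0": "01", "1": "10"}     # balanced code from the slides
INVERSE = {v: k for k, v in MANCHESTER.items()}

def icode_encode(bits: str) -> str:
    """Manchester-encode a bit string and frame it with the delimiter."""
    return DELIM + "".join(MANCHESTER[b] for b in bits) + DELIM

def icode_decode(slots: str):
    """Return the message bits, or None if the frame must be rejected."""
    if len(slots) < 2 * len(DELIM):
        return None
    if not (slots.startswith(DELIM) and slots.endswith(DELIM)):
        return None
    c = slots[len(DELIM):len(slots) - len(DELIM)]
    if len(c) % 2 or 2 * c.count("1") != len(c):
        return None                     # codeword is not balanced
    pairs = [c[i:i + 2] for i in range(0, len(c), 2)]
    if any(p not in INVERSE for p in pairs):
        return None                     # e.g. 0011: balanced, not Manchester
    return "".join(INVERSE[p] for p in pairs)

def add_energy(slots: str, positions) -> str:
    """Channel model: the given slots now carry energy (0 -> 1 only)."""
    out = list(slots)
    for i in positions:
        out[i] = "1"
    return "".join(out)

def all_injections_rejected(bits: str) -> bool:
    """Try every non-empty set of 0 -> 1 flips over the whole frame; True if
    the receiver never outputs a message other than the original bits."""
    frame = icode_encode(bits)
    zeros = [i for i, s in enumerate(frame) if s == "0"]
    for r in range(1, len(zeros) + 1):
        for positions in combinations(zeros, r):
            if icode_decode(add_energy(frame, positions)) not in (None, bits):
                return False
    return True
```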

Authentication through presence
User’s involvement minimal
  Ensures the devices close-by
  Turns the devices on
[Figure: transmitter (TX on) repeats delimiter and I-codes(m): 111000 011010…010101 111000 011010…010101 111000 …; receiver (RX on): if I-codes(m) balanced, accept m (ok)]

Effect of noise on I-codes
Implementation on Mica2 sensor motes
  0s → no signal during T0 = 10 ms
  1s → 18 bytes randomized packet at 19.2 kbps (T1 = 7.5 ms)

Securing Diffie-Hellman with I-codes
A: given g^XA, pick k random bits NA; mA=IDA, g^XA, NA; (cA,dA)=commit(mA)
B: given g^XB, pick k random bits NB; mB=IDB, g^XB, NB; (cB,dB)=commit(mB)
A → B: cA
B → A: cB
A → B: dA
B → A: dB
A: mB=open(cB,dB); sA=NA⊕NB
B: mA=open(cA,dA); sB=NA⊕NB
A → B: I-codes(sA)
B: if sA==sB, “Success” (ok on A, ok on B)
A and B: secret key KAB=g^(XA·XB)

Initializing a large sensor network
Simple procedure
  Place the devices close-by
  Run Group message Authentication Protocol (GAP)
  Let one device I-code the short GAS (group auth. string)
  Ensure all the devices show “green” status
[Figure: transmitted stream 111000 011010…010101 111000 011010…010101 111000 …, i.e. delimiter and I-codes(GAS) repeated]

Summary
Presented mechanisms for bootstrapping initial security associations in wireless (sensor) networks
  User-friendly, scalable and compatible with resource-constrained devices
Optimal message transfer authenticator
  Short authentication strings
  Optimal trade-off between security and user’s involvement
Integrity codes
  Exploit physical properties of a radio channel
  Enable authentication through presence