jean-pierre hubaux epfl/school of information and communication
DESCRIPTION
Secure Mobility. Jean-Pierre Hubaux EPFL/School of Information and Communication. Some security activities in MICS. IP10. IP8. Business aspects of security in mobile networks. IP5. Secure software, secure applications. Trust in peer-to-peer systems. IP4. - PowerPoint PPT PresentationTRANSCRIPT
1
Jean-Pierre Hubaux
EPFL/School of Information and Communication
Secure Mobility
2
Some security activities in MICS
• Secure software, secure applications
• Tamper-proof device-based security• Protocol analysis (WTLS)• Zero-infrastructure security• Mobility Vs Security : - Mobility helps security - Provable encounters
LastEncounterRouting
• Immune mobile systems• Cooperation issues : - In multi-hop cellular networks - In pure ad hoc networks
IP1
IP4
IP6
IP8
• Trust in peer-to-peer systems
IP5• Business aspects of security in mobile networks
IP10
3
Provable encounters
claimant certifier
1. Encounter
claimant verifier
2. Proof of encounter
Verification is:• a posteriori• frequent
Verification is:• a posteriori• frequent
• claimant : a node claiming that it has met another node at a given time t• certifier : a node that certified the encounter with the claimant• verifier : a node that verifies the encounter between two nodes- Two scenarios :
- any-to-any (typically mobile ad hoc networks, where any node can be a claimant, a verifier and a certifier)- any-to-one (typically hybrid ad hoc networks, where mobile nodes play roles of claimants and certifiers, and base stations perform verification)
- Two building blocks :- Distance bounding- Proving the time of encounter
4
Applications of provable encounters
Secure protocols based on last encounter (e.g., Last Encounter Routing)
Topology tracking in multi-hop cellular networks (e.g, for misbehaviour detection)
Any service requiring to prove previous encounters, including their distance (e.g., liability issues in road traffic)
Distributed robotics Prevention of wormhole attacks …
5
General assumptions
Loose synchronization of the nodes clocks Abilities of each node :
Measure time with a nanosecond precision Perform cryptographic operations (generate keys, check
signatures, compute hash functions,…) No GPS receivers, no system providing location
information Presence of a centralized authority (off-line or on-line):
assigns a unique, certified identity to each node All nodes share pairwise secret keys (other options are
possible) The claimant and the verifier always authenticate each
other at verification time
6
Authenticated distance bounding
• Similar issue: the Chess Grandmaster Problem
• Solution: Distance-Bounding Protocols (Brands and Chaum, Eurocrypt 1993)
• Related problem: Wormhole Attacks in ad hoc networks• Proposed solution: Packet leashes (Hu, Perrig and Johnson, Infocom 2003) (based on precise clock synchronization or on location awareness)
Alice
Secret communicationchannel
Authenticationprotocol
DamienBernard Carole
Authenticationprotocol
Location 1 Location 2
Mafia Fraud Attack (Y. Desmedt, 1988) :
7
Mutual Authentication with Distance Bounding (MAD) (1/2)
Our solution: MAD Improvements wrt Brands and Chaum’s proposal:
Avoid public key cryptography rely on MAC computations Both nodes can measure the distance to the other node
simultaneously
Assumption: special hardware module in each node Can temporarily take over the control of the radio transceiver from
the CPU Able to respond to a one-bit challenge with a one-bit response
8
Mutual Authentication with Distance Bounding (MAD) (2/2)
9
Guaranteeing Encounter Freshness (GEF) (meaning at or before time t)
• 1. Initialization (at each node)
V0 V1 V2 VN
H HH
• 2. Network operation : disclose the values Vi in reverse order
CertCl1
V96
2.1. Encounters :
1.1. Construct the hash chain :
1.2 Distribute VN to all other nodes
2.2. Verification (certifier authentication only, therefore called GEF-Ce) :
Verif
Cl2
V47
Cl1
V96
HN-47(V47) = VN
?
• Almost optimal hash sequence traversal: Coppersmith and Jakobsson, FC’02• If claimant authentication is also desired: each node produces n hash chains instead of one GEF-CeCl
Cl2
V47
10
Guaranteeing the Time of the Encounter (GTE)
v 0
m 0
m 0 1
m 0 3 m 4 7
m 0 7
m 2 3 m 4 5 m 6 7
v 1
m 1
v 2
tim e ran d2 2
==
m 2
v 3
m 3
v 4
m 4
v 5
m 5
v 6
m 6
v 7
m 7
Purpose: The claimant can prove to the verifier that it met the certifier at the time t of the actual encounter (neither before nor later);Basic mechanism: only certifier authentication: GTE-Ce
1. Initialization • Generation of N values (V0 to VN)• Construction of the Merkle tree
• Deliver the root of the tree to allother nodes (in an authentic way)
2. Network operation 2.1 Encounters - At each time interval, the certifier broadcasts a Vi with its siblings
2.2 Verification - Example : H(H(m01||H(H(V2)||m3))||m47) = m07 ?
11
The full solution : MAD + GTE-CeCl
Enc
ount
er
Pro
of o
fen
coun
ter
12
Attacks
claimant certifier
1. Encounter
claimant verifier
2. Proof of encounter
Attack-Cl : deceive an honest verifier about previous encounters
Attack-Cl : deceive an honest verifier about previous encounters
Attack-Ce : deceive a honest claimant about its identity or about the time of encounter
Attack-Ce : deceive a honest claimant about its identity or about the time of encounter
Attack-V : deceive a honest verifier (to be met in the future) about previous encounters
Attack-V : deceive a honest verifier (to be met in the future) about previous encounters
13
Resistance to attacks
Resistant to
Attacker-1-0 and
Attacker-0-1
Resistant to
Attacker-x-0 and
Attacker-0-1
Resistant to
Attacker-x-y
Resistant to
Attacker-1-0 and
Attacker-0-1
Resistant to
Attacker-x-0 and
Attacker-0-1
Resistant to
Attacker-x-y
Resistant to
Attacker-1-0
Resistant to
Attacker-x-0
Resistant to
Attacker-x-y
GEF-CeGTE-Ce
GEF-CeGTE-Ce
GEF-CeClGTE-CeCl
With MAD
Attack-Cl
Attack-Ce
Attack-V
Other attacks: AttackClCe,…Attacker-x-yx : # owned nodesy : # compromised nodes
Attacker-x-yx : # owned nodesy : # compromised nodes
14
Conclusion on Provable Encounters
Well-established cryptographic techniques can allow mobile nodes to prove their time and distance of encounters, at a very reasonable cost
Very first contribution to a novel and promising research area Future work:
Study different mobility scenarios Identify applications more precisely; examples:
• Single-hop wireless networks in which the Access Points are not (fully) trusted
• Intelligent Transport Systems
S. Capkun, L. Buttyan, and J. P. HubauxSECTOR : Secure Tracking of Node Encounters in Multi-hop
Wireless NetworksFirst ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN),
Washington, October 2003
15
Mobility helps security
Infrared link
(Alice, PuKAlice, XYZ)
(Bob, PuKBob , UVW)
Visual recognition, conscious establishment of
a two-way security association
Secure side channel -Typically short distance (a few meters)- Line of sight required- Ensures integrity- Confidentiality not required
Alice Bob
Problem : how to bootstrap security in a mobile network without a central authority ? Problem : how to bootstrap security in a mobile network without a central authority ?
16
Friends mechanism
IR
Colin
Bob(Colin’s friend)
Alice
(Alice, PuKAlice, XYZ)
(Alice, PuKAlice, XYZ)
Colin and Bob are friends:• They have established a Security Association at initialisation• They faithfully share with each other the Security Associations they have set up with other users
Colin and Bob are friends:• They have established a Security Association at initialisation• They faithfully share with each other the Security Associations they have set up with other users
17
Mechanisms to establish Security Associations
Friendship : nodes know each others’ triplets
Exchange of triplets over the secure side channelTwo-way SA resulting from a physical encounter
i j i knows the triplet of j ; the triplet has been obtained from a friend of i
i
f
j i
f
j
i
f
j i
f
j
i j i ja) Encounter and activation of the Secure Side Channel
b) Mutual friend
c) Friend + encounter
Note: there is no transitivity of trust (beyond your friends)
18
Pace of establishment of the security associations (1/2)
- Depends on several factors: - Area size- Number of communication partners: s- Number of nodes: n- Number of friends- Mobility model and its parameters (speed, pause times, …)
Established security associations :Desired security associations :
Convergence :
19
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
100 1000 10000 100000 1000000
time (s)
per
cen
tage
of
secu
rity
ass
ocia
tion
s
s=99, f=0, pause=100 s, sr=5 m, v=5 m/s s=99, f=2, pause=100 s, sr=5 m, v=5 m/ss=99, f=0, pause=100 s, sr=5 m, v=20 m/s
5m/s, 2 friends5m/s, 0 friends
20m/s, 0 friends
Pace of establishment of the security associations (2/2)
20
Conclusion on Mobility Helps Security
• Mobility can help security in mobile ad hoc networks, from the networking layer up to the applications
• The proposed solution also supports re-keying• The proposed solution can easily be implemented with both
symmetric and asymmetric cryptography
S. Capkun, J. P. Hubaux, and L. Buttyan
Mobility Helps Security in Ad Hoc Networks
Fourth ACM Symposium on Mobile Networking and Computing (MobiHoc), Annapolis, June 2003
21
Conclusion
Security in mobile and wireless networks is a major research area
MICS has pioneered the exploration of mobility Vs. security
MICS is strongly committed to make further fundamental contributions