securing wireless ad hoc networks: an id-based cryptographic approach

Wireless Information Networking Group (WING)Wireless Information Networking Group (WING)

Securing Wireless Ad Hoc Networks:An ID-Based Cryptographic Approach

Yuguang “Michael” Fang, Professor

JSPS Visiting Invitation Fellow

University of Florida Research Foundation ProfessorDepartment of Electrical & Computer Engineering

University of Florida

Changjiang Scholar Chair Professor Xidian University, China

In Collaboration with Xiaoyan Zhu and Yanchao Zhang

http://winet.ece.ufl.edu/


Outline

• Introduction– Resource-constrained wireless ad hoc networks

– Security requirements

• Security issues to tackle • Our ID-based public key approach• Conclusion & future work

Future Cyberspace:Integrated Wired-Wireless Internet

Mobile Ad-Hoc NetworksCurrent Internet

Current Internet

Wi-Fi Networks Cellular NetworksWiMAX Networks

Wireless Mesh Networks

Wireless Sensor Networks

NSF GENI Visionwww.geni.net


Wireless Movement

• There are many interesting applications – Cellular phones

– PDAs or iPods

– Bluetooth earphones

– Wi-Fi (hot-spot technologies)

– Tactical radios (missions for war or peace keeping))

– Smart phones (healthcare monitoring)

– iPhone

– Wireless sensors (tagging the environments)

– Digital cameras or camcorder (wireless connections)

You are being watched!!!


Wireless Advantage

• There are many good things wireless can offer – Frees us from physical attachment

– Provides freedom of movement while engaging in communications

– Can be self-configured with rapid setup

– Could be made high speed (broadband)

– Could be made small and be embedded in everything (everything goes wireless)


Wireless Disadvantage

• There are many design challenges – Poor channel conditions (e.g., fading)– Time-varying links – Failure due to mobility/power depletion – Susceptible to interference – Limited bandwidth – Limited power – Limited computing resources (memory and CPU) – Open access (subject to interception or eavesdropping) – Lack of trusted infrastructure (sometimes)!


Design Challenges

• Resource constraints pose many secure design challenges– Security schemes for wired networks may NOT be

feasible for wireless networks

– Computationally intensive scheme will not work well

– Power hungry operations should be avoided (due to either computation or communications)

– Trust model should be re-evaluated

– Non-conventional attacks should be investigated and appropriate strategy should be designed


Design Challenges

• PKI or not PKI? This is the question! • Public (asymmetric) key approach: PKI

– Pros: scalable, easier key establishment, better authentication and embedded digital signature

– Cons: computationally intensive, larger key size, demand trusted infrastructure (certificate management) and more overhead due to certificate management, and subject to DoS attacks

• Secret (symmetric) key approach: not PKI – Pros: low computational overhead, no certificate is necessary – Cons: not scalable, more communication overhead, no support of

digital signature

• …dilemma indeed!!!


ID-based Public Key Cryptography (PKC)

• ID-based Signature (Shamir 1984)• ID-based PKC (Non-interactive PKC)

– Joux (2000): pairing does some magic—three-party key agreement

– Boneh and Franklin (2001): alternative PKI (encryption)

– Any string (or ID) such as email, telephone number, or any string can be used as the public key

– No certificate is necessary: does not need to maintain (ID,PublicKey) binding because the public key is directly derivable from the ID

– Elliptic curve cryptography can be easily incorporated


Why ID-based PKC

• Advantages– Non-interactive key establishment: shared secret

without exchanging information—conserving energy!

– No certificate: saving memory space! No need of trusted infrastructure!

– The fact that any string can be a part of public key offers the flexibility of adding specialized property to a user: instead of Michael, we can use Michael @UF

– Scalable: as long as private key is given from the same master secret, secure communication can be enabled


Why ID-based PKC• Disadvantages

– The master secret holder (Trusted Authority or TA) knows everything: somebody is watching!

– Computational complexity of pairing: more complex than exponentiation!

• Fitting Wireless Ad Hoc Networks (WANETs)– WANETs is designed for a single mission, hence collaborative in

nature and TA is the network owner!

– Pairing computational efficiency is progressing: • Hardware implementation: Tate pairing needs 6ms to compute

• Platform implementation: sub-second implementation on sensor platform has been proposed lately (Wisec’2009)


Notation

1 2

1

1

1

:

: '

:

:

:

:

:

'

,

:

1

p p

A

AID A

q

G G q

s s

L A

q

W G

W W sW G

H

node s ID

a large prime ( 160 bits)

two cyclic grou

node s physical

ps of order

a network master secret, 1

an arbitrary generator of

location

2

1

:

G

H

h mapping inputs to non-zero elements in

mapping inputs

ash function

has to fixed-length funct h ouion tputs


Pairing Technique

1 1 2 1, , , ,

( , ) ( , ) ( , ) ( , ) ( , )

, [1, 1]

( , ) ( , ) ( , ) ( , )

( , ) ( , )

bili

: (pairing

near

bilinear

symme

), such that,

( )

( )

( )tric

b a ab

G G G U V S T G

f U V S T f U S f U T f V S f V T

a b q

f aU bV f aU V f U bV f U V

f U V f V U

f

Similar to the exponentiation function in RSA

Modified Weil pairing or Tate pairing can be used


Key Generation and Establishment

• Key Generation:

• Given (ID, K), it is infeasible to derive s, as the Discrete Logarithm Problem is computationally hard in G1.

• Key establishment: node A (IDA,KA) and node B (IDB,KB)

1 1( )

IDK sH ID G

Public key: Private key:

, 1

1 1

1 1

1

1

,

( , ( ))

( ( ), ( ))

( ( ), ( ))( ( ), )

( , ( ))

A B A B

A B

A B

A B

B A

B A

k f K H ID

f sH ID H ID

f H ID sH ID ff H ID K

f K H ID fk

is bilinear

is symmetric

A shared key is established without exchanging any information!!!


Wireless Sensor Networks• A wireless sensor network (WSN) is composed of a large

number of low-cost sensor nodes randomly deployed to sense/monitor the field of interest, collect and process information, and make intelligent decision (actuation)

• Sensor nodes– Limited in energy, computation, and storage– Sense/monitor their local environment– Perform limited data processing– Communicate over short distances– Actuate/control (decision making)

• E.g., sink model– Gather data from sensor nodes and connect the WSN to the outside

world


Wireless Sensor Networks

sink


Security Requirements

sink

An attacker at (20,18)

A B U

Message confidentiality

An attacker at (20,18)

Message authenticity &

integrity

Node mutual authentication

More …


Security Issues• Authentication

• Key agreement

• Mitigating specific serious attacks

• Secure location discovery

• Broadcast authentication

• Secure data aggregation

• Secure clock synchronization

• Secure routing and MAC protocols

• Intrusion detection

• …


#1 Pair-wise Authentication

• Two neighboring nodes verify that the other party is who it claims to be– Chan et al. (IEEE SP’03)

• Otherwise, attackers can– Inject false data reports via good nodes

– Distribute wrong routing information

– Impersonate good nodes to misbehave

A B“Show me you are B”

“Show me you are A”


#2 Key Agreement• Two neighboring nodes establish a shared secret

key known only to themselves– Eschenauer and Gligor (CCS’03), Chan et al. (SP’03),

Liu and Ning (IEEE CCS’03), …

• The shared key is a prerequisite for – Message encryption/decryption

– Message authentication

A Bencrypt/ authenticate


#3 Sybil Attack• Sybil (1976) staring Sally Field: a girl with at least 13

personalities • A malicious node claims multiple identities

– Severely interrupt routing, fair resource allocation, distributed storage, misbehavior detection …

– Douceur (IPTPS’02), Newsome et al. (IPSN’04)

A

E

“I am F”

CB

“I am V”

“I am W”

“I am U”

D

F

Correct path

wrong path


#4 Node Duplication Attack

• The attacker put clones of a captured node at random or strategic locations in the network– Parno et al. (IEEE SP’05)

sink

A


#5 Random Walk Attack

• The attacker uses secret information of a captured node to roam in the network

sink

A


#6 Wormhole Attack

• Attackers tunnel packets received at one location to another distant network location – Hu et al. (INFOCOM’03), Karlof et al. (SNPA’03)

• Allowing the attacker to– Disrupt routing, selectively drop packets, …

secret Wormhole link

A B


Previous Research

• Many separate solutions exist, but– Difficult to combine due to different or even conflicting

underlying assumptions

– Even if possible, far too complex a solution stack

– Most prior solutions do not work when a small number of nodes are captured by attackers

– Many schemes address one problem but create other problems

– Most schemes apply the symmetric key approach. Many do reduce the computational cost; however, they tend to dramatically increase the communications cost (often ignored by many)


Observation

• Almost all WSN applications are location-dependent and require a sensor node to know its own location– E.g., military sensing and tracking

• Most sensor nodes are stationary once deployed– Can be identified by their IDs plus locations

• Most sensor nodes have a limited comm. range– Can only directly communicate with others inside their

communication range


Location-based Security Solution

• Location-based authentication– Neighbor-to-neighbor authentication

– Key agreement

– Sybil attack

– Node duplication attack

– Random walk attack

– Wormhole attack


Location-based Keys

• Conventional way: ID-based keys– Name a node merely with its ID

– Bind sensor nodes’ keys only to their IDs

– Vulnerable to many attacks, e.g., node duplication

• Our method: location-based keys (LBKs)– Name a node with both its ID and location

• Michael@UF is more specific than Michael!

– Bind sensor nodes’ keys to both IDs and locations


Location-based Keys

• Assume a secure way to decide node locations– Zhang et al., IEEE JSAC’06

• Node A’s LBKs:

– Given (IDA@LA, KA), it is infeasible to derive s, as the Discrete Logarithm Problem is hard in G1.

• Each node only knows its unique LBK pair, and has no knowledge of s – Use a key pre-distribution model

1 1

@( @ )

Public key: Private key:

A A

A A A

ID LK sH ID L G


Neighbor-to-Neighbor Authentication

• Purpose– Discover and perform mutual authentication with

neighboring sensor nodes

• Idea– Check if the candidate is within the comm. range and

has the correct location-based private key


1 1

,

( @ ) ( @ )

@

?

Node : Node :

broadcast

A A A B B B

A A A

B A

A K sH ID L B K sH ID L

ID L n

L L R

, 1

, , 2 ,

, 1

2 , 2

( , ( @ ))

@ ( || ||1 || )

?

( , ( @ ))

? ( || ||1 || ) ( || ||

unicast

B A B A A

B B B A B B A

A B

A B A B B

A B A B A B

k f K H ID L

ID L n H n n k

L L R

k f K H ID L

H n n k H n n

,

2 ,

2 , 2 ,

1|| )

( || || 2 || )

? ( || || 2 || ) ( || || 2 || )

unicast

B A

A B A B

A B B A A B A B

k

H n n k

H n n k H n n k


, 1

1 1

1 1

1

1

,

( , ( @ ))

( ( @ ), ( @ ))

( ( @ ), ( @ ))( ( @ ), )

( , ( @ ))

is bilinear

is symmetric

A B A B B

A A B B

A A B B

A A B

B A A

B A

k f K H ID L

f sH ID L H ID L

f H ID L sH ID L ff H ID L K

f K H ID L fk

1 1

, 1 , 1

( @ ) ( @ )

( , ( @ )) ( , ( @ ))

Node : Node :

A A A B B B

A B A B B B A B A A

A K sH ID L B K sH ID L

k f K H ID L k f K H ID L

2 , 2 ,? ( || ||1 || ) ( || ||1 || )A B A B A B B AH n n k H n n k2 , 2 ,? ( || || 2 || ) ( || || 2 || )A B B A A B A BH n n k H n n k


Resilience to Sybil Attack

• The captured node does not have the correct location-based private keys of the nodes it claims to be

• Comparison to Newsome et al. (IPSN’04)– Our solution has much higher network scalability (Random key pre-

distribution with limited network size)

AB

“I am IDW@LW”

“I am IDV@LV”

“I am IDU@LU”

“I am IDF@LF”

C

E

D


Resilience to Node Duplication Attack

• A duplicate will be detected if talking to good nodes outside the communication range of node A

• The impact range of a captured node is reduced from the whole network to a small circle of radius < R

• Comparison to Parno et al. (IEEE SP’05)– Our solution is much more efficient in both communication and

computation (periodic report on location and witness nodes help)

1( @ ) A A AK sH ID LAR

B@ ,A A AID L n

|| ||B AL L R


Resilience to Random Walk Attack

• The impact range of a capture node is reduced from the whole network to a small circle of radius < R

sinkAR


Resilience to Wormhole Attack

• The wormhole attack is completely defeated• Comparison to Hu et al. (INFOCOM’03)

– Our solution has no stringent requirement on sensor hardware and time synchronization (restrict the maximum transmission distance of any packet)

1( @ ) A A AK sH ID LA

R

1( @ ) B B BK sH ID LB R

Wormhole link

@ ,A A AID L n

|| ||B AL L R


Comparison to Prior Solutions

Our schemeEschenauer’02, Chan’03, Du’03, Liu’03 …

Key agreement Deterministic Probabilistic

Neighborhood authentication

Yes No or very limited

Support for digital signatures

Yes No

Storage cost Low High

Network scalability High Poor

Attack resilience High Poor

Communication overhead

Low High

Computation overhead

High Low

Comm.+Computation overhead

Low High


ID-based Certificateless Key Management

• Propose a novel construction method of ID-based public/private keys, in which each public or private key consists of a node-specific element and a network-wide common element

• Design an efficient protocol to update public & private keys of all non-compromised nodes with one broadcast message & threshold cryptography

Y. Zhang, W. Liu, W. Lou and Yuguang Fang, “Securingmobile ad hoc networks with certificateless public keys,” IEEE Transactions on Dependable and Secure Computing, 3(4): 386-399, 2006.


Anonymity in MANETs

• ID-based approach can be used to generate multiple pseudonyms, which then generate dynamic link identifiers to hide real IDs – Anonymous MAC

• Use pseudonyms instead of MAC addresses

– Anonymous routing • Dynamic pseudo link ID management (dynamic link

identifiers) to hide both source and destination

Y. Zhang, W. Liu, W. Lou and Yuguang Fang, “MASK: anonymous on-demand routing in mobile ad hoc networks,” IEEE Transactions on Wireless Communications, 5(9): 2376-2385, 2006


Security & Billing in Wireless Mesh Networks

• ID-based authentication schemes among mesh routers and mobile clients– Authentication for mesh router-mesh router, mesh

router-mesh client, and client-client

– Countermeasure against DoS attacks

• Micro-payment schemes

Y. Zhang and Y. Fang, “A secure authentication and billing architecture for wireless mesh networks,'' Accepted for publication in ACM Wireless Networks

Y. Zhang and Y. Fang, “ARSA: an attack-resilient security architecture for multi-hop wireless mesh networks,” IEEE Journal on Selected Areas in Communications, 24(10): 1916-1928, 2006.


Conclusions

• Discuss challenges for information insurance • Demonstrate the innovative applications of ID-

based cryptography– Minimize communication overhead (no certificate,

establishing session keys without exchanging keying materials)

• Exemplary application: a location-based unified solution for wireless sensor networks to address – Neighbor-to-neighbor authentication, key agreement,

Sybil attack, node duplication attack, random walk attack, wormhole attack, data injection attack


Future Research Directions

• There are many research challenges ahead – How to reduce the pairing computational complexity (hardware?)– How to deal with heterogeneous ad hoc networks (more powerful

nodes can be better used to our advantage) – How to take advantage of mobile nodes – Mission-dependent, light-weight and adaptive security schemes – How to harness the cooperative nature, if any. – How to proactively detect intrusion – How to secure distributed storage– How to secure routing protocol in the light-weight fashion – How to carry out secure target tracking– How to integrate the security schemes over resource-constrained

networks with those over fixed infrastructure – …

securing wireless ad hoc networks: an id-based cryptographic approach

Documents

wireless networks

wireless advantage

public asymmetric key

good things wireless

easier key establishment

larger key size

public keyno certificate

secret symmetric key