Security of Mobile Computing

1
Security of Mobile Computing

• Sheng Zhong
• Yale University

2
Summary of Major Work

• Security of Mobile Computing ? This Talk
• Security in Mobile Ad hoc Networks (ZCY03, IEEE
  INFOCOM03 invited submission to ACM MONET)
• Security of Mobile Agents (ZY03, ACM
  DIALM-POMC03 invited submission to ACM MONET)
• Anonymization (GZ03, ASIACRYPT02)
• Untrusted Storage (AFYZ, Submitted)
• Privacy Preserving Data Mining (Z, Submitted)

3
Mobile Computing - Access information anytime
anywhere

• Paradigm 1 mobile ad hoc network

• Outline of Talk
• Packet Forwarding - A Security Problem in Mobile
  Ad Hoc Networks
• Secure Mobile Agent Computation
• Future Work

• Paradigm 2 mobile software agent

4
Mobile Ad Hoc Network

• Wireless multi-hop network formed by mobile
  nodes No pre-existing infrastructure
• Convenient for people to use in many places, at
  many time points
• - Depends on other nodes to relay packets

packet
5
Potential Problem

• Packet relay consumes energy, which is scarce in
  mobile ad hoc networks
• Different nodes belong to different owners
• ? A node has no incentive to forward others
  packets

6
Two Types of Solutions

• Reputation systems, e.g., MGLB00_at_Stanford,
  BB02a, BB02b_at_Terminodes
• -- security properties not clear
• Payment system each intermediate node is paid
  for forwarding, e.g., HB02_at_Terminodes
• -- we propose one that does not require
  tamper-proof hardware
• -- we focus on security, instead of economics
  (addressed by QM03_at_Toronto SNCR03_at_UCSD)

7
Sprite System Architecture
Credit Clearance System
Internet
Wide-area wireless network
8
Big Picture Saving Receipts
Credit Clearance System
Internet
Wide-area wireless network
A
packet
D
C
B
receipt
receipt
(protected by digital signature)
9
Big Picture Getting Payment
Credit Clearance System
Internet
receipt
C
A
D
B
10
Only Source Pays
Credit Clearance System
Internet
Wide-area wireless network
DoS Attack
D
C
B
11
Pays for Successful Forwards
Credit Clearance System
Internet
Wide-area wireless network
A
successful
D
?
C
B
12
Major Challenges Cheating Prevention

• Cheating behaviors
• Cheating in receipt submission
• A node has received a message but does not submit
  the receipt
• A node does not receive the message but submit a
  (forged or stolen) receipt
• Cheating in forwarding After receiving a
  message, a node saves the receipt but does not
  forward
• Nodes may even collude !

13
Payment (version 1) Motivate nodes to forward

• Pay ? for each successful forward
• Pay ? to last node that receives the message
• ? gt ?

?
?
?
?
-(2? ?)
B
F
D
E
C
A
(Attack D colludes with A by not submitting
receipts)
14
Payment (version 2)Motivate nodes to submit
receipts

• Overcharge ? for each node after D
• So that colluding group will get no advantage

?
?
?
?
-(4? ?)
B
F
D
E
C
A
(Attack D sends only receipt, not packet to E?)
15
Payment (final version) Prevent
receipt-transfer attack

• Reduce payments if F does not receive message
• Do not reduce payment enough to cover expense of
  transferring receipt
• Also reduce the charge to A a little in this case

??
??
??
-(4? ?-2 ? ?)
?
B
F
D
A
E
C
16
Summary of Payment

• Consider path (n0, n1, , ne, , nd)
• Charge to n0 (d-1)??-(d-e) ??
• Payment to ni

17
Formal Analysis (1)

• Model a one-round receipt-submission game
• Players nodes along the path
• Players information whether it has received
  message or not
• Action report having received message or not

18
Formal Analysis (2)

• Cost of Action faking receipts has extra cost
• Payment how much player receives from (or is
  charged by, if negative) system
• Welfare Payment Cost
• -- Selfish player wants to maximize welfare

19
Result of formal analysis

• Theorem
• Cheating cannot increase a players welfare
• In case of collusion, cheating cannot increase
  the sum of colluding players welfares

20
Extension Route Discovery and Multicast

• Similar to message forwarding
• But use more complicated receipt
• -- necessary because a tree is involved
• -- affordable because route discovery is less
  frequent
• Can be extended to multicast as well

21
Evaluation Overhead
22
Effects of Battery on Performance
23
Dynamics of Message Success Rate
24
Summary of Our Results on Mobile Ad Hoc Networks

• We designed a simple scheme to stimulate
  cooperation
• Our system is provably secure against (colluding)
  cheating behaviors
• Evaluations have shown that the system has good
  performance

25
Secure Mobile Agent Computation

• Mobile ad hoc networks are convenient to use in
  many places at many time points
• Question But what if you do not have time to
  spend on your computer?
• Answer Use a mobile software agent that works
  for me!

• Outline of Talk
• ?Packet Forwarding - A Security Problem in Mobile
  Ad Hoc Networks
• Secure Mobile Agent Computation
• Future Work

26
Problem Formulation

• Mobile Agent A piece of software moving around
  the network, performing a specific task
• Example an agent searching for airline tickets

agent
Internet
27
Problem Formulation (Contd)
Originator
input
output
fun()
28
Security Requirements

• Agent Originators Privacy Originators private
  information (e.g., a buy-it-now price in
  airline-ticket-agent example) in the agent is not
  revealed to hosts
• Hosts Privacy Each hosts private input (e.g.,
  the ask price) and output (e.g., whether to make
  a reservation) to the agent is not revealed to
  other hosts or the originator

29
Solution Framework ACCK01

• Main Idea Use Yaos Garbled Circuit
• Agent is garbled - becomes a blackbox program
  that nobody can read
• Privacy is achieved
• Each host needs to translate I/O of agent to
  complete computation

Translate
(encrypt)
Private Input
Garbled Input
Garbled Output
Private Output
(decrypt)
30
Illustration of Solution Framework
Private Input
Private Output
Input Translation
Output Translation
Garbled Input
Garbled Output
Arrive
Leave
Garbled Agent
31
Need for a Crypto Primitive

• Question How to enable each host to translate
  I/O?
• Output Easy - Supplies translation table to host
• Input Tricky - Must guarantee that only one
  value of input is translated (Dont want host to
  test agent with many possible inputs)

32
Verifiable Distributed Oblivious Transfer (VDOT)

• Introduce a group of proxy servers
• For each input bit Proxy servers hold garbled
  input for 0/1 G(0)/G(1)
• Input bit b ? transfer G(b) to host
• No information about G(1-b) is revealed to host
• No information about b is revealed to proxy
  servers
• Proxy servers cannot cheat host with incorrect
  G(b)

33
VDOT (Contd)

• All the above requirements are satisfied under a
  threshold trust assumption
• VDOT further extends Distributed Oblivious
  Transfer (DOT) NP00, which extends the
  extensively studied Oblivious Transfer (OT)
  Rabin81,
• Difference Consider malicious proxy servers
  instead of semi-honest servers
• Key technical component of our solution

34
Analysis of VDOT Security Requirements

• Input bit b ? transfer G(b) to host
• No information about G(1-b) is revealed to host
• No information about b is revealed to proxy
  servers

1-out-of-2 Oblivious Transfer (OT)

• Detection of Cheating

• Proxy servers cant cheat host w/ incorrect G(b)

• Identification of Cheater

35
Design of VDOT

• First Idea Add Detection of Cheating to
  1-out-of-2 OT
• Choose a distributed variant of Bellare-Micali OT
  BM89 as basis of design
• G(0), G(1) shared among proxy servers
• Transfer shares of G(0), G(1) in encrypted form
• Only shares of G(b) can be decrypted

36
Consistency Verification on Encrypted Shares

• Observation detect cheating detect existence
  of incorrect shares without decrypting any share
• Using variant of Shamir Secret Sharing ?
  existence of incorrect shares inconsistency of
  shares (Why?)

37
Consistency Verification on Encrypted Shares
(Contd)

• Variant of Shamir Secret Sharing based on
  degree-(t-1) polynomial
• Each share a point
• Share is correct point is on polynomial
• Consistent means on same polynomial of
  degree-(t-1)
• Correct shares are all consistent incorrect
  shares are inconsistent with correct ones

38
Illustration of Consistency Verification
Correct share
Incorrect share
39
Achieving Consistency Verification on Encrypted
Shares

• To verify consistency on clear text shares, we
  can use Lagrange interpolation
• Question How can we achieve consistency
  verification on encrypted shares?
• Answer Use Homomorphic property of ElGamal
  Encryption - recall Bellare-Micali OT is based on
  ElGamal Encryption

40
Achieving Consistency Verification on Encrypted
Shares (Contd)
ElGamal Encryption of a Share
For i t1, , n
Need
Consistency verification using Lagrange
interpolation
41
Analysis of Need
Share k among proxy servers using Feldman VSS
share ki private key commitment public key
rj,1rj,2rj,nrj
42
Identification of Cheater

• After Consistency Verification on Encrypted
  Shares What if an inconsistency is found?
• Want Find the cheaters
• Assume of dishonest parties lt (n-t)/2
• Find set S of shares (St) s.t.
• Majority of shares outside S are consistent with
  those in S - let M be the set of all shares
  outside but consistent with S
• Claim 1,2,,n (S ? M) is the set of
  cheaters!

43
Identification of Cheater (Contd)

• Question Why can we make the claim?
• Answer M (n-t)/2 ? S ? M t (n-t)/2
• ? at least t proxy servers in S ? M are honest
• ? the degree-(t-1) polynomial constructed in
  Lagrange interpolation using shares in S is
  correct
• ? all shares in S ? M are correct
• ? the remaining shares belong to cheaters

44
Performance Overhead of Garbled Circuits
45
Future (On-going) Work on Mobile Ad Hoc Networks

• Impossibility Results in Ad Hoc Game
• Impossibility of Dominant Strategy Equilibrium
• Impossibility of Collusion Resistance
• New Solution Concept for the Game
• General Framework for a Secure System for
  Enforcing the Output of the Game

46
Future Work on Mobile Agents

• Eliminate Proxy Servers Possible?
• More Efficient Solutions (so that it will be
  commercially deployable)?

47
THANK YOU