Securing Wireless Ad Hoc Networks: An ID-Based Cryptographic Approach

1
Securing Wireless Ad Hoc NetworksAn ID-Based
Cryptographic Approach
Yuguang Michael Fang, Professor JSPS Visiting
Invitation Fellow University of Florida Research
Foundation Professor Department of Electrical
Computer Engineering University of
Florida Changjiang Scholar Chair Professor
Xidian University, China In Collaboration
with Xiaoyan Zhu and Yanchao Zhang http//winet.
ece.ufl.edu/
2
Outline

• Introduction
• Resource-constrained wireless ad hoc networks
• Security requirements
• Security issues to tackle
• Our ID-based public key approach
• Conclusion future work

3
Future CyberspaceIntegrated Wired-Wireless
Internet
Cellular Networks
Wi-Fi Networks
WiMAX Networks
Current Internet
Mobile Ad-Hoc Networks
Wireless Mesh Networks
NSF GENI Vision
www.geni.net
4
Wireless Movement

• There are many interesting applications
• Cellular phones
• PDAs or iPods
• Bluetooth earphones
• Wi-Fi (hot-spot technologies)
• Tactical radios (missions for war or peace
  keeping))
• Smart phones (healthcare monitoring)
• iPhone
• Wireless sensors (tagging the environments)
• Digital cameras or camcorder (wireless
  connections)

You are being watched!!!
5
Wireless Advantage

• There are many good things wireless can offer
• Frees us from physical attachment
• Provides freedom of movement while engaging in
  communications
• Can be self-configured with rapid setup
• Could be made high speed (broadband)
• Could be made small and be embedded in everything
  (everything goes wireless)

6
Wireless Disadvantage

• There are many design challenges
• Poor channel conditions (e.g., fading)
• Time-varying links
• Failure due to mobility/power depletion
• Susceptible to interference
• Limited bandwidth
• Limited power
• Limited computing resources (memory and CPU)
• Open access (subject to interception or
  eavesdropping)
• Lack of trusted infrastructure (sometimes)!

7
Design Challenges

• Resource constraints pose many secure design
  challenges
• Security schemes for wired networks may NOT be
  feasible for wireless networks
• Computationally intensive scheme will not work
  well
• Power hungry operations should be avoided (due to
  either computation or communications)
• Trust model should be re-evaluated
• Non-conventional attacks should be investigated
  and appropriate strategy should be designed

8
Design Challenges

• PKI or not PKI? This is the question!
• Public (asymmetric) key approach PKI
• Pros scalable, easier key establishment, better
  authentication and embedded digital signature
• Cons computationally intensive, larger key size,
  demand trusted infrastructure (certificate
  management) and more overhead due to certificate
  management, and subject to DoS attacks
• Secret (symmetric) key approach not PKI
• Pros low computational overhead, no certificate
  is necessary
• Cons not scalable, more communication overhead,
  no support of digital signature
• dilemma indeed!!!

9
ID-based Public Key Cryptography (PKC)

• ID-based Signature (Shamir 1984)
• ID-based PKC (Non-interactive PKC)
• Joux (2000) pairing does some magicthree-party
  key agreement
• Boneh and Franklin (2001) alternative PKI
  (encryption)
• Any string (or ID) such as email, telephone
  number, or any string can be used as the public
  key
• No certificate is necessary does not need to
  maintain (ID,PublicKey) binding because the
  public key is directly derivable from the ID
• Elliptic curve cryptography can be easily
  incorporated

10
Why ID-based PKC

• Advantages
• Non-interactive key establishment shared secret
  without exchanging informationconserving energy!
  
• No certificate saving memory space! No need of
  trusted infrastructure!
• The fact that any string can be a part of public
  key offers the flexibility of adding specialized
  property to a user instead of Michael, we can
  use Michael _at_UF
• Scalable as long as private key is given from
  the same master secret, secure communication can
  be enabled

11
Why ID-based PKC

• Disadvantages
• The master secret holder (Trusted Authority or
  TA) knows everything somebody is watching!
• Computational complexity of pairing more complex
  than exponentiation!
• Fitting Wireless Ad Hoc Networks (WANETs)
• WANETs is designed for a single mission, hence
  collaborative in nature and TA is the network
  owner!
• Pairing computational efficiency is progressing
• Hardware implementation Tate pairing needs 6ms
  to compute
• Platform implementation sub-second
  implementation on sensor platform has been
  proposed lately (Wisec2009)

12
Notation
13
Pairing Technique
Similar to the exponentiation function in RSA
Modified Weil pairing or Tate pairing can be
used
14
Key Generation and Establishment

• Key Generation
• Given (ID, K), it is infeasible to derive s, as
  the Discrete Logarithm Problem is computationally
  hard in G1.
• Key establishment node A (IDA,KA) and node B
  (IDB,KB)

A shared key is established without exchanging
any information!!!
15
Wireless Sensor Networks

• A wireless sensor network (WSN) is composed of a
  large number of low-cost sensor nodes randomly
  deployed to sense/monitor the field of interest,
  collect and process information, and make
  intelligent decision (actuation)
• Sensor nodes
• Limited in energy, computation, and storage
• Sense/monitor their local environment
• Perform limited data processing
• Communicate over short distances
• Actuate/control (decision making)
• E.g., sink model
• Gather data from sensor nodes and connect the WSN
  to the outside world

16
Wireless Sensor Networks
sink
17
Security Requirements
Message confidentiality
Message authenticity integrity
An attacker at (20,18)
An attacker at (20,18)
A
B
U
Node mutual authentication
More
sink
18
Security Issues

• Authentication
• Key agreement
• Mitigating specific serious attacks
• Secure location discovery
• Broadcast authentication
• Secure data aggregation
• Secure clock synchronization
• Secure routing and MAC protocols
• Intrusion detection

19
1 Pair-wise Authentication

• Two neighboring nodes verify that the other party
  is who it claims to be
• Chan et al. (IEEE SP03)
• Otherwise, attackers can
• Inject false data reports via good nodes
• Distribute wrong routing information
• Impersonate good nodes to misbehave

20
2 Key Agreement

• Two neighboring nodes establish a shared secret
  key known only to themselves
• Eschenauer and Gligor (CCS03), Chan et al.
  (SP03), Liu and Ning (IEEE CCS03),
• The shared key is a prerequisite for
• Message encryption/decryption
• Message authentication

21
3 Sybil Attack

• Sybil (1976) staring Sally Field a girl with at
  least 13 personalities
• A malicious node claims multiple identities
• Severely interrupt routing, fair resource
  allocation, distributed storage, misbehavior
  detection
• Douceur (IPTPS02), Newsome et al. (IPSN04)

E
F
I am V
I am U
Correct path
A
D
I am F
I am W
wrong path
C
B
22
4 Node Duplication Attack

• The attacker put clones of a captured node at
  random or strategic locations in the network
• Parno et al. (IEEE SP05)

A
sink
23
5 Random Walk Attack

• The attacker uses secret information of a
  captured node to roam in the network

A
sink
24
6 Wormhole Attack

• Attackers tunnel packets received at one location
  to another distant network location
• Hu et al. (INFOCOM03), Karlof et al. (SNPA03)
• Allowing the attacker to
• Disrupt routing, selectively drop packets,

A
B
secret Wormhole link
25
Previous Research

• Many separate solutions exist, but
• Difficult to combine due to different or even
  conflicting underlying assumptions
• Even if possible, far too complex a solution
  stack
• Most prior solutions do not work when a small
  number of nodes are captured by attackers
• Many schemes address one problem but create other
  problems
• Most schemes apply the symmetric key approach.
  Many do reduce the computational cost however,
  they tend to dramatically increase the
  communications cost (often ignored by many)

26
Observation

• Almost all WSN applications are
  location-dependent and require a sensor node to
  know its own location
• E.g., military sensing and tracking
• Most sensor nodes are stationary once deployed
• Can be identified by their IDs plus locations
• Most sensor nodes have a limited comm. range
• Can only directly communicate with others inside
  their communication range

27
Location-based Security Solution

• Location-based authentication
• Neighbor-to-neighbor authentication
• Key agreement
• Sybil attack
• Node duplication attack
• Random walk attack
• Wormhole attack

28
Location-based Keys

• Conventional way ID-based keys
• Name a node merely with its ID
• Bind sensor nodes keys only to their IDs
• Vulnerable to many attacks, e.g., node
  duplication
• Our method location-based keys (LBKs)
• Name a node with both its ID and location
• Michael_at_UF is more specific than Michael!
• Bind sensor nodes keys to both IDs and locations

29
Location-based Keys

• Assume a secure way to decide node locations
• Zhang et al., IEEE JSAC06
• Node As LBKs
• Given (IDA_at_LA, KA), it is infeasible to derive s,
  as the Discrete Logarithm Problem is hard in G1.
• Each node only knows its unique LBK pair, and has
  no knowledge of s
• Use a key pre-distribution model

30
Neighbor-to-Neighbor Authentication

• Purpose
• Discover and perform mutual authentication with
  neighboring sensor nodes
• Idea
• Check if the candidate is within the comm. range
  and has the correct location-based private key

31
Neighbor-to-Neighbor Authentication
32
Neighbor-to-Neighbor Authentication
33
Resilience to Sybil Attack

• The captured node does not have the correct
  location-based private keys of the nodes it
  claims to be
• Comparison to Newsome et al. (IPSN04)
• Our solution has much higher network scalability
  (Random key pre-distribution with limited network
  size)

34
Resilience to Node Duplication Attack
B
A
R

• A duplicate will be detected if talking to good
  nodes outside the communication range of node A
• The impact range of a captured node is reduced
  from the whole network to a small circle of
  radius lt R
• Comparison to Parno et al. (IEEE SP05)
• Our solution is much more efficient in both
  communication and computation (periodic report on
  location and witness nodes help)

35
Resilience to Random Walk Attack
R
A
sink

• The impact range of a capture node is reduced
  from the whole network to a small circle of
  radius lt R

36
Resilience to Wormhole Attack
A
B
R
R
Wormhole link

• The wormhole attack is completely defeated
• Comparison to Hu et al. (INFOCOM03)
• Our solution has no stringent requirement on
  sensor hardware and time synchronization
  (restrict the maximum transmission distance of
  any packet)

37
Comparison to Prior Solutions
Our scheme Eschenauer02, Chan03, Du03, Liu03
Key agreement Deterministic Probabilistic
Neighborhood authentication Yes No or very limited
Support for digital signatures Yes No
Storage cost Low High
Network scalability High Poor
Attack resilience High Poor
Communication overhead Low High
Computation overhead High Low
Comm.Computation overhead Low High
38
ID-based Certificateless Key Management

• Propose a novel construction method of ID-based
  public/private keys, in which each public or
  private key consists of a node-specific element
  and a network-wide common element
• Design an efficient protocol to update public
  private keys of all non-compromised nodes with
  one broadcast message threshold cryptography

Y. Zhang, W. Liu, W. Lou and Yuguang Fang,
Securing mobile ad hoc networks with
certificateless public keys, IEEE Transactions
on Dependable and Secure Computing, 3(4)
386-399, 2006.
39
Anonymity in MANETs

• ID-based approach can be used to generate
  multiple pseudonyms, which then generate dynamic
  link identifiers to hide real IDs
• Anonymous MAC
• Use pseudonyms instead of MAC addresses
• Anonymous routing
• Dynamic pseudo link ID management (dynamic link
  identifiers) to hide both source and destination

Y. Zhang, W. Liu, W. Lou and Yuguang Fang, MASK
anonymous on-demand routing in mobile ad hoc
networks, IEEE Transactions on Wireless
Communications, 5(9) 2376-2385, 2006
40
Security Billing in Wireless Mesh Networks

• ID-based authentication schemes among mesh
  routers and mobile clients
• Authentication for mesh router-mesh router, mesh
  router-mesh client, and client-client
• Countermeasure against DoS attacks
• Micro-payment schemes

Y. Zhang and Y. Fang, A secure authentication
and billing architecture for wireless mesh
networks,'' Accepted for publication in ACM
Wireless Networks Y. Zhang and Y. Fang, ARSA
an attack-resilient security architecture for
multi-hop wireless mesh networks, IEEE Journal
on Selected Areas in Communications, 24(10)
1916-1928, 2006.
41
Conclusions

• Discuss challenges for information insurance
• Demonstrate the innovative applications of
  ID-based cryptography
• Minimize communication overhead (no certificate,
  establishing session keys without exchanging
  keying materials)
• Exemplary application a location-based unified
  solution for wireless sensor networks to address
• Neighbor-to-neighbor authentication, key
  agreement, Sybil attack, node duplication attack,
  random walk attack, wormhole attack, data
  injection attack

42
Future Research Directions

• There are many research challenges ahead
• How to reduce the pairing computational
  complexity (hardware?)
• How to deal with heterogeneous ad hoc networks
  (more powerful nodes can be better used to our
  advantage)
• How to take advantage of mobile nodes
• Mission-dependent, light-weight and adaptive
  security schemes
• How to harness the cooperative nature, if any.
• How to proactively detect intrusion
• How to secure distributed storage
• How to secure routing protocol in the
  light-weight fashion
• How to carry out secure target tracking
• How to integrate the security schemes over
  resource-constrained networks with those over
  fixed infrastructure