Title: Securing Wireless Ad Hoc Networks: An ID-Based Cryptographic Approach
Slide 1: Securing Wireless Ad Hoc Networks: An ID-Based Cryptographic Approach
Yuguang Michael Fang, Professor
JSPS Visiting Invitation Fellow
University of Florida Research Foundation Professor, Department of Electrical & Computer Engineering, University of Florida
Changjiang Scholar Chair Professor, Xidian University, China
In collaboration with Xiaoyan Zhu and Yanchao Zhang
http://winet.ece.ufl.edu/
Slide 2: Outline
- Introduction
- Resource-constrained wireless ad hoc networks
- Security requirements
- Security issues to tackle
- Our ID-based public key approach
- Conclusion and future work
Slide 3: Future Cyberspace: Integrated Wired-Wireless Internet
[Figure labels: Cellular Networks, Wi-Fi Networks, WiMAX Networks, Current Internet, Mobile Ad-Hoc Networks, Wireless Mesh Networks. NSF GENI Vision, www.geni.net]
Slide 4: Wireless Movement
- There are many interesting applications
- Cellular phones
- PDAs or iPods
- Bluetooth earphones
- Wi-Fi (hot-spot technologies)
- Tactical radios (missions for war or peace keeping)
- Smart phones (healthcare monitoring)
- iPhone
- Wireless sensors (tagging the environments)
- Digital cameras or camcorders (wireless connections)
You are being watched!!!
Slide 5: Wireless Advantage
- There are many good things wireless can offer
- Frees us from physical attachment
- Provides freedom of movement while engaging in communications
- Can be self-configured with rapid setup
- Could be made high speed (broadband)
- Could be made small and be embedded in everything (everything goes wireless)
Slide 6: Wireless Disadvantage
- There are many design challenges
- Poor channel conditions (e.g., fading)
- Time-varying links
- Failure due to mobility/power depletion
- Susceptible to interference
- Limited bandwidth
- Limited power
- Limited computing resources (memory and CPU)
- Open access (subject to interception or eavesdropping)
- Lack of trusted infrastructure (sometimes)!
Slide 7: Design Challenges
- Resource constraints pose many secure design challenges
- Security schemes for wired networks may NOT be feasible for wireless networks
- Computationally intensive schemes will not work well
- Power-hungry operations should be avoided (due to either computation or communications)
- Trust model should be re-evaluated
- Non-conventional attacks should be investigated and appropriate strategies should be designed
Slide 8: Design Challenges
- PKI or not PKI? This is the question!
- Public (asymmetric) key approach: PKI
- Pros: scalable, easier key establishment, better authentication and embedded digital signature
- Cons: computationally intensive, larger key size, demands trusted infrastructure (certificate management) and more overhead due to certificate management, and subject to DoS attacks
- Secret (symmetric) key approach: not PKI
- Pros: low computational overhead, no certificate is necessary
- Cons: not scalable, more communication overhead, no support of digital signature
- A dilemma indeed!!!
Slide 9: ID-based Public Key Cryptography (PKC)
- ID-based Signature (Shamir 1984)
- ID-based PKC (Non-interactive PKC)
- Joux (2000): pairing does some magic: three-party key agreement
- Boneh and Franklin (2001): alternative PKI (encryption)
- Any string (or ID) such as email, telephone number, or any string can be used as the public key
- No certificate is necessary: there is no need to maintain an (ID, PublicKey) binding because the public key is directly derivable from the ID
- Elliptic curve cryptography can be easily incorporated
Slide 10: Why ID-based PKC
- Advantages
- Non-interactive key establishment: shared secret without exchanging information, conserving energy!
- No certificate: saving memory space! No need of trusted infrastructure!
- The fact that any string can be a part of the public key offers the flexibility of adding a specialized property to a user: instead of Michael, we can use Michael@UF
- Scalable: as long as private keys are given from the same master secret, secure communication can be enabled
Slide 11: Why ID-based PKC
- Disadvantages
- The master secret holder (Trusted Authority or TA) knows everything: somebody is watching!
- Computational complexity of pairing: more complex than exponentiation!
- Fitting Wireless Ad Hoc Networks (WANETs)
- A WANET is designed for a single mission, hence collaborative in nature, and the TA is the network owner!
- Pairing computational efficiency is progressing
- Hardware implementation: Tate pairing needs 6 ms to compute
- Platform implementation: a sub-second implementation on a sensor platform has been proposed lately (WiSec 2009)
Slide 12: Notation
Slide 13: Pairing Technique
- Similar to the exponentiation function in RSA
- Modified Weil pairing or Tate pairing can be used
Slide 14: Key Generation and Establishment
- Key Generation
- Given (ID, K), it is infeasible to derive s, as the Discrete Logarithm Problem is computationally hard in G1.
- Key establishment: node A (ID_A, K_A) and node B (ID_B, K_B)
A shared key is established without exchanging any information!!!
Slide 15: Wireless Sensor Networks
- A wireless sensor network (WSN) is composed of a large number of low-cost sensor nodes randomly deployed to sense/monitor the field of interest, collect and process information, and make intelligent decisions (actuation)
- Sensor nodes
- Limited in energy, computation, and storage
- Sense/monitor their local environment
- Perform limited data processing
- Communicate over short distances
- Actuate/control (decision making)
- E.g., sink model
- Gather data from sensor nodes and connect the WSN to the outside world
Slide 16: Wireless Sensor Networks
[Figure: sensor network with a sink]
Slide 17: Security Requirements
- Message confidentiality
- Message authenticity and integrity
- Node mutual authentication
- More
[Figure: nodes A, B, U and the sink; sample message "An attacker at (20,18)"]
Slide 18: Security Issues
- Authentication
- Key agreement
- Mitigating specific serious attacks
- Secure location discovery
- Broadcast authentication
- Secure data aggregation
- Secure clock synchronization
- Secure routing and MAC protocols
- Intrusion detection
Slide 19: 1. Pair-wise Authentication
- Two neighboring nodes verify that the other party is who it claims to be
- Chan et al. (IEEE S&P'03)
- Otherwise, attackers can
- Inject false data reports via good nodes
- Distribute wrong routing information
- Impersonate good nodes to misbehave
Slide 20: 2. Key Agreement
- Two neighboring nodes establish a shared secret key known only to themselves
- Eschenauer and Gligor (CCS'03), Chan et al. (S&P'03), Liu and Ning (IEEE CCS'03),
- The shared key is a prerequisite for
- Message encryption/decryption
- Message authentication
Slide 21: 3. Sybil Attack
- Sybil (1976), starring Sally Field: a girl with at least 13 personalities
- A malicious node claims multiple identities
- Severely interrupts routing, fair resource allocation, distributed storage, misbehavior detection
- Douceur (IPTPS'02), Newsome et al. (IPSN'04)
[Figure: nodes A, B, C, D, E, F; claimed identities "I am V", "I am U", "I am F", "I am W"; correct path and wrong path]
Slide 22: 4. Node Duplication Attack
- The attacker puts clones of a captured node at random or strategic locations in the network
- Parno et al. (IEEE S&P'05)
[Figure: node A and the sink]
Slide 23: 5. Random Walk Attack
- The attacker uses secret information of a captured node to roam in the network
[Figure: node A and the sink]
Slide 24: 6. Wormhole Attack
- Attackers tunnel packets received at one location to another distant network location
- Hu et al. (INFOCOM'03), Karlof et al. (SNPA'03)
- Allowing the attacker to
- Disrupt routing, selectively drop packets,
[Figure: nodes A and B joined by a secret wormhole link]
Slide 25: Previous Research
- Many separate solutions exist, but
- Difficult to combine due to different or even conflicting underlying assumptions
- Even if possible, far too complex a solution stack
- Most prior solutions do not work when a small number of nodes are captured by attackers
- Many schemes address one problem but create other problems
- Most schemes apply the symmetric key approach. Many do reduce the computational cost; however, they tend to dramatically increase the communications cost (often ignored by many)
Slide 26: Observation
- Almost all WSN applications are location-dependent and require a sensor node to know its own location
- E.g., military sensing and tracking
- Most sensor nodes are stationary once deployed
- Can be identified by their IDs plus locations
- Most sensor nodes have a limited comm. range
- Can only directly communicate with others inside their communication range
Slide 27: Location-based Security Solution
- Location-based authentication
- Neighbor-to-neighbor authentication
- Key agreement
- Sybil attack
- Node duplication attack
- Random walk attack
- Wormhole attack
Slide 28: Location-based Keys
- Conventional way: ID-based keys
- Name a node merely with its ID
- Bind sensor nodes' keys only to their IDs
- Vulnerable to many attacks, e.g., node duplication
- Our method: location-based keys (LBKs)
- Name a node with both its ID and location
- Michael@UF is more specific than Michael!
- Bind sensor nodes' keys to both IDs and locations
Slide 29: Location-based Keys
- Assume a secure way to decide node locations
- Zhang et al., IEEE JSAC'06
- Node A's LBKs
- Given (ID_A@L_A, K_A), it is infeasible to derive s, as the Discrete Logarithm Problem is hard in G1.
- Each node only knows its unique LBK pair, and has no knowledge of s
- Use a key pre-distribution model
Slide 30: Neighbor-to-Neighbor Authentication
- Purpose
- Discover and perform mutual authentication with neighboring sensor nodes
- Idea
- Check if the candidate is within the comm. range and has the correct location-based private key
Slide 31: Neighbor-to-Neighbor Authentication
Slide 32: Neighbor-to-Neighbor Authentication
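The non-interactive key establishment of slide 14 and the location-based neighbor check of slides 28-30, as an added example that is not part of the original slides. The slide formulas did not survive, so the construction K = s*H(ID@L) and all function names are assumptions, and the pairing is replaced by a toy bilinear map that shows the algebra only.

```python
import hashlib, hmac, math

# Toy stand-in for the pairing, for the algebra only: G1 = integers mod Q and
# e(a, b) = a*b mod Q, which is bilinear and symmetric. It is NOT secure (s is
# recoverable as K / H(ID)); a real system uses a Weil or Tate pairing.
Q = 2**127 - 1            # a Mersenne prime
R = 10.0                  # communication range (assumed units)

def h1(name):             # hash an identity string into G1
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % Q

def e(a, b):
    return (a * b) % Q

def name_of(node_id, loc):        # "ID@location" naming, as in Michael@UF
    return f"{node_id}@{loc[0]},{loc[1]}"

def issue_lbk(s, node_id, loc):   # TA side, pre-deployment: K = s * H(ID@L)
    return (s * h1(name_of(node_id, loc))) % Q

def shared_key(my_lbk, peer_id, peer_loc):   # derived with no message exchange
    k = e(my_lbk, h1(name_of(peer_id, peer_loc)))
    return hashlib.sha256(k.to_bytes(16, "big")).digest()

def prove(my_lbk, my_name, peer_id, peer_loc, nonce):
    key = shared_key(my_lbk, peer_id, peer_loc)
    return hmac.new(key, nonce + my_name.encode(), hashlib.sha256).digest()

def accept_neighbor(my_loc, my_lbk, claim_id, claim_loc, nonce, tag):
    if math.dist(my_loc, claim_loc) > R:     # claimed position is out of range
        return False
    key = shared_key(my_lbk, claim_id, claim_loc)
    want = hmac.new(key, nonce + name_of(claim_id, claim_loc).encode(),
                    hashlib.sha256).digest()
    return hmac.compare_digest(want, tag)    # only the holder of K for ID@L passes

def demo():  # constructed scenario: A and B are neighbors, C is far from A
    s = 0x5EC2E7C0FFEE                       # constructed master secret
    la, lb, lc = (0, 0), (6, 0), (40, 0)
    ka, kb, kc = (issue_lbk(s, i, l) for i, l in (("A", la), ("B", lb), ("C", lc)))
    n = b"nonce-1"
    honest = accept_neighbor(lb, kb, "A", la, n, prove(ka, name_of("A", la), "B", lb, n))
    far = accept_neighbor(lc, kc, "A", la, n, prove(ka, name_of("A", la), "C", lc, n))
    fake = (38, 0)   # clone of A near C lies about its location
    moved = accept_neighbor(lc, kc, "A", fake, n, prove(ka, name_of("A", fake), "C", lc, n))
    return honest, far, moved
```

`demo()` returns `(True, False, False)`: the genuine neighbor is accepted, a clone that reports A's real location fails the range check, and a clone that reports a nearby location fails because its key is bound to A's original location.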
Slide 33: Resilience to Sybil Attack
- The captured node does not have the correct location-based private keys of the nodes it claims to be
- Comparison to Newsome et al. (IPSN'04)
- Our solution has much higher network scalability (Random key pre-distribution with limited network size)
Slide 34: Resilience to Node Duplication Attack
[Figure: nodes A and B; range R]
- A duplicate will be detected if talking to good nodes outside the communication range of node A
- The impact range of a captured node is reduced from the whole network to a small circle of radius < R
- Comparison to Parno et al. (IEEE S&P'05)
- Our solution is much more efficient in both communication and computation (periodic report on location and witness nodes help)
Slide 35: Resilience to Random Walk Attack
[Figure: node A, range R and the sink]
- The impact range of a captured node is reduced from the whole network to a small circle of radius < R
Slide 36: Resilience to Wormhole Attack
[Figure: nodes A and B, each with range R, joined by a wormhole link]
- The wormhole attack is completely defeated
- Comparison to Hu et al. (INFOCOM'03)
- Our solution has no stringent requirement on sensor hardware and time synchronization (restrict the maximum transmission distance of any packet)
Slide 37: Comparison to Prior Solutions

| | Our scheme | Eschenauer02, Chan03, Du03, Liu03 |
|---|---|---|
| Key agreement | Deterministic | Probabilistic |
| Neighborhood authentication | Yes | No or very limited |
| Support for digital signatures | Yes | No |
| Storage cost | Low | High |
| Network scalability | High | Poor |
| Attack resilience | High | Poor |
| Communication overhead | Low | High |
| Computation overhead | High | Low |
| Comm. + Computation overhead | Low | High |
Slide 38: ID-based Certificateless Key Management
- Propose a novel construction method of ID-based public/private keys, in which each public or private key consists of a node-specific element and a network-wide common element
- Design an efficient protocol to update public/private keys of all non-compromised nodes with one broadcast message: threshold cryptography
Y. Zhang, W. Liu, W. Lou and Yuguang Fang, "Securing mobile ad hoc networks with certificateless public keys," IEEE Transactions on Dependable and Secure Computing, 3(4): 386-399, 2006.
Slide 39: Anonymity in MANETs
- ID-based approach can be used to generate multiple pseudonyms, which then generate dynamic link identifiers to hide real IDs
- Anonymous MAC
- Use pseudonyms instead of MAC addresses
- Anonymous routing
- Dynamic pseudo link ID management (dynamic link identifiers) to hide both source and destination
Y. Zhang, W. Liu, W. Lou and Yuguang Fang, "MASK: anonymous on-demand routing in mobile ad hoc networks," IEEE Transactions on Wireless Communications, 5(9): 2376-2385, 2006.
Slide 40: Security and Billing in Wireless Mesh Networks
- ID-based authentication schemes among mesh routers and mobile clients
- Authentication for mesh router-mesh router, mesh router-mesh client, and client-client
- Countermeasure against DoS attacks
- Micro-payment schemes
Y. Zhang and Y. Fang, "A secure authentication and billing architecture for wireless mesh networks," accepted for publication in ACM Wireless Networks.
Y. Zhang and Y. Fang, "ARSA: an attack-resilient security architecture for multi-hop wireless mesh networks," IEEE Journal on Selected Areas in Communications, 24(10): 1916-1928, 2006.
Slide 41: Conclusions
- Discuss challenges for information assurance
- Demonstrate the innovative applications of ID-based cryptography
- Minimize communication overhead (no certificate, establishing session keys without exchanging keying materials)
- Exemplary application: a location-based unified solution for wireless sensor networks to address
- Neighbor-to-neighbor authentication, key agreement, Sybil attack, node duplication attack, random walk attack, wormhole attack, data injection attack
Slide 42: Future Research Directions
- There are many research challenges ahead
- How to reduce the pairing computational complexity (hardware?)
- How to deal with heterogeneous ad hoc networks (more powerful nodes can be better used to our advantage)
- How to take advantage of mobile nodes
- Mission-dependent, light-weight and adaptive security schemes
- How to harness the cooperative nature, if any
- How to proactively detect intrusion
- How to secure distributed storage
- How to secure routing protocols in a light-weight fashion
- How to carry out secure target tracking
- How to integrate the security schemes over resource-constrained networks with those over fixed infrastructure