Key Establishment in Ad Hoc Networks Part 1 of 2 - PowerPoint PPT Presentation

Slides: 52
Provided by: epf48
Learn more at: http://icawww.epfl.ch
Transcript and Presenter's Notes


1
Key Establishment in Ad Hoc Networks Part 1 of 2
  • S. Capkun, JP Hubaux

2
Outline
  • Introduction
  • URSA: Providing Ubiquitous and Robust Security
    Support for MANET (UCLA proposal)
  • PGP-inspired solution: keys generated by the
    nodes (EPFL proposal)
  • Mobility helps security (in Part 2 of 2)

3
Research areas in security for ad hoc networks
  • Key establishment: how to distribute and manage
    keys in the absence of an on-line authority
  • Secure routing: how to make routing protocols
    robust against potential attacks
  • Intrusion detection: how to discover that an
    intruder is attempting to penetrate the network
  • Preventing denial of service: how to prevent
    nodes from misbehaving, rationally or maliciously,
    e.g. pretending to forward packets while dropping
    them
  • Securing sensor networks: how to make the
    protocols used by sensor networks robust against
    potential attacks, while coping with the anemic
    nature of the devices

4
Design Challenges
  • Security breaches
  • Vulnerable wireless links
  • Occasional break-ins may be inevitable over long
    time
  • Service ubiquity in presence of mobility
  • Anywhere, anytime availability
  • Network dynamics
  • Wireless channel errors
  • Node failures
  • Node join/leave
  • Network scale

5
Key establishment techniques in ad hoc networks
  • Presence of an authority, at least in the
    initialization phase (usually based on threshold
    cryptography): specialized nodes (servers), or a
    centralized secret share dealer
  • No authority (keys are generated by the nodes):
    PGP-inspired (trust certificate graph), or
    mobility helps security (exploit node encounters)

6
Secret sharing based on threshold cryptography
  • No trusted authority, no central server
  • Threshold crypto makes it possible to distribute
    specific tasks (e.g., signature and therefore
    certificate issuing) among several users
  • Definition

7
Shamir threshold scheme
8
URSA: Providing Ubiquitous and Robust Security
Support for MANET
  • Courtesy of Jiejun Kong, Petros Zerfos, Haiyun Luo,
    Songwu Lu, Lixia Zhang
  • University of California, Los Angeles
  • jkong,pzerfos,hluo,slu,lixia_at_cs.ucla.edu

9
URSA Approach
  • Ubiquitous and robust service provision in the
    presence of random mobility
  • Localized algorithms and protocols
  • One-hop wireless communication

10
Why this model?
  • No single point of compromise
  • Hackers must break into K nodes simultaneously to
    compromise the system
  • No single point of DoS attack / node failure
  • K offers tradeoff between intrusion tolerance and
    service availability
  • K = 1: single point of compromise, maximal
    availability
  • K = N: single point of DoS attack, maximal
    intrusion tolerance

11
System Overview
  • Each node carries a verifiable, unforgeable
    personal certificate
  • Certificate is signed by network system key SK
  • Certificate may be issued, renewed, or revoked
  • Every mobile node periodically renews its
    certificate
  • Ubiquitous services enabled by secret sharing

12
System Components
  • Certification services
  • Localized certificate issuing, renewal,
    revocation
  • Self-initialization service
  • To provide a secret share to an entity
  • To provide scalable proactive secret share update
    service
  • Proactive secret share update service
  • To resist long-term adversaries without changing
    the shared secret

13
Network Protocol
Self-initialization
  1. Initialization request
  2. Unicast shuffling package
  3. Routing shuffling package
  4. Unicast partial secret share
Certificate issuing, renewal, or explicit revocation
  1. Service request
  2. Return partial certificates (K = 5)

14
Cryptographic Algorithms: Threshold Secret Sharing
  • Polynomial-based threshold secret sharing
  • Given a secret d and a random polynomial of
    degree K-1: $f(x) = d + f_1 x + f_2 x^2 + \dots + f_{K-1} x^{K-1} \bmod n$
  • Each entity $v_i$ obtains its secret share $f(v_i) \bmod n$
  • d can be recovered by Lagrange interpolation
  • In the RSA cryptosystem, the d in the signing key
    SK = (d, n) is shared and distributed

15
Lagrange Interpolation
16
Multi-signature
  • Threshold secret sharing reveals d to a coalition
  • d is not revealed if partial certificates are
    used
  • The cornerstone is the equation
    $X^{d_1} \cdot X^{d_2} \cdots X^{d_K} = X^{d_1 + d_2 + \dots + d_K}$
  • Each coalition member contributes a signed
    partial certificate $X^{SK_i} = (X^{d_i} \bmod n)$,
    which corresponds to an RSA SK-signing in
    computation
  • The certification service requester combines K
    partial certificates and obtains a
    correctly-signed certificate $X^{SK} = (X^{d} \bmod n)$
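
The sharing on slide 14 and the combination on slide 16, carried through in Python as an added example (not code from the slides or from URSA). The toy key, the node ids and the correction loop in `combine` are assumptions of this example: because shares are reduced mod n, the additive shares d_v sum to d + t·n rather than d, so the combiner divides out X^n until the public key verifies.

```python
import hashlib
import secrets

# Constructed toy RSA key from two Mersenne primes; far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # the d of SK = (d, n)

def deal(d, n, k, ids):
    """Shares f(v) mod n of f(x) = d + f1*x + ... + f_{K-1}*x^(K-1)."""
    coeffs = [d] + [secrets.randbelow(n) for _ in range(k - 1)]
    return {v: sum(c * pow(v, j, n) for j, c in enumerate(coeffs)) % n
            for v in ids}

def additive_share(v, share, coalition, n):
    """d_v = f(v) * l_v(0) mod n, l_v being the Lagrange basis over the coalition."""
    lam = 1
    for w in coalition:
        if w != v:
            lam = lam * w * pow((w - v) % n, -1, n) % n
    return share * lam % n

def combine(x, partials, n, e):
    """Multiply partial certificates; the d_v sum to d + t*n with 0 <= t < K,
    so divide out x^n up to K-1 times until the public key verifies."""
    cand = 1
    for p in partials:
        cand = cand * p % n
    x_inv_n = pow(pow(x, -1, n), n, n)
    for _ in range(len(partials)):
        if pow(cand, e, n) == x:
            return cand
        cand = cand * x_inv_n % n
    raise ValueError("partial certificates do not combine to a valid signature")

def issue(cert, shares, coalition, n=N, e=E):
    """Requester side: collect X^{d_v} mod n from each member and combine."""
    x = int.from_bytes(hashlib.sha256(cert).digest(), "big") % n
    partials = [pow(x, additive_share(v, shares[v], coalition, n), n)
                for v in coalition]
    return x, combine(x, partials, n, e)
```

No coalition member ever holds d, and the final check against the public exponent rejects a coalition smaller than K or one containing a corrupted partial certificate.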

17
Simulation: Proactive Update, Updated Node
Percentage vs. Delay
  • Explosion effect: as more and more entities
    obtain the new version of secret shares, the task
    is getting easier and faster

18
Conclusion on URSA
  • Certification-based approach
  • Secret sharing
  • Multi-signature
  • Localized and distributed protocols
  • Faster and more robust than other approaches
  • Service ubiquity
  • Scalable
  • Flexible trade-off between intrusion tolerance
    and service availability

19
Full Self-Organization of Public Key Management
(EPFL proposal)
  • Security: we use a public-key cryptography scheme
    to support security services in mobile ad hoc
    networks
  • Problem
  • How can a user u obtain the authentic public key
    of another user v in the presence of an active
    attacker ?
  • Principles
  • users generate their own keys and issue
    certificates (no preinstalled keys)
  • no central certification authority
  • no certificate directories
  • no specific role assigned to a subset of nodes

20
Public-Key Infrastructure
Reminder: Certification Authorities (CAs) (e.g.,
ISO X.509, used notably in S/MIME)
[Figure: certification authorities CAU, CAV, CAW, CAX, CAY and CAz, with users Alice and Bob]
Is it possible to build up a scalable public-key
infrastructure for such an infrastructure-less
network?

21
Key management in PGP: Web of trust
Bob is an introducer for Irene
How can Alice get a trustworthy version of the
public key of Irene, PuKIrene? (She does not know
who signed it)
Alice and Bob trust each other and have exchanged
each other's public key in a secure way (e.g.,
off-line)
[Figure: Alice, Bob and Irene, each with a public key (PuK) and a private key (PrK)]

22
PGP server of certificates
[Figure: Alice, Bob and Irene, each with a public key (PuK) and a private key (PrK)]
  • Example of server: www.pgpi.org
  • The certificate servers are the only
    centralized components of PGP.

Is it possible to get rid of the certificate
server(s), without jeopardizing scalability?
23
Model
  • We assume that if a user i believes that a given
    public key belongs to a given user j, then i can
    issue a public-key certificate to j
  • Certificate graph G(V,E)
  • V is a set of keys
  • E is the set of edges, where a directed edge
    (i,j) is added if i signed a public key
    certificate to user j

[Figure: directed edge from Ki to Kj]

24
Certificate graph
[Figure: example certificate graph with keys K1 to K12]
  • authentication via a chain of certificates

25
No authority: Self-Organized Public Key Management
  • Each node generates its own private / public key
    pair (as in PGP) and issues certificates for
    the nodes it trusts
  • The system works in two phases:
    1. Initialization: each user stores a set of
       certificates
    2. When a user wants to verify the public key of
       another user, they merge their local repositories
       and try to find a path of certificates between
       them

26
Initialization (1)
[Figure: nodes i, j and k]

27
Initialization (2)
  • Each user builds up a local repository of
    public-key certificates (a subgraph)
  • stores the certificates that it issued (outgoing
    edges)
  • stores the list of certificates that others
    issued for it (incoming edges)
  • stores an additional set of certificates chosen
    according to some algorithm A
  • 2 possible scenarios: Centralized and Distributed

[Figure: the two scenarios; labels: Certificate Server, 1 request, 2 sub-graph]

28
Verifying the key: merging the local repositories
and finding a path of certificates

29
Example of an algorithm: Maximum Degree
  • Node K builds its incoming and outgoing path(s)
    choosing the nodes with the highest degrees.
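
The two phases from the slides above (building a local repository, then merging two repositories and searching for a certificate chain), as an added Python example that is not the authors' code. The graph is constructed, and `greedy_path` is a simplified reading of Maximum Degree, assumed here to mean one walk per direction towards the unvisited neighbour of highest degree.

```python
from collections import deque

# Constructed certificate graph: edge (i, j) means i signed a certificate for Kj.
EDGES = [("A", "B"), ("A", "C"), ("B", "H"), ("B", "C"), ("C", "A"), ("D", "A"),
         ("H", "E"), ("H", "F"), ("F", "H"), ("E", "G"), ("G", "E")]

def adjacency(edges):
    out, inc = {}, {}
    for i, j in edges:
        out.setdefault(i, set()).add(j)
        inc.setdefault(j, set()).add(i)
    return out, inc

def greedy_path(start, nbrs, hops):
    """Walk up to `hops` edges, each time to the unvisited neighbour of highest degree."""
    path, seen, cur = [], {start}, start
    for _ in range(hops):
        cand = [v for v in nbrs.get(cur, ()) if v not in seen]
        if not cand:
            break
        nxt = max(cand, key=lambda v: (len(nbrs.get(v, ())), v))
        path.append((cur, nxt))
        seen.add(nxt)
        cur = nxt
    return path

def repository(user, edges, hops):
    """Local repository: own outgoing and incoming edges plus one greedy path each way."""
    out, inc = adjacency(edges)
    repo = {(user, j) for j in out.get(user, ())}
    repo |= {(i, user) for i in inc.get(user, ())}
    repo |= set(greedy_path(user, out, hops))
    repo |= {(b, a) for a, b in greedy_path(user, inc, hops)}
    return repo

def find_chain(u, v, repo_u, repo_v):
    """BFS over the merged repositories for a certificate chain from Ku to Kv."""
    merged, _ = adjacency(repo_u | repo_v)
    prev, queue = {u: None}, deque([u])
    while queue:
        cur = queue.popleft()
        if cur == v:
            chain = []
            while prev[cur] is not None:
                chain.append((prev[cur], cur))
                cur = prev[cur]
            return chain[::-1]
        for nxt in sorted(merged.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None
```

A returned chain only shows reachability in the merged sub-graph; the verifier still has to check each certificate's signature along it, starting from its own key.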

30
Example: Shortcut Hunter
Each node builds its incoming and outgoing
path(s) choosing the node that has the highest
number of shortcuts connected to it
[Figure: small world graph with node k and a shortcut]

31
Algorithm performance
32
Performance of Maximum Degree
  • Node builds its incoming and outgoing path(s)
    choosing the nodes with the highest degrees.

33
Performance of the Star Shortcut Hunter on real
PGP certificate graphs
34
Performance of the shortcut hunter on small world
and random graphs
  • F is the fraction of edges which are shortcuts,
    size of the local repositories sqrt(n)

35
False certificates
[Figure: keys Ki, Kj, KD and K'j]

36
Design goals
  • performance: redefined by taking authentication
    metrics into account
  • key usage: ideally, all vertices need to be used
    for authentication an equal number of times (to
    be on the path an equal number of times)
  • scalability: minimize the size of the local
    repositories (subgraphs) and the communication
    cost
  • invariance to certificate graph changes

37
Performance with authentication metrics
  • Examples of authentication metrics include
    number of disjoint paths of certificates, number
    of bounded and k-bounded disjoint paths ...

38
Key usage
  • The key usage is defined as the number of times
    that a key is used for authentication. Formally

39
Fundamental design limit (1): size of the
repositories
  • Problem 1: Find a set of subgraphs that minimizes
    the size of local repositories such that p = 1
  • Theorem 1

40
Fundamental design limit (2): key usage
  • Problem 2: Find a set of subgraphs that minimizes
    the size of local repositories such that p = 1
    and U(Kv) = U(Ku)
  • Theorem 2

Example of construction with V = 9, s = 4 and V = 4, s = 2

41
Maximum degree simulation results

Maximum degree
Graph                          Repository no. of paths  Mean length  Shortest path  No. of paths
PGP (5000 vertices)            1                        8.24         8.24           1
PGP (5000 vertices)            3                        8.23         7.69           1.42
PGP (5000 vertices)            6                        8.15         7.67           1.44
Artificial certificate graphs  1                        17.66        17.66          1
Artificial certificate graphs  3                        18.77        12.55          2.39
Artificial certificate graphs  6                        16           10.53          2.55

The whole graph
Graph                          Mean length  Shortest path  No. of paths
PGP (5000 vertices)            6.6          6.19           1.55
Artificial certificate graphs  6.8          5.71           3.66

42
PGP certificate graph
  • The PGP graph is the only known example of
    self-organized certificate graph creation.

Largest connected component of the PGP
certificate graph 2001 (8695 keys)
43
Key usage
Certificate usage with Maximum Degree algorithm
and the Shortest Paths on PGP graph and
artificial certificate graph
44
Small-world graphs
Small world graph characteristics
  • a small characteristic length (the median of the
    means of the shortest paths between all pairs of
    users)
  • a large clustering coefficient (a very high
    likelihood that two friends of a friend are
    friends as well)
  • a logarithmic characteristic length scaling

Shortcut: an edge upon whose disconnection the
shortest path between two vertices previously
connected by this edge becomes strictly larger
than 2.

45
Watts f-model
[Figure: lattice (f = 0), random graphs (f = 1), small world graphs]
f is the fraction of shortcuts in the total
number of edges of a graph.
Construction principle: rewire a regular 1-D lattice
randomly (creating shortcuts)

46
Characteristics of the PGP graph
47
Power law of the PGP graph
48
Construction of the artificial certificate graph
Principle: rewire an irregular 1-D lattice
randomly
  • Create an irregular lattice, according to the
    degree distribution provided by the power law
  • Rewire the lattice (adding or removing the
    shortcuts) to achieve the desired f-coefficient

49
Comparison of artificial and PGP graphs
50
Conclusion on Part 1 of Security for mobile ad
hoc networks
  • Very difficult problem, because of the nature of
    the network
  • Crucial issue: ad hoc networks cannot be used in
    practice if they are not secure
  • The kind of considered scenario (civilian /
    military, personal devices / sensors, ...) can
    radically influence the solution to be chosen
  • The presence or absence of an authority (e.g., in
    charge of distributing the keys) can lead to very
    different solutions in terms of key agreement

51
References
  • M. Reiter and S. Stubblebine, "Authentication
    metric analysis and design", ACM Trans. on
    Information and System Security, 1999
  • D. Watts, "Small Worlds", Princeton University
    Press, 1999
  • Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu
    Lu, Lixia Zhang, "Providing Robust and Ubiquitous
    Security Support for Mobile Ad Hoc Networks", ICNP
    2001
  • S. Capkun, L. Buttyan, JP Hubaux, "Trust
    Relationships in Mobile Ad Hoc networks", LCA
    technical report, 2001
  • JP Hubaux, L. Buttyan, S. Capkun, "The Quest for
    security of mobile ad hoc networks", MobiHoc 2001
  • For security in sensor networks, check A. Perrig
    et al., "SPINS: Security Protocols for Sensor
    Networks", Mobicom 2001