Peer-to-Peer Security in Wireless Ad Hoc Networks + CommonSenseNet

Peer-to-Peer Security in Wireless Ad Hoc Networks+ CommonSenseNet Jean-Pierre Hubaux EPFL, Switzerland

Outline • Brief presentation of the MICS/Terminodes project • Mobility helps peer-to-peer security • Cooperation between nodes in multi-hop wireless networks • Three more projects : • Cooperation without incentives • Power-efficient broadcast in all-wireless networks • Water management by means of sensor networks

National Competence Centers in Research • Initiative of the Swiss National Science Foundation • Call for proposals in late 1998, for several scientific areas (including Medicine and Physics) • Proposals have to be substantial (yearly budget around 3 Mio Euros/year) and long term (from 2001 to 2010) • 200+ proposals have been submitted in the first round • 14 proposals finally selected (in 2000) • The Mobile Infomation and Communication Systems or Terminodes proposal is the only selected in the area of communications; official start : November 2001

Terminal + Node = Terminode Destination Source • All network functions (packet forwarding, flow control, error control,…) and terminal functions (coding/decoding, A/D and D/A, storage, ciphering,…) are embedded in the terminode • A communication must be relayed by intermediate terminodes • The network is self-organized: it is operated by its users • All terminodes are potentially mobile Terminodes are the extreme (or academic) case of several concreteincarnations: multi-hop cellular networks, networks of vehicles,sensor networks, self-operated networks, distributed robots,…

National Center for Competence in Research: Mobile Information and Communication Systems www.terminodes.org Academic consortium (in CH): ETHZ • Industrial partners: • IBM • Microsoft • Samsung • Siemens • Swisscom • Whitestein Technologies Deputy director of NCCRProf. Th. Gross Uni St Gallen CSEM Uni Zurich Uni Bern EPFL Fribourg: CCTC Director of NCCRProf. M. Vetterli Uni Lausanne Around 25 faculty members and 80 PhD students + many academic partners worldwide

Main challenge and benefit of the research program : working accross layers Selected application: environmental monitoring (sensor networks)Other possible applications: crisis networks, networks of cars, networks for rural areas

Mobility Helps Peer-to-Peer Security Peer-to-peer Authentication and Key Establishment in Mobile Networks Joint work with Levente Buttyan+ and Srdjan Capkun + Now with Laboratory of Cryptography and Systems Security (CrySyS) Department of Telecommunications, Budapest University of Technology and Economics

Secure communication with cryptography(reminder) Mallory (or Oscar) Attacker or opponentor intruder Key K Key K’ x y x Alice EK(x) DK’(y) Bob Sender Encrypter Decrypter Receiver x: plain text y: cipher text Symmetric cryptography: if K’ = K Asymmetric cryptography (or public key cryptography): if K’ K DK’(EK(x)) = x

Digital Signature (reminder) Alice Bob Message m m = ? Signature: sig or σ Verification: ver A certificate is an identity or a public key signed by another entity

Does mobility increase or reduce security ? • Very often, people move to increase security: • Face to face meetings • Transport of assets and physical documents • Authentication by physical presence • In spite of the popularity of PDAs and cellular phones, this mobility has not been exploited so far to provide digital security • Mobility is usually perceived as a major security challenge: • Wireless channel • Unpredictable location of the user • Sporadic availability of the user • Higher vulnerability of the device • Smaller computing capability of the device • So far, client-server security has been considered as the priority (e-business, cellular telephony,…) • Peer-to-peer security is still in its infancy

Security of cellular networksExample: GSM Shared, symmetric key Base station AuthenticationCenter Mobile station (key stored in The SIM card) Challenge Response Setting up of the encryption key • The key stored in the SIM card incarnates the contract between the subscriber and the operator • It is established manually when the contract is signed • Only symmetric cryptography is used

Example of security for wireless LANs: standard IEEE 802.1x (*) Encapsulated EAP, Typically on RADIUS EAPOL(over IEEE 802.11) Authenticator (Access Point) Authentication Server Supplicant (Mobile Station) • EAP: Extensible Authentication Protocol (RFC 2284, 1998) • EAPOL: EAP over LAN • RADIUS: Remote authentication dial in user service (RFC 2138, 1997) • Features of IEEE 802.1x: • - Supports a wide range of authentication schemes, thanks to the usage of EAP • One-way authentication • Optional encryption and data integrity • (*) Notes: • IEEE 802.1x is not specific to wireless LANs and was not designed specifically for them • New standard: IEEE 802.11i (2003)

Wireless Transport Layer Security protocol (WTLS) SSL WTLS (Secure Socket Layer) Webserver WAP Gateway Authentication classes of WTLS: Class 1: no authentication Class 2: authentication of the server only (similar to traditional SSL / HTTPS used with Web servers); the server certificate is usually signed by a Trusted Third Party (Verisign, Entrust, Smartrust,…) Class 3: authentication of both server and client; requires aPublic Key Infrastructure and a Wireless Identity Module (WIM); very few implementations so far

Security in ad hoc networks • Constraints • Mobile devices  limited computing capabilities • Sporadic connectivity  prevents from relying on an on-line server • Solutions proposed so far • Some nodes have a special role; they are entitled to perform threshold cryptography operations (Cornell, 1999) • Generalization: any node can take this responsibility (UCLA, 2001) • Users are all in the same location; they agree on a common password, type it into their device; the protocol creates a strong shared key (Nokia, 2001) • Issue mutual certificates and build up a distributed certificate graph à la PGP (EPFL, 2001)

Problem : how to bootstrap security in a mobile network without a central authority ? Mobility helps security Visual recognition, conscious establishment of a two-way security association   (Alice, PuKAlice, XYZ) Bob Alice Infrared link (Bob, PuKBob , UVW) • Secure side channel • Typically short distance (a few meters) • Line of sight required • - Ensures integrity • - Confidentiality not required

Colin Friends mechanism (Alice, PuKAlice, XYZ) Alice (Alice, PuKAlice, XYZ) Bob (Colin’s friend) IR • Colin and Bob are friends: • They have established a Security Association at initialisation • They faithfully share with each other the Security Associations • they have set up with other users

i i i i i i f f f f j j j j j j Mechanisms to establish Security Associations a) Encounter and activation of the Secure Side Channel b) Mutual friend c) Friend + encounter Exchange of triplets over the secure side channel Two-way SA resulting from a physical encounter Friendship : nodes know each others’ triplets i knows the triplet of j ;the triplet has been obtained from a friend of i j i Note: there is no transitivity of trust (beyond your friends)

Protocols

Depends on several factors: • Area size • Number of communication partners: s • Number of nodes: n • Number of friends • Mobility model and its parameters (speed, pause times, …) Pace of establishment of the security associations (1/2) Established security associations : Desired security associations : Convergence :

Pace of establishment of the security associations (2/2)

Conclusion on Mobility Helps Security • Mobility can help security in mobile ad hoc networks, from the networking layer up to the applications • The proposed solution also supports re-keying • The proposed solution can easily be implemented with both symmetric and asymmetric cryptography S. Capkun, J. P. Hubaux, and L. Buttyan Mobility Helps Security in Ad Hoc Networks Fourth ACM Symposium on Mobile Networking and Computing (MobiHoc), Annapolis, June 2003 S. Capkun, L. Buttyan, and J.-P. Hubaux Self-Organized Public-Key Management for Mobile Ad Hoc Networks IEEE Transactions on Mobile Computing, Vol. 2, Nr. 1, 2003

Cooperation between Nodes in Hybrid Ad Hoc Networks Jean-Pierre Hubaux1 Joint work with Naouel Ben Salem1, Levente Buttyan2,and Markus Jakobsson3 1 EPFL/School of Information and Communication 2 Budapest University of Technology and Economics 3 RSA Labs

Hybrid ad hoc networks (1/2) D S • Set of base stations connected to a backbone (like in cellular) • Potentially, multi-hop communication between the mobile station and the base station (unlike in cellular) • Principle usable for both “classical”, voice centric cellular networks and wireless LANs (e.g., IEEE 802.11)

Hybrid ad hoc networks (2/2) • Expected benefits: • Energy consumption of the mobile stations can be reduced • Immediate side effect: Reduced interference • Number of base stations (fixed antennas) can be reduced • Coverage of the network can be increased • Closely located mobile stations can communicate independently from the infrastructure (ad hoc networking) • Problem: How to encourage the nodes to relay packets for the benefit of other nodes?

Possible solution : systematicmicro-payments Initiator Correspondent BSB BSA j B A 1 i 1 • Principle: for every packet, the initiator is charged and all relay nodes are rewarded • Strength : all cheating attempts will be detected • Weakness : overhead (increase of the communication cost around 3 to 12%) • N. Ben Salem, L. Buttyan, J. P. Hubaux, and M. Jakobsson,"A Charging and Rewarding Scheme for Packet Forwarding in Multi-hop Cellular Networks"Fourth ACM Symposium on Mobile Networking and Computing (MobiHoc), Annapolis, June 2003

Alternative solution : probabilisticmicro-payments • Proposals for probabilistic payments: • D. Wheeler(1996) • Jarecki and Odlyzko (1997) • S. Micali and R. Rivest (2002) • … Model for the network: • Multi-hop up-link • Single-hop down-link D S

The solution in three easy steps – Step 1 • Assume that all packet sending/receiving events can be observed by an observer • The observer could tell • who originated a packet (whom to charge) • who forwarded a packet (whom to remunerate) • who dropped a packet (whom to punish?)

The solution in three easy steps – Step 2 • Assume that every node honestly reports its own sending/receiving events to the operator • The operator could tell • who originated a packet (whom to charge) • who forwarded a packet (whom to remunerate) • who dropped a packet (whom to punish?) • Problems: • nodes may not be motivated to send reports • nodes may lie (send false reports) • reporting all events may be a huge overhead

The solution in three easy steps – Step 3 • Nodes get paid for their reports • nodes are motivated to send reports • Events to be reported are selected probabilistically • this drastically reduces the overhead • Neighbors are remunerated as well • this further increases the motivation to cooperate • Based on the received reports, the operator performs statistical analysis (auditing) • this allows detection of cheating behavior

Assumptions • Hybrid ad hoc network with multi-hop up-link and single-hop down-link • Symmetric-key crypto, each node shares a long-term symmetric key with the operator (base stations) • The operator manages numerous base stations and one accounting center • The operator is trusted by every node for • not revealing secret keys • correctly transmitting packets • correctly performing billing and auditing • Users are not trusted to act according to the protocol • users behave rationally • they can tamper with their devices • they can collude

Protocol • Setup • users register with the operator • each registered user u gets an id and a symmetric key Ku • Ku is shared by the user and the operator (base stations) • Maintaining connectivity information • each user u keeps a list of triplets (ui, di, Li), where • ui is a neighbor • with distance (in hops) di from the base station and • with reward level Li • the list is sorted in terms of increasing values of di and Li • Reward levels • packets have reward levels too • a higher reward level means higher charge for the originator and higher reward for the forwarders • ui is willing to forward packets with a reward level higher than Li

Packet origination • Originator o wants tosend payload p • o selects a reward level L • computes a MAC: m = MACKo( L | p ) • transmits [ o | L | p | m ] according to the Packet Transmission Protocol MAC : Message Authentication Code

Packet transmission (u=x, d=3, L=70) x (u=y, d=2, L=53) • User u – originator or forwarder – wants to transmit packet P = [ o | L | p | m ] 1. u selects his first as yet unselected entry (ui, di, Li) where Li < L 2. sends a forward request to ui (contains L and possibly more info) 3. waits for an ack from ui • if received, then u sends P to ui • if not received, then u increases i by one and goes to step 2 in any case: if u is not the originator, then u performs the Reward Recording Protocol y u (u=z, d=3, L=82) z

Packet processing by the base station D 2 6 1 S 3 4 5 Accounting Center The base station receives a packet P = [ o | L | p | m ] • it looks up the secret key Ko of the originator o • verifies the MAC m • if not correct, then drops the packet • if correct, then transmits the packet to the destination • keeps a count of the number of packets transmitted for o • records a fraction of all triplets (m, L, u), where u is the id of the user from which it received the packet [ o | L | p | m ] • periodically sends the recorded information to an accounting center Verify m Retrieve Ko P

Reward recording • User u has forwarded a packet P = [ o | L | p | m ] • u interprets m as a lottery ticket • the ticket is winning for u iff f(m, Ku) = 1 for some function f • if m is winning, then u records (u1, u2, m, L), where • u1 is the user from which he received P • u2is the user (or base station) to which he forwarded P f(m, Ku) =1 ? u1 u u2 (or base station) • Example for f : f(m, Ku) = 1 iff dHamming(m, Ku) £ h • Note: If f is not one-way, then all claims should be encrypted during transmission

Reward claim Accounting Center • User u has a list M of reward records • when u is adjacent to a base station, he transmits a claim [ u | M | MACKu(M) ] to the base station • the base station verifies the MAC • if incorrect, then ignores the claim • if correct then records the claim and sends an ack • when u receives the ack, he deletes M from memory • the base station sends the recorded reward claims to the accounting center [ u | M | MACKu(M) ] u

Accounting • The accounting center receives • reward claims of the form: “u claims (u1, u2, m, L)” • traffic info recorded by the base stations of the form:“(m, L, u) from o” • All originators whose identity has been recorded by a base station are charged • All users whose identity figures as a claimant in an accepted reward claim are credited • All users whose identity appears as sending or receiving neighbor in an accepted reward claim are also credited

Auditing The probability for a ticket to win is independent of the identity of the user who evaluates it  each user should appear as a claimant with approximately the same frequency as he figures as either sending or receiving neighbor of a claimant

Examples of abuses and their detection d c a b • Packet dropping Description: the user agrees to forward, but he doesn’t forward Detection: receiving neighbor freq. > sending neighbor freq. • Ticket sniffing Description: the user claims credit for overheard packets Detection: • claimant freq. > receiving neighbor or sending neighbor freq. • conflicting claims d claims (b, c, m, L) b claims (a, c, m, L)

Conclusion on the probabilistic encouragement for collaboration • Cooperation between nodes can be fostered by micro-payments • Probabilistic micro-payments can drastically reduce the overhead • The operator can fine tune the detection mechanisms according to the level of observed cheating • Future work • Study attacks by malicious users • Pricing issues (e.g., computation of the reward levels) M. Jakobsson, J. P. Hubaux, and L. Buttyan A Micro-Payment Scheme Encouraging Collaboration in Multi-hop Cellular NetworksProceedings of Financial Crypto 2003

Cooperation without incentivesin pure ad hoc networks yi Ai Examples of strategies: Initial cooperation level σi Function Strategy 0 AllD (always defect) 1 AllC (always cooperate) xi 1 TFT (Tit-For-Tat) Conclusion: In a static network, the conditions for spontaneous cooperation are extremely unlikely to be met; but mobility improves things. M. Felegyhazi, Levente Buttyan, and J. P. Hubaux"Equilibrium Analysis of Packet Forwarding Strategies in Wireless Ad Hoc Networks – the Static Case"Proceedings of Personal Wireless Communications (PWC `03), Venice, Italy, September 2003

Power-efficient Broadcast in all-wireless networks • Calculate gains 5 5 • Calculate new transmission power • Try to remove node d: h f 8 4 pb=8 b 1 a pa=2 5 2 d pe=4 pd=4 e 4 c pc=5 4 i j g M. Cagalj, J. P. Hubaux, and C. Enz,“Minimum-Energy Broadcast in All-Wireless Networks : NP-completeness and Distribution Issues”, Mobicom 2002

COMMON-Sense Net:Agriculture and water management with the use of wireless sensor networksJoint work with IISc

The need for water Sanitation, distribution of unserved populations Water supply, distribution of unserved populations • Consequence: Growing humanitarian crises and political instability

Water and agriculture Agriculture consumes 70% of the fresh water used worldwide by human activity Around 40% of the fresh-water used for agriculture is lost (evaporation, spills, undue absorption) Agriculture is largely responsible for ground water’s depletion and salinisation.

Assumptions • An optimized water management in agriculture is needed • Optimised water management means better information gathering on the soil’s and plants’ condition • Sensors and sensors networks can provide this enhanced information

A concrete test case (1)

A concrete test case (2) • 25 villages over a radius of 25km • Marginal farmers (< 1 ha) and small farmers (< 2 ha) • No powered irrigation • Cultures:groundnut (for oil), cereals millets (finger millet -locally known as Ragi-, sorghum)rice in some irrigated patches

User requirements A better access to critical data and information to help farmers in their decision making process • Soil: humidity, salinity • Ground-water: level, quality (nitrates,phosphates) • Local meteorological data: temperature, radiance, wind velocity and direction... • Global meteorological data: weather forecast, seasonal estimates... • Cultural and social issues are critical

Peer-to-Peer Security in Wireless Ad Hoc Networks + CommonSenseNet

Peer-to-Peer Security in Wireless Ad Hoc Networks + CommonSenseNet

Presentation Transcript

Lookup Service for Peer-to-Peer Systems in Mobile Ad-hoc Networks

Peer-To-Peer Networks

Peer to Peer Networks and Security

Security in Wireless Ad Hoc Networks

Peer-to-Peer Networks

Peer to peer ad-hoc networks CSI 5148 Wireless Ad Hoc Networking

Peer-to-peer networks

Security of wireless ad-hoc networks

Security in Ad Hoc Wireless Networks

Routing Security in Wireless Ad Hoc Networks

Peer-to-Peer Networks

Peer to Peer Applications in Ad hoc Networks

Peer-to-peer networks

Ad-hoc Limited Scale-Free Models for Unstructured Peer-to-Peer Networks

Peer-to-Peer Networks

Peer-to-Peer Networks

Peer-to-peer networks

Peer to Peer Networks and Security

Peer-to-Peer Networks 14 Security