Security for Ubiquitous and Adhoc Networks

Mobile Adhoc Networks  Collection of nodes that do not rely on a predefined infrastructure  Adhoc networks can be formed merged together partitioned to separate networks  Not necessarily but often mobile  There may exist static and wired nodes

Examples  Computer science classroom adhoc network between student PDAs and workstation of the instructor  Large IT campus Employees of a company moving within a large campus with PDAs, laptops, and cellphones  Moving soldiers with wearable computers Eavesdropping, denial-of-service and impersonation attacks can be launched  Shopping mall, restaurant, coffee shops Customers spend part of the day in a networked mall of specialty shops, coffee shops, and restaurants

Examples Group A Group B Group C A trust relationship among 3 different adhoc groups

Networking Infrastructure Networking topologies  Flat infrastructure (zero-tier) All nodes have equivalent routing roles No hierarchy  Hierarchical infrastructure (N-tier) Cluster nodes have different routing roles Control the traffic between cluster and other clusters

Routing Protocols  Proactive: table-driven and distance vector protocols Nodes periodically refresh the existing routing info, every node can operate with consistent and up-to-date tables  Reactive (on-demand): updates the routing information only when necessary Most routing protocols are reactive  Hybrid: uses both reactive and proactive protocols For example, proactive protocol between networks, reactive protocol inside of networks

Networking Constraints  Mobility Due to mobility, topology of network can change frequently Nodes can be temporarily off-line or unreachable  Resource constraints Energy constraints Memory and CPU constraints Bandwidth constraints  Prior trust relationship Availability of Internet connection Central trust authority, base station Pre-distributed symmetric keys Pre-defined certificates and certificate revocation lists

Trust Management  Trust model Node-to-node trust Node-to-central authority trust  Cryptosystems Public-key cryptosystem  More convenience  Digital signature possibility Secret-key cryptosystem  Less functionality  Key distribution problem

Trust Models Web of Trust Model Hierarchical Model

Key Management  Key creation Central key creation Distributed key creation  Key storage Centralized Replicated storage for fault tolerance Distributed, on each node  Partial key storage (shared secrets)  Full key storage  Key distribution Symmetric and private keys: Confidentiality, authenticity and integrity should not be violated Public keys: Integrity and authenticity should be preserved

Availability  Network services should operate properly  Network services should tolerate failures even when DoS attack threats  Several availability attacks: Network layer: the attacker can modify the routing protocol (divert the traffic to invalid addresses) Network layer: adversary can shut down the network Session layer: adversary can remove encryption in the session-level secure channel Application layer: availability of essential services may be threatened

Physical Security  Nodes are assumed to have low physical security  Nodes can easily be stolen or compromised by an adversary  Fewer than 1/3 of the principals at the time of network formation are corrupted or malicious  Single or distributed point of failure

Identification and Authentication  Only authorized nodes (subjects) can have access to data (objects)  Only authorized nodes may form, destroy, join or leave groups  Identification can be satisfied by: User ID-Password based authentication systems Presented adequate credentials Delegate certificates

Network Operations  Link layer protections Protects confidentiality Protects authenticity  Network layer protections IPSec in case of IP-based routing  Confidentiality of routing info  Authenticity and integrity of routing info Against impersonation attacks Against destruction and manipulation of messages Against false traffic due to hardware or network failure

Network Operations  Non-repudiation of routing info Routing traffic must leave traces  Management of network Must be protected from disclosure Must be protected against tampering Must be protected against modified configuration tables by adversary (for reactive routing protocols)

Key Management Security  Environment-specific and efficient key management system  Nodes must have made a mutual agreement on a shared secret or exchanged public keys  In more dynamic environments Exchange of encryption keys may be addressed on-demand  In less dynamic environments Keys are mutually agreed proactively or configured manually

Key Management Security  Private keys have to be stored in the nodes confidentially Encrypted with the system key With proper hardware protection (smart cards) By distributing the key in parts to several nodes  Centralized approaches are vulnerable as single point of failures

Adhoc Keying Mechanisms  ID-based cryptography Master public key/secret key is generated by private-key generation service (PKG) Master keys known to everyone Arbitrary identities are public keys  Identity: “A1”  Public key: “MasterPublicKey | A1” Private keys should be delivered to nodes by PKG

Adhoc Keying Mechanisms  ID-based encryption schemes Setup: input a security parameter, return master public/secret keys Extract: input master secret key and identity, return the personal secret key corresponding to identity Encrypt: input master public key, the identity of the recipient and message, return ciphertext Decrypt: input master public key, ciphertext and a personal secret key, return plaintext

Adhoc Keying Mechanisms  Threshold cryptography Allows operations to be “split” among multiple users In t-out-of-n threshold scheme, any set of t users can compute function while any set of t-1 users cannot  If adversary compromises even t-1 users, he cannot perform crypto operation  Honest user who needs to perform crypto operation should contact t of users Secure against Byzantine adversaries exist for t < n/2, secure against passive adversaries can support t < n

Resurrecting Duckling Security Model Two state principle (duckling)  Imprintable  Imprinted Imprinting principle  Transition from imprintable to imprinted  Mother node sends imprinting key Imprintable Imprinted (alive) imprinting death

Resurrecting Duckling Security Policy  New node identifies and authenticates itself to the nearest active node (mother) in the group: imprinting  A shared secret key is established between mother and the new node: bootstrapping is generally accomplished by physical contact  This key provides privacy of computations between the node and the mother  A node may die, returning to its imprintable mode  A new imprinting by another mother is possible: reverse metempsychosis

Resurrecting Duckling Principles  Death principle Transition from imprinted to imprintable (death) Death by order of the mother Death by old age after predefined time interval Death on completion of a specific transaction/job  Assassination principle Assassination by attacker may be uneconomical Some suitable level of tamper resistance should be provided  Broken is different from death A node can be broken by an adversary, but it cannot be made imprintable (it can be smashed, but it will not die)

Resurrecting Duckling Principles  If the shared secret key is lost and beyond recovery, we may want/need to regain control of the node The manufacturer may order the device to commit suicide (escrowed seppuku) Shogun role by the manufacturer; however, this will cause centralization If the mother keeps a copy of the imprinting key, localization can be achieved  Multilevel souls The same node can serve to many mothers establishing different keys Each soul in the node will have imprinted and imprintable states, souls would be functioning in parallel

Research at Oregon State University  Information Security Laboratory at Oregon State University is working towards developing a distributed Kerberos system for mobile adhoc network of devices Devices with different computing power, memory (code & RAM) space, and power consumption properties Initial group formation (authentication) is accomplished by physical contact, touching (imprinting) Symmetric cryptography based hierarchical trust model Key list & Trust list data structures Nodes may join and may gracefully leave the group Ungraceful (abrupt) leaving requires new touching

Group Formation a bc d IdRelationMACKey cItself …… aParent … K ac dChild … K cd IdRelationMACKey dItself …… cParent … K cd KL c KL d KL a IdRelationMA C Key aItself …… bChild … K ab cChild … K ac KL b IdRelationMA C Key bItself …… aParent … K ab

Node-to-node Key Agreement a b e d i h g f c Ancestor Sets AS b ={a} AS h ={b, a} AS d ={a} AS i ={d, a}

Graceful Leave a b e d i h g f c j Node j wants to leave the group Node f generates new branch key and sends to b, b forwards new branch key to root node a, node a changes the group key and begins the group re-keying with refreshed branch keys

Abrupt Leave a b e d i h g f c j Node d leaves the group abruptly Node a generates new branch key for this branch, but since node i lost its mother, i should touch contact to any node in the group in order to re-join and re-authenticate