URSA: Providing Ubiquitous and Robust Security Support for MANET
ICNP 2001
Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang
University of California, Los Angeles

Lapse: 30 seconds
Good morning. I am Jiejun Kong from the Computer Science Department, UCLA. The topic of my presentation is the Ubiquitous and Robust Security Architecture, which provides security support for Mobile Ad-hoc NETworks. It is my pleasure to describe in this talk our security algorithms and protocols, which provide ubiquitous and robust security services to Mobile Ad-hoc NETworks, where communication is vulnerable to various security attacks and network dynamics: the cryptanalysis and denial-of-service attacks already well known in the wired Internet, and the features idiosyncratic to wireless networks, such as mobility and wireless interference.
Outline
Mobile Ad-hoc Network (MANET)
Design goals & challenges
Problems of conventional approaches
Our approach: network protocols, cryptographic algorithms
Implementation & simulations
Conclusions

Lapse: 30 seconds
First, briefly describe the target system, which is ….. Then the design goals and challenges in providing security support in such an environment. Next, the problems of applying conventional approaches to achieve the goals and meet the challenges. To overcome ……, we show our approach by explaining both _________ and ____________. We have implemented all cryptographic algorithms and have simulated all network protocols. Next we show that our approach prevails over other approaches by evaluating empirical results obtained from our implementation and simulation. Finally the presentation is concluded with future work.
MANET: Overview
Nodes freely roam
Multi-hop communication towards remote nodes
Shared wireless medium is error-prone

Lapse: 45 seconds
Mostly infrastructureless. Two distant nodes, such as the client and the server in the client-server model, must establish a multi-hop connection over a shared and error-prone wireless medium. Multi-hop connections are very unreliable: either they are likely to be broken, or they incur unpredictable delay if advanced technologies like link-layer ARQ are used. The server is vulnerable: congestion at the server site due to the shared medium, and DoS attack simply by wireless interference.
Ref. Yongguang Zhang and Wenke Lee. Intrusion detection in wireless ad-hoc networks. In MOBICOM, 2000.
Security Supports for MANET
Authentication
Service availability
Message privacy
Message integrity
Non-repudiation
More difficult than the wired scenarios:
Mobility: state constantly changes
Security threats over vulnerable wireless links

Lapse: 45 seconds
The first three aspects are normally achieved by symmetric and asymmetric key cryptosystems installed on each network entity. Once communicating parties are authenticated, existing security solutions (SSL/TLS/WTLS) can readily provide those services by key exchange and digital signature. Note that the assumption of those solutions is that appropriate authentication has been done. State, including topological positions and security status, is constantly changing in MANET. Wireless links facilitate both passive eavesdroppers and active DoS attackers. There is no easy means to protect a network entity by a firewall, and so on.

Passive security attacks (upon eavesdropping):
Ciphertext only: the attacker has only the encoded message from which to determine the plaintext, with no knowledge whatsoever of the latter.
Known plaintext: the attacker has the plaintext and corresponding ciphertext of an arbitrary message not of his choosing. The particular message of the sender's is said to be "compromised".
Under the following attacks, the attacker has the far less likely or plausible ability to "trick" the sender into encrypting or decrypting arbitrary plaintexts or ciphertexts. Codes that resist these attacks are considered to have the utmost security.
Chosen plaintext: the attacker has the capability to find the ciphertext corresponding to an arbitrary plaintext message of his choosing.
Chosen ciphertext: the attacker can choose arbitrary ciphertext and find the corresponding decrypted plaintext. This attack can show up in public key systems, where it may reveal the private key.
Adaptive chosen plaintext: the attacker can determine the ciphertext of chosen plaintexts in an interactive or iterative process based on previous results. This is the general name for a method of attacking product ciphers called "differential cryptanalysis".

Active security attacks (upon active interference):
Denial-of-service: in MANET, local monitoring is a practical means to identify and isolate a DoS attacker, as his/her packets need to be forwarded by well-behaving neighbors.
Design Challenges
Security breach: vulnerable wireless links; occasional break-ins may be inevitable over a long time
Service ubiquity in presence of mobility: anywhere, anytime availability
Network dynamics: wireless channel errors; node failures; node join/leave; network scale

Lapse: 45 seconds
Mobility and service ubiquity: mobility incurs dynamic topological changes. A remote node may fail to contact a specific server due to volatile multi-hop connections. For example, routing protocols may fail to establish robust communication if the hop count is too big. In the case of DSR, 10 hops is normally the recommended upper limit [8].
[8] D.B. Johnson and D.A. Maltz. Dynamic Source Routing in Ad Hoc Wireless Networks. In Imielinski and Korth, editors, Mobile Computing, volume Kluwer Academic Publishers, 1996.
Network dynamics: link-layer ARQ causes unpredictable delay when the wireless connection is interfered with by nature or by adversaries. Here is real data collected by Yong Kyun Kwon (CS118 undergraduate student, during June 2001, before Metricom shut off its network). It shows unpredictable delay even on 1-hop wireless connections if link-layer ARQ is applied (in the extreme case, a 30-times difference).
Conventional Approaches
Centralized & hierarchical scheme
Single server
Multi-server infrastructure: server replication; threshold secret sharing inside the server infrastructure

Lapse: 30 seconds
Centralized & hierarchical schemes apply existing Internet solutions to MANET.
Single server: a single centralized server provides authentication services for the entire network. Single point of failure (system faults). Single point of DoS attack. Single point of compromise. No scalability.
Multi-server infrastructure [Ref: Lidong Zhou and Zygmunt J. Haas. Securing Ad Hoc Networks. IEEE Network, 13(6):24–30]: the entire network is logically partitioned into domains where a server infrastructure is deployed. Complicated management. Still not suitable for high-mobility entities. Still multi-hop: though the connection may be viable due to the limited hop count, the requests are not served in a timely manner. Every local server is exposed to a single point of failure/DoS attack. Threshold secret sharing among local servers solves the problem of single point of compromise, but incurs large communication overhead and requires infrastructure support.
Problems of Conventional Approaches (Centralized & Hierarchical)
Service performance comparison
Low success ratio: 80%
Large average delay

Lapse: 30 seconds
Both approaches are inferior to our approach (which will be addressed later) in terms of both service availability (service request success ratio) and performance (average delay).
Our Approach
Ubiquitous and robust service provision in the presence of random mobility
Localized algorithms and protocols
One-hop wireless communication

Lapse: 45 seconds
We deliver security support in each neighborhood by localized algorithms and protocols. Network entities enjoy ubiquitous services anywhere, anytime in MANET. The service provision is more robust than other approaches, due to localization: one-hop wireless communication only, so we expect more reliable connections and predictable communication delay (fast and reliable). Suppose the one-hop bit error rate (BER) is (1-P); then P is the probability that a bit gets through one hop, and P^k over a k-hop connection. In other words, the one-hop probability P is the k-th root of the k-hop probability P^k, where k is the average hop count to contact a centralized server.
Why this model?
No single point of compromise: hackers must break into K nodes simultaneously to compromise the system
No single point of DoS attack & node failure
K offers a tradeoff between intrusion tolerance and service availability:
K=1: single point of compromise, maximal availability
K=N: single point of DoS attack, maximal intrusion tolerance
System Overview
Each node carries a verifiable, unforgeable personal certificate
Certificate is signed by the network system key SK
Certificate may be issued, renewed, or revoked
Every mobile node periodically renews its certificate
Ubiquitous services enabled by secret sharing
System Components
Certification services: localized certificate issuing, renewal, revocation
Self-initialization service: to provide a secret share to an entity; to provide a scalable proactive secret share update service
Proactive secret share update service: to resist long-term adversaries without changing the shared secret

Lapse: 1 minute
Localized algorithms and protocols provide common PKI services. From the network perspective, the services are robust and scalable. To enable ubiquitous PKI services, a self-initialization service is provided to propagate secret shares in the way defined as "K-out-of-N secure", the essence of secret sharing. The self-initialization service ensures that the secret sharing scheme is scalable. To ensure the security of secret sharing, a proactive secret share update service is employed to periodically refresh all secret shares without changing the shared secret. The more frequent the proactive update is, the more secure the secret sharing scheme is. (Tradeoff: the overhead is controlled by the system parameter T_update.)
Network Protocol
Certification service: broadcast service request; compute partial certificates; return partial certificates (K=5); combine K partial certificates
Self-initialization: 1. Broadcast request; 2. Unicast shuffling package; 3. Route shuffling package; 4. Unicast partial secret share

Lapse: 1 minute and 15 seconds
Certificate (re-)issuing, renewal, and explicit revocation are implemented by the first protocol. The requester broadcasts a "certification-service-request" message in its one-hop neighborhood (an asynchronous algorithm allows a dynamic coalition formation). The requester collects K unicast responses from its neighbors, and computes a valid new certificate based on the K partial certificates.
Self-initialization (to be addressed later) is implemented by the second protocol. The uninitialized requester broadcasts an "initialization-request" message in its one-hop neighborhood, along with local coalition information. Each coalition member selects a random nonce for each other (lower-id) member in the coalition. Each nonce is encrypted with the personal public key of the intended receiver. The requester acts as the router and receives the shuffling packages from K-1 members. The requester routes the encrypted nonces to their intended receivers. Each member decrypts all its nonces, computes a shuffled partial secret share, and then sends it back to the requester.
Both schemes are K-out-of-N secure. For self-initialization, at least two uncompromised entities are needed in the coalition.
Cryptographic Algorithms: Threshold Secret Sharing
Polynomial-based threshold secret sharing
Given a secret d and a random polynomial of degree K-1
  f(x) = d + f1·x + f2·x^2 + …… + f_{K-1}·x^{K-1} mod n
Each entity v_i obtains its secret share "f(v_i) mod n"
d can be recovered by Lagrange interpolation
In the RSA cryptosystem, the d in the signing key SK=(d,n) is shared and distributed

Lapse: 45 seconds
A number of secret sharing schemes exist. Additive secret sharing: a fixed set of share holders can recover the secret. Threshold secret sharing: any K members can recover the secret. Any secret can be shared, including the signing key of the network certificates. Our scheme is currently based on the prevalent public key cryptosystem, RSA. Our contribution from the cryptographic perspective: all of the following references do NOT focus on SCALABILITY.
Adi Shamir. How to Share a Secret. Communications of the ACM, 22(11):612–613.
Yvo Desmedt and Yair Frankel. Shared Generation of Authenticators and Signatures (Extended Abstract). In CRYPTO, pages 457–469, 1991.
Yair Frankel and Yvo G. Desmedt. Parallel Reliable Threshold Multi-signature. Technical Report TR , Dept. of EECS, University of Wisconsin-Milwaukee, 1992.
Ran Canetti, Shai Halevi, and Amir Herzberg. Maintaining
Alfredo De Santis, Yvo Desmedt, Yair Frankel, and Moti Yung. How to Share a Function Securely (Extended Summary). In STOC, pages 522–533, 1994.
Rosario Gennaro, Stanislaw Jarecki, Hugo Krawczyk, and Tal Rabin. Robust and Efficient Sharing of RSA Functions. In CRYPTO, pages 157–172, 1996.
Rosario Gennaro, Stanislaw Jarecki, Hugo Krawczyk, and Tal Rabin. Robust Threshold DSS Signatures. In EUROCRYPT, pages 354–371, 1996.
Tal Rabin. A Simplified Approach to Threshold and Proactive RSA. In CRYPTO, pages 89–104, 1998.
Victor Shoup. Practical Threshold Signatures. In EUROCRYPT, pages 207–220, 2000.
Lagrange Interpolation

Lapse: 30 seconds
Also mention that a newly joined node v_x's secret share can be computed via Lagrange interpolation in the same way the secret is computed.
Multi-signature
Threshold secret sharing reveals d to a coalition
d is not revealed if partial certificates are used
The cornerstone is the equation X^{d1} · X^{d2} · … · X^{dK} = X^{(d1 + d2 + … + dK)}
Each coalition member contributes a signed partial certificate X^{SK_i} = (X^{d_i} mod n), which corresponds to an RSA SK-signing in computation
The certification service requester combines the K partial certificates and obtains a correctly-signed certificate X^{SK} = (X^d mod n)

Lapse: 45 seconds
The shared secret is revealed to a K-coalition in Shamir's scheme. In the multi-signature scheme, the shared secret is not revealed to any entity if the protocol is followed. Instead of revealing its personal secret share to anybody else, a member uses the share to sign a certificate, as if the share were an RSA secret key. The result is a signed partial certificate, without revealing the personal secret share. The requester obtains the product of the K partial certificates, which is supposed to be the valid new certificate signed by the shared secret SK (if the arithmetic is applied on the integers Z).
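As an added worked example (my own code, not the URSA authors'), the following Python carries the three preceding slides through with toy numbers: sharing the RSA exponent d with a degree K-1 polynomial mod n, recovering d and a newly joined node's share by Lagrange interpolation, and combining K partial certificates X^{d_i} into X^d without any member revealing its share. The toy RSA key, node ids, polynomial coefficients and digest X are all constructed; the final offset check (the product is X^d times a power of X^n because the shares live mod n rather than in Z, so the requester tries the K possible offsets and verifies each candidate with the public exponent e) is my assumption about how the combination is completed, not something the slides state.

```python
from functools import reduce

# Constructed toy RSA key: n = 61 * 53, e = 17, d = e^-1 mod phi(n) = 2753.
N_MOD = 61 * 53   # RSA modulus n (public)
E_PUB = 17        # public exponent e
D_SEC = 2753      # private signing exponent d: the shared secret
K = 3             # threshold: any K shares recover d, any K members can sign

def poly_eval(coeffs, x, mod):
    """f(x) = c0 + c1*x + ... + c_{K-1}*x^{K-1} mod `mod`."""
    return sum(c * pow(x, i, mod) for i, c in enumerate(coeffs)) % mod

def lagrange_coeff(i, ids, x, mod):
    """Lagrange basis value l_i(x) over share ids `ids`, computed mod `mod`.
    Needs every (v_i - v_j) invertible mod n; small distinct node ids do."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (x - j) % mod
            den = den * (i - j) % mod
    return num * pow(den, -1, mod) % mod

def make_shares(coeffs, ids):
    """Dealer step: node v_i receives its secret share f(v_i) mod n."""
    return {v: poly_eval(coeffs, v, N_MOD) for v in ids}

def interpolate(shares, x):
    """Recover f(x) from any K shares: x = 0 yields the secret d, x = v_x
    yields the share of a newly joined node v_x (as on the Lagrange slide)."""
    assert len(shares) >= K, "need at least K shares"
    ids = list(shares)[:K]
    return sum(shares[i] * lagrange_coeff(i, ids, x, N_MOD) for i in ids) % N_MOD

def partial_certificate(x_msg, share, i, ids):
    """Coalition member v_i signs with d_i = f(v_i) * l_i(0) mod n, as if d_i
    were an RSA private exponent, and never reveals f(v_i) itself."""
    d_i = share * lagrange_coeff(i, ids, 0, N_MOD) % N_MOD
    return pow(x_msg, d_i, N_MOD)

def combine(x_msg, partials):
    """Requester step. The product of the partials is X^(d_1+...+d_K), and
    d_1+...+d_K = d + t*n for some 0 <= t < K (each d_i was reduced mod n),
    so the product is X^d * (X^n)^t. Assumption added here: strip the (X^n)^t
    factor by trying each t and verifying the candidate with the public key."""
    prod = reduce(lambda a, b: a * b % N_MOD, partials, 1)
    inv_xn = pow(pow(x_msg, N_MOD, N_MOD), -1, N_MOD)   # needs gcd(X, n) = 1
    for t in range(K):
        cand = prod * pow(inv_xn, t, N_MOD) % N_MOD
        if pow(cand, E_PUB, N_MOD) == x_msg % N_MOD:     # RSA verify: cand^e == X
            return cand
    raise ValueError("no offset verified: a partial certificate was bad")

def demo():
    coeffs = [D_SEC, 1111, 2222]   # constructed "random" f1, f2 (degree K-1 = 2)
    shares = make_shares(coeffs, [1, 2, 3, 4, 5])   # N = 5 nodes, ids v_i
    coalition = [2, 4, 5]                           # any K = 3 neighbours
    sub = {i: shares[i] for i in coalition}
    recovered = interpolate(sub, 0)                 # Shamir recovery: == d
    new_share = interpolate(sub, 6)                 # share for new node v_x = 6
    x_msg = 1234                                    # constructed certificate digest X
    partials = [partial_certificate(x_msg, shares[i], i, coalition) for i in coalition]
    cert = combine(x_msg, partials)                 # == pow(X, d, n), d never exposed
    return recovered, new_share, cert
```

Calling demo() returns the recovered d, the share computed for the new node, and the combined certificate, which verifies under e exactly like a signature made with d itself.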
Implementation & Simulation
Implementation in C: minimized extension (RSA-compatible operations); optimized for wireless low-end devices (code size, instruction set); coded as a value-added plug-in to existing security systems
Simulation in ns-2: communication efficiency dimensions: network size (scalability), node mobility, wireless channel errors; performance metrics: success ratio, average delay, average # of attempts

Lapse: 1 minute
Implementation -> computation overhead. Simulation -> communication overhead. Like other online cryptographic implementations, the implementation is operating-system independent, can be integrated in any network layer, and operates on arbitrary bitstreams (network friendly). Simulation on hundreds of entities reached the upper limit of the ns-2 simulator. Random waypoint mobility model: pick a random location inside the area, use a speed uniformly distributed between 0 and MAXSPEED to get there, then pause for PAUSETIME. The simulation area is a function of node density, transmission range and parameter K. ns-2 application layer/optimizations; IEEE MAC layer (with DSR routing protocol for replies).
Implementation: RSA and Certification Performance
Comparable performance with standard RSA signing
Little impact of K on computation overhead

Lapse: 1 minute and 30 seconds
Computation overhead of cryptographic algorithms is non-trivial; a centralized server could be overloaded.
Notes (quoting PKCS #1 on the CRT coefficients): The definition of the CRT coefficients here and the formulas that use them in the primitives in Section 5 generally follow Garner's algorithm [21] (see also Algorithm in [31]). However, for compatibility with the representations of RSA private keys in PKCS #1 v2.0 and previous versions, the roles of p and q are reversed compared to the rest of the primes. Thus, the first CRT coefficient, q^-1, is defined as the inverse of q mod p, rather than as the inverse of R_1 mod r_2, i.e., of p mod q. Quisquater and Couvreur [34] observed the benefit of applying the Chinese Remainder Theorem to RSA operations.
[21] H. Garner. The Residue Number System. IRE Transactions on Electronic Computers, EC-8(6), June
[31] A. Menezes, P. van Oorschot and S. Vanstone. Handbook of Applied Cryptography. CRC Press.
[34] J.-J. Quisquater and C. Couvreur. Fast decipherment algorithm for RSA public-key cryptosystem. Electronics Letters, 18(21), pp. 905–907, October 14, 1982.
Implementation: Self Initialization (K=5, time unit: millisecond)

Key (bit) | SPEC=20.5 Partial | SPEC=20.5 Sum | SPEC=12.1 Partial | SPEC=12.1 Sum | SPEC=1.37 Partial | SPEC=1.37 Sum
512       | 0.413             | 0.288         | 1.145             | 0.378         | 3.861             | 1.196
768       | 0.459             | 0.382         | 2.588             | 0.443         | 5.163             | 1.497
1024      | 0.490             | 0.319         | 3.321             | 0.781         | 7.024             | 1.847
1280      | 0.561             | 0.411         | 4.926             | 0.840         | 8.215             | 1.996
1536      | 0.798             | 0.460         | 3.480             | 0.630         | 10.251            | 2.006
2048      | 1.420             | 0.473         | 5.245             | 0.754         | 24.414            | 2.528

Lapse: 30 seconds
Self initialization only uses inexpensive operations like multiplicative inversion and Lagrange interpolation. No expensive operations, like exponentiation on huge numbers, are applied; thus it incurs little computation overhead. The same argument holds for proactive secret share update: both self initialization and proactive secret share update only use inexpensive operations (+, -, *, multiplicative inversion, and exponentiation of degree less than K), and thus incur little computation overhead.
Simulation: Certification Services, Avg. # of Attempts vs. Node Speed
Our approach: reliable and predictable behavior
Centralized & hierarchical approaches: unreliable and/or unpredictable behavior

Lapse: 45 seconds
Avg. # of failures: a service request may be issued several times before it is successfully served. Our approach has fewer failures; it experiences fewer failures as the mobility helps the protocol. Both the centralized approach and the hierarchical approach are nearly unpredictable and have a much larger number of failed attempts.
Simulation: Self Initialization, Avg. Delay vs. Node Speed
Not sensitive to mobility
Not sensitive to network scale

Lapse: 45 seconds
Average latency until an un-initialized entity is initialized by its K share-holding neighbors. Simulation assumption: 2*K nodes have been initialized with secret shares. Explanation: mobility does not affect the protocols very much, and they scale well with the network size.
Simulation: Proactive Update, Updated Node Percentage vs. Delay
Percentage of nodes having obtained the new version
"Explosion" effect: as more and more entities obtain the new version of secret shares, the task gets easier and faster

Lapse: 45 seconds
Initially only K entities obtain the new version of secret shares via Herzberg's scheme; then the other entities obtain the new version via our self-initialization protocol. The first 20% need almost 50 seconds to update. As soon as a sufficient number of nodes manage to acquire their new secret shares, the convergence of the algorithm gets faster. Some wayward entities (roaming to remote areas with fewer neighbors) make 100% hard to achieve. However, after 900 seconds the simulation shows all entities initialized with the new version of secret shares. This diagram reminds me of the propagation ratio of the famous "Code Red" virus over Internet computers.
Conclusion
Certification-based approach: secret sharing; multi-signature
Localized and distributed protocols: faster and more robust than other approaches; service ubiquity; scalable
Flexible trade-off between intrusion tolerance & service availability

Lapse: 1 minute and 15 seconds
SMARTCARD technology currently has a major impact on wireless network security, e.g., in GSM and AMPS. Some WAP-enabled cellular phones are capable of the RSA cryptosystem via this technology, e.g., Siemens S35i. In cluster-based network design, load balancing and fault tolerance imply partial trust towards each server. We have written an INFOCOM paper to pursue this research direction. To apply this architectural work to cluster-based environments, redefine the term "best" from physical proximity to another concept.
Thank you