Download presentation
Presentation is loading. Please wait.
1
1 Key Establishment in Ad Hoc Networks Part 1 of 2 S. Capkun, JP Hubaux
2
2 Outline Introduction URSA: Providing Ubiquitous and Robust Security Support for MANET (UCLA proposal) PGP-inspired solution: keys generated by the nodes (EPFL proposal) Mobility helps security (in the Part 2 of 2)
3
3 Research areas in security for ad hoc networks Key establishment: how to distribute and manage keys in the absence of an on-line authority Secure routing: how to make routing protocols robust against potential attacks Intrusion detection: how to discover that an intruder is attempting to penetrate the network Preventing denial of service: how to avoid that some nodes rationally or maliciously misbehave, e.g. pretend forwarding packets while dropping them Securing sensor networks: how to make the protocols used by sensor networks robust against potential attacks, while coping with the anemic nature of the devices
4
4 Design Challenges Security breaches Vulnerable wireless links Occasional break-ins may be inevitable over long time Service ubiquity in presence of mobility Anywhere, anytime availability Network dynamics Wireless channel errors Node failures Node join/leave Network scale
5
5 Key establishment techniques in ad hoc networks Presence of an authority, at least in the initialization phase Usually based on threshold cryptography No authority: Keys are generated by the nodes Specialized nodes (servers) Centralized secret share dealer PGP-inspired Trust; certificate graph Mobility helps security Exploit node encounters
6
6 Secret sharing based on threshold cryptography No trusted authority, no central server Threshold crypto makes it possible to distribute specific tasks (e.g., signature and therefore certificate issuing) among several users Definition:
7
7 Shamir threshold scheme
8
8 URSA : Providing Ubiquitous and Robust Security Support for MANET Courtesy of: Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang University of California, Los Angeles {jkong,pzerfos,hluo,slu,lixia}@cs.ucla.edu
9
9 URSA Approach Ubiquitous and robust service provision in the presence of random mobility Localized algorithms and protocols One-hop wireless communication
10
10 Why this model? No single point of compromise Hackers must break into K nodes simultaneously to compromise the system No single point of DoS attack & node failure K offers tradeoff between intrusion tolerance and service availability K=1, single point of compromise, maximal availability K=N, single point of DoS attack, maximal intrusion tolerance
11
11 System Overview Each node carries a verifiable, unforgeable personal certificate Certificate is signed by network system key SK Certificate may be issued, renewed, or revoked Every mobile node periodically renews its certificate Ubiquitous services enabled by secret sharing
12
12 System Components Certification services Localized certificate issuing, renewal, revocation Self-initialization service To provide a secret share to an entity To provide scalable proactive secret share update service Proactive secret share update service To resist long-term adversaries without changing the shared secret
13
13 Network Protocol 1.Service request 2.Return partial certificates (K=5) 1.Initialization request 2.Unicast shuffling package 3.Routing shuffling package 4.Unicast partial secret share Certificate issuing, renewal, or explicit revocation Self-initialization
14
14 Cryptographic Algorithms: Threshold Secret Sharing Polynomial-based threshold secret sharing Given a secret d and a random polynomial of degree K-1 f(x) = d + f 1 x + f 2 x 2 + …… + f K-1 x K-1 mod n Each entity v i obtains its secret share “f(v i ) mod n ” d can be recovered by Lagrange interpolation In RSA cryptosystem, the d in the signing key SK=(d,n) is shared and distributed
15
15 Lagrange Interpolation
16
16 Multi-signature Threshold secret sharing reveals d to a coalition d is not revealed if partial certificates are used The cornerstone is the equation X d1 X d2 … X dK = X (d1 + d2 + … + dK) Each coalition member contributes a signed partial certificate X SKi = (X di mod n ) which corresponds to an RSA SK-signing in computation The certification service requester combines K partial- certificates and obtains a correctly-signed certificate X SK = (X d mod n )
17
17 Simulation: Proactive Update Updated Node Percentage vs. Delay “Explosion” effect: as more and more entities obtain the new version of secret shares, the task is getting easier and faster
18
18 Conclusion on URSA Certification-based approach Secret sharing Multi-signature Localized and distributed protocols Faster and more robust than other approaches Service ubiquity Scalable Flexible trade-off between intrusion tolerance & service availability
19
19 Full Self-Organization of Public Key Management (EPFL proposal) Security: we use public-key cryptography scheme to support security services in mobile ad hoc networks Problem: How can a user u obtain the authentic public key of another user v in the presence of an active attacker ? Principles: - users generate their own keys and issue certificates (no preinstalled keys) - no central certification authority - no certificate directories - no specific role assigned to a subset of nodes
20
20 Public-Key Infrastructure Reminder: Certification Authorities (CAs) (e.g., ISO X.509, used notably in S/MIME): CA z CA W CA X CA Y CA z CA U CA V Bob Alice A self-organized mobile ad hoc network has no infrastructure and therefore: - no server - no certification authority Is it possible to build up a scalable public-key infrastructure for such an infrastructure-less network?
21
21 Key management in PGP: Web of trust AliceBob Irene PrK Irene PrK Alice PuK Alice PuK Irene PrK Bob PuK Bob Generate a certificate Trust relationship Alice and Bob trust each other and have exchanged each other’s public key in a secure way (e.g., off-line) Bob Irene PuK Irene PrK Bob (PuK Irene ) How can Alice get a trustworthy version of the public key of Irene PuK Irene ? (She does not know who signed it) Bob is an introducer for Irene
22
22 PGP: server of certificates AliceBob Irene Example of server: www.pgpi.orgwww.pgpi.org The servers of certificate are the only centralized components of PGP. Request for a signed public key of Irene Is it possible to get rid of the certificate server(s), without jeopardizing scalability? Server of certificates Bob Irene PuK Irene PrK Bob (PuK Irene ) PrK Alice PuK Alice PrK Irene PuK Irene PrK Bob PuK Bob
23
23 Model We assume that if a user i believes that a given public key belongs to a given user j, then i can issue a public-key certificate to j Certificate graph G(V,E) V is a set of keys E is the set of edges, where a directed edge (i,j) is added if i signed a public key certificate to user j KiKi KjKj
24
24 Certificate graph authentication via a chain of certificates K1K1 K2K2 K3K3 K4K4 K6K6 K7K7 K8K8 K9K9 K 10 K 11 K 12 K 10 K5K5 K5K5
25
25 No authority: Self Organized Public Key Management Each node generates its own private / public key pair (as in PGP) and issues a certificates for the nodes it trusts The system works in two phases: 1.Initialization: each user stores a set of certificates 2.When a user wants to verify the public key of another user, they merge their local repositories and try to find a path of certificates between them 1. i 2. i j
26
26 Initialization (1) i j k
27
27 Initialization (2) Each user builds up a local repository of public-key certificates (a subgraph) stores the certificates that it issued (outgoing edges) stores the list of certificates that others issued for it (incoming edges) stores an additional set of certificates chosen according to some algorithm A 2 possible scenarios Centralized Certificate Server 1 2 request sub-graph Distributed
28
28 Verifying the key: merging the local repositories and finding a path of certificates i j
29
29 Example of an algorithm: Maximum Degree Node K builds its incoming and outgoing path(s) choosing the nodes with the highest degrees.
30
30 Example: Shortcut Hunter Each node builds its incoming and outgoing path(s) choosing the node that has a highest number of shortcuts connected to it k Small world graphs shortcut
31
31 Algorithm performance
32
32 Performance of Maximum Degree Node builds its incoming and outgoing path(s) choosing the nodes with the highest degrees.
33
33 Performance of the Star Shortcut Hunter on real PGP certificate graphs
34
34 Performance of the shortcut hunter on small world and random graphs Φ is the fraction of edges which are shortcuts, size of the local repositories = sqrt(n)
35
35 False certificates K D K i K j K' j K D j j a key controlled by a dishonest user a false key created by a dishonest user a certificate binding user F to a key K
36
36 Design goals performance – redefined by taking authentication metrics into account key usage – ideally, all vertices need to be used for authentication an equal number of times (to be on the path an equal number of times) scalability – minimize the size of the local repositories (subgraphs) and the communication cost invariance to certificate graph changes
37
37 Performance with authentication metrics Examples of authentication metrics include: number of disjoint paths of certificates, number of bounded and k-bounded disjoint paths...
38
38 Key usage The key usage is defined as the number of times that a key is used for authentication. Formally:
39
39 Fundamental design limit (1): size of the repositories Problem 1: Find a set of subgraphs that minimizes the size of local repositories such that p=1 Theorem 1:
40
40 Fundamental design limit (2): key usage Problem 2: Find a set of subgraphs that minimizes the size of local repositories such that p=1 and U(K v )=U(K u ) Theorem 2: |V| = 4, s = 2 |V| = 9, s = 4 Example of construction with :
41
41 Maximum degree simulation results 1 8.248.241 3 8.237.691.42 6 8.157.671.44 Mean length No. of paths PGP (5000 vertices): Artificial certificate graphs: Shortest path 1 17.6617.661 3 18.7712.552.39 6 1610.532.55 PGP (5000 vertices): 6.6 6.19 1.55 Artificial certificate graphs: 6.8 5.71 3.66 Maximum degree: the whole graph: repository no of paths Mean length No. of paths Shortest path
42
42 PGP certificate graph The PGP graph is the only known example of self-organized certificate graph creation. Largest connected component of the PGP certificate graph 2001 (8695 keys)
43
43 Key usage Certificate usage with Maximum Degree algorithm and the Shortest Paths on PGP graph and artificial certificate graph
44
44 Small-world graphs - a small characteristic length (the median of the means of the shortest paths between all pairs of users) - a large clustering coefficient (a very high likelihood that two friends of a friend are friends as well) - a logarithmic characteristic length scaling Small world graphs shortcut – an edge upon whose disconnection the shortest path between two vertices previously connected by this edge becomes strictly larger than 2. Small world graph characteristics:
45
45 Watts -model lattice = 0 random graphs = 1 Small world graphs is the fraction of shortcuts in the total number of edges of a graph. CONSTRUCTION PRINCIPLE: REWIRE A REGULAR 1-D LATTICE RANDOMLY (CREATING SHORTCUTS)
46
46 Characteristics of the PGP graph
47
47 Power law of the PGP graph
48
48 Construction of the artificial certificate graph Principle: REWIRE AN IRREGULAR 1-D LATTICE RANDOMLY 1.Create an irregular lattice, according to the degree distribution provided by the power law 2.Rewire the lattice (adding or removing the shortcuts) to achieve the desired -coefficient
49
49 Comparison of artificial and PGP graphs PGP certificate graph artificial certificate graph PGP certificate graph artificial certificate graph
50
50 Conclusion on Part 1 of Security for mobile ad hoc networks Very difficult problem, because of the nature of the network Crucial issue: ad hoc networks cannot be used in practice if they are not secure The kind of considered scenario (civilian / military, personal devices / sensors, …) can radically influence the solution to be chosen The presence or absence of an authority (e.g., in charge of distributing the keys) can lead to very different solutions in terms of key agreement
51
51 References M. Reiter and S. Stubblebine Authentication metric analysis and design ACM trans. on Information and System Security, 1999 D. Watts: Small Worlds Princeton University Press, 1999 Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang Providing Robust and Ubiquitous Security Support for Mobile Ad Hc Networks. ICNP 2001 S. Capkun, L. Buttyan, JP Hubaux Trust Relationships in Mobile Ad Hoc networks, LCA technical report, 2001 JP Hubaux, L. Buttyan, S. Capkun The Quest for security of mobile ad hoc networks MobiHoc 2001 For security in sensor networks, check: A. Perrig et al. SPINS: Security Protocols for Sensor Networks Mobicom 2001
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.