Published by Byron French. Modified over 9 years ago.
1
Bootstrapping Security Associations in Wireless (Sensor) Networks
Mario Čagalj
University of Split, FESB
ACROSS, 2013
2
Briefly about the speaker
- Mario Čagalj, Associate Professor
- Department of Electronics, University of Split, FESB
- Ph.D. degree in Communication Systems from EPFL (École Polytechnique Fédérale de Lausanne)
- Scientific work and research interests: information security, applied cryptography, game theory, energy-efficient communication, HCI, etc.
- For more information: http://www.fesb.hr/~mcagalj or mcagalj@fesb.hr
3
Motivation
- Billions of devices will be interconnected in the near future
  - Ericsson forecasts 50 billion M2M connections by 2020
  - IoT, M2M, wearable sensor networks, smart metering, etc.
- Many technologies/systems
  - Include low cost and highly constrained devices
  - Use wireless channels (highly vulnerable)
  - Operate independently of any authority (are user-centric)
- Prerequisites for adoption of such technologies
  - Data trustworthiness, authenticity and privacy
4
Motivation
- Key element towards secure communication
  - Some cryptographic (keying) material (pwds, keys, certs) has to be preloaded into communicating devices
- However, users are bad when it comes to security
  - Complicated setup procedures render the security features useless (e.g., home WiFi networks)
  - What can we then expect from 2020?
[Figure: timeline 2013, 2014, 2020 with the attacker and the user’s devices]
5
Our goal
- Develop mechanisms for secure initialization of wireless devices/for bootstrapping initial security associations
  - User-friendly – easily administered by non-specialists
  - Scalable – support a reasonably large number of devices
  - Compatible with resource constrained devices – lacking usual wired interfaces, displays, keypads, etc.
[Figure: timeline 2013, 2014, 2020 with the attacker and the user’s devices]
6
Talk outline
- Basic security problem
- Optimal message transfer authenticator
- Group message authentication protocol
- Authentication through presence
- Integrity codes
7
Basic security problem
- Assumptions
  - High bandwidth public/insecure channel (e.g. radio)
  - Low bandwidth authenticated channel (not secret), e.g., sound, voice, visible light, etc.
  - Devices A and B share neither secrets nor certificates
- Protect message integrity over the public channel
- Minimize user’s involvement and hardware requirements
[Figure: devices A and B, message, attacker, user]
8
Attacker model
- People usually have a wrong mental model
- E.g., attacks on Bluetooth (designed for 10m range)
  - Eavesdropping from more than 1.5 km (BlueSniper rifle)
  - Thanks to high gain/sensitivity antennas and receivers
[Figure: A and B with their nominal TX range, and the attacker]
9
Straightforward solution
- Based on a weak-collision resistant hash function h(·)
  - Given message m_0, easy to calculate a hash value h(m_0)
  - Hard to find different m_1 such that h(m_0) = h(m_1)
- Protocol (diagram)
  - A → B (high bandwidth insecure channel): m
  - A: calculates s_A = h(m)
  - B: receives m, calculates s_B = h(m)
  - A → B (low bandwidth authenticated channel): s_A
  - B: if s_A == s_B, “Accept m” (ok)
10
Straightforward solution suboptimal
- Today, weak-collision implies at least 80-bit hash value
  - The minimum load over low bandwidth (human) channel
- Hash function output sizes tend to increase over time
  - Vulnerabilities (e.g., SHA-1), processing power increases
  - E.g., MD5, SHA-1, SHA-2 (128, 160, 256... bit outputs)
- More bits over low bandwidth (human) channel implies increased user’s involvement
  - Big issue when user interacts with constrained devices
11
Optimal message transfer authenticator
- Based on a non-malleable commitment scheme
  - Functionality similar to that of an ideal hash function
  - Transforms message m into commitment/opening pair
  - To commit to m do: (c,d)=commit(m) and hand out c
  - To open c do: hand out d and m=open(c,d)
- Properties
  - Once committed to m, cannot change to another m
  - Message m remains secret until opened using d
12
Optimal message transfer authenticator
- A: given message m, pick k random bits N_A; (c,d)=commit(m,N_A)
- A → B (high bandwidth insecure channel): c
- B: pick k random bits N_B
- B → A (high bandwidth insecure channel): N_B
- A → B (high bandwidth insecure channel): d
- A: s_A = N_A N_B
- B: m, N_A = open(c,d); s_B = N_A N_B
- A → B (low bandwidth authenticated channel): s_A
- B: if s_A == s_B, “Accept m” (ok)
Čagalj, Mario; Čapkun, Srđan; Hubaux, Jean-Pierre. Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. 94 (2006)
13
Optimal message transfer authenticator
- A: given message m, pick k random bits N_A; (c,d)=commit(m,N_A)
- A → B (high bandwidth insecure channel): c
- B: pick k random bits N_B
- B → A (high bandwidth insecure channel): N_B
- A → B (high bandwidth insecure channel): d
- A: s_A = N_A N_B
- B: m, N_A = open(c,d); s_B = N_A N_B; accept m
- Low bandwidth authenticated channel: s_A, s_B
- If s_A == s_B: “Success” (ok)
Čagalj, Mario; Čapkun, Srđan; Hubaux, Jean-Pierre. Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. 94 (2006)
14
Optimal message transfer authenticator
- Theorem: Computationally bounded attacker can succeed with probability at most approx. 2^-k (in a single session), where k is the size of authentication strings s_A and s_B.
- For example, with k=15 bits
  - Attacker successful with probability 2^-15 (i.e., 5-digit PIN)
  - User’s involvement only 15 bits (i.e., 2 hex digits)
- We can optimally trade security and the user’s load
- Time-invariant (independent of the employed hash function)
  - Not the case with the standard solution (min. load at least 80 bits)
Čagalj, Mario; Čapkun, Srđan; Hubaux, Jean-Pierre. Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. 94 (2006)
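
Added example (not part of the original slides): a Python simulation of the message transfer authenticator and of the 2^-k bound, with a man-in-the-middle who swaps A's commitment for its own. The SHA-256 hash commitment, the function names and the sample messages are assumptions; the slide text does not show how N_A and N_B are combined, so XOR is assumed here.

```python
import hashlib
import secrets

def digest(r: bytes, n: int, m: bytes) -> bytes:
    return hashlib.sha256(r + n.to_bytes(4, "big") + m).digest()

def commit(m: bytes, n: int):
    """Assumed hash commitment: c = SHA-256(r || n || m), d = (r, n, m)."""
    r = secrets.token_bytes(32)          # fresh randomness hides m and n until opened
    return digest(r, n, m), (r, n, m)

def open_commit(c: bytes, d):
    r, n, m = d
    if not secrets.compare_digest(c, digest(r, n, m)):
        raise ValueError("opening does not match commitment")
    return m, n

def session(m: bytes, k: int = 15, injected=None):
    """One protocol run; returns (message B ends up with, s_A, s_B).

    If `injected` is set, a man-in-the-middle on the radio channel replaces
    A's commitment with its own commitment to `injected`.
    """
    n_a = secrets.randbits(k)
    c_a, d_a = commit(m, n_a)            # A -> B over radio: c
    c_b, d_b = c_a, d_a                  # what B receives when nobody interferes
    if injected is not None:             # attacker commits before it has seen N_B
        c_b, d_b = commit(injected, secrets.randbits(k))
    n_b = secrets.randbits(k)            # B -> A over radio: N_B, sent only after c
    # The attacker may show A any value in place of N_B, but it has to do so
    # before A opens c_a, so it cannot aim at N_A; here it picks at random.
    n_b_at_a = n_b if injected is None else secrets.randbits(k)
    m_b, n_in_c = open_commit(c_b, d_b)  # B opens the commitment it actually holds
    s_a = n_a ^ n_b_at_a                 # XOR is an assumption of this example
    s_b = n_in_c ^ n_b
    return m_b, s_a, s_b

def attack_success_rate(k: int, trials: int) -> float:
    """Fraction of tampered sessions in which the user would still see s_A == s_B."""
    hits = 0
    for _ in range(trials):
        _, s_a, s_b = session(b"public key of A", k, injected=b"public key of attacker")
        hits += s_a == s_b
    return hits / trials

if __name__ == "__main__":
    print("honest run:", session(b"public key of A"))
    print("attack rate for k=4:", attack_success_rate(4, 4000), "expected about", 2 ** -4)
```

With k=4 the measured rate sits near 1/16; each extra bit the user compares halves it, independently of the hash output size.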
15
Optimal message transfer authenticator
Optimality and time-invariance
16
Securing Diffie-Hellman key agreement
- A: given g^(X_A), pick k random bits N_A; m_A = ID_A, g^(X_A), N_A; (c_A,d_A)=commit(m_A)
- B: given g^(X_B), pick k random bits N_B; m_B = ID_B, g^(X_B), N_B; (c_B,d_B)=commit(m_B)
- Messages exchanged: c_A, c_B, d_A, d_B
- A: m_B=open(c_B,d_B); s_A = N_A N_B; secret key K_AB = g^(X_A X_B)
- B: m_A=open(c_A,d_A); s_B = N_A N_B; secret key K_AB = g^(X_A X_B)
- Compare s_A and s_B: if s_A == s_B, “Success” (ok)
Čagalj et al. Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. (February, 2006)
Bluetooth Special Interest Group. Simple Pairing Whitepaper. // (October, 2006)
17
Example: Initializing home WiFi network
- Camera-equipped device and wireless access point (AP)
- Single LED at the AP blinks short authentication string s_B
- Ephemeral tokens for your guests (AP pwd not disclosed!)
- Contrast this with insecure WPS: Push-Button-Method by WiFi Alliance (2006)
[Diagram: MT-auth DH between the device and the AP; s_A = N_A N_B and s_B = N_A N_B; K_AB = g^(X_A X_B) on both sides; s_B shown by the AP; if s_A == s_B, “Success” (ok)]
18
Example: Initializing a pair of sensors
- No cameras (only LEDs and a pushbutton)
- User just checks that the devices blink the same states
[Diagram: MT-auth DH between the two sensors; s_A = N_A N_B and s_B = N_A N_B; K_AB = g^(X_A X_B) on both sides; s_A and s_B blinked as on-off patterns (100110) in slots of duration T_s; if s_A == s_B, “Success” (ok)]
19
How about securely initializing a larger group of resource-constrained devices?
- Group message Authentication Protocol (GAP)
- Generalization of our optimal two-party protocol
Perković T., Čagalj M., Mastelić T., Saxena N., Begušić D. Secure Initialization of Multiple Constrained Wireless Devices for an Unaided User. // IEEE TMC (2012)
20
GAP overview
- Phase 1: insecure radio channel
  - Devices exchange messages they want to authenticate and establish Group Authentication String (GAS)
- Phase 2: visible light channel
  - User compares the GAS
[Figure: devices D_1, D_2, ..., D_n in each phase; the user observes them in Phase 2]
Perković T., Čagalj M., Mastelić T., Saxena N., Begušić D. Secure Initialization of Multiple Constrained Wireless Devices for an Unaided User. // IEEE TMC (2012)
21
GAP-Phase 1: insecure radio channel
Goal: M devices exchange and authenticate public keys
[Diagram: device D_i and its neighbours D_i-1, D_i+1 exchange ID_i, ID_j, then c_i-1, c_i, c_i+1, then d_i-1, d_i, d_i+1, in Step I, Step II and Step III]
G_i = {ID_1 < ID_2 < … < ID_M}
h_Gi = hash(ID_1,…,ID_i,…,ID_M)
(c_i, d_i) commit(h_Gi, ID_i, PK_i, N_i)
(h_Gj, ID_j, PK_j, N_j) open(c_j, d_j)
GAS_i N_i ...
Verify h_Gi, ID_j
If OK, GAS_i GAS_i N_j
GAS_i = N_1 N_2 ... N_i ... N_M
22
GAP-Phase 2: authenticated light channel
- User enters group size M into one device/coordinator
  - Push-button can be used for this task
- If group size OK, the coordinator initiates synchronized transmission of GAS (blinking LEDs) on all the devices
- User verifies simultaneously if GAS_i = GAS_j, for all devices
[Diagram: devices D_1, D_2, ..., D_n show GAS_1, GAS_2, ..., GAS_n; if GAS_1 = GAS_2 = ... = GAS_n, “Success” (ok)]
23
GAP security
- Theorem: Computationally bounded attacker can succeed with probability at most approx. 2^-k (in a single session), where k is the size of the group authentication string (GAS).
- User’s involvement only 15-20 bits
  - Recall, we can set k as low as 15-20 bits
[Figure: on-off blinking pattern in slots of duration T_s, with start and end markers]
Perković T., Čagalj M., Mastelić T., Saxena N., Begušić D. Secure Initialization of Multiple Constrained Wireless Devices for an Unaided User. // IEEE TMC (2012)
24
GAP usability evaluation
- 27 participants (age 18-25)
- GAS verification (GAS match and mismatch tests) and entering group sizes via a push-button (25 sensors)
- Average System Usability Score (SUS) 80.8 (max. 100)
[Bar chart: number of testers per difficulty rating (Very easy, Easy, Medium difficult, Difficult, Very difficult) for GAS verification and for entering group size]
25
Improving usability and scalability of GAP
- User records the GAS procedure with a smartphone
- In turn, reviews the GAS procedure offline
- No special services or software on the smartphone (zero-configuration auxiliary device)
26
Talk outline
- Basic security problem
- Optimal message transfer authenticator
- Group message authentication protocol
- Authentication through presence
- Integrity codes
27
Integrity codes (I-codes)
- The presence or absence of energy in a given time slot of duration T_s conveys information
[Figure: message m (101), balanced code c (100110), on-off keying in slots of duration T_s]
Čagalj, M.; Čapkun, S.; Rengaswamy, R.; Tsigkogiannis, I.; Srivastava, M.; Hubaux, J.-P. Integrity codes: Message Integrity Protection and Authentication over Insecure Channels // IEEE S&P (2006)
28
Integrity codes (I-codes)
- Balanced code
  - Injective (one-to-one mapping)
  - Equal number of ones and zeros
  - E.g., Manchester code: 0 → 01 and 1 → 10
- Impossible to convert a codeword c_0 into a different codeword c_1 without flipping at least one bit 1 to bit 0

message   codeword
00        0101
01        0110
10        1001
11        1010
29
I-codes security
- Assumptions
  - A applies I-codes to message m
  - B within the TX range of A
  - B synchronized to A with respect to the start and the end of c
  - B verifies that the received codeword c is balanced
  - Attacker cannot cancel (erase) a radio signal
- Theorem: The attacker cannot trick device B into accepting a message that is different from the original m.
[Figure: A sends I-code(m) to B in the presence of the attacker]
30
I-codes transmission
- Delimiter 111000 marks start and end of I-coded m
  - Delimiter and Manchester codewords incongruous
- If attacker cannot cancel (erase) a radio signal:
  - Any balanced codeword c between delimiters is authentic
[Figure: ATMEL AT86RF211 transceiver, 433 MHz, FSK, T_s = 5ms]
31
I-codes reception
- Demodulation at the receiver
  - If average power in the symbol interval high → output 1
  - If average power in the symbol interval low → output 0
- Any balanced codeword c between delimiters is authentic
[Figure: received signal for bit 1 and bit 0]
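
Added example (not from the original slides): an I-code sender and receiver in Python that follows the slides above, with Manchester coding, the 111000 delimiter, threshold demodulation and the balance check, plus an exhaustive check that an attacker who can only add energy (0 → 1) never gets a modified frame accepted. The function names, the threshold and the sample power values are assumptions.

```python
from itertools import combinations

DELIM = "111000"                     # start/end marker given on the slides
ENC = {"0": "01", "1": "10"}         # Manchester code: balanced and injective
DEC = {cw: bit for bit, cw in ENC.items()}

def icode_frame(msg_bits):
    """Slot sequence A transmits with on-off keying (1 = energy in the slot)."""
    return DELIM + "".join(ENC[b] for b in msg_bits) + DELIM

def demodulate(slot_power, threshold):
    """Receiver front end: high average power in a slot -> 1, low -> 0."""
    return "".join("1" if p >= threshold else "0" for p in slot_power)

def icode_receive(slots):
    """Return the message bits, or None when the frame must be rejected."""
    if not (slots.startswith(DELIM) and slots.endswith(DELIM)):
        return None
    c = slots[len(DELIM):-len(DELIM)]
    if not c or c.count("1") != c.count("0"):
        return None                  # codeword between delimiters is not balanced
    pairs = [c[i:i + 2] for i in range(0, len(c), 2)]
    if any(p not in DEC for p in pairs):
        return None                  # 00 and 11 are not Manchester symbols
    return "".join(DEC[p] for p in pairs)

def add_energy(slots, positions):
    """Attacker model from the slides: a 0 can become 1, a 1 cannot be erased."""
    out = list(slots)
    for i in positions:
        out[i] = "1"
    return "".join(out)

def all_injections_rejected(msg_bits):
    """Try every non-empty set of 0 -> 1 changes on the whole frame."""
    frame = icode_frame(msg_bits)
    zeros = [i for i, s in enumerate(frame) if s == "0"]
    return all(icode_receive(add_energy(frame, pos)) is None
               for r in range(1, len(zeros) + 1)
               for pos in combinations(zeros, r))

if __name__ == "__main__":
    # Constructed per-slot average powers for the frame carrying message "10".
    powers = [9, 9, 9, 1, 1, 1, 9, 1, 1, 9, 9, 9, 9, 1, 1, 1]
    print(icode_receive(demodulate(powers, threshold=5)))
    print(all_injections_rejected("1001"))
```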
32
Anti-blocking property of a radio channel
- Received signal at B
  - r(t) = s(t) ⊗ h_AB(t) + a(t) ⊗ h_aB(t) + n(t)
  - n(t): Gaussian noise
  - h_AB(t), h_aB(t): channel between A/attacker and B (i.e., #paths, delay, phase, attenuation)
- Attacker’s goal
  - r(t) ≈ n(t), i.e., s(t) ⊗ h_AB(t) + a(t) ⊗ h_aB(t) << n(t)
- Attacker’s challenges
  - s(t) can be made physically unpredictable for the attacker
  - Accurate estimate of both h_AB(t) and h_aB(t)
  - Many sources of uncertainty at high frequencies
  - Inaccuracies in the antennas positions
[Figure: A sends s(t) and the attacker sends a(t) towards B]
33
Anti-blocking property of a radio channel
- 0 → 1 easy
- 1 → 0 very hard
[Figure: A sends s(t) and the attacker sends a(t) towards B; received signal for bit 1 and bit 0]
34
Authentication through presence
- User’s involvement minimal
  - Ensures the devices close-by
  - Turns the devices on
[Figure: TX on, RX on (ok); transmitted stream 111000 011010…010101 111000 011010…010101 111000 …, i.e. delimiter, I-codes(m), delimiter, repeated; if I-codes(m) balanced, accept m]
35
Effect of noise on I-codes
- Implementation on Mica2 sensor motes
  - 0s → no signal during T_0 = 10ms
  - 1s → 18 bytes randomized packet at 19.2kbps (T_1 = 7.5ms)
36
Securing Diffie-Hellman with I-codes
- A: given g^(X_A), pick k random bits N_A; m_A = ID_A, g^(X_A), N_A; (c_A,d_A)=commit(m_A)
- B: given g^(X_B), pick k random bits N_B; m_B = ID_B, g^(X_B), N_B; (c_B,d_B)=commit(m_B)
- Messages exchanged: c_A, c_B, d_A, d_B
- A: m_B=open(c_B,d_B); s_A = N_A N_B; secret key K_AB = g^(X_A X_B)
- B: m_A=open(c_A,d_A); s_B = N_A N_B; secret key K_AB = g^(X_A X_B)
- A → B: I-codes(s_A)
- B: if s_A == s_B, “Success” (ok)
37
Initializing a large sensor network
- Simple procedure
  - Place the devices close-by
  - Run Group message Authentication Protocol (GAP)
  - Let one device I-codes short GAS (group auth. string)
  - Ensure all the devices show “green” status
[Figure: transmitted stream 111000 011010…010101 111000 011010…010101 111000 …, i.e. delimiter, I-codes(GAS), delimiter, repeated]
38
Summary
- Presented mechanisms for bootstrapping initial security associations in wireless (sensor) networks
  - User-friendly, scalable and compatible with resource constrained devices
- Optimal message transfer authenticator
  - Short authentication strings
  - Optimal trade-off between security and user’s involvement
- Integrity codes
  - Exploit physical properties of a radio channel
  - Enable authentication through presence