Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards Provable Secure Neighbor Discovery in Wireless Networks Marcin Poturalski Panos Papadimitratos Jean-Pierre Hubaux.

Published byJewel Powers Modified over 9 years ago

Similar presentations

Presentation on theme: "Towards Provable Secure Neighbor Discovery in Wireless Networks Marcin Poturalski Panos Papadimitratos Jean-Pierre Hubaux."— Presentation transcript:

1 Towards Provable Secure Neighbor Discovery in Wireless Networks Marcin Poturalski Panos Papadimitratos Jean-Pierre Hubaux

2 Proliferation of Wireless Networks 2 Wireless Sensor Networks WiFi and Bluetooth enabled devices RFID

3 Proliferation of Wireless Networks Strength of wireless networks: – Any devices in range can communicate without additional infrastructure Enables ad-hoc and mobile networking – Devices do not know in advance with whom they can communicate Neighbor Discovery becomes essential: – Can wireless device A communicate directly with wireless device B? 3

4 Neighbor Discovery How to achieve Neighbor Discovery? 4

5 Neighbor Discovery How to achieve Neighbor Discovery? Simple, widely used solution, but not secure 5 A B “Hello, I’m A” B: “A is my neighbor”

6 Attacking Neighbor Discovery “Relay” or “Wormhole” Attack The adversary simply relays the message A “Hello, I’m A” B: “A is my neighbor” M 6

7 Attacking ND: Routing in Sensor Networks 7 [1] Y.-C. Hu, A. Perrig, and D. B. Johnson. Packet leashes: A defense against wormhole attacks in wireless networks. INFOCOM 2003

8 Attacking ND: Routing in Sensor Networks 8 The adversary sets up a wormhole, convincing remote nodes they are neighbors [1] Y.-C. Hu, A. Perrig, and D. B. Johnson. Packet leashes: A defense against wormhole attacks in wireless networks. INFOCOM 2003

9 Attacking ND: Routing in Sensor Networks 9 This “shortcut” attracts many routes The adversary can eavesdrop, modify, or drop (DoS) Local attack with global impact!

10 Attacking ND: RFID Access Control 10 [2] Z. Kfir and A. Wool. Picking virtual pockets using relay attacks on contact-less smartcard. SECURECOMM 2005

11 Attacking Neighbor Discovery “Relay” or “Wormhole” Attack The adversary does not modify any messages Cryptography alone cannot help A “Hello, I’m A” B: “A is my neighbor” M 11

12 Securing Neighbor Discovery Use message time-of-flight to measure distance Reject “neighbors” who are too far away – Distance Bounding [3] – Temporal Packet Leashes [1] – SECTOR [4] Use node location to measure distance – Geographical Packet Leashes [1] 12 [1] Y.-C. Hu, A. Perrig, and D. B. Johnson. Packet leashes: A defense against wormhole attacks in wireless networks. INFOCOM 2003 [3] S. Brands and D. Chaum. Distance-bounding protocols. EUROCRYPT '93 [4] S. Capkun, L. Buttyan, and J.-P. Hubaux. SECTOR: secure tracking of node encounters in multi-hop wireless networks. SASN '03

13 Our Contribution: “provable” Model taking into account physical aspects of the wireless environment Previously [5]: Impossibility result for time-based protocols 13 [5] M. Poturalski, P. Papadimitratos, and J.-P. Hubaux. Secure Neighbor Discovery in Wireless Networks: Formal Investigation of Possibility. ASIACCS '08 obstacle A B M A B No time-based protocol can distinguish these two situations

14 Our Contribution: “provable” Model taking into account physical aspects of the wireless environment This work: Proving the correctness of ND protocols – Model extended and modified Closer representation of the wireless environment – Stronger availability properties – Composability 14

15 Outline The model ND properties Example ND protocol Skip proof Limitations and possible extensions 15

16 Messages Any of the following is a message: An authenticator is a message: A concatenation is a message: Message are essentially terms – Subterm relation 16

17 Messages: Temporal Structure Message m has a duration | m | – message transmission time (bit-rate dependant) Duration is preserved by concatenation m1m1 m2m2 m3m3 mkmk 17

18 Events 18 t – start time Events temporal structure: inherited from m

19 Events m1m1 t 19 t – start time Events temporal structure: inherited from m Useful notation:

20 Traces A trace model a system execution A trace  in  is a set of events 20 A B C

21 Traces A trace model a system execution A trace  in  is a set of events 21 A B C A receives m 2 before B sends it…

22 Traces A trace model a system execution A trace  in  is a set of events 22 A B C We need to constrain traces to make them meaningful

23 Setting A setting models an instance of the environment Formally: S = (nodes, loc, type, link, nlos) 23

24 Setting S = (nodes, loc, type, link, nlos) 24 { A, B, C, D, E, F, G, H } The nodes in the setting Notation: V

25 Setting S = (nodes, loc, type, link, nlos) H A C B D G F E 25 Location of every node Notation: dist

26 Setting S = (nodes, loc, type, link, nlos) H A C B D G F E 26 Type of every node: correct/adversarial Notation: V cor / V adv

27 Setting S = (nodes, loc, type, link, nlos) H A C B D G F E 27 The link/neighbor function Notation: communication possible not link A to B is up at time t links A to B and B to A are up at time t

28 Setting S = (nodes, loc, type, link, nlos) 28 H A C B D G F E Non-line-of-sight “delay” nlos(A,B)  0 The additional distance the signal needs to traverse

29 Feasible Traces A feasible trace  in  S,P,A satisfies constraints imposed by: – a setting S Communication follows the laws of physics – a protocol P Correct nodes follow protocol P – adversary model A Adversarial nodes abide with adversary model 29

30 Setting-feasible Traces A B 30 v – wireless channel propagation speed

31 Setting-feasible Traces A B 31 v – wireless channel propagation speed

32 Setting-feasible Traces A B 32 v – wireless channel propagation speed

33 Setting-feasible Traces A B 33 v – wireless channel propagation speed propagation delay

34 Setting-feasible Traces Full form of this rule includes the Dcast event Dual rules: – If there is a Bcast/Dcast event and a link is up, there will be an Receive event 34

35 Adversary-feasible Traces Adversarial nodes can behave arbitrarily, except respecting: – unforgability of authenticators – freshness of nonces 35 Authenticators and nonces need to be relayed

36 Adversary-feasible Traces 36 A

37 Adversary-feasible Traces 37 auth B ( m 0 ) A

38 Adversary-feasible Traces 38 auth B ( m 0 ) A

39 Adversary-feasible Traces 39 auth B ( m 0 ) A

40 Adversary-feasible Traces 40 auth B ( m 0 ) A  relay – the minimum processing delay when relaying

41 Adversary-feasible Traces Adversarial nodes can communicate over an adversarial channel with information propagation speed v adv  v 41 auth B ( m 0 ) A

42 Protocol-feasible Traces Rules are protocol-specific One general rule that requires correct nodes to respect the freshness of nonces 42

43 Protocol-feasible Traces 43 n n B

44 Protocol-feasible Traces 44 n n B

45 ND Properties Correctness: “declared neighbors are actual neighbors” 45

46 ND Properties Correctness: “declared neighbors are actual neighbors” 46

47 ND Properties Correctness: “declared neighbors are actual neighbors” 47

48 ND Properties Correctness: “declared neighbors are actual neighbors” 48

49 ND Properties Correctness: “declared neighbors are actual neighbors” 49

50 ND Properties Correctness: “declared neighbors are actual neighbors” Availability: “actual neighbor are declared neighbors” T P – protocol specific duration 50

51 ND Properties Correctness: “declared neighbors are actual neighbors” Availability: “actual neighbor are declared neighbors” T P – protocol specific duration 51

52 ND Properties Correctness: “declared neighbors are actual neighbors” Availability: “actual neighbor are declared neighbors” T P – protocol specific duration 52

53 ND Properties Correctness: “declared neighbors are actual neighbors” Availability: “actual neighbor are declared neighbors” T P – protocol specific duration 53

54 ND Properties Correctness: “declared neighbors are actual neighbors” Availability: “actual neighbor are declared neighbors” T P – protocol specific duration 54

55 ND Properties Correctness: “declared neighbors are actual neighbors” Availability: “actual neighbor are declared neighbors” T P – protocol specific duration 55

56 Protocol P CR/TL : Challenge-Response/Time-and-Location 56 challenge message response message authentication message

57 Protocol P CR/TL : Challenge-Response/Time-and-Location 57 challenge message response message authentication message Comment: “Hard to see the connection between this informal presentation and formal protocol definition” Solution: Intermediate form: informal “implementation” is pseudo-code

58 Protocol P CR/TL : pseudo-code 58 block A block states what events a node executes when an event of interest occurs

59 59 Protocol P CR/TL : pseudo-code

60 60 Protocol P CR/TL : pseudo-code

61 61 Protocol P CR/TL : pseudo-code

62 62 Protocol P CR/TL : rules

63 63 Protocol P CR/TL : rules

64 64 Protocol P CR/TL : rules

65 65 Protocol P CR/TL : behavior restriction With these rules we can prove availability To prove correctness, we need to restrict nodes’ behavior wrt. Bcast and Neighbor events

66 66 Protocol P CR/TL : Bcast restriction First attempt: Every Bcast is one these three events

67 67 Protocol P CR/TL : Bcast restriction First attempt: Every Bcast is one these three events Too restrictive! No other protocol can be executed by the nodes

68 68 Protocol P CR/TL : composability Better solution: Bcast of particular authenticators has to be the authentication message

69 69 Protocol P CR/TL : Neighbor restriction Every Neighbor event has to be one of these two events

70 Result Theorem: Protocol P CR/TL satisfies the Neighbor Discovery Specification: Correctness ( ND 1) Availability ( ND 2 CR/TL ) Under the assumptions: Relaying processing delay  relay > 0 Equality of maximum information propagation speed and wireless channel propagation speed v adv = v 70

71 Future Work: ND with adversarial nodes P CR/TL needs all nodes to be correct Partial solution: Distance-Bounding protocols [3] Cannot express DB in our model, as it uses: – xor – commitments – rapid bit exchange: protocol sends single fresh bits Not compatible with our definition of freshness 71 [3] S. Brands and D. Chaum. Distance-bounding protocols. EUROCRYPT '93

72 Future Work: ND with adversarial nodes Can one do without the rapid bit exchange? No: Bit level attack [6]: Need to shift model to bit level to reason about ND with adversarial nodes 72 guess a few bits C R = f(C) [6] J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. ESAS 2006.

73 Conclusions Proving the correctness of Secure Neighbor Discover protocols A model or wireless networks Secure Neighbor Discovery specification Definition of a Secure Neighbor Discovery protocol Highlighted interesting future directions 73

74 In the paper Proofs Other Secure Neighbor Discovery protocols – P CR/T - challenge-response / time-based protocol – P B/T - beacon / time-based protocol – P B/TL - beacon / time-and-location-based protocol Our model captures the differences in their – functionality – assumptions / requirements 74

Download ppt "Towards Provable Secure Neighbor Discovery in Wireless Networks Marcin Poturalski Panos Papadimitratos Jean-Pierre Hubaux."

Similar presentations

Chris Karlof and David Wagner

Chris Karlof and David Wagner
Secure Location Verification with Hidden and Mobile Base Stations -TMC Apr, 2008 Srdjan Capkun, Kasper Bonne Rasmussen, Mario Cagalj, Mani Srivastava.

Secure Location Verification with Hidden and Mobile Base Stations -TMC Apr, 2008 Srdjan Capkun, Kasper Bonne Rasmussen, Mario Cagalj, Mani Srivastava.
Denial of Service in Sensor Networks Szymon Olesiak.

Denial of Service in Sensor Networks Szymon Olesiak.
Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009.

Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009.
Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi.

Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi.
A Distributed Security Framework for Heterogeneous Wireless Sensor Networks Presented by Drew Wichmann Paper by Himali Saxena, Chunyu Ai, Marco Valero,

A Distributed Security Framework for Heterogeneous Wireless Sensor Networks Presented by Drew Wichmann Paper by Himali Saxena, Chunyu Ai, Marco Valero,
A Survey of Secure Wireless Ad Hoc Routing

A Survey of Secure Wireless Ad Hoc Routing
Containing DoS Attacks in Broadcast Authentication in Sensor Networks (Ronghua Wang, Wenliang Du, Peng Ning) Containing DoS Attacks in Broadcast Authentication.

Containing DoS Attacks in Broadcast Authentication in Sensor Networks (Ronghua Wang, Wenliang Du, Peng Ning) Containing DoS Attacks in Broadcast Authentication.
Marcin Poturalski, Manuel Flury,

Marcin Poturalski, Manuel Flury,
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
Computer Science 1 CSC 774 Advanced Network Security Enhancing Source-Location Privacy in Sensor Network Routing (ICDCS ’05) Brian Rogers Nov. 21, 2005.

Computer Science 1 CSC 774 Advanced Network Security Enhancing Source-Location Privacy in Sensor Network Routing (ICDCS ’05) Brian Rogers Nov. 21, 2005.
Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL 6788 11.

Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL
Transmission Time-based Mechanism to Detect Wormhole in Ad-hoc Networks Tran Van Phuong U-Security Group RTMM Lab, Kyung Hee Uni, Korea 2006.11.10.

Transmission Time-based Mechanism to Detect Wormhole in Ad-hoc Networks Tran Van Phuong U-Security Group RTMM Lab, Kyung Hee Uni, Korea
Distributed Detection Of Node Replication Attacks In Sensor Networks Presenter: Kirtesh Patil Acknowledgement: Slides on Paper originally provided by Bryan.

Distributed Detection Of Node Replication Attacks In Sensor Networks Presenter: Kirtesh Patil Acknowledgement: Slides on Paper originally provided by Bryan.
Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves.

Effectiveness of Distance Decreasing Attacks Against Impulse Radio Ranging Manuel Flury, Marcin Poturalski, Panos Papadimitratos, Jean-Pierre Hubaux, Jean-Yves.
Introduction to Sensor Networks Rabie A. Ramadan, PhD Cairo University 4.

Introduction to Sensor Networks Rabie A. Ramadan, PhD Cairo University 4.
Using Directional Antennas to Prevent Wormhole Attacks Lingxuan Hu, David Evans Jason Buckingham CSCI 7143: Secure Sensor Networks November 2, 2004.

Using Directional Antennas to Prevent Wormhole Attacks Lingxuan Hu, David Evans Jason Buckingham CSCI 7143: Secure Sensor Networks November 2, 2004.
Data Consistency in Sensor Networks: Secure Agreement Fatemeh Borran Supervised by: Panos Papadimitratos, Marcin Poturalski Prof. Jean-Pierre Hubaux IC-29.

Data Consistency in Sensor Networks: Secure Agreement Fatemeh Borran Supervised by: Panos Papadimitratos, Marcin Poturalski Prof. Jean-Pierre Hubaux IC-29.
A Low-Cost Method to Thwart Relay Attacks in Wireless Sensor Networks Reza Shokri Tutors: Panos Papadimitratos, Marcin Poturalski 29 January 2008.

A Low-Cost Method to Thwart Relay Attacks in Wireless Sensor Networks Reza Shokri Tutors: Panos Papadimitratos, Marcin Poturalski 29 January 2008.
Secure Data Communication in Mobile Ad Hoc Networks Authors: Panagiotis Papadimitratos and Zygmunt J Haas Presented by Sarah Casey Authors: Panagiotis.

Secure Data Communication in Mobile Ad Hoc Networks Authors: Panagiotis Papadimitratos and Zygmunt J Haas Presented by Sarah Casey Authors: Panagiotis.

Similar presentations

Ads by Google