
1 Copyright © 2005 May 5, 2005
On the Evolution of Adversary Models for Security Protocols*
Virgil D. Gligor
Electrical and Computer Engineering, University of Maryland, College Park, MD. 20742
gligor@umd.edu
Florida State University, Tallahassee, FL. 32306
May 5, 2005
*based on joint work with H. Chan, B. Parno and A. Perrig

2 Overview
1. A Security Perspective with some Old Examples
   New Technologies ~> New Vulnerabilities ~> New Adversary Models … New Security Protocol Analysis Methods and Tools
   (“~>” = almost always implies)
2. A New Example
   - New Technology: sensor networks
   - New Vulnerabilities: (variable number of) nodes captured and replicated
   - New Application: distributed sensing
   - New Adversary: different from both Dolev-Yao and Byzantine adversaries
   - New Tools: emergent properties, protocols
3. Conclusions

3 A Security Perspective and some Old Examples
Columns: Technology ~> Vulnerability ~> Adversary, Methods & Tools
- Technology: sharing programs & data; computing utility (early – mid ’60s)
  Vulnerability: confidentiality and integrity breaches; system penetration; DoS instances
  Adversary: untrusted user programs (TH)
  Methods & Tools: sys. vs. user mode (’62 ->); rings, sec. kernel (’65, ’67); FHM (’75) theory/tool (’91)*; DoS instances ex. (’67-’75); acc. policy models (’71 ->)
- Technology: shared services; e.g., DBMS, net. prot. (early - mid ’70s)
  Vulnerability: denial of service (os, net. protocols)
  Adversary: untrusted user processes; concurrent, coord. attacks
  Methods & Tools: DoS general def. (’83-’85)*; formal spec. & verif. (’88)*; models (’92 ->)
- Technology: PCs, LANs; public-domain Crypto (early – mid ’70s)
  Vulnerability: read, modify, block, replay, forge messages
  Adversary: man-in-the-middle, untrusted user processes; active, adaptive, mobile adv.
  Methods & Tools: informal: NS, DS (’78–81); semi-formal: DY (’81); Byzantine (’82 –>); crypto models (’84->)*; auth. prot. analysis (87->)
- Technology: internetworking; E2E argument (mid – late ’80s)
  Vulnerability: large-scale effects: worms, viruses, DDoS (e.g., flooding)
  Adversary: distributed, coordinated attacks
  Methods & Tools: virus scans, tracebacks, intrusion detection (mid ’90s ->)
- etc.

4 A Security Perspective …
New Technology ~> New Vulnerability ~> New Adversary Model, New Analysis Method & Tools
[Diagram labels: +/- O(months), +O(years)]
Long delays … cause problems
Reuse of Old (Secure) Protocols: New Technology ~> New Vulnerability, Old Adversary Model (mismatch)

5 New Technology: Sensor Networks
1. Ease of Scalable Deployment and Extension
   - simply drop sensors at desired locations
   - net. connectivity => neither administrative intervention nor base-station interaction
   - key sharing => simple neighbor discovery protocols, path keys
   - comm.: radio broadcast => Adv. cannot block-modify-retransmit
2. Nodes: Low-Cost, Commodity Hardware
   - low cost => physical node shielding is impractical => ease of access to internal node state
   (Q: how good should physical node shielding be to prevent access to a sensor’s internal state? A: most likely, impractically good)
3. Unattended Node Operation in Hostile Areas
   => adversary can capture & replicate nodes, insert replicas at chosen locations within a network

6 A New Attack: Node Capture and Replication
[Figure: NEIGHBORHOOD i (nodes 1, 2, 3; Captured Node 3), NEIGHBORHOOD j, NEIGHBORHOOD k; link labels: shared key outside neighborhood]

7 A New Attack: Node Capture and Replication (cont.)
[Figure: NEIGHBORHOOD i (nodes 1, 2, 3; Captured Node 3), NEIGHBORHOOD j, NEIGHBORHOOD k; Node Replica 1 and Node Replica 2 of node 3]
Note: Replica IDs are cryptographically bound to pre-distributed keys and cannot be changed

8 New (Replication) vs. Old (Dolev-Yao) Adversary
New (Replication) Adversary =/= Old (Dolev-Yao) Adversary
- can block/modify/insert messages only at specific node (replica) locations
- replicated nodes can adaptively modify network and trust topology
Old (Dolev-Yao) Adversary can
- control network operation
- man-in-the-middle: read, replay, forge, block, modify, insert messages anywhere in the network
- send/receive any message to/from any legitimate principal (e.g., node)
- act as a legitimate principal of the network
Old (Dolev-Yao) Adversary cannot
- perform unbounded computations
- perform cryptanalysis; e.g., discover a legitimate principal’s secrets
- capture and coerce the behavior of legitimate principals’ nodes
- replicate nodes adaptively, modify network and trust topology

9 Distributed Sensing: A New Application and its Adversary
Application: a set of m sensors observe and signal a global event
- each sensor broadcasts “1” whenever it senses the global event; else, it does nothing
- if t broadcasts are “1,” all m sensors signal the event; else they do nothing
Operational Constraints
- absence of the global event cannot be sensed (e.g., no periodic “0” broadcasts)
- no PKI => no authenticated broadcast (Note: no PKI =/= no PK encryption)
- threshold t is a constant not greater than m
- broadcasts are reliable and synchronous (i.e., counted in sessions)
Adversary Goals:
- violate integrity (i.e., any set of t < m false broadcasts)
- deny service (i.e., suppress m-t+1 broadcasts)
New (Distributed-Sensing) Adversary
- captures insider (i.e., any of m) nodes: forge, replay or suppress broadcasts (within same or across different sessions)
- increases broadcast membership: increases m with outsider nodes

10 An Example of Distributed Sensing: distributed revocation decision
Distributed Revocation Decision:
- d local neighbors sense the misbehavior of target node with which they share a pairwise private key
- each local neighbor broadcasts “revoke” whenever it senses target misbehavior; else, it does nothing
- if t (<= d) broadcasts are “revoke,” all d sensors revoke their key shared with the target (and propagate “revoke” decision to non-neighbor nodes that share a pairwise private key with target); else they do nothing.
Operational Constraints
- absence of target misbehavior cannot be sensed
- no PKI => no authenticated broadcast (Note: no PKI =/= no PK encryption)
- threshold t is a constant not greater than d
- broadcasts (and “revoke” propagations) are reliable and synchronous
Distributed Node-Revocation Decision => Distributed Sensing
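
The threshold rule of slides 9 and 10 can be exercised with a small model. This is an added example, not part of the original slides; it assumes every unauthenticated broadcast is counted once per sender, and the names Session, captured and outsiders are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    m: int              # sensors in the broadcast group (d neighbors for revocation)
    t: int              # constant threshold, 1 <= t <= m
    event: bool         # whether the global event (or misbehavior) really occurred
    captured: int = 0   # insider nodes controlled by the adversary
    outsiders: int = 0  # assumption: nodes the adversary adds to the membership

def count_ones(s: Session, forge: bool) -> int:
    """Number of "1" (or "revoke") broadcasts seen in one synchronous session."""
    honest = s.m - s.captured
    ones = honest if s.event else 0         # honest nodes stay silent when nothing is sensed
    if forge:
        ones += s.captured + s.outsiders    # no authenticated broadcast: all are counted
    return ones                             # forge=False models captured nodes suppressing

def signalled(s: Session, forge: bool) -> bool:
    return count_ones(s, forge) >= s.t

def integrity_violated(s: Session) -> bool:
    """A false event is signalled (e.g. a legitimate node is revoked)."""
    return (not s.event) and signalled(s, forge=True)

def service_denied(s: Session) -> bool:
    """A real event goes unsignalled because captured nodes stay silent."""
    return s.event and not signalled(s, forge=False)

def min_captures(m: int, t: int, outsiders: int = 0) -> tuple:
    """Fewest captured insiders needed for each adversary goal, by exhaustive search."""
    if not 1 <= t <= m:
        raise ValueError("threshold must satisfy 1 <= t <= m")
    forge = next(c for c in range(m + 1)
                 if integrity_violated(Session(m, t, False, c, outsiders)))
    deny = next(c for c in range(m + 1)
                if service_denied(Session(m, t, True, c)))
    return forge, deny

if __name__ == "__main__":
    print(min_captures(10, 4))               # sensing group, m = 10, t = 4
    print(min_captures(10, 4, outsiders=2))  # membership inflated by two outsiders
    print(min_captures(5, 3))                # revocation with d = 5 neighbors, t = 3
```

The search reproduces the m-t+1 suppression bound from slide 9 and shows that each outsider admitted to the membership lowers the number of captures needed for a false signal by one.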

11 New (Distributed Sensing) vs. Old (Byzantine) Adversary
Q: Byzantine Agreement Problem (with similar operational constraints)?
- reactive: both global event and its absence are (“1/0”) broadcast by each node
- no PKI => no authenticated broadcast => t > 2/3m honest (not captured) nodes
- broadcasts are reliable and synchronous (i.e., counted in sessions)
A: No.
Byzantine Agreement Problem => => Constrained Distributed Sensing (i.e., with “1/0” broadcasts, t > 2/3m) (=> Constrained Distributed-Revocation Decision) => Distributed Sensing
New (Distributed-Sensing) Adv. =/= Old (Byzantine) Adv.
- new adversary need not forge, initiate, or replay “0” broadcasts
- t new integrity adversary is stronger; otherwise, same or weaker
- new adversary may attempt to modify membership
Note: Replication Adversary must also be countered
- Replication Adversary => membership violation (not possible with Byzantine Adversaries)

12 New Vulnerabilities
1. Collusion to Subvert Applications
   - Ex. 1: subvert aggregation of sensor data; blocks legitimate transmissions, modifies and injects false data
   - Ex. 2: can subvert “distributed sensing”, e.g., sense false events, deny sensing of real events
2. Collusion to Subvert Network Operation
   - Ex. 1: replicated nodes cooperate to block traffic & partition the network
   - Ex. 2: revokes legitimate nodes and disconnects network using legitimate, distributed-revocation protocol
3. Circumvent Intrusion Detection (and net’s “immune” system)
   - Ex: spread abnormal behavior over multiple replicas to avoid detection

13 Conclusions
1. New Technologies ~> New Vulnerabilities ~> New Adversary Models … ~> New Protocol Analysis Methods and Tools
2. Time Gap between New Technologies and New Protocol Analysis Methods and Tools is Substantial and Must be Decreased
   => must anticipate New Vulnerabilities and define Adversary Models
   => adversary models must be realistic
4. Re-examination of Formal Methods and Analyzed Protocols is also Required if (Old) Protocols are Reused
5. Some adversaries are best countered by “emergent detection protocols”
   - distributed node replication
   - distributed sensing adversary (that captures over t nodes)
   (viz., examples given in papers co-authored with H. Chan, B. Parno and A. Perrig)

