Laboratory for Computer Communications and Application (LCA), Swiss Federal Institute of Technology (EPFL)
Srdjan Čapkun
joint work with Jean-Pierre Hubaux and Levente Buttyán+
{srdan.capkun, jean-pierre.hubaux}@epfl.ch, [email protected]
Mobility Helps Security in Ad Hoc Networks
+ Now with Laboratory of Cryptography and Systems Security (CrySyS), Department of Telecommunications, Budapest University of Technology and Economics
Does mobility increase or reduce security?
Mobility is usually perceived as a major security challenge
• Wireless communications
• Unpredictable location of the user/node
• Sporadic availability of the user/node
• Higher vulnerability of the device
• Reduced computing capability of the devices
However, very often, people gather and move to increase security
• Face to face meetings
• Transport of assets and documents
• Authentication by physical presence
- In spite of the popularity of PDAs and mobile phones, this mobility has not been exploited to provide digital security
- So far, client-server security has been considered as a priority (e-business)
- Peer-to-peer security is still in its infancy
Two scenarios
- Mobile ad hoc networks with a central authority
  - off-line or on-line authority
  - nodes or authorities generate keys
  - authorities certify keys and node ids
  - authorities control network security settings and membership
- Fully self-organized mobile ad hoc networks
  - no central authority (not even in the initialization phase!)
  - each user/node generates its own keys and negotiates keys with other users
  - membership and security controlled by users themselves
[Figure: two panels, "Fully self organized" and "Authority-based" (with a CA), with links labelled "trust"]
Secure routing requirements and assumptions
- A network controlled by the central authority
- All security associations established between all nodes prior to protocol execution
- The most stringent assumption: Routes are established between nodes with which a source and the destination have security associations
Secure routing proposals
- Securing Ad Hoc Routing Protocols, Zapata, Asokan, WiSe, 2002
- Ariadne, Hu, Perrig, Johnson, MobiCom 2002
- Secure Routing for Ad Hoc Networks, Papadimitratos, Haas, CNDS, 2002
- A Secure Routing Protocol for Ad Hoc Networks, Sanzgiri et al., ICNP, 2002
- SEAD, Hu, Perrig, Johnson, WMCSA 2002
Key management in Ad Hoc networks
Solutions proposed so far (not exhaustive)
• Providing Robust and Ubiquitous Security Support for MANETs (threshold cryptography, cooperation) UCLA: Kong et al., ICNP 2001
• Key Agreement in Ad Hoc Networks (shared password) Asokan and Ginzboorg, Computer Communications 2000
• Securing Ad Hoc Networks (1999) (threshold cryptography, servers) Cornell: Zhou and Haas, IEEE Network 1999
• Ariadne (Key distribution with on-line servers) Hu et al., Mobicom 2002
• Self-organized Public-Key Management for Mobile Ad Hoc Networks (certificate chains) EPFL: Capkun et al., TMC 2003
• SUCV (Montenegro and Castelluccia) NDSS 2002
• CAM (O'Shea and Roe) ACM Computer Communications Review 2001
Routing – security interdependence
Routing cannot work until security associations are set up.
Security associations cannot be set up via multi-hop routes because routing does not work
Existing solutions:
- Preloading all pairs of keys into nodes (it makes it difficult to introduce new keys and to perform rekeying)
- On-line authentication servers (problematic availability and in some cases routing-security inter-dependence, rekeying)
- CAM, SUCV
Mobility helps security of routing
- Each node holds a certificate that binds its id with its public key, signed by the CA
[Figure: nodes A and B exchange their certificates, { A, PuKA }PuKCA and { B, PuKB }PuKCA, over the wireless channel]
{ B, PuKB }PuKCA: certificate that binds B's public key with his id, issued and signed by the central authority
Wireless channel
- Typically long distance
- No integrity
- No confidentiality
Establishment of security associations
The establishment of security associations within the power range breaks the routing-security interdependence cycle
Discussion: advantages of the mobility approach (1)
- Mobile ad hoc networks with authority based security systems
  - breaks the routing-security dependence circle
  - automatic establishment of security associations
  - no user involvement
  - associations can be established in power range
  - only off-line authorities are needed
  - straightforward rekeying
Fully self-organized scenario
[Figure: Alice and Bob exchange their triplets, (Alice, PuKAlice, XYZ) and (Bob, PuKBob, UVW), over an infrared link]
Visual recognition, conscious establishment of a two-way security association
Secure side channel
- Typically short distance (a few meters)
- Line of sight required
- Ensures integrity
- Confidentiality not required
Two binding techniques
Binding of the face or person name with his/her public key: by the Secure Side Channel, the Friend mechanism and the appropriate protocols
Binding of the public key with the NodeId XYZ: by CAM or SUCV
Assumption: static allocation of the NodeId: NodeId = h(PuK)
• G. O’Shea and M. Roe: Child-proof authentication for IPv6 (CAM). ACM Computer Communications Review, April 2001
• G. Montenegro and C. Castelluccia: Statistically unique and cryptographically verifiable (SUCV) identifiers and addresses. NDSS 2002
Friends mechanism
[Figure: Alice, Colin and Bob (Colin’s friend), with an IR link]
Colin and Bob are friends:
• They have established a Security Association at initialisation
• They faithfully share with each other the Security Associations they have set up with other users
Mechanisms to establish Security Associations
Figure legend:
- Friendship: nodes know each other's triplets
- Exchange of triplets over the secure side channel
- Two-way SA resulting from a physical encounter
- i j: i knows the triplet of j; the triplet has been obtained from a friend of i
[Figure: diagrams on nodes i, f and j for each of the three mechanisms]
a) Encounter and activation of the SSC
b) Mutual friend
c) Friend + encounter
Note: there is no transitivity of trust (beyond your friends)
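The three mechanisms and the no-transitivity rule can be modelled in a few lines. This is an added sketch, not code from the authors: the hash choice (truncated SHA-256), the random byte strings standing in for public keys, and the names `Node`, `accept`, `sync`, `encounter` and `befriend` are all assumptions made for illustration. A triplet is accepted only if its NodeId equals h(PuK), and a node forwards to its friends only the triplets it obtained directly.

```python
import hashlib
import os

def node_id(puk):
    # Assumption: h is SHA-256 truncated to 64 bits; the slides only give NodeId = h(PuK).
    return hashlib.sha256(puk).hexdigest()[:16]

class Node:
    def __init__(self, name):
        self.name = name
        self.puk = os.urandom(32)   # constructed stand-in for a real public key
        self.friends = []
        self.direct = {}            # triplets from an SSC encounter or friend setup
        self.via_friend = {}        # triplets relayed by a friend (one-way knowledge)

    def triplet(self):
        return (self.name, self.puk, node_id(self.puk))

    def knows(self, name):
        return name in self.direct or name in self.via_friend

def accept(store, triplet):
    """Keep a triplet only if its NodeId really is h(PuK)."""
    name, puk, nid = triplet
    if node_id(puk) != nid:
        return False
    store[name] = triplet
    return True

def sync(node):
    """Share directly obtained triplets with friends; relayed ones are never forwarded."""
    for f in node.friends:
        for name, t in node.direct.items():
            if name != f.name:
                accept(f.via_friend, t)

def encounter(a, b):
    """Physical encounter: exchange triplets over the SSC (two-way SA)."""
    ok = accept(a.direct, b.triplet()) and accept(b.direct, a.triplet())
    if ok:
        sync(a)
        sync(b)
    return ok

def befriend(a, b):
    """Friends exchange triplets at initialisation and share their SAs afterwards."""
    a.friends.append(b)
    b.friends.append(a)
    return encounter(a, b)
```

With Colin a friend of both Bob and Dave, an encounter between Alice and Bob gives Colin Alice's triplet through Bob, while Dave learns nothing about Alice because Colin holds that triplet only as a relayed one.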
Discussion: advantages of the mobility approach (2)
- Fully self-organized mobile ad hoc networks
- There are no central authorities
- Each user/node generates its own public/private key pairs
- (No) trust transitivity
- Intuitive for users
- Can be easily implemented (vCard)
- Useful for setting up security associations for secure routing in smaller networks or peer-to-peer applications
- Requires some time until network is fully secure
- User/application oriented
Pace of establishment of the security associations
- Depends on several factors:
  - Area size
  - Number of communication partners: s
  - Number of nodes: n
  - Number of friends
  - Mobility model and its parameters (speed, pause times, …)
Established security associations :
Desired security associations :
Convergence :
Mobility models
- Random walk
  - discrete time
  - simple, symmetric random walk
  - area: Bounded and toroid grids (33x33, 100x100, 333x333)
  - number of nodes: 100
- Random waypoint
  - most commonly used in mobile ad hoc networks
  - continuous time
  - area size: 1000m x 1000m
  - max speed: 5m/s, 20m/s
  - pause time: 5s, 100s, 200s
  - security power range: 5m (SSC), 50m 100m (radio)
- Common simulation settings
  - simulations are run 20 times
  - confidence interval: 95%
[Figure: random walk transitions, each labelled p=1/5]
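The random walk setting can be reproduced with a short simulation. This is an added example, not the authors' simulator. It assumes that p=1/5 means each node stays put or moves to one of its four grid neighbours with equal probability, that an association is established whenever two nodes occupy the same grid point, that every pair is desired (s = n - 1) with no friends (f = 0), and that convergence is the fraction of desired associations established.

```python
import random
from itertools import combinations

# Stay, or move to one of the four neighbours: five choices, each with p = 1/5.
MOVES = [(0, 0), (1, 0), (-1, 0), (0, 1), (0, -1)]

def simulate(side, n, steps, seed=0):
    """Return the convergence (established / desired associations) after each
    step for n nodes walking on a side x side toroid grid."""
    rng = random.Random(seed)
    pos = [(rng.randrange(side), rng.randrange(side)) for _ in range(n)]
    desired = n * (n - 1) // 2
    established = set()
    curve = []
    for _ in range(steps):
        cells = {}
        for i, p in enumerate(pos):
            cells.setdefault(p, []).append(i)
        for members in cells.values():
            # Nodes on the same grid point meet and establish associations.
            established.update(combinations(members, 2))
        curve.append(len(established) / desired)
        pos = [((x + dx) % side, (y + dy) % side)
               for (x, y) in pos for dx, dy in [rng.choice(MOVES)]]
    return curve

def first_step_reaching(curve, target):
    """First step at which convergence is at least target, or None."""
    for t, c in enumerate(curve):
        if c >= target:
            return t
    return None

if __name__ == "__main__":
    for side in (8, 16):
        curve = simulate(side, n=20, steps=5000, seed=1)
        print(side, first_step_reaching(curve, 0.5), curve[-1])
```

Running it for two grid sizes with the same number of nodes shows the larger area reaching a given convergence level later.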
(Restricted) random waypoint
[Figure: restriction points; label "Any point on the plane"]
If=0 Regular random waypoint mobility model
Restricts the movement of nodes to a set of points with a predefined probability
- area size: 1000m x1000 m
- max speed: 5m/s, 20m/s
- pause time: 5s, 100s, 200s
- restriction probability: 0.1, 0.5, 1
- number of restriction points: 20
Size matters
[Plot: percentage of security associations (0 to 1) vs. time (steps), axis from 100 to 1000000. Curves: "s=99, N=100x100 rect., sim." and "s=99, N=33x33, anal."; tM is marked for N=33x33 and for N=100x100.]
tM=O(NlogN)
Friends help (f+1)
[Plot: percentage of security associations (0 to 1) vs. time (s), axis from 100 to 1000000. Legend: "s=99, f=0, pause=100 s, sr=5 m, v=5 m/s"; "s=99, f=2, pause=100 s, sr=5 m, v=5 m/s"; "s=99, f=0, pause=100 s, sr=5 m, v=20 m/s". Curve labels: 5m/s, 2 friends; 5m/s, 0 friends; 20m/s, 0 friends.]
Security range matters
[Plot: percentage of security associations (0 to 1) vs. time (s), axis from 10 to 1000000. Legend: "f=0, pause=100 s, sr=100 m, f=1"; "f=0, pause=100 s, sr=5 m, f=1". Curve labels: sec. range 5m; sec. range 100m.]
Meeting points help
[Plot: percentage of security associations (0 to 1) vs. time (s), axis from 10 to 1000000. Legend: three entries, each "f=0, pause=100 s, sr=5 m". Curve labels: random waypoint; restricted random waypoint (0.5); restricted random waypoint (1).]
Pause time
[Plot: percentage of security associations (0 to 1) vs. time (s), axis from 100 to 1000000. Legend: "s=99, f=0, pause=100 s, sr=5 m, v=5 m/s"; "s=99, f=0, pause=100 s, sr=100 m, v=5 m/s"; "s=99, f=0, pause=300 s, sr=100 m, v=5 m/s". Curve labels: power range 100m, pause 300s; power range 100m, pause 100s; power range 5m, pause 100s.]
Conclusion and future work
• Conclusion
  • Mobility can help security in mobile ad hoc networks, from the networking layer up to the applications
  • Mobility “breaks” the security-routing interdependence cycle
  • The pace of establishment of the security associations is strongly influenced by the area size, the number of friends, and the speed of the nodes
  • The proposed solution also supports re-keying
  • The proposed solution can easily be implemented with both symmetric and asymmetric crypto
• Current/future work
  • Closed-form expression for the pace of establishment of security associations with random walk mobility
  • Application of our scheme to secure routing protocols
  • Key revocation
  • Improved scalability
  • Better mobility models
http://www.terminodes.org
http://lcawww.epfl.ch/hubaux