Security of Wireless Networks
Srdjan Čapkun, Department of Computer Science
ETH Zurich 2016

Broadcast Authentication
Tesla and I-Codes

Security of Wireless Networks, AS 2010

Broadcast Authentication
Broadcast Message Authentication
• One sender, a number of receivers (possibly malicious and unknown to the sender).
• All receivers need to verify the authenticity of the sender's messages.
[Figure: a broadcast carrying (x, y, z), time and value; several nodes are marked M]
Any ideas how to solve this problem? Efficiently?

Using Public-Key Cryptography for Broadcast Authentication
Using PK crypto in distributed networks is:
• simple
• effective
• enables broadcast authentication
• distribution of new keys and insertion of new nodes is straightforward
• ...
• expensive
[Figure: nodes 1 to 8 and S, with the labels PK8, PKS, "m, sig8(m)", M and m']

Resource-constrained Devices
Moteiv Tmote Sky
• 8 MHz Texas Instruments MSP430 microcontroller (10k RAM, 48k Flash)
• 250 kbps 2.4 GHz IEEE 802.15.4 Chipcon Wireless Transceiver
• Hardware link-layer encryption and authentication
Tinynode
• 8 MHz Texas Instruments MSP430 microcontroller
• 868 MHz Xemics XE1205 multichannel wireless transceiver
• RAM 10 Kbytes, Program Space 48 Kbytes, External Flash 512 Kbytes, Configuration Flash 256 bytes
Mica2, MicaZ, …

Example Costs of Crypto Operations (indicative)
Diffie-Hellman with 1,024-bit keys (Mica2)
• 54.1144 sec for key generation
• 1,250 B of SRAM
• 11,350 B of ROM
• 1.185 Joules (3.9897 × 10^8 cycles)
ECC with 163-bit keys (Mica2) by BBN (D. Malan)
• 34.390 sec for key generation
• 1,140 B of SRAM
• 34,342 B of ROM
• 0.82149 J (2.5289 × 10^8 cycles)
More ECC
• TinyECC takes 12 to 16 seconds to verify a signature on MicaZ
• Sizzle from Sun, several seconds on Atmel chip
Symmetric-key computations: SKIPJACK block cipher with 80-bit keys on Mica2
• 2,190 µsec for encrypt()
• 3,049 µsec for computeMac()

Broadcast Authentication without PK Crypto?
Can we enable broadcast authentication without PK crypto primitives?
Two approaches:
• Delayed Key Disclosure (Cheung, Tesla)
• Presence Awareness (I-Codes)

Broadcast Authentication based on Delayed Key Disclosure
Main characteristics:
• Uses purely symmetric primitives (MACs)
• Asymmetry from delayed key disclosure
• Self-authenticating keys (one-way hash chains)
• Requires loose time synchronization
First proposal by Cheung in 97, follow-up proposal by Perrig in 2001 (named Tesla)
Tesla: http://sparrow.ece.cmu.edu/group/broadcast-authentication.html

Broadcast Authentication based on Delayed Key Disclosure (TESLA)
One-way chains:
• s_l is randomly chosen
• F(.) is a one-way (hash) function
• If an attacker knows s_i, it can easily generate s_{i-1} (by applying F(.)), but cannot generate s_{i+1}

Broadcast Authentication based on Delayed Key Disclosure (TESLA)
• s_l is randomly chosen
• Sender generates a key K_l and keeps it confidential
• Generates K_0 and distributes it to all receivers
K_0: distributed (authentically) to all receivers, like a public key of the sender

Broadcast Authentication based on Delayed Key Disclosure (TESLA)
• s_l is randomly chosen
• To transmit a message M_j, the sender MACs M_j with the key of the current time interval (K_i')
• The key is used ONLY WITHIN ITS INTERVAL
• Each key is explicitly disclosed in cleartext after the interval
K_0: distributed (authentically) to all receivers, like a public key of the sender
(d = 1)

Broadcast Authentication based on Delayed Key Disclosure (TESLA)
Message Verification:
• Receive M_j
• Receive K_i
• Compute K_i' = F'(K_i)
• Verify MAC
• Verify that F^n(K_i) = K_0
• Verify that the message was received within the key validity interval (before the key was disclosed)

• The keys are authenticated using one-way hash chains
• The messages are authenticated using the keys
• If the key is used after the interval, the message is ignored
K_0: distributed (authentically) to all receivers, like a public key of the sender
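
Added example (not from the lecture slides): a minimal Python sketch of the sender and receiver steps listed above. SHA-256 and HMAC-SHA-256 stand in for F, F' and the MAC, the n in F^n(K_i) = K_0 is taken to be the interval index i, and the interval length, clock error bound and all function names are assumptions of the sketch.

```python
import hashlib, hmac, os

T_INT, D, SKEW = 1.0, 1, 0.1   # interval length (s), disclosure delay d, clock error bound (assumed)

def F(k):                      # one-way chain function: K_{i-1} = F(K_i)
    return hashlib.sha256(b"chain" + k).digest()

def F_prime(k):                # MAC key derivation: K_i' = F'(K_i)
    return hashlib.sha256(b"mac" + k).digest()

def make_chain(l):
    """Sender: choose K_l at random and return [K_0, ..., K_l]."""
    chain = [os.urandom(32)]
    for _ in range(l):
        chain.append(F(chain[-1]))
    return chain[::-1]

def send(chain, i, msg):
    """Packet sent during interval i, i.e. in [i*T_INT, (i+1)*T_INT): (message, i, MAC under K_i')."""
    return msg, i, hmac.new(F_prime(chain[i]), msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, k0):
        self.k0, self.buffer = k0, []   # K_0 was obtained authentically

    def on_packet(self, pkt, recv_time):
        """Buffer the packet only if K_i cannot have been disclosed yet."""
        _, i, _ = pkt
        if recv_time + SKEW >= (i + D) * T_INT:   # K_i goes public at (i + d) * T_INT
            return False                           # too late: ignore the message
        self.buffer.append(pkt)
        return True

    def on_key(self, i, k_i):
        """Check F^i(K_i) = K_0, then return the buffered messages of interval i that verify."""
        k = k_i
        for _ in range(i):
            k = F(k)
        if not hmac.compare_digest(k, self.k0):
            return []                              # key is not on the sender's chain
        mac_key = F_prime(k_i)
        good = [m for m, j, tag in self.buffer if j == i and hmac.compare_digest(
            tag, hmac.new(mac_key, m, hashlib.sha256).digest())]
        self.buffer = [p for p in self.buffer if p[1] != i]
        return good
```

A packet that carries a valid MAC but arrives after the disclosure time is dropped by on_packet, which is the check that keeps a disclosed key from being reused.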

Wireless Device Pairing

Device Pairing: Problem
Given a pair of wireless devices, how do they establish a secret key in the presence of an adversary (passive or active – MITM attack)?
Note: the devices have no preloaded keys/credentials (e.g., two mobile phones, a phone and a printer, ...)
[Figure: A and B exchange "Here is my (Secret or Public) key" and "Thanks", with M on the channel]

Device Pairing: Diffie-Hellman Protocol
DH protocol enables secret key establishment by public communication.
Given a prime p, a generator g of Z_p* and elements g^a mod p and g^b mod p, it is computationally difficult to find g^ab mod p. Given g^x mod p, it is computationally difficult to find x.
A → B: g^a mod p
B → A: g^b mod p
A: generate a, compute k = (g^b mod p)^a
B: generate b, compute k = (g^a mod p)^b

Device Pairing: Diffie-Hellman Protocol
DH protocol enables secret key establishment by public communication.
DH fully resists passive attackers (eavesdropping only). DH is not secure against active attackers (MITM attacks).
[Figure: the DH exchange between A and B (g^a mod p, g^b mod p, each side computing k), with M on the channel]

Device Pairing: Diffie-Hellman Protocol
DH is not secure against active attackers (MITM attacks).
A sends g^a mod p; M intercepts it and forwards g^m mod p to B
B sends g^b mod p; M intercepts it and forwards g^m mod p to A
A: generate a, compute k_MA = (g^m mod p)^a
B: generate b, compute k_MB = (g^m mod p)^b
DH keys/contributions (g^a mod p and g^b mod p) therefore need to be authenticated, or there has to be a procedure to verify with whom the key was established.

Device Pairing
Device Pairing can be built using
• Diffie-Hellman (i.e., using public-key crypto)
• Using symmetric key techniques (under some special assumptions)
Pairing is easy if the devices can verify each other's certificates (they can then authenticate their DH keys/contributions by signatures).

Device Pairing: A Large Number of Proposals
• Resurrecting duckling (Stajano, Anderson), physical contact
• Balfanz et al., location-limited channel (e.g., infrared link)
• Asokan, Ginzboorg, shared password
• Jakobsson, Larsson, solutions to derive a strong key from a shared weak key
• Castelluccia, Mutaf, device signal indistinguishability
• ... button presses, accelerometers, sound, PIN entry (BT) ...
------
• Cagalj, Capkun, Hubaux, distance bounding
• Perrig and Song, public-key hash visualization
• Gehrmann et al., short string comparison
• Cagalj, Capkun, Hubaux, short string comparison
• Dohrmann and Ellison, short word comparison
• ...

Device Pairing: Short String Comparison
Maher, 93, US patent; Gehrmann et al. 01, 03, 04 (MANA I, II, III)
Steps:
• Establish key k using DH
• Hash the key h(k) and display on both devices
• Compare the displayed values (160 bits = 20 characters)
[Figure: A and B run the DH exchange (g^a mod p, g^b mod p), each computes k, and both devices display the string X12K]
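
Added example (not from the lecture slides): a Python simulation of the three steps above, run once over an honest channel and once over a channel on which both contributions are replaced by g^m, as in the MITM slide. The modulus and base are toy values so the block runs offline, SHA-256 truncated to 160 bits stands in for h, and the base32 rendering and all function names are assumptions.

```python
import base64, hashlib, secrets

P = 2**127 - 1   # toy prime modulus (assumption; far too small for real use)
G = 3            # toy base (assumption)

def keypair():
    """Return (x, g^x mod p) with a fresh random private exponent x."""
    x = secrets.randbelow(P - 3) + 2          # x in [2, P-2]
    return x, pow(G, x, P)

def shared_key(priv, peer_pub):
    """k = (peer contribution)^priv mod p, as bytes."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def display_string(k, chars=32):
    """h(k) as shown to the user: 160 bits of the hash, base32-encoded."""
    digest = hashlib.sha256(k).digest()[:20]
    return base64.b32encode(digest).decode()[:chars]

def pair(channel=None):
    """Run DH between A and B; `channel` decides what each side actually receives."""
    a, ga = keypair()
    b, gb = keypair()
    ga_at_b, gb_at_a = channel(ga, gb) if channel else (ga, gb)
    str_a = display_string(shared_key(a, gb_at_a))   # A's display
    str_b = display_string(shared_key(b, ga_at_b))   # B's display
    return str_a, str_b

def substituting_channel(ga, gb):
    """Channel controlled by M: both sides receive g^m mod p instead."""
    _, gm = keypair()
    return gm, gm

def user_accepts(str_a, str_b):
    """The human comparison step: accept the key only if both displays match."""
    return secrets.compare_digest(str_a, str_b)
```

Over the honest channel both devices display the same string; over the substituting channel A holds k_MA and B holds k_MB, so the displays differ and the users reject the pairing.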

Device Pairing: Seeing is Believing
McCune et al. 05, Seeing is believing
Idea:
• Send the public key over an authentic channel (visual).

Device Pairing: Loud and Clear
Goodrich et al. 05
Idea: Human-assisted string comparison using voice communication
Steps:
• A hashes its public key PK
• h(PK) mapped to a recognizable sentence (public mapping)
• sentence transmitted over the voice channel
• PK transmitted over the wireless channel
• B maps the sentence and compares it to the hash of PK
Similar: on-line authentication (e.g., for Secure VOIP applications) http://zfoneproject.com/

Device Pairing: Integrity Regions
Capkun, Cagalj 06
Idea:
• Establish key k using DH
• Authenticate DH keys by physical proximity (distance bounding)
• 'if the DH key comes from a close proximity it comes from a friend'

Nokia/Aalto, 07.09.2011
Device Pairing: Integrity Regions Protocol
[Figure: protocol diagram with the labels "Message Authenticator", "DH keys (long)", "Short Digests" and "Distance Bounding"]

Device Pairing: Shake Them Up!
Castelluccia, Mutaf 05
Problem:
• Resource-constrained devices need to establish keys
• DH (PK crypto) is not an option (too expensive)
Idea:
• Rely on the fact that the attacker does not know which device transmits at which time...

Device Pairing: Shake Them Up!
Idea:
• Device indistinguishability
Some issues
• Synchronization (done through shaking)
• Signal fingerprinting (power, frequency, ...) need to be addressed before using this approach

Device Pairing: Conclusion
DH can be protected against MITM attacks without previously established keys/certificates
• physical contact
• device indistinguishability (anonymity)
• string comparison (voice communication)
• image comparison (hash visualization)
• distance bounding (physical presence verification)
The string length is a security parameter that can be modified and adjusted for each particular application.
• We can do it without PK (Shake, Accelerometers, ..)

Device Pairing: Protocol issues
DH can be protected against MITM attacks without previously established keys/certificates
• physical contact
• device indistinguishability (anonymity)
• string comparison (voice communication)
• image comparison (hash visualization)
• distance bounding (physical presence verification)
The string length is a security parameter that can be modified and adjusted for each particular application.
• We can do it without PK (Shake, Accelerometers, ..)