Presentation is loading. Please wait.

Presentation is loading. Please wait.

From the Eternity Service to Suicide Bombing – a Short History of Ad-hoc Network Security Ross Anderson Cambridge.

Similar presentations


Presentation on theme: "From the Eternity Service to Suicide Bombing – a Short History of Ad-hoc Network Security Ross Anderson Cambridge."— Presentation transcript:

1 From the Eternity Service to Suicide Bombing – a Short History of Ad-hoc Network Security Ross Anderson Cambridge

2 Overview Eternity Service The Resurrecting Duckling Cocaine Auctions Smart Dust Eternity II – Economics, and Topology Applying it – HomePlug Lessons Learned

3 Early Days Penet.fi r er operated by Julf Helsingius from 93 to 96 Scientologists got an order in Feb 95 for access to logs to identify a critic Same again twice in 96; then Julf shut Penet What is the scope of legal threats to the information society?

4 Censorship and Technology Wycliff translated the Bible into English in 1382 Fallout contained in most countries… William Tyndale did it again in the 16th century But now there was printing! What happens to society if books that the rich and powerful don’t like can be unpublished? Next question: can we design a system to withstand compulsion?

5 The Eternity Service (1996) Idea: a peer-to-peer file store You donate some of your own storage You can then publish documents Documents protected by encryption, fragmentation, redundancy, scattering You don’t know which parts of which documents are on your machine Selective service denial isn’t possible

6 Peer-to-Peer Security After Napster was closed down, the ideas in Eternity were adopted by Freenet, Gnutella Music industry starts trying hard to find real attacks! Spam it with poisoned content Download stuff, identify uploaders, and sue them In other words, in a network that anyone can join, it’s not the initial authentication that matters so much as subsequent conduct

7 The Resurrecting Duckling (1999) Initial problem: what does it mean for a medical sensor to be ‘secure’? The doctor picks up a thermometer from a nursing station and mates it to her PDA First requirement: bond to the first device you see (like a baby duckling) Second requirement: the mother should be able to break the bond (kill and resurrect her duckling)

8 Resurrecting Duckling (2)

9 Cocaine Auctions (1999) If we have the opposite of authenticated principals – anonymous broadcast – can we design systems to do real work? Surprising answer: yes! Suppose a dozen Mafiosi are in a room conducting a cocaine auction Mistrustful principals, no arbitrator, no PKI – just anonymous broadcast devices

10 Cocaine Auctions (2) At each successive price, each bidder broadcasts a new Diffie-Hellman key g ri The final bidder claims the coke by setting up a key with the seller who broadcasts g w and the delivery details encrypted under g wri If the seller cheats the buyer, or vice versa, this can be decrypted and broadcast to support an accusation of cheating Lesson: you can do standalone transaction crypto. You don’t need long-term security associations

11 Smart Dust (2002–4) Battery-powered devices Wireless comms Not tamper-proof Limited CPU, memory Communicate peer-to-peer Deployed randomly Can then be subverted

12 Smart Dust (2) How can we load keys? –Public key – need too big a CPU –Combinatorial symmetric keys – messy, fiddly –Single master key – will be compromised after deployment But – does this really matter? Same effect as devices broadcasting keys locally in clear on landing, and eavesdropping starts after that

13 Smart Dust (3) Mote i, when it comes to rest, transmits key ki When mote j hears it, it responds with just enough power for the link: j  i: {j, k ji } ki i j The key is compromised if a hostile mote lies in the intersection i E.g, 1 black mote for 100 white % of links secure

14 Smart Dust (4) You can improve this will various extra resilience mechanisms – multiple path keys, privacy amplification etc Economic question: how much do you invest in bootstrapping and how much in later resilience? Answer: it depends on the initial and marginal costs of both attack and defence! Smart dust owner will often favour the resilience mechanisms over the bootstrapping mechanisms in order to cause the defender to give up

15 Eternity Again – Economics If you have a peer-to-peer system, should you put everything into one pot, or not? Eternity, freenet, mojonation, chord, oceanstore: everyone shares everything The systems that prevailed had people share only their own stuff: Gnutella, Kazaa,… We modelled solidarity versus clubs in defence and explained this (WEIS 2005): people fight harder to defend what they care about Past a certain point, solidarity will fail

16 – and Topology (2005) Real-world physical systems tend not to have every node talking to every other, or even to a random collection of nodes Instead, there’s often a power-law structure with some ‘popular’ nodes Knocking these nodes out can disable the network: Ukrainian kulaks, Senegal hookers What sort of defences are possible?

17 Naïve Defenses Don’t Work! Basic vertex- order attack – network dead after 2 rounds Random replenishment – 3 rounds Scale-free replenishment – 4 rounds

18 Evolving Defense Strategies Black – scalefree replenishment Green – replace high-order nodes with rings Cyan - replace high- order nodes with cliques Cliques work very well against the vertex-order attack

19 Suicide Bombing (2007) Revocation is a big problem in real life, and even worse in many ad-hoc network models Another possibility: node A on seeing node B misbehaving simply declares them both to be dead This is cheap; it scales well; it’s not much affected by mobility; and it works across interesting parameter ranges Suicide and high-risk attacks common in nature – bees, helper T-cells, … Ad-hoc network models help us understand them

20 HomePlug HomePlug AV is a 2006 standard for power-line communications at 150Mbps How do you set up keys between TVs, PVRs, DSL modems, wifi, hifi, PCs, … ? Somewhat similar to the problems faced by bluetooth, wifi designers Great variety of devices, some with no decent input and / or output interfaces Great variety of CPUs, from peanut to Pentium

21 HomePlug (2) Most users just want dependability – they want their speakers to mate with their hifi, not their neighbours’ A handful want security too Usability is critical Too many returned devices would be fatal Big question: do we include a public key mode?

22 Homeplug (3) Suppose you have a PK protocol where the user confirms the right key is set up Attack on high-value home user attorney… Man in grey van does microwave DoS on set top box, attaches similar to mains User has no TV, sees on PC “found Philips set-top box with cert ID 4F3D241E… admit/deny?” Moral: not enough to say Y/N, user must copy text So might as well just print the key on the label!

23 HomePlug (4) That’s why HomePlug has only two modes, Secure and Simple Connect Simple Connect mode: device on power-up, like duckling, looks for a mummy Bootstrap key sent in clear, protocols to confirm it’s the right device / network bond Secure mode: copy the AES key from the device label into your network management station (I.e. your PC) Is this not optimal?

24 Lessons Learned Ad-hoc networks, whether peer-to-peer or wireless, have new needs Crypto geeks used to focus on authentication. But bootstrapping is only a tiny part of the lifecycle Most of the work usually goes into managing associations once they’re established But then that’s how the real world has always worked … can you remember when you first decided to trust your mother?

25


Download ppt "From the Eternity Service to Suicide Bombing – a Short History of Ad-hoc Network Security Ross Anderson Cambridge."

Similar presentations


Ads by Google