Trustworthy Accounting for Wireless LAN Sharing Communities Elias C. Efstathiou and George C. Polyzos Mobile Multimedia Laboratory Department of Informatics.

Presentation transcript:

Trustworthy Accounting for Wireless LAN Sharing Communities
Elias C. Efstathiou and George C. Polyzos
Mobile Multimedia Laboratory, Department of Informatics, Athens University of Economics and Business
1st EuroPKI Workshop, Samos Island, Greece, 25-26/6/2004

26/6/2004, Trustworthy Accounting for Wireless LAN Sharing Communities, 2 of 20

Introduction
Design
Implementation and Conclusions

Motivation

Our need for wireless Internet access using laptops, PDAs, and mobile phones, wherever we may be…
The success of the Wireless LAN standards, which, when combined with broadband access, allow anyone to become a “wireless provider”
The limitations of the various public WLAN models:
  Wireless ISPs cover only selected hotspots and have few roaming agreements with each other
  Community Wireless Networks rely on participant altruism and can achieve only limited coverage
WLANs that are closed to outsiders already pervade many cities!

How to aggregate all WLANs?

WLANs are short-range → many WLANs are required for substantial coverage → costly for any one provider → need many providers
Can we automate multilateral roaming agreements?
  … without TTPs (unlike the Boingo Inc. model) in a self-organized way?
  … and fuel the deployment of a single global WLAN roaming network?
  … and attract new providers and cover more and more areas?

The Peer-to-Peer Wireless Network Confederation

[Figure: WLAN view and team view, showing WLAN Access Points (AP) and team members of the White Team, Red Team and Blue Team]

Let’s make it a game! The P2PWNC game, played by many (small) teams of people
Rules of the game:
  (1) Each team deploys and manages WLANs that cover public areas
  (2) Members of a team are allowed to roam in areas covered by other teams if they prove that their team also allows members from other teams to do the same

Cheating in the P2PWNC game

The game rules work as an incentive mechanism for WLAN deployment and constitute a rather reasonable proposal:
  People wanting free ubiquitous roaming can form teams and must provide in order to consume elsewhere
Cheaters would try to consume without contributing to the WLAN public good - selfish behavior is economically rational in this setting
The game rules are worth nothing if they cannot be enforced
How can roaming members from “good” teams convince other teams of their own team’s contribution in an open environment with no TTPs, where the game is “refereed” by the teams themselves?

Design requirements

Requirement 1: Specify a practical game that gives correct participation incentives and is refereed only by the teams themselves
Requirement 2: Tolerate strategic and malicious teams that may also tamper with the system’s software and hardware components
Requirement 3: Assume no trust relationships among any pairs of teams – most teams can and will be unknown to each other
Requirement 4: Allow any new team to join the game (and hopefully to follow the rules)

Design assumptions

Assumption 1: The extra cost for a team to provide access to any roamer is zero
  Assuming the team has already deployed the necessary access points and is paying the (fixed) backbone fees, and that any local congestion has a negligible effect
Assumption 2: Teams will exclude unknown roamers and roamers from teams that cannot prove their “good-standing” in the game
  Teams will do this in order to provide incentives to individuals and organizations to deploy new WLANs (or to share their existing ones) thereby benefiting the team’s own members
Assumption 3: There is no anonymity within a team, so “bad” member behavior, if detected, can be punished using social means
Assumption 4: Teams are symmetric


Game certificates

Team cert.: Team PK; Team Server IP addr; self-signed
Member cert.: Member PK; Team PK; Expiry date; signed using team private key
IOU (“I owe you”) cert.: Providing Team cert; Consuming Member cert; Consuming Team cert; Timestamp; signed using member private key

[Figure: Team Server, APs, WLAN service, IOU certificate]

All APs broadcast their team certificate periodically so roamers can detect them
After routing the first KBs, APs expect an IOU otherwise they terminate the WLAN session
AFTER AUTHENTICATION:
IOUs are stored in the team server and are used as evidence of good-standing

A naïve authentication algorithm

[Figure: Team Server, AP, Team certificate & Member certificate, Team Server; exchange “any IOUs?” / “Sure!”; IOU graph with teams X, Y, Z]

The ‘A B’ notation: A member from team A gave an IOU to team B (A and B are team PKs)
All such IOUs could be fake or the result of team collusion…

Less naïve authentication algorithms

[Figure: Team Server, AP, Team Server; exchange “any IOUs?”; IOU graph with teams X, Z, R, B]
… a bit restrictive, can we do better?

[Figure: Team Server, AP, Team Server; exchange “any IOUs?” / “Yes!”; IOU graph with teams X, Z, Y, W, R, B]
… collusion and fabricated IDs still possible, however the R → W → Z → B path indicates that SOME TEAM in the {B, Z, W} coalition did provide service to R
R can provide to B and can then consider all IOUs in the R → W → Z → B path “paid back”
B will also give a fresh IOU to R

Incentives

[Figure: two IOU graphs with teams X, Z, Y, W, R, B]

R gains a useful subtree by providing WLAN to B
For example, R can use this subtree when visiting W again in the future
Why should Z or W help with the tree search? Because, for all they know, one of their members may be trying to access R. Why risk it?

Storage and Bootstrapping (1/2)

IOUs can be “forgotten” after a Time-To-Live (TTL)
  → incentive for continuous participation
  → no incentive to give to teams with expired first-level IOUs, their subtrees are worthless
  → how does “forgetting” affect the connectedness of the IOU graph?
  → simulations show that beyond a TTL value the rate of failures to reward contributors falls near zero

Storage and Bootstrapping (2/2)

A providing team need only store the latest incoming IOU from every different consuming team
  the authentication algorithm only requires the latest one
To remember paths that are “paid back” only hashes of the “used” IOUs are required, and then only until they too can be completely forgotten according to the TTL
To bootstrap the system: new teams, or teams that have been out of the game for a long time, would need to remain altruistic (i.e. provide WLAN without running the authentication algorithm) for a period - at most a TTL - in order to collect IOUs
  their tendency to remain altruistic is balanced by their need to give to other teams the correct incentives for participation and contribution

Efficiency enhancements

Whose responsibility is it to search the IOU tree?
  can this cost be split in a fair and incentive-compatible way?
Team servers, starting from their own incoming stored IOUs, periodically query the consuming servers encoded in the IOUs (incentives to answer the query are the same as before)
  this way, they can build a pre-computed tree with a specific number of distinct nodes, and send a summary of the latest tree to their roaming members whenever the opportunity arises (over a WLAN or cellular connection)
If servers also maintain their (unpaid-back) outgoing IOUs, the authentication problem is reduced to merging these structures and searching for connecting paths locally
Since the tree is only a summary, a provider would still need to check the servers on a locally established path in order to confirm the signatures, but the average path length will normally be quite short for teams operating close to each other
The probability of success increases rapidly with the number of a provider’s outgoing IOUs to distinct teams, and the number of (distinct) nodes in the pre-computed tree

[Figure: Team Server with a pre-computed tree over teams X, Z, Y, W, B and outgoing IOUs to teams W, R, V]


Implementation

[Figure: implementation architecture]
Components: IOU store; Tree search; Cert. mgmt.; DHCP; NAT/router/firewall; Authenticator; Game beaconing; Member & team certificates; Pre-computed trees; IOU generation
Interfaces: Member-AP interface; Member-Home interface; Home-AP interface; Home-Home interface
Devices: Standard PC; Linksys WRT54G AP (16MB RAM, 4MB Flash); Pocket PC client

Conclusions

We demonstrated a practical incentive mechanism for WLAN resource sharing
We assumed an extremely limited-trust model (in hardware, software, people)
By avoiding TTPs and by going for an open and simple protocol spec we could make adoption by WLAN device vendors a natural and low-risk investment
No hard service guarantees… but then it’s only a game!

Thanks!

Elias C. Efstathiou
Mobile Multimedia Laboratory, Department of Informatics, Athens University of Economics and Business
mm.aueb.gr/~efstath/