Mobile Traffic Sensor Network vs. Motion-MIX: Tracing & Protecting Mobile Wireless Nodes

Presentation transcript:

Mobile Traffic Sensor Network vs. Motion-MIX: Tracing & Protecting Mobile Wireless Nodes
# Jiejun Kong, * Dapeng Wu, + Xiaoyan Hong, # Mario Gerla
# Dept of Computer Science, * Dept of Computer Science, + Dept of EE
UCLA, University of Florida, University of Alabama
November 7, SASN '05

Problem: Mobile Anonymity
Fixed Anonymity: Identity (net addr)
Mobile Anonymity: Identity  Location
–Identity (net addr/identity)
–Location (positioned by the adversary)
–Motion pattern (deduced by the adversary)
Significance of anonymous wireless communication
–1996 A.D.: Chechnya rebel leader, General Dzhokhar Dudayev, always on the move, but killed during a traceable wireless call

Mobile Traffic Sensor Network
Mobile traffic analyst
–Unmanned aerial vehicle (UAV)
–Coordinated positioning (tri-lateration / tri-angulation) can reduce location uncertainty
If moving faster than the transmitter, can always trace the victim

Outline
Background
Proposed solution
–In theory: Asymptotic network security model
–In practice: Motion-MIX
Security analysis
–Motion-MIX satisfies the asymptotic network security model
Summary

Notion: Security as a “landslide” game
Played by the guard and the adversary
–Proposal can be found as early as Shannon's 1949 paper
–Not a 50%-50% chance game, which is too good for the adversary
The notion has been used in modern crypto since 1970s
–Based on NP-complexity
–The guard wins the game with 1 - negligible probability
–The adversary wins the game with negligible probability
–The asymptotic notion of “negligible” applies to one-way function (encryption, one-way hash), pseudorandom generator, zero-knowledge proof, ……
AND this time ……

Our Asymptotic Network Security Model
Concept: the probability of security breach decreases exponentially toward 0 when network metric increases linearly / polynomially
Consistent with computational cryptography's asymptotic notion of “negligible / sub-polynomial”
is negligible by definition
–x is key length in computational crypto
–x is network metric (e.g., # of nodes) in network security
Definition: A function  : N  R is negligible, if for every positive integer c and all sufficiently large x's (i.e., there exists N_c > 0, for all x > N_c),

The Asymptotic Cryptography Model
Security can be achieved by a polynomial-bounded guard against a polynomial-bounded adversary
[Figure: x-axis: # of key bits (key length), with 128 marked; y-axis: probability of security breach; the “negligible” line (sub-polynomial line); regions labelled Insecure, Secure and (Ambiguous area)]
See Lenstra's analysis for proper key length (given adversary's brute-force computational power)
There are approximately atoms in the entire universe

Our Asymptotic Network Security Model
Conforming to the classic notion of security used in modern cryptography! We've used the same security notion
[Figure: x-axis: network metric (e.g., # of nodes -- network scale); y-axis: probability of network security breach; the “negligible” line (sub-polynomial line) and the “exponential” line (memory-less line); regions labelled Insecure, Secure and (Ambiguous area)]

Design Assumptions
Adversary model
–Passive
–Few insiders (captured & compromised nodes)
–Global (or equivalently, mobile and capable of scanning the entire network area in short time)
–Honest-but-curious (protocol-compliant)
–External: polynomially-bounded by key length
–Internal: fraction  of N (which is # of network nodes)
Network model
–Loquor ergo sum (I speak, so I exist): nodes must transmit upon application demand, cannot shut up
–Pairwise key sharing (via Diffie-Hellman, KPS, or “mobility helps security”)

Venue 
[Figure label: The VIP node being traced]
“Venue” is the smallest area in which the adversary can “pinpoint” a wireless transmitter via its wireless transmission

Assumption: Imperfect Wireless Positioning D. Niculescu, B. Nath, “VOR Base Stations for Indoor Positioning,” ACM MOBICOM’04, pp.58—69.

Motion Pattern Tracing (1 node)
1 transmitting node in the network
No way to protect it
–Just like a cryptographic case using 1-bit key

Motion Pattern Tracing (2 nodes)
2 transmitting nodes in the network; better security protection
What's the network-based analytic model behind this phenomenon?
What happens if there are many nodes in a scalable network?
We need Motion-MIX

Motion-MIX: Design Goal
k incoming mobile nodes or wireless packet flows get fully mixed in the Motion-MIX
k-anonymity: the adversary cannot differentiate these k nodes

Motion-MIX vs. Chaumian MIX
Effectiveness determined by the adversary's capability & the guard's capability
1. Privacy model: like Chaumian MIX processor, the internal state of Motion-MIX is private
   The adversarial side cannot position any transmitting node inside the area quantified by 
2. Temporal-spatial model: like Chaumian MIX (e.g., pool mix), the guarding side can delay and gather the protected items in a Motion-MIX
   Motion-MIX's size is determined bi-laterally (the adversary & the guard) in terms of time and space

Size of Motion-MIX
Adversary determines inner circle
Guard determines outer ring
–  t is the minimum delay between any 2 transmissions from a single node
–v_avg is the average/expected node mobility speed
Motion-MIX's size is a bilaterally-determined quantity  ' = (  + v_avg *  t)
[Figure label: Adversary's capability  '']

Wireless Traffic Mixing Per Venue
Algorithm D -- Wireless traffic mixing: (Each venue transmits approximately k packets per  t in a fully distributed manner)
Prerequisite: Pre-defined system parameter k and unit time  t.
    Divide current unit time  t into k slices.
    FOR ( each time slice i ) DO
        IF ( I have only heard x<i transmissions so far during the current unit time interval )
            In the next time slice, transmit a decoy packet with probability (i-x)/i.
        END IF
    END FOR
Ensures: Greater-than-zero effect
1. If at least one “good” node is in a venue, the adversary can only estimate that there are on average E(k  ' ) nodes inside. The actual # of nodes inside the venue can be from minimally 1 to maximally (N - #_of_non-empty_venues).
2. Otherwise, the venue is empty. Motion-MIX is not functional.
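Algorithm D above, simulated for one venue as an added example (not code from the original slides). Assumptions of this sketch: all nodes in the venue hear each other, x counts a node's own transmissions as well, and a decoy decided in the last slice is not sent because the unit time has ended.

```python
import random

def mix_venue(k, nodes, real_slices, rng):
    """Simulate Algorithm D for one unit time in one venue.

    k           -- pre-defined system parameter (slices per unit time)
    nodes       -- nodes in the venue, all within earshot of each other (assumption)
    real_slices -- slice numbers 1..k that carry a real packet (constructed input)
    Returns the number of packets on the air in each slice.
    """
    on_air = [0] * (k + 1)              # index 0 unused, slices are 1..k
    for s in real_slices:
        on_air[s] += 1
    heard = 0                           # x in Algorithm D
    for i in range(1, k + 1):
        heard += on_air[i]
        if heard < i and i < k:         # behind schedule and a next slice exists
            p = (i - heard) / i
            # fully distributed: every node flips its own coin
            on_air[i + 1] += sum(rng.random() < p for _ in range(nodes))
    return on_air[1:]


def observed_totals(k, nodes, real_slices, rounds, seed=1):
    """Packets per unit time as a passive observer of the venue would count them."""
    rng = random.Random(seed)
    return [sum(mix_venue(k, nodes, real_slices, rng)) for _ in range(rounds)]


if __name__ == "__main__":
    k, nodes = 8, 4
    for label, real in (("idle", []), ("one flow", [1, 5]), ("busy", list(range(1, k + 1)))):
        totals = observed_totals(k, nodes, real, rounds=2000)
        print(f"{label:8s} min={min(totals)} mean={sum(totals)/len(totals):.2f} max={max(totals)}")
```

Comparing the idle, one-flow and busy rows shows how much the per-venue packet count still depends on real traffic for a given k and node count.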

Necessary Conditions of Motion-MIX
Protocol-stack-wise concerns, not limited to application/middleware layer (unlike MIX-Zone)
Building blocks
1. Identity-free routing: ANODR (MOBIHOC '03)
   Anonymous even against any insider
2. One-time packet contents: XOR-tree (TISS '00)
   E.g., for 100 packets, the 2 extreme cases (1 sender to 1 recipient & 100 different senders to 100 different recipients) and all cases in-between are equally probable; looks truly random / independent
3. Radio interface calibration to remove RF signatures: “Shake them up” (MOBISYS '05)

Identity-free Routing: ANODR (MOBIHOC '03)
ANODR: destination E receives RREQ, global_trap, onion where onion = K_D(K_C(K_B(K_A(hello))))
[Figure: path A, B, C, D, E. Route-REQuest: onion K_A(hello), K_B(K_A(hello)), K_C(K_B(K_A(hello))) on successive hops. Route-REPly: RREP, global_proof, onion, #X with stamps #E, #D, #C, #B and onions K_C(K_B(K_A(hello))), K_B(K_A(hello)), K_A(hello) on successive hops]
#X is a random packet stamp selected by X and shared on the hop
K_X(m) denotes using symmetric key K (only known by X) to encrypt a message m
global_trap denotes an encryption of a well-known tag (“You are the destination”) using a key only known by destination E

Identity-free Data Forwarding
Table driven virtual circuit: stores mapping of a pair of packet stamps
Packet marked with #
–Matched incoming # is replaced by corresponding outgoing #
–IP address, MAC address not used in ANODR
[Figure: nodes A, B, C with stamp pairs (#1, #2), (#2, #3), (#3, #4) in their tables; the packet is a stamp followed by the payload, carrying #1, #2, #3, #4 on successive hops]
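The route discovery and stamp-swapping described on the two ANODR slides above, as an added example (not the ANODR implementation and not code from the slides). It is simplified: global_trap and global_proof are omitted, the path is fixed in advance, and `seal`/`unseal` are a toy stand-in for K_X(m) built from SHAKE-256 and HMAC; all names are this sketch's own.

```python
import hashlib, hmac, os

def seal(key, msg):
    """Toy stand-in for K_X(m): SHAKE-256 keystream XOR plus a short HMAC tag."""
    nonce = os.urandom(8)
    pad = hashlib.shake_256(key + nonce).digest(len(msg))
    body = bytes(a ^ b for a, b in zip(msg, pad))
    return nonce + hmac.new(key, nonce + body, hashlib.sha256).digest()[:8] + body

def unseal(key, blob):
    """Return the inner message, or None when the layer was not made with key."""
    nonce, tag, body = blob[:8], blob[8:16], blob[16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()[:8]):
        return None
    pad = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

class Node:
    def __init__(self):
        self.key = os.urandom(16)   # symmetric key known only to this node
        self.table = {}             # incoming stamp -> outgoing stamp

DELIVER = b""                       # table value marking the destination

def discover(path):
    """Run RREQ then RREP along path (source first); return the source's stamp."""
    onion = b"hello"
    for node in path[:-1]:                  # RREQ: source and forwarders each add a layer
        onion = seal(node.key, onion)
    stamp = os.urandom(8)                   # stamp picked by the destination
    path[-1].table[stamp] = DELIVER
    for node in reversed(path[1:-1]):       # RREP: each forwarder peels its own layer
        onion = unseal(node.key, onion)
        if onion is None:
            raise ValueError("RREP onion does not belong to this node")
        upstream = os.urandom(8)            # fresh stamp shared with the upstream hop
        node.table[upstream] = stamp
        stamp = upstream
    if unseal(path[0].key, onion) != b"hello":
        raise ValueError("source cannot open the innermost layer")
    return stamp

def forward(path, stamp, payload):
    """Send (stamp, payload); return (stamps seen on the air, delivered payload)."""
    on_air = []
    for node in path[1:]:
        on_air.append(stamp)
        stamp = node.table.get(stamp)
        if stamp is None:
            return on_air, None             # unknown stamp: the packet is dropped
        if stamp == DELIVER:
            return on_air, payload
    return on_air, None

if __name__ == "__main__":
    route = [Node() for _ in "ABCDE"]
    seen, got = forward(route, discover(route), b"payload")
    print([s.hex() for s in seen], got)
```

Each hop sees only a random stamp and the payload; no node identifier, IP address or MAC address appears in the packet or in any table.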

One-time Packet Contents (cont'd)
“Unpredictable” pseudorandom packet contents
–In secular terms, looks truly random to the adversary
–Key management & distribution needed
[Figure: key and sample packet bytes]

Identity-free Packet Flow (ANODR)

Mobile network model
Divides the network into large number n of very small tiles (i.e., possible “positions”)
–A node's presence probability p at each tile is small
 Follows a spatial binomial distribution B(n,p)
–When n is large and p is small, B(n,p) is approximately a spatial Poisson distribution with rate  1
–If there are N mobile nodes roaming i.i.d.  N = N·  1
–The probability of exactly k nodes in an area A'

Venue ’’

Average Venue
Publicity assumption (Kerckhoff's Desiderata): the adversary knows the entire identity set and the network area, it can estimate that expectation of # of nodes in each venue is
–Thus, nodes in each venue transmit k = E(k  ' ) real/decoy packets in a fully distributed manner
A motion-MIX is min(k, E(k  ' ))-anonymous where  '=(  +v_avg*  t) is the bi-lateral Motion-MIX size
–In each non-empty venue, min(k, E(k  ' ))-anonymous
–In the entire network, ubiquitously min(k, E(k  ' ))-anonymous due to identity-free routing, one-time packet contents and RF signature hiding

Untraceable Mobile Nodes (or Packet Flows)
[Figure labels: The VIP node being traced; non-empty]
All motion patterns equally likely if contiguous venues are non-empty (in the previous time slot  t)
Untraceable (per Shannon's information theoretic notion)

Security Analysis: Impact of N (# of nodes)
Probability of having less than k good nodes is negligible with respect to network scale N
Probability of tracing a mobile node is negligible with respect to N and motion time |T|
Probability of tracing a packet flow is negligible with respect to N and # of traveled venues |X|
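A numeric sketch of the first claim above, using the Poisson occupancy model from the "Mobile network model" and "Average Venue" slides; this is an added example, not code or results from the slides. Assumptions: node density is uniform over a square area (the slides take it from the mobility model instead), a venue is a disc of the given radius, and all parameter values are constructed.

```python
import math

def mean_good_nodes(n_nodes, venue_radius, side, insider_fraction=0.0):
    """Expected number of uncompromised nodes in one venue.

    Assumes a uniform node density over a side x side square (the slides derive
    the density from the mobility model; uniform is this example's simplification).
    """
    share = math.pi * venue_radius ** 2 / side ** 2
    return n_nodes * (1.0 - insider_fraction) * share

def poisson_fewer_than(k, mean):
    """P[X < k] for X ~ Poisson(mean): chance a venue holds fewer than k good nodes."""
    term, total = math.exp(-mean), 0.0
    for j in range(k):
        total += term
        term *= mean / (j + 1)
    return total

def binomial_fewer_than(k, n, p):
    """Exact P[X < k] for X ~ B(n, p), to check the Poisson approximation."""
    return sum(math.comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k))

def anonymity(k, mean):
    """min(k, expected nodes in the venue), as on the 'Average Venue' slide."""
    return min(k, mean)

if __name__ == "__main__":
    side, radius, k = 1000.0, 100.0, 5      # constructed values; radius stands for the venue size
    for n in (100, 200, 400, 800, 1600):
        mean = mean_good_nodes(n, radius, side, insider_fraction=0.05)
        print(f"N={n:5d} mean={mean:6.2f} anonymity={anonymity(k, mean):4.2f} "
              f"P[<k good nodes]={poisson_fewer_than(k, mean):.3e}")
```

With the area fixed, each doubling of N doubles the mean occupancy, and the probability of finding fewer than k good nodes in a venue falls off exponentially.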

Summary
Anonymous communication in mobile networks has its own idiosyncrasy
–Motion pattern of mobile nodes can be traced; Motion-MIX needed
We propose a novel asymptotic network security model that is consistent with classic security notions
–Identity-free routing, one-time packet contents, and radio signature hiding are necessary conditions to implement Motion-MIX
–Motion-MIX + ANODR is practical
Work-in-progress: Currently, doing real-world experiments on Motion-MIX and ANODR
–Related to MANET localization/positioning, QualNet simulation, ANODR Linux implementation, UAV experiment
–More rigorous formalization & proofs

UCLA contacts: Jiejun Kong: Mario Gerla:

Notion: Perfect Secrecy (C.E. Shannon)
m XOR k = e
A triangular relation: plaintext M, ciphertext E, key K
Given ciphertext E, adversary gains no information
H(M|E) = H(M): a posteriori = a priori
Not scalable

Notion: Perfect Anonymity (IACR ePrint TR )
[Figure: route-driven connection between senders s1, s2, s3, s4 (anonymity set) and recipients r1, r2, r3, r4 (anonymity set); labels: synchronized flooding, indistinguishable]
Sender Anonymity, Recipient Anonymity
Not Scalable

Message Secrecy & Anonymity (information theoretic notion)
Perfect Secrecy: H(M|E) = H(M)
Perfect Anonymity: H(X_AS|C) = H(X_AS)
Security degradation can be defined as the ratio between H(X_AS|C) and H(X_AS), as demonstrated in 2 PET '02 papers [Serjantov & Danezis, PET '02] and [Diaz et al., PET '02]
This non-scalable solution is not our answer!

11 Inspired by Bettstetter et al.'s work
–For any mobility model (random walk, random way point), Bettstetter et al. have shown that  1 is computable following
–For example, in random way point model in a square network area of size a × a defined by -a/2 ≤ x ≤ a/2 and -a/2 ≤ y ≤ a/2
–  1 is “location independent”, yet computable in NS2 & QualNet given any area A' (using finite element method)

 1 in Random Way Point model [Bettstetter et al.] a=1000

WASP Micro-Aerial Vehicle (MAV)
Wingspan: 13 inches
Combined wing structure (Lithium-Ion battery pack): 4.25 ounces (120 gm)
Total weight of the vehicle: 6 ounces (170 gm)
Power: 9 Watts during the flight
Flying time: 1 hour and 47 min
Good enough to trace a mobile soldier or a few soldiers per MAV