L. Zhou and Z. J. Haas, Cornell University: Securing Ad Hoc Networks, 1999 (26 slides), presented by Johanna Vartiainen.

Presentation transcript:

L. Zhou and Z. J. Haas, Cornell University: Securing Ad Hoc Networks
Presented by Johanna Vartiainen, Centre for Wireless Communications, University of Oulu, Finland

Outline
1. Introduction
2. Security Goals and Challenges
3. Scope and Roadmap
4. Secure Routing
5. Key Management Service
6. The System Model
7. Threshold Cryptography
8. Proactive Security and Adaptability
9. Conclusions

1. Introduction
Ad hoc networks do not rely on any fixed infrastructure, unlike traditional mobile wireless networks
To keep the network connected, hosts rely on each other
Mobile nodes communicate directly via wireless links or rely on other nodes to relay messages as routers
Frequent changes of network topology are caused by node mobility
Main applications are military and other security-sensitive operations
Ad hoc networks have unique properties -> commercial use, e.g. virtual classrooms and sensor networks
Main challenge: vulnerability to security attacks
The article studies the threats and security goals
  – New challenges and opportunities
  – How to defend against denial-of-service attacks towards routing protocols

2. Security Goals 1/3
Security is a very important issue for ad hoc networks
Availability: ensures the survivability of network services despite denial-of-service attacks
  – A denial-of-service attack could be launched at any layer
Confidentiality: ensures that certain information is never disclosed to unauthorized entities
Integrity: guarantees that a message being transferred is never corrupted
Authentication: enables a node to ensure the identity of the peer node with which it is communicating
Nonrepudiation: ensures that the origin of a message cannot deny having sent the message

2. Challenges 2/3
For achieving the security goals, ad hoc networks pose both challenges and opportunities
1. Wireless links are sensitive to link attacks
  – Eavesdropping violates confidentiality
  – Active impersonation and active attacks, even message distortion, violate availability, integrity, authentication and nonrepudiation
2. Nodes in a hostile environment with comparatively poor physical protection are endangered
  – E.g. nodes in the battlefield
  – Attacks can be launched from within the network
Distributed architecture with no central entities to achieve high survivability

2. Challenges 3/3
3. Because of frequent changes, an ad hoc network is dynamic
  – Changes in topology and in its membership
  – Trust relationships among nodes also change
Security mechanisms should adapt to the changes
4. Ad hoc networks may consist of hundreds or even thousands of nodes
Security mechanisms should be capable of handling such a big group of nodes

3. Scope and Roadmap
Traditional security mechanisms still have an important role in ad hoc networks
  – ... but these are not sufficient
We rely on two principles:
1. To achieve availability, we take advantage of redundancies in the network topology
2. Distribution of trust to an aggregation of nodes
  – No single node is trustworthy
  – Assume: any t+1 nodes are unlikely to all be compromised, so a consensus of at least t+1 nodes is trustworthy

4. Secure Routing 1/4
All key-based cryptographic schemes demand a key management service
  – Responsible for keeping track of bindings between keys and nodes and assisting the establishment of mutual trust and secure communication between nodes
Routing protocols should be robust against dynamically changing topology and hostile attacks
Proposed routing protocols cope well with the changing topology... but not with hostile attacks

4. Secure Routing 2/4
In most routing protocols, routers exchange information about the network topology in order to establish routes between nodes
  – A target for a hostile party that wants to bring the network down
There are two kinds of threats to routing protocols:
1. From external attackers
  – Injecting erroneous routing information, replaying old routing information, distorting routing information
  – Countermeasure: nodes can protect routing information as they protect data traffic
    Cryptographic schemes, e.g. digital signature
  – Ineffective against attacks from compromised servers

4. Secure Routing 3/4
2. From compromised nodes
  – More severe kind of threat!
  – Compromised nodes might advertise incorrect routing information to other nodes
  – Compromised nodes are still able to generate valid signatures using their private keys
NOTE: there is always a possibility that a node is compromised!
  – Because of the dynamic nature of ad hoc networks, detecting a compromised node is difficult: is a piece of routing information invalid because of a compromised node OR because of topology changes?

4. Secure Routing 4/4
Some properties of ad hoc networks can be exploited to achieve secure routing
False routing information from compromised nodes can be treated as outdated information (to some extent)
If there are enough correct nodes, the routing protocol should be able to find routes that go around compromised nodes
That capability usually relies on the inherent redundancies in ad hoc networks
  – Multiple routes between nodes, possibly disjoint
Nodes can switch from the failed primary route to an alternative route if the routing protocol can discover multiple routes
Diversity codes take advantage of multiple paths without message retransmission
  – Redundant information is transmitted through additional routes for error detection and correction
E.g. n disjoint routes, n-r channels for transmitting the data and r channels to transmit redundant information

5. Key Management Service 1/2
Use of cryptographic schemes requires a key management service
A public key infrastructure is adopted
  – Superiority in distributing keys and achieving integrity and nonrepudiation
  – Secret key schemes are used to secure communication after nodes authenticate each other and establish a shared secret session key
Each node has a public and a private key (key pair) in a public key system
The public key is really public, so it can be distributed to other nodes
The private key is absolutely confidential
There is a trusted entity for key management
  – The certification authority (CA), which has a key pair

5. Key Management Service 2/2
The CA has to stay online to reflect the current bindings, because the bindings can change
The CA is a vulnerable point of the network
  – Unavailability of the CA means that nodes cannot get the current public keys of other nodes or cannot establish secure communication
It is problematic to have only one CA, especially if the network is huge
But replication of the CA makes the service even more vulnerable
The article distributes trust to a set of nodes by letting these nodes share the key management responsibility

6. The System Model 1/2
Assumptions:
A network with no bound on message delivery and processing times
The underlying network layer provides reliable links (a much weaker link assumption is deferred to a separate article in preparation)
All nodes know the public key of the service and trust any certificates signed using the corresponding private key
Nodes can submit query requests to get other nodes' public keys
Nodes can submit update requests to change their own keys
(n, t+1) configuration, n >= 3t+1
  – n special nodes, called servers
  – Each server has its own key pair and stores the public keys of all nodes in the network, and each server knows the public keys of the other servers
  – t is the number of servers that the adversary can compromise in any period of time of a certain duration

6. The System Model 2/2
The adversary has access to all the secret information stored on a server if that server is compromised
The adversary lacks the computational power to break the cryptographic schemes we employ
The service is correct if two conditions hold:
1. Robustness: the service is always able to process requests (query and update) from clients
2. Confidentiality: the private key of the service is never disclosed to an adversary

7. Threshold cryptography 1/4
Distribution of trust is accomplished using threshold cryptography
(n, t+1) threshold cryptography scheme (n servers, t compromised servers)
The private key k of the service is divided into n shares s_1, ..., s_n, one share for each server
Each server also has a key pair K_i/k_i (public and private key)
The public key K is known to all nodes in the network
Fig. 1: The configuration of a key management service (servers 1 to n; server i holds the share s_i of k and its own key pair K_i/k_i)

7. Threshold cryptography 2/4
For the service to sign a certificate, each server generates a partial signature for the certificate using its private key share and submits the partial signature to a combiner
Any server can be a combiner; to ensure that a compromised combiner cannot prevent a signature, t+1 servers can be used as combiners
  – To make sure that at least one combiner is correct
  – Compromised servers (at most t) are not able to generate correctly signed certificates, because they can generate at most t partial signatures
With t+1 correct partial signatures, the combiner can compute the signature for the certificate

7. Threshold cryptography 3/4
K/k is the key pair of the server
(3,2) cryptographic scheme, e.g. n=3, t=1 (3 servers and 1 of these servers is compromised)
Each server i gets a share s_i of the private key k
Message m: server i can generate a partial signature PS(m, s_i) using its share s_i. In this case, i=1 and 3.
Correct servers (1 and 3) both generate partial signatures and forward the signatures to a combiner
The combiner can generate the signature of m signed by the server private key k
Fig. 2: Threshold signature (servers 1, 2 and 3 hold the shares s_1, s_2 and s_3; PS(m, s_1) and PS(m, s_3) go to the combiner)

7. Threshold cryptography 4/4
Compromised servers can generate an incorrect partial signature
  – That can yield an invalid signature
BUT a combiner can verify the validity of a computed signature using the service public key
If verification fails, the combiner tries another set of partial signatures... and continues until the correct signature is constructed
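
The signing flow of slides 7 (2/4 to 4/4), as an added example that is not taken from the paper or the presentation: a (3,2) threshold RSA signature in the style of Shoup's scheme, used here as a stand-in because the slides do not fix a concrete scheme. The toy primes, the message value, the polynomial coefficient and all function names are constructed for illustration.

```python
import math
from itertools import combinations

# Constructed toy parameters, far too small for real use.
P, Q = 23, 47                      # safe primes: 23 = 2*11 + 1, 47 = 2*23 + 1
N, M = P * Q, 11 * 23              # RSA modulus; M = order of the squares mod N
E = 5                              # service public key K = (N, E)
D = pow(E, -1, M)                  # service private key k, known only to the dealer
N_SERVERS, T = 3, 1                # (n, t+1) = (3, 2)
DELTA = math.factorial(N_SERVERS)  # makes the Lagrange coefficients integers

def deal_shares(secret, coeffs):
    """Shamir sharing over Z_M: s_i = f(i) for a degree-t polynomial with f(0) = secret."""
    poly = [secret] + list(coeffs)
    return {i: sum(c * i**k for k, c in enumerate(poly)) % M
            for i in range(1, N_SERVERS + 1)}

def partial_sign(msg, share):
    """PS(m, s_i): computed by server i from its own share only."""
    return pow(msg, 2 * DELTA * share, N)

def lagrange_int(i, subset):
    """DELTA times the Lagrange coefficient of server i at x = 0 (always an integer)."""
    num = den = 1
    for j in subset:
        if j != i:
            num, den = num * -j, den * (i - j)
    return DELTA * num // den

def combine(msg, partials):
    """Turn t+1 partial signatures {i: PS_i} into a candidate signature on msg."""
    w = 1
    for i, ps in partials.items():
        w = w * pow(ps, 2 * lagrange_int(i, partials), N) % N
    # For correct partials w^E == msg^(4*DELTA^2); pick a, b with a*4*DELTA^2 + b*E == 1.
    e4 = 4 * DELTA**2
    a = pow(e4, -1, E)
    b = (1 - a * e4) // E
    return pow(w, a, N) * pow(msg, b, N) % N

def verify(msg, sig):
    """Check against the service public key (N, E), as any node can."""
    return pow(sig, E, N) == msg % N

def combiner(msg, received):
    """Try (t+1)-subsets of the received partial signatures until one verifies."""
    for subset in combinations(sorted(received), T + 1):
        try:
            sig = combine(msg, {i: received[i] for i in subset})
        except ValueError:         # bogus partial that is not invertible mod N
            continue
        if verify(msg, sig):
            return sig, subset
    return None, None

def demo():
    shares = deal_shares(D, coeffs=[57])     # constructed coefficient, random in practice
    msg = 42                                 # stands in for a padded certificate hash
    received = {i: partial_sign(msg, s) for i, s in shares.items()}
    received[2] = received[2] * 2 % N        # compromised server 2 sends a wrong value
    return combiner(msg, received)

if __name__ == "__main__":
    print(demo())                            # (signature, subset of servers that verified)
```

The combiner never learns k: it only sees partial signatures, and a single compromised server's partial signature is not enough to form any (t+1)-subset.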

8. Proactive Security and Adaptability 1/6
The key management service also employs share refreshing to tolerate 'mobile' adversaries and to adapt its configuration to changes in the network
  – A mobile adversary temporarily compromises a server and then moves on to the next victim
A mobile adversary might be able to compromise all the servers over a long period of time (e.g. viruses)
Compromised servers may be detected and excluded, but the adversary could still gather more than t shares of the private key from compromised servers over time
That would allow the adversary to generate any valid certificates signed by the private key
Countermeasure: proactive threshold cryptography scheme

8. Proactive Security and Adaptability 2/6
A proactive threshold cryptography scheme uses share refreshing
That enables servers to compute new shares from old ones in collaboration without exposing the service private key to any server
The new shares compose a new (n, t+1) sharing of the service private key
Refreshing is done periodically
Servers remove the old shares after refreshing and start to use the new shares
The adversary has to compromise t+1 servers every time after refreshing, again and again …
Share refreshing is based on the property called homomorphic [see page 27 in the reference]

8. Proactive Security and Adaptability 3/6
Every server generates so-called subshares
When a server gets subshares, it can compute a new share from these subshares and its old share
Share refreshing must tolerate missing subshares and erroneous subshares from compromised servers
  – A compromised server may not send any subshares
For servers to detect incorrect subshares, verifiable secret sharing schemes can be used
  – Such a scheme generates extra public information for each (sub)share using a one-way function
  – The public information can testify to the correctness of the corresponding (sub)shares without disclosing the (sub)shares
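
Share refreshing with verifiable subshares, as described on slides 8 (2/6 and 3/6), in an added example that is not taken from the paper or the presentation. It assumes Shamir sharing over a prime field with Feldman-style commitments as the verifiable secret sharing scheme, and it simplifies agreement: a dealer is dropped as soon as any server's check fails. The group parameters, key, coefficients and function names are constructed.

```python
# Constructed toy group: P = 2Q + 1 with P, Q prime; G = 4 has order Q modulo P.
P, Q, G = 2039, 1019, 4
N_SERVERS = 3                            # (n, t+1) = (3, 2): polynomials have degree t = 1

def poly_eval(coeffs, x):
    """Evaluate a polynomial over Z_Q; coeffs[0] is the constant term."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def commit(coeffs):
    """Public information: a one-way image G^c of every coefficient."""
    return [pow(G, c, P) for c in coeffs]

def check_subshare(j, subshare, commitments):
    """Server j tests a subshare against the dealer's public commitments."""
    if commitments[0] != 1:              # a refresh polynomial must have constant term 0
        return False
    expected = 1
    for k, c in enumerate(commitments):
        expected = expected * pow(c, j**k, P) % P
    return pow(G, subshare, P) == expected

def refresh(old_shares, dealers):
    """dealers maps i -> (polynomial of server i, subshares it actually sent)."""
    accepted = []
    for i, (coeffs, sent) in sorted(dealers.items()):
        pub = commit(coeffs)
        # A missing or wrong subshare to any server disqualifies the dealer.
        if all(j in sent and check_subshare(j, sent[j], pub) for j in old_shares):
            accepted.append(i)
    new_shares = {j: (s + sum(dealers[i][1][j] for i in accepted)) % Q
                  for j, s in old_shares.items()}
    return new_shares, accepted

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over Z_Q from t+1 shares {i: s_i}."""
    secret = 0
    for i, s_i in shares.items():
        lam = 1
        for j in shares:
            if j != i:
                lam = lam * (-j) * pow((i - j) % Q, -1, Q) % Q
        secret = (secret + s_i * lam) % Q
    return secret

def demo():
    k = 777                                          # service private key (constructed)
    old = {i: poly_eval([k, 314], i) for i in range(1, N_SERVERS + 1)}
    polys = {1: [0, 15], 2: [0, 926], 3: [0, 535]}   # constructed, random in practice
    dealers = {i: (c, {j: poly_eval(c, j) for j in old}) for i, c in polys.items()}
    dealers[2][1][3] = (dealers[2][1][3] + 1) % Q    # compromised server 2 cheats server 3
    new, accepted = refresh(old, dealers)
    return {
        "accepted": accepted,
        "after": reconstruct({1: new[1], 2: new[2]}),
        "mixed": reconstruct({1: old[1], 3: new[3]}),  # one stolen old share + one new share
        "changed": all(new[j] != old[j] for j in old),
    }

if __name__ == "__main__":
    print(demo())
```

`reconstruct` is called only to show that the refreshed shares still encode k and that a share stolen before the refresh does not combine with one stolen after it; in the service itself the key is never reassembled.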

8. Proactive Security and Adaptability 4/6
A variation of share refreshing also allows the key management service to change its configuration so it can adapt itself to changes in the network
  – The service should exclude the compromised server and refresh the exposed share
  – The service should change its configuration if it is no longer available or a new server is added
The original set of servers generates and distributes subshares based on the new configuration of the service
Share refreshing is transparent to all nodes because it does not change the service key pair
  – The same public key is still in use

8. Proactive Security and Adaptability 5/6
Existing threshold cryptography and proactive threshold cryptography schemes assume a synchronous system
Any synchrony assumption is a weak point in the system
  – The adversary can launch denial-of-service attacks to slow down a node or to disconnect a node for a long enough period of time to invalidate the synchrony assumption
To attenuate the weak point: the key management service presented works in an asynchronous setting
  – Problems? Yes, one of these is that we don't know whether a server is compromised or just slow
This assumption is not necessarily valid in ad hoc networks

8. Proactive Security and Adaptability 6/6
The paper requires that enough correct servers are up to date
  – NOT that all the correct servers are consistent after each operation
Enough signatures are also required
  – At least one correct server must have provided one signature, thus assuring the validity of the message
A detailed description of the service is not provided

9. Conclusions
Security threats in ad hoc networks were analyzed
Secure routing
Secure key management service
Threshold cryptography
Weaknesses:
  – prototype, no details
  – still problems