1

Jean-Pierre Hubaux

EPFL/School of Information and Communication

Secure Mobility

2

Some security activities in MICS

• Secure software, secure applications

• Tamper-proof device-based security• Protocol analysis (WTLS)• Zero-infrastructure security• Mobility Vs Security : - Mobility helps security - Provable encounters

LastEncounterRouting

• Immune mobile systems• Cooperation issues : - In multi-hop cellular networks - In pure ad hoc networks

IP1

IP4

IP6

IP8

• Trust in peer-to-peer systems

IP5• Business aspects of security in mobile networks

IP10

3

Provable encounters

claimant certifier

1. Encounter

claimant verifier

2. Proof of encounter

Verification is:• a posteriori• frequent

Verification is:• a posteriori• frequent

• claimant : a node claiming that it has met another node at a given time t• certifier : a node that certified the encounter with the claimant• verifier : a node that verifies the encounter between two nodes- Two scenarios :

- any-to-any (typically mobile ad hoc networks, where any node can be a claimant, a verifier and a certifier)- any-to-one (typically hybrid ad hoc networks, where mobile nodes play roles of claimants and certifiers, and base stations perform verification)

- Two building blocks :- Distance bounding- Proving the time of encounter

4

Applications of provable encounters

Secure protocols based on last encounter (e.g., Last Encounter Routing)

Topology tracking in multi-hop cellular networks (e.g, for misbehaviour detection)

Any service requiring to prove previous encounters, including their distance (e.g., liability issues in road traffic)

Distributed robotics Prevention of wormhole attacks …

5

General assumptions

Loose synchronization of the nodes clocks Abilities of each node :

Measure time with a nanosecond precision Perform cryptographic operations (generate keys, check

signatures, compute hash functions,…) No GPS receivers, no system providing location

information Presence of a centralized authority (off-line or on-line):

assigns a unique, certified identity to each node All nodes share pairwise secret keys (other options are

possible) The claimant and the verifier always authenticate each

other at verification time

6

Authenticated distance bounding

• Similar issue: the Chess Grandmaster Problem

• Solution: Distance-Bounding Protocols (Brands and Chaum, Eurocrypt 1993)

• Related problem: Wormhole Attacks in ad hoc networks• Proposed solution: Packet leashes (Hu, Perrig and Johnson, Infocom 2003) (based on precise clock synchronization or on location awareness)

Alice

Secret communicationchannel

Authenticationprotocol

DamienBernard Carole

Authenticationprotocol

Location 1 Location 2

Mafia Fraud Attack (Y. Desmedt, 1988) :

7

Mutual Authentication with Distance Bounding (MAD) (1/2)

Our solution: MAD Improvements wrt Brands and Chaum’s proposal:

Avoid public key cryptography rely on MAC computations Both nodes can measure the distance to the other node

simultaneously

Assumption: special hardware module in each node Can temporarily take over the control of the radio transceiver from

the CPU Able to respond to a one-bit challenge with a one-bit response

8

Mutual Authentication with Distance Bounding (MAD) (2/2)

9

Guaranteeing Encounter Freshness (GEF) (meaning at or before time t)

• 1. Initialization (at each node)

V0 V1 V2 VN

H HH

• 2. Network operation : disclose the values Vi in reverse order

CertCl1

V96

2.1. Encounters :

1.1. Construct the hash chain :

1.2 Distribute VN to all other nodes

2.2. Verification (certifier authentication only, therefore called GEF-Ce) :

Verif

Cl2

V47

Cl1

V96

HN-47(V47) = VN

?

• Almost optimal hash sequence traversal: Coppersmith and Jakobsson, FC’02• If claimant authentication is also desired: each node produces n hash chains instead of one GEF-CeCl

Cl2

V47

10

Guaranteeing the Time of the Encounter (GTE)

v 0

m 0

m 0 1

m 0 3 m 4 7

m 0 7

m 2 3 m 4 5 m 6 7

v 1

m 1

v 2

tim e ran d2 2

==

m 2

v 3

m 3

v 4

m 4

v 5

m 5

v 6

m 6

v 7

m 7

Purpose: The claimant can prove to the verifier that it met the certifier at the time t of the actual encounter (neither before nor later);Basic mechanism: only certifier authentication: GTE-Ce

1. Initialization • Generation of N values (V0 to VN)• Construction of the Merkle tree

• Deliver the root of the tree to allother nodes (in an authentic way)

2. Network operation 2.1 Encounters - At each time interval, the certifier broadcasts a Vi with its siblings

2.2 Verification - Example : H(H(m01||H(H(V2)||m3))||m47) = m07 ?

11

The full solution : MAD + GTE-CeCl

Enc

ount

er

Pro

of o

fen

coun

ter

12

Attacks

claimant certifier

1. Encounter

claimant verifier

2. Proof of encounter

Attack-Cl : deceive an honest verifier about previous encounters

Attack-Cl : deceive an honest verifier about previous encounters

Attack-Ce : deceive a honest claimant about its identity or about the time of encounter

Attack-Ce : deceive a honest claimant about its identity or about the time of encounter

Attack-V : deceive a honest verifier (to be met in the future) about previous encounters

Attack-V : deceive a honest verifier (to be met in the future) about previous encounters

13

Resistance to attacks

Resistant to

Attacker-1-0 and

Attacker-0-1

Resistant to

Attacker-x-0 and

Attacker-0-1

Resistant to

Attacker-x-y

Resistant to

Attacker-1-0 and

Attacker-0-1

Resistant to

Attacker-x-0 and

Attacker-0-1

Resistant to

Attacker-x-y

Resistant to

Attacker-1-0

Resistant to

Attacker-x-0

Resistant to

Attacker-x-y

GEF-CeGTE-Ce

GEF-CeGTE-Ce

GEF-CeClGTE-CeCl

With MAD

Attack-Cl

Attack-Ce

Attack-V

Other attacks: AttackClCe,…Attacker-x-yx : # owned nodesy : # compromised nodes

Attacker-x-yx : # owned nodesy : # compromised nodes

14

Conclusion on Provable Encounters

Well-established cryptographic techniques can allow mobile nodes to prove their time and distance of encounters, at a very reasonable cost

Very first contribution to a novel and promising research area Future work:

Study different mobility scenarios Identify applications more precisely; examples:

• Single-hop wireless networks in which the Access Points are not (fully) trusted

• Intelligent Transport Systems

 S. Capkun, L. Buttyan, and  J. P. HubauxSECTOR : Secure Tracking of Node Encounters in Multi-hop

Wireless NetworksFirst ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN),

Washington, October 2003

15

Mobility helps security

Infrared link

(Alice, PuKAlice, XYZ)

(Bob, PuKBob , UVW)

Visual recognition, conscious establishment of

a two-way security association

Secure side channel -Typically short distance (a few meters)- Line of sight required- Ensures integrity- Confidentiality not required

Alice Bob

Problem : how to bootstrap security in a mobile network without a central authority ? Problem : how to bootstrap security in a mobile network without a central authority ?

16

Friends mechanism

IR

Colin

Bob(Colin’s friend)

Alice

(Alice, PuKAlice, XYZ)

(Alice, PuKAlice, XYZ)

Colin and Bob are friends:• They have established a Security Association at initialisation• They faithfully share with each other the Security Associations they have set up with other users

Colin and Bob are friends:• They have established a Security Association at initialisation• They faithfully share with each other the Security Associations they have set up with other users

17

Mechanisms to establish Security Associations

Friendship : nodes know each others’ triplets

Exchange of triplets over the secure side channelTwo-way SA resulting from a physical encounter

i j i knows the triplet of j ; the triplet has been obtained from a friend of i

i

f

j i

f

j

i

f

j i

f

j

i j i ja) Encounter and activation of the Secure Side Channel

b) Mutual friend

c) Friend + encounter

Note: there is no transitivity of trust (beyond your friends)

18

Pace of establishment of the security associations (1/2)

- Depends on several factors: - Area size- Number of communication partners: s- Number of nodes: n- Number of friends- Mobility model and its parameters (speed, pause times, …)

Established security associations :Desired security associations :

Convergence :

19

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

100 1000 10000 100000 1000000

time (s)

per

cen

tage

of

secu

rity

ass

ocia

tion

s

s=99, f=0, pause=100 s, sr=5 m, v=5 m/s s=99, f=2, pause=100 s, sr=5 m, v=5 m/ss=99, f=0, pause=100 s, sr=5 m, v=20 m/s

5m/s, 2 friends5m/s, 0 friends

20m/s, 0 friends

Pace of establishment of the security associations (2/2)

20

Conclusion on Mobility Helps Security

• Mobility can help security in mobile ad hoc networks, from the networking layer up to the applications

• The proposed solution also supports re-keying• The proposed solution can easily be implemented with both

symmetric and asymmetric cryptography

S. Capkun, J. P. Hubaux, and L. Buttyan

Mobility Helps Security in Ad Hoc Networks

Fourth ACM Symposium on Mobile Networking and Computing (MobiHoc), Annapolis, June 2003

21

Conclusion

Security in mobile and wireless networks is a major research area

MICS has pioneered the exploration of mobility Vs. security

MICS is strongly committed to make further fundamental contributions