
Peer-to-Peer Security in Wireless Ad Hoc Networks

+ CommonSenseNet

Jean-Pierre Hubaux

EPFL, Switzerland


Outline

• Brief presentation of the MICS/Terminodes project
• Mobility helps peer-to-peer security
• Cooperation between nodes in multi-hop wireless networks
• Three more projects:
  - Cooperation without incentives
  - Power-efficient broadcast in all-wireless networks
  - Water management by means of sensor networks


National Competence Centers in Research

• Initiative of the Swiss National Science Foundation
• Call for proposals in late 1998, for several scientific areas (including Medicine and Physics)
• Proposals have to be substantial (yearly budget around 3 Mio Euros/year) and long term (from 2001 to 2010)
• 200+ proposals have been submitted in the first round
• 14 proposals finally selected (in 2000)
• The Mobile Information and Communication Systems or Terminodes proposal is the only one selected in the area of communications; official start: November 2001


Terminal + Node = Terminode

• All network functions (packet forwarding, flow control, error control, …) and terminal functions (coding/decoding, A/D and D/A, storage, ciphering, …) are embedded in the terminode
• A communication must be relayed by intermediate terminodes
• The network is self-organized: it is operated by its users
• All terminodes are potentially mobile

[Figure labels: Source, Destination]

Terminodes are the extreme (or academic) case of several concrete incarnations: multi-hop cellular networks, networks of vehicles, sensor networks, self-operated networks, distributed robots, …


National Center for Competence in Research: Mobile Information and Communication Systems

Academic consortium (in CH): EPFL, Uni Lausanne, Uni Bern, Uni St Gallen, Uni Zurich, CSEM, ETHZ

Director of NCCR: Prof. M. Vetterli
Deputy director of NCCR: Prof. Th. Gross

Fribourg: CCTC

Industrial partners:
• IBM
• Microsoft
• Samsung
• Siemens
• Swisscom
• Whitestein Technologies

+ many academic partners worldwide

www.terminodes.org

Around 25 faculty members and 80 PhD students


Main challenge and benefit of the research program: working across layers

Figure labels:
• Mathematical foundation
• Information theory
• Security
• Economics
• System architecture
• Communicating embedded systems
• Information systems
• Real-time services
• Network layer
• Physical and MAC layers

Selected application: environmental monitoring (sensor networks)
Other possible applications: crisis networks, networks of cars, networks for rural areas


Joint work with Levente Buttyan+ and Srdjan Capkun

Mobility Helps Peer-to-Peer Security

Peer-to-peer Authentication and Key Establishment in Mobile Networks

+ Now with Laboratory of Cryptography and Systems Security (CrySyS) Department of Telecommunications, Budapest University of Technology and Economics


Secure communication with cryptography (reminder)

[Figure: Alice (sender) feeds the plain text x to the encrypter, which uses key K to produce $y = E_K(x)$; Bob (receiver) runs the decrypter with key K’ on y to recover x; Mallory (or Oscar), the attacker or opponent or intruder, sits between them]

x: plain text
y: cipher text

$D_{K'}(E_K(x)) = x$

Symmetric cryptography: if $K' = K$
Asymmetric cryptography (or public key cryptography): if $K' \neq K$


Digital Signature (reminder)

[Figure: Alice sends Bob the message m together with $e_{PK_A^{-1}}(m)$; Bob computes $d_{PK_A}(e_{PK_A^{-1}}(m))$ and checks whether it equals m]

$PK_A$: public key of Alice
$PK_A^{-1}$: private key of Alice

Signature: sig or σ
Verification: ver

In RSA-based signature:
$sig(m): s = m^a \bmod n$
$ver(m, s) = true$ if $m = s^b \bmod n$

A certificate is an identity or a public key signed by another entity


Does mobility increase or reduce security?

Very often, people move to increase security:
• Face to face meetings
• Transport of assets and physical documents
• Authentication by physical presence

In spite of the popularity of PDAs and cellular phones, this mobility has not been exploited so far to provide digital security

Mobility is usually perceived as a major security challenge:
• Wireless channel
• Unpredictable location of the user
• Sporadic availability of the user
• Higher vulnerability of the device
• Smaller computing capability of the device

So far, client-server security has been considered as the priority (e-business, cellular telephony,…)

Peer-to-peer security is still in its infancy


Security of cellular networks
Example: GSM

[Figure: Mobile station (key stored in the SIM card), Base station and Authentication Center; labels: Shared, symmetric key; Challenge; Response; Setting up of the encryption key]

• The key stored in the SIM card incarnates the contract between the subscriber and the operator
• It is established manually when the contract is signed
• Only symmetric cryptography is used


Example of security for wireless LANs: standard IEEE 802.1x (*)

[Figure: Supplicant (Mobile Station), Authenticator (Access Point) and Authentication Server; EAPOL (over IEEE 802.11) between the supplicant and the authenticator; encapsulated EAP, typically on RADIUS, between the authenticator and the authentication server]

EAP: Extensible Authentication Protocol (RFC 2284, 1998)
EAPOL: EAP over LAN
RADIUS: Remote authentication dial in user service (RFC 2138, 1997)

Features of IEEE 802.1x:
- Supports a wide range of authentication schemes, thanks to the usage of EAP
- One-way authentication
- Optional encryption and data integrity

(*) Notes:
• IEEE 802.1x is not specific to wireless LANs and was not designed specifically for them
• New standard: IEEE 802.11i (2003)


Wireless Transport Layer Security protocol (WTLS)

[Figure labels: WTLS, WAP Gateway, SSL (Secure Socket Layer), Web server]

Authentication classes of WTLS:
Class 1: no authentication
Class 2: authentication of the server only (similar to traditional SSL / HTTPS used with Web servers); the server certificate is usually signed by a Trusted Third Party (Verisign, Entrust, Smartrust, …)
Class 3: authentication of both server and client; requires a Public Key Infrastructure and a Wireless Identity Module (WIM); very few implementations so far


Security in ad hoc networks

Constraints
• Mobile devices: limited computing capabilities
• Sporadic connectivity prevents reliance on an on-line server

Solutions proposed so far
• Some nodes have a special role; they are entitled to perform threshold cryptography operations (Cornell, 1999)
• Generalization: any node can take this responsibility (UCLA, 2001)
• Users are all in the same location; they agree on a common password and type it into their devices; the protocol creates a strong shared key (Nokia, 2001)
• Issue mutual certificates and build up a distributed certificate graph à la PGP (EPFL, 2001)


Mobility helps security

[Figure: Alice and Bob, connected by an infrared link, with the triplets (Alice, $PuK_{Alice}$, XYZ) and (Bob, $PuK_{Bob}$, UVW)]

Visual recognition, conscious establishment of a two-way security association

Secure side channel
- Typically short distance (a few meters)
- Line of sight required
- Ensures integrity
- Confidentiality not required

Problem: how to bootstrap security in a mobile network without a central authority?


Friends mechanism

[Figure labels: Alice, Colin, Bob (Colin’s friend), IR; the triplet (Alice, $PuK_{Alice}$, XYZ) is shown twice]

Colin and Bob are friends:
• They have established a Security Association at initialisation
• They faithfully share with each other the Security Associations they have set up with other users


Mechanisms to establish Security Associations

• Friendship: nodes know each others’ triplets
• Exchange of triplets over the secure side channel
• Two-way SA resulting from a physical encounter
• i j : i knows the triplet of j; the triplet has been obtained from a friend of i

[Figure: three cases on the nodes i, f and j]
a) Encounter and activation of the Secure Side Channel
b) Mutual friend
c) Friend + encounter

Note: there is no transitivity of trust (beyond your friends)


Protocols


Pace of establishment of the security associations (1/2)

Depends on several factors:
- Area size
- Number of communication partners: s
- Number of nodes: n
- Number of friends
- Mobility model and its parameters (speed, pause times, …)

Established security associations :
Desired security associations :
Convergence :


Pace of establishment of the security associations (2/2)

[Figure: percentage of security associations (0 to 1) versus time (s), from 100 to 1000000. Curves: s=99, f=0, pause=100 s, sr=5 m, v=5 m/s (5 m/s, 0 friends); s=99, f=2, pause=100 s, sr=5 m, v=5 m/s (5 m/s, 2 friends); s=99, f=0, pause=100 s, sr=5 m, v=20 m/s (20 m/s, 0 friends)]


Conclusion on Mobility Helps Security

• Mobility can help security in mobile ad hoc networks, from the networking layer up to the applications

• The proposed solution also supports re-keying
• The proposed solution can easily be implemented with both symmetric and asymmetric cryptography

S. Capkun, J. P. Hubaux, and L. Buttyan, "Mobility Helps Security in Ad Hoc Networks", Fourth ACM Symposium on Mobile Networking and Computing (MobiHoc), Annapolis, June 2003

S. Capkun, L. Buttyan, and J.-P. Hubaux, "Self-Organized Public-Key Management for Mobile Ad Hoc Networks", IEEE Transactions on Mobile Computing, Vol. 2, Nr. 1, 2003


Cooperation between Nodes in Hybrid Ad Hoc Networks

Jean-Pierre Hubaux (1)

Joint work with Naouel Ben Salem (1), Levente Buttyan (2), and Markus Jakobsson (3)

(1) EPFL/School of Information and Communication
(2) Budapest University of Technology and Economics
(3) RSA Labs


Hybrid ad hoc networks (1/2)

[Figure labels: S, D]

• Set of base stations connected to a backbone (like in cellular)
• Potentially, multi-hop communication between the mobile station and the base station (unlike in cellular)
• Principle usable for both “classical”, voice centric cellular networks and wireless LANs (e.g., IEEE 802.11)


Hybrid ad hoc networks (2/2)

Expected benefits:
• Energy consumption of the mobile stations can be reduced
• Immediate side effect: Reduced interference
• Number of base stations (fixed antennas) can be reduced
• Coverage of the network can be increased
• Closely located mobile stations can communicate independently from the infrastructure (ad hoc networking)

Problem: How to encourage the nodes to relay packets for the benefit of other nodes?


Possible solution: systematic micro-payments

[Figure labels: A (Initiator), $i_1$, $BS_A$, $BS_B$, $j_1$, B (Correspondent)]

• Principle: for every packet, the initiator is charged and all relay nodes are rewarded

• Strength: all cheating attempts will be detected

• Weakness: overhead (increase of the communication cost around 3 to 12%)

N. Ben Salem, L. Buttyan, J. P. Hubaux, and M. Jakobsson, "A Charging and Rewarding Scheme for Packet Forwarding in Multi-hop Cellular Networks", Fourth ACM Symposium on Mobile Networking and Computing (MobiHoc), Annapolis, June 2003


Alternative solution : probabilistic micro-payments

Model for the network:
• Multi-hop up-link
• Single-hop down-link

[Figure labels: S, D]

Proposals for probabilistic payments:
• D. Wheeler (1996)
• Jarecki and Odlyzko (1997)
• S. Micali and R. Rivest (2002)
• …


The solution in three easy steps – Step 1

Assume that all packet sending/receiving events can be observed by an observer

The observer could tell
• who originated a packet (whom to charge)
• who forwarded a packet (whom to remunerate)
• who dropped a packet (whom to punish?)


The solution in three easy steps – Step 2

Assume that every node honestly reports its own sending/receiving events to the operator

The operator could tell
• who originated a packet (whom to charge)
• who forwarded a packet (whom to remunerate)
• who dropped a packet (whom to punish?)

Problems:
• nodes may not be motivated to send reports
• nodes may lie (send false reports)
• reporting all events may be a huge overhead


The solution in three easy steps – Step 3

• Nodes get paid for their reports: nodes are motivated to send reports

• Events to be reported are selected probabilistically: this drastically reduces the overhead

• Neighbors are remunerated as well: this further increases the motivation to cooperate

• Based on the received reports, the operator performs statistical analysis (auditing): this allows detection of cheating behavior


Assumptions

Hybrid ad hoc network with multi-hop up-link and single-hop down-link

Symmetric-key crypto, each node shares a long-term symmetric key with the operator (base stations)

The operator manages numerous base stations and one accounting center

The operator is trusted by every node for
• not revealing secret keys
• correctly transmitting packets
• correctly performing billing and auditing

Users are not trusted to act according to the protocol
• users behave rationally
• they can tamper with their devices
• they can collude


Protocol

Setup
• users register with the operator
• each registered user u gets an id and a symmetric key $K_u$
• $K_u$ is shared by the user and the operator (base stations)

Maintaining connectivity information
• each user u keeps a list of triplets ($u_i$, $d_i$, $L_i$), where
  - $u_i$ is a neighbor
  - with distance (in hops) $d_i$ from the base station and
  - with reward level $L_i$
• the list is sorted in terms of increasing values of $d_i$ and $L_i$

Reward levels
• packets have reward levels too
• a higher reward level means higher charge for the originator and higher reward for the forwarders
• $u_i$ is willing to forward packets with a reward level higher than $L_i$


Packet origination

Originator o wants to send payload p
• o selects a reward level L
• computes a MAC: = $MAC_{K_o}(L \mid p)$
• transmits [ o | L | p | ] according to the Packet Transmission Protocol

MAC : Message Authentication Code


Packet transmission

User u – originator or forwarder – wants to transmit packet P = [ o | L | p | ]
1. u selects his first as yet unselected entry ($u_i$, $d_i$, $L_i$) where $L_i < L$
2. sends a forward request to $u_i$ (contains L and possibly more info)
3. waits for an ack from $u_i$
   • if received, then u sends P to $u_i$
   • if not received, then u increases i by one and goes to step 2
in any case: if u is not the originator, then u performs the Reward Recording Protocol

[Figure: u and its neighbors y, z and x, with the entries (u=y, d=2, L=53), (u=z, d=3, L=82), (u=x, d=3, L=70)]


Packet processing by the base station

The base station receives a packet P = [ o | L | p | ]
• it looks up the secret key $K_o$ of the originator o
• verifies the MAC
  - if not correct, then drops the packet
  - if correct, then transmits the packet to the destination
• keeps a count of the number of packets transmitted for o
• records a fraction of all triplets (, L, u), where u is the id of the user from which it received the packet [ o | L | p | ]
• periodically sends the recorded information to an accounting center

[Figure: S, D and the Accounting Center, with numbered steps 1 to 6; labels: Retrieve $K_o$, Verify, P]


Reward recording

User u has forwarded a packet P = [ o | L | p | ]
• u interprets as a lottery ticket
• the ticket is winning for u iff f(, $K_u$) = 1 for some function f
• if is winning, then u records ($u_1$, $u_2$, , L), where
  - $u_1$ is the user from which he received P
  - $u_2$ is the user (or base station) to which he forwarded P

[Figure: $u_1$, u, $u_2$ (or base station); label at u: f(, $K_u$) = 1 ?]

Example for f: f(, $K_u$) = 1 iff $d_{Hamming}$(, $K_u$) h

• Note: If f is not one-way, then all claims should be encrypted during transmission


Reward claim

User u has a list M of reward records
• when u is adjacent to a base station, he transmits a claim [ u | M | $MAC_{K_u}(M)$ ] to the base station
• the base station verifies the MAC
  - if incorrect, then ignores the claim
  - if correct then records the claim and sends an ack
• when u receives the ack, he deletes M from memory
• the base station sends the recorded reward claims to the accounting center

[Figure: u, the base station and the Accounting Center; message [ u | M | $MAC_{K_u}(M)$ ]]
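The origination, base-station processing, reward recording and reward claim steps of the preceding slides, put together as an added example (not code from the talk or from the authors). Assumptions: HMAC-SHA256 stands in for the unspecified MAC, the Hamming-distance test is taken as "distance <= h", reward levels fit in one byte, and all class, function and field names are hypothetical.

```python
import hashlib
import hmac


def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC_K(f1 | f2 | ...). HMAC-SHA256 is an assumption; the slides name no algorithm."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)  # length prefix keeps "L | p" unambiguous
    return h.digest()


def originate(o: str, K_o: bytes, L: int, p: bytes) -> dict:
    """Packet origination: P = [ o | L | p | MAC_Ko(L | p) ], with L in 0..255."""
    return {"o": o, "L": L, "p": p, "mac": mac(K_o, bytes([L]), p)}


def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def is_winning(ticket: bytes, K_u: bytes, h: int) -> bool:
    """Example f from the slides: the packet's MAC is the lottery ticket and is
    compared with K_u by Hamming distance ('<= h' is an assumption). This f is not
    one-way: a winning ticket leaks information about K_u, which is why the slides
    say claims must then be encrypted in transit."""
    return hamming(ticket, K_u) <= h


class Forwarder:
    def __init__(self, uid: str, K_u: bytes, h: int):
        self.uid, self.K_u, self.h, self.M = uid, K_u, h, []

    def forward(self, P: dict, u1: str, u2: str) -> None:
        """Reward recording after relaying P from u1 to u2."""
        if is_winning(P["mac"], self.K_u, self.h):
            self.M.append((u1, u2, P["mac"], P["L"]))

    def claim(self):
        """Reward claim [ u | M | MAC_Ku(M) ]."""
        M = list(self.M)
        return self.uid, M, mac(self.K_u, repr(M).encode())

    def on_ack(self) -> None:
        self.M.clear()  # delete M only once the base station has acknowledged it


class BaseStation:
    def __init__(self, keys: dict):
        self.keys = keys    # id -> long-term symmetric key shared with the operator
        self.sent = {}      # packets transmitted per originator (basis for charging)
        self.traffic = []   # (ticket, L, u) records for the accounting center
        self.claims = []    # accepted reward claims

    def process_packet(self, P: dict, received_from: str) -> bool:
        K_o = self.keys.get(P["o"])
        expected = mac(K_o, bytes([P["L"]]), P["p"]) if K_o else b""
        if not hmac.compare_digest(expected, P["mac"]):
            return False    # MAC not correct: drop the packet
        self.sent[P["o"]] = self.sent.get(P["o"], 0) + 1
        # The slides record only a fraction of these triplets; all are kept here.
        self.traffic.append((P["mac"], P["L"], received_from))
        return True

    def process_claim(self, claim) -> bool:
        u, M, tag = claim
        K_u = self.keys.get(u)
        expected = mac(K_u, repr(M).encode()) if K_u else b""
        if not hmac.compare_digest(expected, tag):
            return False    # ignore the claim
        self.claims.append((u, M))
        return True         # ack


def demo():
    keys = {"o": bytes(range(32)), "u": bytes(range(32, 64))}  # constructed keys
    bs = BaseStation(keys)
    u = Forwarder("u", keys["u"], h=256)  # h=256: every 256-bit ticket wins (deterministic demo)
    P = originate("o", keys["o"], 70, b"payload")
    u.forward(P, "o", "BS")
    accepted = bs.process_packet(P, received_from="u")
    rejected = not bs.process_packet(dict(P, L=1), "u")  # altered reward level breaks the MAC
    uid, M, tag = u.claim()
    claim_ok = bs.process_claim((uid, M, tag))
    forged_ok = bs.process_claim((uid, M + [("x", "BS", P["mac"], 70)], tag))  # padded claim
    return accepted, rejected, claim_ok, forged_ok, bs.sent
```

In a deployment h would be chosen so that only a small fraction of tickets win, which is what keeps the reporting overhead low.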


Accounting

The accounting center receives
• reward claims of the form: “u claims ($u_1$, $u_2$, , L)”
• traffic info recorded by the base stations of the form: “(, L, u) from o”

All originators whose identity has been recorded by a base station are charged

All users whose identity figures as a claimant in an accepted reward claim are credited

All users whose identity appears as sending or receiving neighbor in an accepted reward claim are also credited


Auditing

The probability for a ticket to win is independent of the identity of the user who evaluates it

each user should appear as a claimant with approximately the same frequency as he figures as either sending or receiving neighbor of a claimant


Examples of abuses and their detection

Packet dropping
• Description: the user agrees to forward, but he doesn’t forward
• Detection: receiving neighbor freq. > sending neighbor freq.

Ticket sniffing
• Description: the user claims credit for overheard packets
• Detection:
  - claimant freq. > receiving neighbor or sending neighbor freq.
  - conflicting claims

[Figure: nodes a, b, c and d]
b claims (a, c, , L)
d claims (b, c, , L)
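The two detection rules above, run by the accounting center over a small set of constructed reward claims; this is an added example, not the authors' auditing procedure. Assumptions: the thresholds `tolerance` and `min_events`, the use of base-station records as sending evidence, and the two-pass order (set aside sniffers' claims before testing for dropping) are choices made for this sketch.

```python
from collections import Counter, defaultdict

# Constructed sample data. A claim is (u, u1, u2, ticket, L): claimant u received the
# packet from u1 and forwarded it to u2 ("BS" is the base station).
# Route A: o1 -> a -> b -> BS.  Route B: o2 -> x -> m -> b -> BS, where m accepts
# packets (and claims rewards) but never forwards.  s overhears the a -> b hop and
# claims rewards for it.
CLAIMS = [
    ("a", "o1", "b", "a1", 70), ("a", "o1", "b", "a3", 70), ("a", "o1", "b", "a5", 70),
    ("b", "a", "BS", "a2", 70), ("b", "a", "BS", "a4", 70), ("b", "a", "BS", "a6", 70),
    ("x", "o2", "m", "b1", 70), ("x", "o2", "m", "b2", 70),
    ("x", "o2", "m", "b4", 70), ("x", "o2", "m", "b5", 70),
    ("m", "x", "b", "b1", 70), ("m", "x", "b", "b3", 70), ("m", "x", "b", "b6", 70),
    ("s", "a", "b", "a2", 70), ("s", "a", "b", "a3", 70),
    ("s", "a", "b", "a4", 70), ("s", "a", "b", "a6", 70),
]
# Base-station traffic records "(ticket, L, u) from o" (constructed).
BS_RECORDS = [("a1", 70, "b", "o1"), ("a2", 70, "b", "o1"),
              ("a4", 70, "b", "o1"), ("a5", 70, "b", "o1")]


def tally(claims, bs_records):
    """Per-user frequency as claimant, as sending neighbor and as receiving neighbor."""
    claimant, sending, receiving = Counter(), Counter(), Counter()
    for u, u1, u2, _ticket, _level in claims:
        claimant[u] += 1
        sending[u1] += 1      # u1 sent the packet to the claimant
        receiving[u2] += 1    # u2 received the packet from the claimant
    for _ticket, _level, u, _o in bs_records:
        sending[u] += 1       # assumption: the base station saw u send this packet
    return claimant, sending, receiving


def conflicting_tickets(claims):
    """Tickets for which two claims name different next hops for the same sender,
    as in the slide's example: b claims (a, c, ...) while d claims (b, c, ...)."""
    next_hops = defaultdict(set)
    for u, u1, u2, ticket, _level in claims:
        next_hops[(ticket, u1)].add(u)    # the claim says u1 sent to u
        next_hops[(ticket, u)].add(u2)    # and that u sent to u2
    return sorted({t for (t, _sender), hops in next_hops.items() if len(hops) > 1})


def audit(claims, bs_records, tolerance=2, min_events=3, sinks=("BS",)):
    claimant, sending, receiving = tally(claims, bs_records)
    # Ticket sniffing: claimant frequency far above both neighbor frequencies.
    sniffers = sorted(u for u, n in claimant.items()
                      if n >= min_events and n > tolerance * max(sending[u], receiving[u]))
    # False claims inflate the neighbor counts of honest nodes, so set them aside
    # before testing for dropping (otherwise b would be flagged in this data set).
    accepted = [c for c in claims if c[0] not in sniffers]
    _, sending, receiving = tally(accepted, bs_records)
    # Packet dropping: receiving-neighbor frequency far above sending-neighbor frequency.
    droppers = sorted(u for u, n in receiving.items()
                      if u not in sinks and n >= min_events and n > tolerance * sending[u])
    return {"conflicting_tickets": conflicting_tickets(claims),
            "ticket_sniffing": sniffers,
            "packet_dropping": droppers}
```

On the constructed data, `audit(CLAIMS, BS_RECORDS)` flags s for ticket sniffing and m for packet dropping, and lists the four tickets on which s's claims contradict those of a and b.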


Conclusion on the probabilistic encouragement for collaboration

Cooperation between nodes can be fostered by micro-payments

Probabilistic micro-payments can drastically reduce the overhead

The operator can fine tune the detection mechanisms according to the level of observed cheating

Future work
• Study attacks by malicious users
• Pricing issues (e.g., computation of the reward levels)

M. Jakobsson, J. P. Hubaux, and L. Buttyan, "A Micro-Payment Scheme Encouraging Collaboration in Multi-hop Cellular Networks", Proceedings of Financial Crypto 2003


Cooperation without incentives in pure ad hoc networks

[Figure labels: $\sigma_i$, $A_i$, $y_i$, $x_i$]

Examples of strategies:
• AllD (always defect): initial cooperation level 0, function $\sigma_i(x) = 0$
• AllC (always cooperate): initial cooperation level 1, function $\sigma_i(x) = 1$
• TFT (Tit-For-Tat): initial cooperation level 1, function $\sigma_i(x) = x$

Conclusion: In a static network, the conditions for spontaneous cooperation are extremely unlikely to be met; but mobility improves things.

M. Felegyhazi, Levente Buttyan, and J. P. Hubaux, "Equilibrium Analysis of Packet Forwarding Strategies in Wireless Ad Hoc Networks – the Static Case", Proceedings of Personal Wireless Communications (PWC `03), Venice, Italy, September 2003


Power-efficient Broadcast in all-wireless networks

[Figure: example network of nodes a to j annotated with link costs and transmission powers; steps shown: "Calculate gains", "Calculate new transmission power", "Try to remove node d"]

M. Cagalj, J. P. Hubaux, and C. Enz, “Minimum-Energy Broadcast in All-Wireless Networks: NP-completeness and Distribution Issues”, Mobicom 2002


COMMON-Sense Net: Agriculture and water management with the use of wireless sensor networks

Joint work with IISc


The need for water

Consequence: Growing humanitarian crises and political instability

Water supply, distribution of unserved populations

Sanitation, distribution of unserved populations


Water and agriculture

Agriculture consumes 70% of the fresh water used worldwide by human activity

Around 40% of the fresh-water used for agriculture is lost (evaporation, spills, undue absorption)

[Figure: fresh water use by sector: Agriculture (70%), Industrial, Domestic]

Agriculture is largely responsible for ground water’s depletion and salinisation.


Assumptions

An optimized water management in agriculture is needed

Optimised water management means better information gathering on the soil’s and plants’ condition

Sensors and sensor networks can provide this enhanced information


A concrete test case (1)


A concrete test case (2)

• 25 villages over a radius of 25 km
• Marginal farmers (< 1 ha) and small farmers (< 2 ha)
• No powered irrigation
• Cultures:
  - groundnut (for oil), cereals
  - millets (finger millet -locally known as Ragi-, sorghum)
  - rice in some irrigated patches


User requirements

• A better access to critical data and information to help farmers in their decision making process
  - Soil: humidity, salinity
  - Ground-water: level, quality (nitrates, phosphates)
  - Local meteorological data: temperature, radiance, wind velocity and direction...
  - Global meteorological data: weather forecast, seasonal estimates...
• Cultural and social issues are critical


System characteristics

• Self-organizing network of heterogeneous wireless sensor-nodes (ease of deployment, non-intrusiveness)
• Nodes communicate in a multihop fashion
• Low data-rate
• Scalability and adaptability to network changes
• Node failure detection and adaptability
• Internet-connectivity


Technical requirements

• Communication range: around 500 m (up to 1 km)
• Power-saving mechanisms: life-time of every node over 1 year (the longer the better)
• Possibility to connect heterogeneous sensors to a communication node: « universal » port
• Cost constraints


Project consortium

Indian Partners
• Centre for Electronics Design and Technology (CEDT/IISc)
• Centre for Atmospheric and Oceanic Studies (CAOS/IISc)
• Chennakeshava Trust

Swiss Partners
• Laboratory for computer Communications and Applications (LCA/EPFL)
• Laboratory of Hydrology and Planning (HYDRAM/EPFL)
• HEC, Lausanne (UNIL)


COMMON-Sense Agenda

• June 2003: Build-up of the consortium
• July-August 2003: Project proposal
• Fall 2003: Development of first prototype
• August 31st: Project submitted to SDC/EPFL cooperation fund
• January 2004: Project approved
• February 2004: Project meeting in Bangalore
• March-April 2004: Gathering of final user requirements
• May 2004: System High-Level Design
• June-November 2004: Work on first release
• December 2004: Outdoor testing of prototype


Conclusion

Ad hoc and sensor networks raise new challenges in a number of areas

Security in particular needs to be redesigned from scratch

The solutions very much depend on the presence and role of an authority

This is an exciting and promising research area…

Presented papers available online at: http://lcawww.epfl.ch/hubaux/ or Google (hubaux) home page