Embed Size (px)
Citation preview
1
Security and Cooperation in Wireless and Mobile
Networks
Richard Yang
2
Admin.
Homework 4 due Friday Dec. 8th
3
Recap
TinyOSsoftware as hardware components
Mobile CPU scheduling dynamic voltage scaling
4
Mobile File Systems
5
Discussion
What challenges does the file system face in wireless/mobile environment?
6
Problems Facing File System
Disconnected/weakly connected file system read miss
• stalls progress (the user has to stop working)
synchronization/consistency issues• may need to synchronize multiple copies of the same
file• if multiple users, may need to solve consistency
problems
Heterogeneous device types each device has its own file system and naming
convention, e.g., digital camera, ipod
7
Some Approaches
Handling read miss explicit user file selection, e.g., MS briefcase automatic hoarding, e.g., CODA, SEER
Handling synchronization/consistency issues keep modification logs and develop merge tools, e.g.,
Bayou efficient file comparisons and merging, e.g., rsync, low
bandwidth file system (LBFS )
Handling heterogeneous device types mask the differences , e.g., EnsemBlue
8
Security and Cooperation in Wireless and Mobile
Networks
9
Introduction
This is a vast and active field, a course by itself
A good recent book is Thwarting Malicious and Selfish Behavior
in the Age of Ubiquitous Computing, by Levente Buttyan and Jean-Pierre Hubaux, Cambridge University Press, to appear in 2007.
available at: http://secowinet.epfl.ch/
10
Generic Network Security and Cooperation Issues
confidentiality
integrity authenticity; incentive-compatibility
availability
11
Why is Security Challenging in Wireless Networks? No inherent physical protection
physical connections between devices are replaced by logical associations
sending and receiving messages do not need physical access to the network infrastructure (cables, hubs, routers, etc.)
Broadcast communications wireless usually means radio, which has a broadcast
nature transmissions can be overheard by anyone in range anyone can generate transmissions,
• which will be received by other devices in range• which will interfere with other nearby transmissions
Thus it is easier to implement jamming, eavesdropping, injecting bogus messages, and replaying previously recorded messages
12
Why is Security Challenging in Mobile Networks?
Since mobile devices typically have limited resources (e.g., CPU cycles, battery supply), the designer might want to select simple security mechanisms an interesting example: TELSA
However, this may lead to serious security flaws bad example: Wired Equivalent Protection
(WEP), the original security protocol for 802.11
13
WEP: A Bad Example
14
802.11 Message Flow
data messagesprotected by WEP
15
Wired Equivalent Privacy (WEP)
WEP was intended to provide comparable confidentiality to a traditional wired network, thus the name
WEP implements message confidentiality and integrity
WEP encryption is used in 802.11 authentication
16
WEP Security
WEP confidentiality through encryption using RC4, a stream-
based encryption algorithm using a shared key
WEP integrity through message check sum using encrypted
cyclic redundancy check (CRC)
WEP authentication through challenge/response
17
WEP Encryption
For each message to be sent: RC4 is initialized with the shared secret
between station STA and access point (AP)• WEP allows up to 4 shared keys
RC4 produces a pseudo-random byte sequence (key stream) from the shared key
This pseudo-random byte sequence is XORed to the message
18
WEP Encryption To avoid using the same key stream, WEP
encrypts each message with a different key stream the RC4 generator is initialized with the
shared secret plus a 24-bit IV (initial value)• shared secret is the same for each message• 24-bit IV for each message• there is no specification on how to choose the IV;
sender picks the IV value
19
WEP Integrity
WEP integrity protection is based on computing ICV (integrity check value) using CRC and appended to the message
The message and the ICV are encrypted together
20
WEP
IV secret key RC4RC4
message | ICV
message | ICVIV
IV secret key RC4RC4
message | ICV
encode
decode
KS
KS
CRCCRC
check CRC
check CRC
21
Active Attack on WEP: IV Replay Attacks
A known plain-text message is sent to an observable wireless LAN client (e.g., an e-mail message)
The network attacker will sniff the wireless LAN looking for the predicted cipher-text
The network attacker will find the known frame, derive the key stream (corresponds to the give IV+K), and reuse the key stream
The network attacker can "grow" the key stream
22
Active Attack on WEP: Bit-Flipping Attack
The attacker sniffs a frame on the wireless LAN The attacker captures the frame and flips random bits in the data
payload of the frame The attacker modifies the ICV (detailed later) The attacker transmits the modified frame The access point receives the frame and verifies the ICV based
on the frame contents The AP accepts the modified frame The destination receiver de-encapsulates the frame and
processes the Layer 3 packet Because bits are flipped in the higher layer packet, the Layer 3
checksum fails The receiver IP stack generates a predictable ICMP error The attacker sniffs the wireless LAN looking for the encrypted
error message Upon receiving the error message, the attacker derives the key
stream as with the IV replay attack
23
Bit-Flipping Attack
24
Generating Valid CRC
The crucial step of the flipping attack is to allow the frame to pass the ICV check of the AP
Unfortunately, the CRC algorithm allows generating valid encrypted ICV after bit flipping
25
Bypassing Encrypted ICV
CRC is a linear function wrt to XOR:
CRC(X Y) = CRC(X) CRC(Y)
- Attacker observes (M | CRC(M)) K where K is the key stream output- for any M, the attacker can compute CRC(M) - hence, the attacker can compute:
([M | CRC(M]) K) [M | CRC(M)] = ([M M) | (CRC(M) CRC(M)]) K= [M M) | CRC(M M)] K
26
WEP Authentication
Two authentication modes
open authentication --- means no authentication !
• an AP could use SSID authentication and MAC address filtering, e.g., at Yale, but this is ineffective
shared key authentication based on WEP
27
WEP Shared Key Authentication Shared key authentication is based on a
challenge-response protocol:…AP STA: rSTA AP: (IV | r) K…
where K is a 128 bit RC4 output on IV and the shared secret
An attacker can compute r (r K) = K
Then it can use K to impersonate STA later:…AP attacker: r’attacker AP: (IV | r’) K…
28
WEP: Lessons
WEP has other problems, e.g., short IV space, weak RC4 keys
Engineering security protocols is difficult one can combine otherwise OK building blocks in a
wrong way and obtain an insecure system at the end• example 1:
– stream ciphers alone are OK– challenge-response protocols for entity authentication are OK– but they shouldn’t be combined
• example 2:– encrypting a message digest to obtain an ICV is a good principle– but it doesn’t work if the message digest function is linear wrt to the
encryption function
Avoid the use of WEP (as much as possible)
29
Fixing WEP
After the collapse of WEP, Wi-Fi Protected Access (WPA) was proposed in 2003
Then the full 802.11x standard (also called WPA2) was proposed in 2004
But WEP is still in wide use
30
TELSA: A Positive Example
Digital Signatures Do Not Work
Problem statement: authentication of packets
The typical approach in the Internet is to
attach a digital signature on each packet
However, signatures are expensive, e.g., RSA
1024 on a 2.1 GHz desktop: high signature cost (~5 ms)
high communication cost (128 bytes/packet)
More expensive on low-end processors
http://www.cryptopp.com/benchmarks.html
TESLA
Timed Efficient Stream Loss-tolerant Authentication
Uses only symmetric cryptography
Basic Authentication Mechanism
t
F(K)AuthenticCommitment
P
MAC(K,P)
Kdisclosed
1: Verify K
2: Verify MAC
3: P Authentic!
F: public one-way function; MAC: message digest function
TELSA Security Condition
Sender distributes initial commitment and key
disclosure schedule using, say, digital signature
Security condition (for packet P):
on arrival of P, receiver is certain that sender did not
yet disclose K
If security condition not satisfied, drop packet
TESLA: Example
K4 K5 K6 K7
tTime 4 Time 5 Time 6 Time 7
K3
P5
K5
P3
K3
P2
K2
P1
K2
Verify MACs
P4
K4
FF
Authenticate K3
Keys disclosed 2 time intervals after use
TESLA Summary
Advantages low overhead
• communication (~ 20 bytes)• computation (~ 1 MAC computation per packet)
tolerate packet loss
Problems time synchronization delayed authentication
Secure Efficient Ad hoc Distance Vector (SEAD)
Uses one-way hash chains to authenticate metric and sequence number for DSDV
Assumes a limit k-1 on metric (as in other distance vector protocols such as RIP, where k=16) metric value infinity can be represented as k
SEAD Metric Authenticators
Each node generates a hash chain and distributes the last element (CN+1) to allow verification: chain values CN-k+1, …, CN authenticate metrics
0 through k-1 for sequence number 1 CN-2k+1,…CN-k authenticate metrics 0 through k-1
for sequence number 2 CN-ik+1,…CN-(i-1)k authenticate metrics 0 through k-1
for sequence number iC0 C1 C3C2 C5C4
C6 C7 C9C8 C10 C12C11
SEAD Metric Authenticators
Each node generates a hash chain anddistributes the last element (CN+1) to allow verification: Chain values CN-k+1, …, CN authenticate
metrics 0 through k-1 for sequence number 1
CN-2k+1,…CN-k authenticate metrics 0 through k-1 for sequence number 2
CN-ik+1,…CN-(i-1)k authenticate metrics 0 through k-1 for sequence number i
C0 C1 C3C2 C5C4
C6 C7 C9C8 C10 C12C11
SEAD Metric Authenticators
Each node generates a hash chain and distributes the last element (CN+1) to allow verification: Chain values CN-k+1, …, CN authenticate metrics
0 through k-1 for sequence number 1 CN-2k+1,…CN-k authenticate metrics 0 through
k-1 for sequence number 2
CN-ik+1,…CN-(i-1)k authenticate metrics 0 through k-1 for sequence number i
C0 C1 C3C2 C5C4
C6 C7 C9C8 C10 C12C11
Each node generates a hash chain and distributes the last element (CN+1) to allow verification: Chain values CN-k+1, …, CN authenticate metrics
0 through k-1 for sequence number 1 CN-2k+1,…CN-k authenticate metrics 0 through k-1
for sequence number 2 CN-ik+1,…CN-(i-1)k authenticate metrics 0 through
k-1 for sequence number i
SEAD Metric Authenticators
C0 C1 C3C2 C5C4
C6 C7 C9C8 C10 C12C11
SEAD Metric Authenticators
Within a sequence number i: CN-ik+1 represents metric 0
CN-ik+2 represents metric 1
CN-ik+m+1 represents metric m
CN-ik+k represents metric k-1
C9 C10 C11
Metric 0 Metric 1 Metric 2When a node receives a routing update:• It first checks the metric authenticator• If the update is to be accepted:
– It increments the metric by one
– and hashes the authenticator
– then adds the metric and authenticator to routing table
43
Cooperation in Wireless, Mobile Networks
44
Cooperation in Wireless Networks
A special case of “security attack” is by rational nodes drop packets, mis-represent information
Motivation wireless networks have limited capacity wireless nodes have limited resource—battery power unlike the Internet, where commercial relationship is
worked out, many ad hoc network nodes belong to different users and have incentive to forward others’ traffic
• similar free-riding problems in P2P applications
45
Cooperation in Wireless Networks
Discussion: how to handle non-malicious but selfish nodes?
46
Payment-based Routing The first setup (kind of the oracle version)
centralized authority: computation and payment Each node has a (private energy/transmission) cost of
sending one packet to a neighbor The network (authority)
pays the nodes so that they will forward traffic from a source to a destination the objective of the
authority is to choose the lowest cost path
• assume cost reflects energy• thus extending network
life time/maximizing capacity—the social welfare
47
Node’s Utility Assume each node wants to maximize its utility Utility is the sum of all source-destination pairs The utility of being on the path P of a source-
destination pair:
where - pi is the amount the network pays node i - 1P(i) is 1 if node i is on the path P; otherwise 0
- ci is the cost of the link used in P, if a link from i is used
)(1 icpu Piii
48
Payment Using VCG Mechanism VCG stands for Vickrey, Clarke and Groves The VCG mechanism
each node sends the costs of its links to the authority the authority computes the lowest cost path from the
source S to the destination D the payment to node i:
where - LCP(S,D) is the lowest cost path from S to D: {S->R1, R1->R2, …, Rk->D}
- LCP(S,D)\{i} is the previous path but does not include the link from i to its next hop, if i is on the path; if i is not on the path, it is just the previous path
- LCP(S,D;-i) is the lowest cost path from S to D without using i, i.e. remove node i from the graph and then find path
}){\),((cost));,((cost iDSLCPiDSLCPpi
49
Example: N1
12
1 3N2
D
N1
S
- assume N1 declares the cost as 2, how much will N1 bepaid according to the VCG mechanism? (1+3)-1 = 3
- assume N1 declares the cost as 1, how much will N1 bepaid according to the VCG mechanism?
- what is the utility of N1? 3 - 2 = 1
(1+3)-1 = 3- what is the utility of N1? 3 - 2 = 1
- assume N1 declares the cost as 4, how much will N1 bepaid according to the VCG mechanism?
Assume the true cost of N1 to D is 2
(1+3)-(1+3) = 0- what is the utility of N1? 0 - 0 = 0
50
Formal Results
Each node reports its link costs truthfully
Thus the network chooses the lowest cost path for each source-destination pair
51
Analysis on Truthfulness
By contradiction Assume node i’s true costs for its links are Ci but
reports Wi
think of Wi and Ci as vectors of link costs
The node decides to declare Wi instead of Ci only if the utility is higher
The best scenario a node can be in is that it is given the declared costs of all other nodes’ links and then decides its declarations of the costs of its links in order to maximize its utility action chosen in this way is called dominant strategy
52
VCG Proof
Assume the lowest cost path computed is - LCP when the node reports Ci, and
- LCP’ when reports Wi
it must be the case that (1P(i) meant i on path P)
)(1}){\),((cost));,((cost
)(1}){\),('(cost));,('(cost ''
iciDSLCPiDSLCP
iciDSLCPiDSLCPLCPLCP
i
LCPLCPi
)(1}){\),((cost)(1}){\),('(cost '' iciDSLCPiciDSLCP LCPLCPi
LCPLCPi
)(1}){\),((cost)(1}){\),('(cost '' iciDSLCPiciDSLCP LCPLCPi
LCPLCPi
Right hand side is LCP we computed; left hand side is one path. Contradiction.
