Upload
marvin-owens
View
215
Download
0
Tags:
Embed Size (px)
Citation preview
Integrity-regions: Authentication ThroughPresence in Wireless Networks
Srdjan Čapkun1 and Mario Čagalj2
1Department of Computer Science, ETH Zurich 2FESB, University of Split, Croatia
ACM WiSe 2006
2
Key Establishment: Diffe-Hellman
ga mod p
gb mod p
KAB=(gb)a mod p KAB=(ga)b mod p
Mallory
Alice Bob
3
Man in the Middle Attack (MITM)
4
Solution to the MITM: Authentication of DH Contributions
ga mod p A Bgb mod p, sigB(gb,ga)
sigA(ga,gb)
Uses signatures ... (DH contributions are authenticated)
A B
here are the public keys
TTP
5
Our goal: Avoiding Certificates (Reliance on TTPs)
ga mod p A Bgb mod p
A B
Visual recognition, conscious establishment of keys
h(ga)
h(gb)
6
Existing Solutions
• Stajano and Anderson propose the “resurrecting duckling” security policy model (physical contact)
• Balfanz et al. “location-limited channel” (e.g., an infrared link)• Asokan and Ginzboorg propose a solution based on a shared
password• Perrig and Song, hash visualization (image comparison)• Maher presents several methods to verify DH public parameters
(short string comparison), found flawed by Jakobsson• Jakobsson and Larsson proposed two solutions to derive a
strong key from a shared weak key• Dohrmann and Ellison propose a method for key verification
that is similar to DH-SC (short word comparison)• Gehrmann et al., (short string comparison)• Goodrich et al. Loud And Clear: Human Verifiable
Authentication Based on Audio• Cagalj et al. (short string comparison (1/2 string size))• Capkun, et al. key establishment for self-organized mobile
networks (IR channel, mobility)
• Castellucia, Mutaf (device signal indistinguishability)• Cagalj, Capkun, Hubaux, distance-based verification, channel
anti-blocking• Cagalj, Capkun, ... Integrity-codes (awareness of presence)
7
The Seriousness of the MITM Attack
• Devices using low-power radios can avoid it? – not all radios can control their tx power– the ranges are highly unpredictable– the attacker can use high-gain directional
antennas and increase its listening range up to 10x
– neighboring/hidden devices
• I will establish keys in my own living room, I do not need security ... – maybe your neighbor steals your dvd UWB
output?– you meet someone at a conference ... – ad hoc groups of emergency staff, police, ... – ...– yes, you probably do not need any security in your
living room
8
Our Solution: Integrity-regions
• Main idea: message authentication through distance verification (e.g. ultrasonic distance-bounding)
• Assumption: the user can assume or visually verify that there are no malicious devices within the integrity region
No certificates or preshared keys exchanged prior to the protocol execution
9
Integrity Region Protocol
A
B
d
M
A’s integrity region
d*
(c,o) = commit(gb)c,B
d*=(tR-tS)vsound
[1] verify (c,o)[2] verify that d* is within its (A's) integrity region d (i.e., d* d)[3] verify that there are no devices at any distance d** d*[4] if verifications (1-3) pass, A accepts message gb as genuine
NA oUS channel
tR
NAtS
10
Diffie-Hellman with Integrity Regions
Given ga Pick NA , NA U {0,1}k
mA0gaNA
(cA ,oA) commit (mA)
Alice Bob
*Given gb Pick NB U {0,1}k
mB 1gbNB
(cB ,oB)commit (mB)cA
cB
oBmBopen (cB ,oB)
Verify 1 in mB
sANA NB
oA mAopen (cA ,oA) Verify 0 in mA
sBNB NA
*RBNA sB
NA
RB
tS
tRdA=(tR-tS)vsound
Verify sA = NA RB
*
*
Only Alice verifies her integrity region. If verification OK, Alice and Bob accept mB and mA, respectively.
11
Analysis of the Implementation with Ultrasound
A
B
d
M
A’s integrity region
d*
c,B
NA oUS channel
tR
NAtS
(c,o) = commit(gb)
(c*,o*) = commit(gm)c*,B
NA o*
12
Main Consequence of Integrity Regions
• Forcing the attacker to be physically close to the devices to perform the MITM attack.
without integrity regions with integrity regions
13
Integrity-regions with (Omni)directional Antennas
14
Example Application Scenarios
Setup of wireless sensor networks (establishment of keys)
no attackers inthis space (sensors’ I-region)
Setup of a home network
15
Summary/Future Work
• Physical presence of the attacker (i.e., the attacker cannot be omnipresent (physically))
• Honest devices (users) can have an awareness of presence (distance, space, surrounding devices)
• One solution: Integrity regions, message authentication through distance verification
• Impact on (mobile) ad hoc / sensor networks: – verification of the distance prevents MITM
attacks on key establishment from remote locations
– enables P2P key establishment / key pairing
16
Authentication Through Presence (Awareness)
• M. Čagalj, S. Čapkun, R. Rengaswamy, I.Tsigkogiannis, M. Srivastava, and J.-P. Hubaux. Integrity (I) codes: Message Integrity Protection and Authentication Over Insecure Channels. In Proceedings of the IEEE Symposium on Security and Privacy, 2006
• M. Čagalj, S. Čapkun, and J.-P. Hubaux,Key Agreement in Peer-to-Peer Wireless Networks Proceedings of the IEEE (Special Issue on Security and Cryptography), 94(2), 2006