35
Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks Julien Freudiger, Maxim Raya and Jean- Pierre Hubaux SECURECOMM, 2009

Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks

  • Upload
    stacia

  • View
    38

  • Download
    0

Embed Size (px)

DESCRIPTION

Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks. Julien Freudiger , Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009. Wireless Trends. Phones Always on (Bluetooth, WiFi ) Background apps New hardware going wireless Cars, passports , keys , …. - PowerPoint PPT Presentation

Citation preview

Page 1: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks

Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux

SECURECOMM, 2009

Page 2: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

2

Wireless Trends• Phones

– Always on (Bluetooth, WiFi)– Background apps

• New hardware going wireless– Cars, passports, keys, …

Page 3: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

3

Peer-to-Peer Wireless Networks

1

MessageIdentifier

2

• Share information with other users• Authenticate message sender

Certificate

Page 4: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

4

Examples

• Urban Sensing networks• Delay tolerant networks• Peer-to-peer file exchange

MiFiSocial networks

Page 5: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

5

Anonymity Problem

Adversary can track activities of pseudonymous users

Passive adversary monitors identifiers used in peer-to-peer communications

MessageJulienFreudiger CertificatePseudonym

Page 6: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

6

Reputation

Privacy

Anonymous Authentication

Page 7: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

7

Previous Work (1)Multiple Pseudonyms

[1] A. Beresford and F. Stajano. Mix Zones: User Privacy in Location-aware Services. Pervasive Computing and Communications Workshop, 2004

MessagePseudonym 1 Certificate 1

+ Simple for users- Costly for operator (pseudonym management)- Limited privacy- Sybil attacks

Pseudonym 2Pseudonym 3Pseudonym 4 Certificate 2Certificate 3Certificate 4

Nodes change pseudonyms

Page 8: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

8

Previous Work (2)Group Signatures

+ Good anonymity- Central management- Traceable

[2] D. Boneh, X. Boyen and H. Shacham. Short Group Signatures. Crypto, 2004

[3] D. Chaum and E. van Heyst. Group Signatures. EuroCrypt, 1991

MessageGroup Identifier

Group Certificate

CentralAuthority

Page 9: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

9

+ No need for infrastructure+ Exploit inherent redundancy of mobile networks - Privacy?

New ApproachSelf-Organized Anonymity

MessageRandomIdentifier

Many Certificates

Network-generated privacy

Page 10: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

10

Outline

1. Ring Signatures

2. Anonymity Analysis

3. Evaluation

Page 11: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

11

Cryptographic PrimitiveRing Signatures

• Procedure1. Select a set of pseudonyms (including yours) in a ring2. Sign messages with ring

• Properties– Anonymity: Signer cannot be distinguished– Unlinkable: Signatures cannot be linked to same signer– Setup free: Knowledge of others’ pseudonym is sufficient

Anonymous authentication: Member of ring signed the message

[4] R. L. Rivest , A. Shamir , Y. Tauman. How to Leak a Secret. Communications of the ACM, 2001

Page 12: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

12

Ring Signatures Explained

vz =+

Ek

+

Ek

+

Ek

+

Ek

+

y1=g( )

y2=g( )

xs=g-1( )

yr-1=g( )y0=g( )x0

x1

x2

ys

xr-1

ys=g( )xs

k=H(m)v is the glue valuexi are random values

Page 13: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

13

Ring Construction in MANETs• Nodes record pseudonyms in rings of neighbors– Store pseudonyms in history – Node i creates ring by selecting pseudonyms

from with strategy

• Rings are dynamically and independently created

Page 14: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

14

Illustration

1

3

4

2 6

5

t1: S1 = [] R1 = [P1]

t2: S1 = [2, 3, 4] R1 = [P1, P2, P4]

t3: S1 = [2, 3, 4, 6]R1 = [P1, P4, P6]

Page 15: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

15

Outline

1. Ring Signatures

2. Anonymity Analysis

3. Evaluation

Page 16: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

16

Anonymity

• Adversary should not infer user i from Ri

Pj

Pi

User i

Ri

Attack: Given all rings, adversary can infer most

probable ring owner

Page 17: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

17

Anonymity Analysis

• Bipartite graph model

is set of nodes

is set of pseudonyms

is set of edges

Captures relation between nodes and rings

Page 18: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

18

Attacking Ring Anonymity (1)Example

Find a perfect matching: Assignment of nodes to pseudonyms

Page 19: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

19

Attacking Ring Anonymity (2)Analysis

• Find most likely perfect matching– Weight edges– Max weight perfect matching

• Bayesian inference– A priori weights– A posteriori weights

• Entropy metric

Page 20: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

20

Optimal Construction

• Maximize anonymity

Theorem: Anonymity is maximum iif• Graph is regular• All subgraphs

are isomorphic to each other

Page 21: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

21

Outline

1. Ring Signatures

2. Anonymity Analysis

3. Evaluation

Page 22: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

22

Validation of Theoretical Results

• LEDA C++ library for graph manipulation• 10 nodes• K=4 (ring size)

u1

Random graphs

P1

P2

P10

u2

u10

… …

u1

K-out graphs

P1

P2

P10

u2

u10

… …

u1

Regular graphs

P1

P2

P10

u2

u10

… …

Page 23: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

23

Entropy Distribution of Random Graphs with edge density p

Page 24: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

24

Minimum & Mean Entropy Distribution for Random and Regular Graphs

Page 25: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

25

Entropy distribution of random, K-out and regular graphs

Page 26: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

26

Fraction of matched nodes for various graph constructions

Page 27: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

27

Evaluation in Mobile Ad Hoc Network

• 100 nodes• K=4 (ring size)• Static– Learn pseudonyms as far as graph connectivity allows– Select pseudonyms randomly

• Mobile: Restricted Random Waypoint– Least popular: Select leas popular pseudonyms– Most popular: Select most popular pseudonyms– Random: Randomly select pseudonyms

Page 28: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

28

Average Anonymity Set size over time

Least

Random

Static

Mobile

Page 29: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

29

Conclusion

• Self-organized anonymous authentication– Network generated anonymity– Analysis with graph theory

• Results– Regular constructions near optimal– K-out constructions perform well– Mobility helps anonymity– Knowledge of popularity of pseudonyms helps

Page 30: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

30

Future Work• Stronger adversary model– Active adversary

• Self-Organized Location Privacy– Linkability Breaks Anonymity

Page 31: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

31

BACKUP SLIDES

Page 32: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

32

Compute Weights• A priori weight• Probability of an assignment

• Probability of an assignment given all assignments

• A posteriori weight of an edge between ui and pj

Page 33: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

33

Revocation

• Keys can be black listed using traditional CRLs• Misbehaving nodes can be excluded by

revoking all keys in a ring– Nodes can reclaim their key to CA– Nodes misbehaving several times would be

detected• Accountability of group of users

Page 34: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

34

Cost

• Computation overhead

• Transmission overhead– Group of prime order q– q = 283 (128-bit security), M = log2(q)

Page 35: Self-Organized  Anonymous  Authentication  in  Mobile Ad Hoc Networks

35

CDF of the average anonymity set size