Upload
stacia
View
38
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks. Julien Freudiger , Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009. Wireless Trends. Phones Always on (Bluetooth, WiFi ) Background apps New hardware going wireless Cars, passports , keys , …. - PowerPoint PPT Presentation
Citation preview
Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks
Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux
SECURECOMM, 2009
2
Wireless Trends• Phones
– Always on (Bluetooth, WiFi)– Background apps
• New hardware going wireless– Cars, passports, keys, …
3
Peer-to-Peer Wireless Networks
1
MessageIdentifier
2
• Share information with other users• Authenticate message sender
Certificate
4
Examples
• Urban Sensing networks• Delay tolerant networks• Peer-to-peer file exchange
MiFiSocial networks
5
Anonymity Problem
Adversary can track activities of pseudonymous users
Passive adversary monitors identifiers used in peer-to-peer communications
MessageJulienFreudiger CertificatePseudonym
6
Reputation
Privacy
Anonymous Authentication
7
Previous Work (1)Multiple Pseudonyms
[1] A. Beresford and F. Stajano. Mix Zones: User Privacy in Location-aware Services. Pervasive Computing and Communications Workshop, 2004
MessagePseudonym 1 Certificate 1
+ Simple for users- Costly for operator (pseudonym management)- Limited privacy- Sybil attacks
Pseudonym 2Pseudonym 3Pseudonym 4 Certificate 2Certificate 3Certificate 4
Nodes change pseudonyms
8
Previous Work (2)Group Signatures
+ Good anonymity- Central management- Traceable
[2] D. Boneh, X. Boyen and H. Shacham. Short Group Signatures. Crypto, 2004
[3] D. Chaum and E. van Heyst. Group Signatures. EuroCrypt, 1991
MessageGroup Identifier
Group Certificate
CentralAuthority
9
+ No need for infrastructure+ Exploit inherent redundancy of mobile networks - Privacy?
New ApproachSelf-Organized Anonymity
MessageRandomIdentifier
Many Certificates
Network-generated privacy
10
Outline
1. Ring Signatures
2. Anonymity Analysis
3. Evaluation
11
Cryptographic PrimitiveRing Signatures
• Procedure1. Select a set of pseudonyms (including yours) in a ring2. Sign messages with ring
• Properties– Anonymity: Signer cannot be distinguished– Unlinkable: Signatures cannot be linked to same signer– Setup free: Knowledge of others’ pseudonym is sufficient
Anonymous authentication: Member of ring signed the message
[4] R. L. Rivest , A. Shamir , Y. Tauman. How to Leak a Secret. Communications of the ACM, 2001
12
Ring Signatures Explained
vz =+
Ek
+
Ek
+
Ek
+
Ek
…
…
+
y1=g( )
y2=g( )
xs=g-1( )
yr-1=g( )y0=g( )x0
x1
x2
ys
xr-1
ys=g( )xs
k=H(m)v is the glue valuexi are random values
13
Ring Construction in MANETs• Nodes record pseudonyms in rings of neighbors– Store pseudonyms in history – Node i creates ring by selecting pseudonyms
from with strategy
• Rings are dynamically and independently created
14
Illustration
1
3
4
2 6
5
t1: S1 = [] R1 = [P1]
t2: S1 = [2, 3, 4] R1 = [P1, P2, P4]
t3: S1 = [2, 3, 4, 6]R1 = [P1, P4, P6]
15
Outline
1. Ring Signatures
2. Anonymity Analysis
3. Evaluation
16
Anonymity
• Adversary should not infer user i from Ri
…
Pj
…
Pi
User i
Ri
Attack: Given all rings, adversary can infer most
probable ring owner
17
Anonymity Analysis
• Bipartite graph model
is set of nodes
is set of pseudonyms
is set of edges
Captures relation between nodes and rings
18
Attacking Ring Anonymity (1)Example
Find a perfect matching: Assignment of nodes to pseudonyms
19
Attacking Ring Anonymity (2)Analysis
• Find most likely perfect matching– Weight edges– Max weight perfect matching
• Bayesian inference– A priori weights– A posteriori weights
• Entropy metric
20
Optimal Construction
• Maximize anonymity
Theorem: Anonymity is maximum iif• Graph is regular• All subgraphs
are isomorphic to each other
21
Outline
1. Ring Signatures
2. Anonymity Analysis
3. Evaluation
22
Validation of Theoretical Results
• LEDA C++ library for graph manipulation• 10 nodes• K=4 (ring size)
u1
Random graphs
P1
P2
P10
u2
u10
… …
u1
K-out graphs
P1
P2
P10
u2
u10
… …
u1
Regular graphs
P1
P2
P10
u2
u10
… …
23
Entropy Distribution of Random Graphs with edge density p
24
Minimum & Mean Entropy Distribution for Random and Regular Graphs
25
Entropy distribution of random, K-out and regular graphs
26
Fraction of matched nodes for various graph constructions
27
Evaluation in Mobile Ad Hoc Network
• 100 nodes• K=4 (ring size)• Static– Learn pseudonyms as far as graph connectivity allows– Select pseudonyms randomly
• Mobile: Restricted Random Waypoint– Least popular: Select leas popular pseudonyms– Most popular: Select most popular pseudonyms– Random: Randomly select pseudonyms
28
Average Anonymity Set size over time
Least
Random
Static
Mobile
29
Conclusion
• Self-organized anonymous authentication– Network generated anonymity– Analysis with graph theory
• Results– Regular constructions near optimal– K-out constructions perform well– Mobility helps anonymity– Knowledge of popularity of pseudonyms helps
30
Future Work• Stronger adversary model– Active adversary
• Self-Organized Location Privacy– Linkability Breaks Anonymity
31
BACKUP SLIDES
32
Compute Weights• A priori weight• Probability of an assignment
• Probability of an assignment given all assignments
• A posteriori weight of an edge between ui and pj
33
Revocation
• Keys can be black listed using traditional CRLs• Misbehaving nodes can be excluded by
revoking all keys in a ring– Nodes can reclaim their key to CA– Nodes misbehaving several times would be
detected• Accountability of group of users
34
Cost
• Computation overhead
• Transmission overhead– Group of prime order q– q = 283 (128-bit security), M = log2(q)
35
CDF of the average anonymity set size