30/04/2004 Gene Tsudik, UCLA CSD Research Review 1
Some Security Issues & Challenges in MANETs and Sensor Nets
Gene Tsudik
SCONCE: Secure Computing and Networking Center
UC Irvine
http://sconce.ics.uci.edu/
04/30/2004
Outline
• Background
• Some security issues
– Secure Casual Multicast
– Aided Cryptography
– Secure Routing
– Privacy Issues
– Aggregation and minimization
– Group Membership: Admission and Eviction
– DoS resistance
• Some on-going work
Secure Casual Multicast
• An important service in MANETs and sensor networks is the need to communicate to dynamic subsets/clusters of nodes, e.g.,
– All routers with x available bw
– All nodes close to some location
– All nodes with >t% power remaining
• This kind of multicast can be one-time
• How to distribute a group key to such subsets?
• “Broadcast encryption” doesn’t help here
Secure Casual Multicast
• If the subset is large (around n) then “broadcast encryption” techniques could be used
• But what if subset size is much smaller than the total # of nodes, e.g., n/c for some constant c.
• Solutions today are:
– encrypt the message as many times as there are receivers or,
– use group key establishment protocols
• Both solutions are very expensive
– Can we do better???
Aided Cryptographic Computations
• Assume nodes have limited computation and communication ability as well as limited energy…
• Computationally intensive tasks, e.g., full-blown PK crypto operations are costly
• Many settings involve a (small) number of more powerful devices (gw-s, servers, etc.)
• Can be used for off-loading crypto computations…
– if power needed for computing is greater than that for communication
– if time needed for computing would adversely impact sensor’s other tasks
Aided Cryptographic Computations
• “Server-aided” cryptography is applicable but state-of-the-art (2-party, mediated, server-aided, etc.) still too expensive
– Designed to enforce various policies (fine-grained control, revocation,…) not to minimize computation…
• Can we design an architecture that off-loads heavy computation to more powerful devices?
Secure Routing/Key distribution
• Most MANET routing protocols are vulnerable to attacks that can paralyze the whole network
• Existing secure MANET routing protocols (such as Ariadne) authenticate each data and control packet
• Proposed authentication solutions are:
– Signatures: too costly!
– TESLA: needs buffering, synchronization, some complexity
– Pair-wise keys: not flexible - all nodes must be updated when a new node joins the MANET.
– Shared (common) group key: not secure – one corruption is enough to break the system!
• No general solution exists…
Secure Routing/Key distribution
• Similarly, state-of-the-art secure routing in sensor networks:
– relies on time synchronization (is this realistic?)
– remains secure only if fewer than “t” nodes are compromised
• Since wholesale re-keying/re-initializing is often impossible, these solutions might not be practical!
• Also, it is often difficult to identify compromised nodes in monitoring applications
– Ideally we need solutions that work even if some nodes have been compromised …
• New key distribution and secure routing protocols are required for these types of networks!
Privacy-Aware Routing
• MANET routing is cooperative
• Traffic analysis is very easy!
• Some technical solutions exist: onion routing, mixes… very expensive!
• Can we build routing protocols that prevent intermediate nodes from performing traffic analysis?
• Privacy-aware routing is needed!
Privacy of Associations
• MANETs and sensor nets can operate in multi-cultural environment
• Need to tell kin from strangers (friend-or-foe)
• Need to do so in private manner – no observability!
• Secret Handshakes can help – Balfanz, et al.
– Castelluccia, et al.
– Still need to solve one-time credential issue
– Group handshakes?
• Sensors operating in hostile settings need to produce signatures that are anonymous/untraceable
– Group signatures? Too expensive…
Group Key Management
Group Key Distribution (GKD): requires a center, large groups, multicast, wireline
Group Key Agreement (GKA): distributed (group-based), expensive, small groups, wireline
Current solutions unsuitable for MANETs
• GKD: no center, long messages, broadcasts
• GKA: multi-round, many messages, broadcasts
• GKA: need underlying reliable group comm.
• GKA: tries to minimize computation
• GKD: tries to minimize bw
• Sometimes need to switch priorities
• GKA: protocols need to complete even if membership changes in the interim
• GKA: center availability (partitions/failures/compromise)
• No practical protocol tolerates malicious insiders
Aggregation / Minimization
• MACs, signatures are examples of crypto tags
• If information is collected from each node (sensor, router, etc), much bw and storage is “wasted” on tags
• Need to minimize tag size; aggregate signatures, MACs, etc.
• If multiple nodes report the same data, can aggregate it
• Why not aggregate tags too?
• Example techniques: Mykletun [NDSS’04], Boneh [EuroCrypt’03], Mazieres [IPTPS’04]
• Much more work needed…
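One simple way to aggregate tags, shown as an added example (not from the slides or the cited papers): each sensor MACs its reading under a key shared with the sink, a forwarding node XORs the tags into one constant-size tag, and the sink recomputes and compares. Keys, sensor ids and readings are constructed; the function names are hypothetical.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def tag(key, sensor_id, reading):
    """Per-sensor MAC; binding the sensor id stops tags being swapped between nodes."""
    msg = sensor_id.to_bytes(2, "big") + reading
    return hmac.new(key, msg, hashlib.sha256).digest()


def aggregate(tags):
    """Forwarding node: XOR any number of tags into a single TAG_LEN-byte tag."""
    agg = bytes(TAG_LEN)
    for t in tags:
        agg = bytes(x ^ y for x, y in zip(agg, t))
    return agg


def sink_verify(keys, reports, agg_tag):
    """Sink: recompute every tag from (sensor_id, reading) and compare the XOR."""
    ids = [sid for sid, _ in reports]
    # Edge case: a report repeated twice cancels itself out under XOR,
    # so duplicate or unknown sensor ids must be rejected outright.
    if len(set(ids)) != len(ids) or any(sid not in keys for sid in ids):
        return False
    expected = aggregate(tag(keys[sid], sid, r) for sid, r in reports)
    return hmac.compare_digest(expected, agg_tag)


def demo():
    # Constructed sample data: three sensors, two reporting the same value.
    keys = {1: b"A" * 32, 2: b"B" * 32, 3: b"C" * 32}
    reports = [(1, b"21.5C"), (2, b"21.5C"), (3, b"22.0C")]
    agg = aggregate(tag(keys[s], s, r) for s, r in reports)
    tampered = [(1, b"21.5C"), (2, b"99.9C"), (3, b"22.0C")]
    return sink_verify(keys, reports, agg), sink_verify(keys, tampered, agg)


if __name__ == "__main__":
    print(demo())
```

The bandwidth saving is that one 32-byte tag travels upstream regardless of how many sensors reported; the cost is that a failed check does not say which report was bad.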
DoS Resistance
• DoS attacks are here to stay
• Worst (best) attacks target servers: Web, Time, Name, Authentication, etc.
• So-called “Client Puzzles” are touted as an effective solution– Waste of computation
– Punishes anemic clients
– Powerful adversary can afford fast hw
• Other solutions?
Group Membership Control
– Goal: secure admission of members to a group while tolerating adversaries both outside and inside
– Standard Model:
  • A “CA” is distributed among n nodes (all or only some)
  • A new node must get a partial signature from each of at least k (out of n) nodes
  • It then computes its membership certificate and becomes a bona fide member
    – Can prove membership by presenting his certificate
    – Can compute pair-wise keys
    – Can authenticate to insiders and outsiders
– TS-RSA, TS-DSA, ID-based
– All are TOO expensive!
– New crypto algorithms/protocols needed
– Distributed Eviction is harder (need to maintain MRLs)
Membership Control
• [KMT03] Y. Kim, D. Mazzocchi and G. Tsudik, Admission Control in Collaborative Groups, IEEE Symposium on Network Computing and Applications (NCA-03)
• [NTY03] M. Narasimha, G. Tsudik and J. Yi, On the Utility of Distributed Cryptography in P2P and MANETs, IEEE International Conference on Network Protocols (ICNP'03)
• [STY03] N. Saxena, G. Tsudik and J. Yi, Admission Control in P2P: Design and Performance Evaluation, ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '03)
Key (pre-)distribution
• Combine key pre-distribution (Blom scheme) with secret sharing to achieve (pairwise) key distribution in MANETs
• Model:
– Each node (a priori) gets a share of its “secrets” from k “servers”
– Uses shares to compute a secret
– This secret can be used to compute a pair-wise key with any other node
• Sometimes more appropriate than the “distributed-CA” model
– Members get keys not certificates!
– efficient…few modular multiplications per key computation
• Extending this to INEXPENSIVE group keying
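The model above, as an added sketch (not code from the talk or the cited papers): a Blom scheme whose secret symmetric matrix is split additively across the servers, so no single server knows any node's secret. The additive k-of-k sharing, the field size, the parameter values and all function names are assumptions made for illustration.

```python
import secrets

P = 2**61 - 1    # prime field modulus (constructed parameter)
LAMBDA = 3       # Blom threshold: keys stay secret against <= LAMBDA colluding nodes
K_SERVERS = 4    # number of share-issuing servers (assumed additive k-of-k sharing)


def public_column(node_id):
    """Public Vandermonde column G_i = (1, id, id^2, ..., id^LAMBDA) mod P."""
    return [pow(node_id, e, P) for e in range(LAMBDA + 1)]


def random_symmetric_matrix():
    """One server's secret D_s: random symmetric (LAMBDA+1)x(LAMBDA+1) matrix."""
    n = LAMBDA + 1
    m = [[0] * n for _ in range(n)]
    for r in range(n):
        for c in range(r, n):
            m[r][c] = m[c][r] = secrets.randbelow(P)
    return m


def server_share(matrix, node_id):
    """Share a server hands to a node: D_s * G_i mod P."""
    g = public_column(node_id)
    return [sum(a * b for a, b in zip(row, g)) % P for row in matrix]


def provision(servers, node_id):
    """Node adds its k shares component-wise; result equals (sum of D_s) * G_i."""
    shares = [server_share(d, node_id) for d in servers]
    return [sum(col) % P for col in zip(*shares)]


def pairwise_key(own_secret, peer_id):
    """K_ij = <secret_i, G_j> mod P: LAMBDA+1 modular multiplications."""
    return sum(a * b for a, b in zip(own_secret, public_column(peer_id))) % P


def demo():
    servers = [random_symmetric_matrix() for _ in range(K_SERVERS)]
    # Node ids 17 and 42 are constructed; ids must be distinct and nonzero mod P.
    node_a, node_b = provision(servers, 17), provision(servers, 42)
    return pairwise_key(node_a, 42), pairwise_key(node_b, 17)


if __name__ == "__main__":
    k_ab, k_ba = demo()
    print(k_ab == k_ba)
```

Both sides derive the same key because the summed matrix is symmetric, and each node needs only its peer's public id, not a certificate.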
Aggregation of crypto-tags
• “Efficient” Secure Routing
• Using DH for securing Route Discovery (as in DSR)
• Constant-size tags
• Few (2) exponentiations to verify route integrity
• Few (2) exponentiations per route hop
• Also, using ID-based cryptography