30/04/2004Gene Tsudik, UCLA CSD Research Review1 Some Security Issues & Challenges in MANETs and...

30/04/2004 Gene Tsudik, UCLA CSD Research Review 1

Some Security Issues & Challenges in MANETs and

Sensor NetsGene Tsudik

SCONCE: Secure Computing and Networking Center

UC Irvinehttp://sconce.ics.uci.edu/

04/30/2004

http://sconce.ics.uci.edu/


Outline

• Background• Some security issues

– Secure Casual Multicast– Aided Cryptography– Secure Routing– Privacy Issues– Aggregation and minimization – Group Membership: Admission and

Eviction– DoS resistance

• Some on-going work


Secure Casual Multicast

• An important service in MANETs and sensor networks is the need to communicate to dynamic subsets/clusters of nodes, e.g.,– All routers with x available bw– All nodes close to some location– All nodes with >t% power remaining

• This kind of multicast can be one-time• How to distribute a group key to such

subsets?• “Broadcast encryption” doesn’t help here


Secure Casual Multicast

• If the subset is large (around n) then “broadcast encryption” techniques could be used

• But what if subset size is much smaller than the total # of nodes, e.g., n/c for some constant c.

• Solutions today are:– encrypt the message as many times as there are

receivers or,– use group key establishment protocols

• Both solutions are very expensive– Can we do better???


Aided Cryptographic Computations

• Assume nodes have limited computation and communication ability as well as limited energy…

• Computationally intensive tasks, e.g., full-blown PK crypto operations are costly

• Many setting involve a (small) number of more powerful devices (gw-s, servers, etc.)

• Can be used for off-loading crypto computations…– if power needed for computing is greater than that for

communication

– if time needed for computing would adversely impact sensor’s other tasks


Aided Cryptographic Computations

• “Server-aided” cryptography is applicable but state-of-the-art (2-party, mediated, server-aided, etc..) still too expensive– Designed to enforce various policies (fine-

grained control, revocation,…) not to minimize computation…

• Can we design an architecture that off-loads heavy computation to more powerful devices?


Secure Routing/Key distribution

• Most MANET routing protocols are vulnerable to attacks that can paralyze the whole network

• Existing secure MANET routing protocols (such as Ariadne) authenticate each data and control packet

• Proposed authentication solutions are:– Signatures: too costly!– TESLA: needs buffering, synchronization, some complexity– Pair-wise keys: not flexible - all nodes must be updated

when a new node joins the MANET.– Shared (common) group key: not secure – one corruption

is enough to break the system!

• No general solution exists…


Secure Routing/Key distribution

• Similarly, state-of the art secure routing in sensor networks:– relies on time synchronization (is this realistic?)– remains secure only if less that “t” nodes are

compromised• Since wholesale re-keying/re-initializing is often

impossible, these solutions might not be practical!

• Also, it is often difficult to identify compromised nodes in monitoring applications– Ideally we need solutions that work even if

some nodes have been compromised …

• New key distribution and secure routing protocols are required for these types of networks!


Privacy-Aware Routing

• MANET routing is cooperative

• Traffic analysis is very easy!

• Some technical solutions exists : onion routing, mixes… very expensive!

• Can we build routing protocols that prevent intermediate nodes from performing traffic analysis?

• Privacy-aware routing is needed!


Privacy of Associations• MANETs and sensor nets can operate in multi-

cultural environment

• Need to tell kin from strangers (friend-or-foe)

• Need to do so in private manner – no observability!

• Secret Handshakes can help – Balfanz, et al.

– Castelluccia, et al.

– Still need to solve one-time credential issue

– Group handshakes?

• Sensors operating in hostile settings need to produce signatures that are anonymous/untraceable– Group signatures? Too expensive…


Group Key Management

Group Key Distribution (GKD): requires a center, large groups, multicast, wireline

Group Key Agreement (GKA): distributed (group-based), expensive, small groups, wireline

Current solutions unsuitable for MANETs

• GKD: no center, long messages, broadcasts

• GKA: multi-round, many messages, broadcasts

• GKA: need underlying reliable group comm.

• GKA: tries to minimize computation

• GKD: tries to minimize bw

• Sometimes need to switch priorities

• GKA: protocols need to complete even if membership changes in the interim

• GKA: center availability (partitions/failures/compromise)

• No practical protocol tolerates malicious insiders


Aggregation / Minimization

• MACs, signatures are examples of crypto tags

• If information is collected from each node (sensor, router, etc), much bw and storage is “wasted” on tags

• Need to minimize tag size; aggregate signatures, MACs, etc.

• If multiple nodes report the same data, can aggregate it

• Why not aggregate tags too?

• Example techniques: Mykletun [NDSS’04], Boneh [EuroCrypt’03], Mazieres [IPTPS’04]

• Much more work needed…


DoS Resistance

• DoS attacks are here to stay

• Worst (best) attacks target servers: Web, Time, Name, Authentication, etc.

• So-called “Client Puzzles” are touted as an effective solution– Waste of computation

– Punishes anemic clients

– Powerful adversary can afford fast hw

• Other solutions?


Group Membership Control – Goal: secure admission of members to a group

while tolerating adversaries both outside and inside

– Standard Model: • A “CA” is distributed among n nodes (all or only some)• A new node must gets a partial signature from each of at

least k (out of n) nodes • It then computes its membership certificate and becomes a

bona fide member– Can prove membership by presenting his certificate– Can compute pair-wise keys– Can authenticate to insiders and outsiders

– TS-RSA, TS-DSA, ID-based – All areTOO expensive!– New crypto algorithms/protocols needed– Distributed Eviction is harder (need to maintain

MRLs)


Membership Control

• [KMT03] Y. Kim, D. Mazzocchi and G. Tsudik, Admission Control in Collaborative Groups, IIEEE Symposium on Network Computing and Applications (NCA-03)

• [NTY03] M. Narasimha, G. Tsudik and J. Yi, On the Utility of Distributed Cryptography in P2P and MANETs,IEEE International Conference on Network Protocols (ICNP'03)

• [STY03] N. Saxena, G. Tsudik and J. Yi, Admission Control in P2P: Design and Performance Evaluation, ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '03)


Key (pre-)distribution

• Combine key pre-distribution (Blom scheme) with secret sharing to achieve (pairwise) key distribution in MANETs

• Model:– Each node (a priori) gets a share of its “secrets”

from k “servers” – Uses shares to compute a secret– This secret can be used to compute a pair-wise

key with any other node• Sometimes more appropriate than the “distributed-

CA” model – Members get keys not certificates!– efficient…few modular multiplications per key

computation

• Extending this to INEXPENSIVE group keying


Aggregation of crypto-tags

• “Efficient” Secure Routing

• Using DH for securing Route Discovery (as in DSR)

• Constant-size tags

• Few (2) exponentiations to verify route integrity

• Few (2) exponentiations per route hop

• Also, using ID-based cryptography

30/04/2004Gene Tsudik, UCLA CSD Research Review1 Some Security Issues & Challenges in MANETs and...

Documents

Transcript of 30/04/2004Gene Tsudik, UCLA CSD Research Review1 Some Security Issues & Challenges in MANETs and...