A Comprehensive Approach to Secure Group Communication in Wireless Networks

A Comprehensive Approach to Secure Group Communication in Wireless

Networks

David González Romero

Chicago, August 2009

Index

Chapter 1: Introduction

Chapter 2: Wireless technologies Bluetooth Wi-Fi (Annex 1) ZigBee (Annex 1) Wireless USB (Annex 1) Near Field Communication (Annex 1)

Chapter 3: Secure Device Pairing Public-key cryptography Diffie-Hellman key exchange Digital signatures Elliptic Curve Cryptography Human-assisted solutions

Chapter 4: Secure Group Communication Resurrecting Duckling Identity-based encryption Entity recognition

Introduction

Wireless technology has experienced a persisting burst in recent years

– Raise in portable, handheld and ubiquitous electronic devices for domestic use

– New applications in wireless communication: data exchange, monitoring, remote controlling…

A new set of technology standards (Chapter 2) cover a wide range of needs for casual and professional users

– Bluetooth

– Wi-Fi

– ZigBee

– Wireless USB

– Near Field Communication (NFC)

Concerns about privacy and network security

– Secure Device Pairing (Chapter 3)

– Secure Group Communication (Chapter 4)

- 3 -

Secure Device Pairing

Initial key exchange

Secure communication

Secure Group Communication

Our goal

Index





Wireless technologies

- 5 -

Complexity (transmission rate, network topology, protocol stack…)

Dis

tan

ce

ra

ng

e

Security needs

Bluetooth technology

Bluetooth is a protocol used for ad hoc wireless communication within ranges of up to 100 meters

Conceived as a cable replacement for connecting and exchanging data between personal devices such as cell phones, handheld or laptop computers, audio headsets or computer peripherals

– Many other uses. More than a cable replacement

Bluetooth is a standardized technology whose specifications are published by the Bluetooth Special Interest Group (SIG)

The most recent specification, Bluetooth 3.0 + H.S. was released on April 21st, 2009

- 6 -

1) Numeric Comparison

2) Out-of-Band

Bluetooth security

The most recent versions of Bluetooth include Secure Simple Pairing as its main security policy

Secure Simple Pairing aims to simplify the pairing process from the user’s point of view

Secure Simple Pairing defines four different pairing modes

- 7 -

3) Passkey Entry

4) Just Works

123456

OOB channel

?

Index





- 9 -

Secure Device Pairing

Secure Device Pairing allows two mobile devices that share no prior context to establish a secure communication between each other

– Secure communication between two devices means that no third party can eavesdrop or alter the content of the communication

The pairing procedure must ensure a secure First Connection between the devices without the need of a third party authority

Once the First Connection is secured, the devices agree a common key which can be securely stored and used in future communications without the need of a new secure pairing

Two basic approaches or a combination of both

– Public-key cryptography

Diffie-Hellman key exchange

Digital signatures

Elliptic Curve Cryptography (Annex 3)

– Human-assisted solutions

Public key cryptography

Public key cryptography uses asymmetric cryptographic algorithms

– Based on the use of public and private keys

A public key is used to encrypt and a private key is used to decrypt

- 10 -

Alice

Message

Bob

Communication channel

Encrypted message

Encryption

Bob’s public key

Encrypted message

Encrypted message

Decryption

Bob’s private key

Message

Diffie-Hellman Key Exchange

Diffie-Hellman Key Exchange allows two devices that share no prior context to establish a common secret key

D-H Key Exchange is based on the discrete logarithm problem

Both devices agree on two public keys: p and q

Each device has a private key: a and b

Alice computes (gb mod p)a mod p while Bob computes (ga mod p)b mod p, both obtaining the same final value

Given high values of a, b and p, it would be extremely hard for an eavesdropper who doesn’t know any of the secret keys to compute their values

– The more digits involved, the more difficult to solve (analytically or computationally) the discrete logarithm problem

- 11 -

a, g, p

A = ga mod p

K = Ba mod p

Alice

b

B = ga mod p

K= Ab mod p

Bob

g, p, A

B

- 12 -

Digital signatures

Alice

Message

Hash

function

Alice’s private

key

Digital Signature Algorithm – sign

operation

Digital Signature

Digitally signed message

(message + digital signature)

Hash

function

Digital signature

Digital Signature Algorithm – verify

operation

Bob

Digitally signed

message

Digital signature verified / signature verification failed

Alice’s public key

Public key schemes

- 13 -

The public key schemes presented can be compared in terms of computational complexity for a similar degree of security

Human-Assisted solutions

Public key cryptography relies on the effectiveness of using mathematical problems as the base for the encryption and decryption processes

Some kind of human interaction is required to provide authenticating mechanisms

Several solutions have been proposed

– Talking to Strangers (TtS) (Annex 2)

– Seeing-is-Believing (SiB)

– Loud and Clear (L&C) (Annex 2)

– HAPADEP (Human Assisted Pure Audio Device Pairing)

- 14 -

Seeing is Believing

Seeing is Believing (SiB) makes use of the capability of taking pictures and process the information in them with a mobile device

The ability to take pictures favors the creation of a location-limited visual channel

1) Device A has a 2D barcode (data matrix) attached to it, or is able to display it on a screen. This code represents its public key

2) Device B takes a picture of the code, getting A’s public key

3) Device B will only accept messages authenticated accordingly to the key it has obtained from A

The same process is repeated, authenticating B by showing a public key represented on a data matrix

- 15 -

visual channel

Public key

B A

Index






- 17 -

The solutions presented in the previous chapter are oriented to secure point-to-point communications

This approach can be insufficient when dealing with larger networks

Algorithm efficiency, user-friendliness…

Point-to-multipoint or ad hoc solutions can be approached

Resurrecting Duckling

- 18 -

1) Imprinting

2) Secure wireless communication

3) Death

4) Resurrection

Imprintable device

Master device

Trusted channel

Key exchange

Imprinted device

Master device

A slave device (duckling) gets securely attached to a master device (mother duck) which takes full control over it

Any number of slave devices can be associated with a master device in an ad hoc manner

Imprintable state: the slave device is ready to be attached to a master device

Imprinted state: the slave device is attached to the master device, been unable to be imprinted by a third device

Death: the master device release the slave, switching its state from “imprinted” to “imprintable”

Resurrecting: a master device uses the trusted channel to set an imprintable device to imprinted

Assassination?: only the master device should be able to cause the death of the slave

Attacker?

Master deviceImprinted device

Imprintable deviceMaster device

Trusted channel

Key exchange

Message

Identity Based Encryption

Identity Based Encryption (IBE) does not require the constant online presence of a Public Key Infrastructure

Each device/user has a public key that univocally identifies itself (email address, IP address…)

Each user authenticates to a key server, which provides a Private Key

Once the pairing is complete, the presence of the Key Server is not required anymore

- 19 -

PKG

Authentication Private key

Message encrypted with Bob’s public key

Bob Alice

Entity recognition

Entity recognition does not require the presence of an authentication authority, nor the intervention of the user

The goal of entity recognition is that successive messages in one conversation are sent by the entity that started the conversation and no third party can interfere by eavesdropping or tampering the conversation

The Guy Fawkes protocol is an early entity recognition scheme that uses cryptographic hash chains

The Jane Doe protocol uses cryptographic hash chains and message authentication codes (MACs)

– Based on the division of a conversation by different epochs

The process is easily extended to a group communication scenario

– Any number of conversations can be tracked as long as there is enough memory

Vulnerable to MITM attacks

– Can be applied as a supporting technique to public-key schemes

– Useful with low-power devices which may not be able to implement public key

- 20 -

WIRELESS SECURITY

Conclusion

- 21 -

Us

er-

ma

na

ge

d

Technological needs

Ad hoc Certification-authority-dependent

Tra

ns

pa

ren

t to

th

e u

se

r

DH

ECC

Digital signature

Public Key

?

TtS

SiB

L&C

HAPADEP

Human-Ass

isted

SSP

Resurrecting Duckling policy

Entity Recognition

IBE


Annex 1: other wireless technologies studied



Index





WLAN: Wireless Local Area Networking

Wireless Local Area Networks operate in the unlicensed 2.4 GHz ISM band

Standardized by the IEEE 802.11 standard and marketed under the name Wi-Fi by the Wi-Fi Alliance

The Wired Equivalent Privacy (WEP) algorithm was the first to provide security in Wi-Fi

– Now deprecated after demonstrated vulnerabilities

WEP was replaced by Wi-Fi Protected Access (WPA) and WPA2

– Based on the Temporal Key Integrity Protocol

- 24 -

ZigBee

Cheap alternative for mid-range personal communications

Lower distance range and transmission rate than Bluetooth and Wi-Fi

Different security configurations

– Tradeoff between security and cost

- 25 -

Applications and Profiles

Application Support (ASP) Layer

IEEE 802.15.4 Medium Access Control (MAC) Layer

IEEE 802.15.4 Physical (PHY) Layer

Network Layer

Defined by IEEE

802.15.4

Defined by ZigBee specification

Defined by application developer

Wireless USB

High transmission rate low-range technology

Suitable for communication between multimedia consumer electronics devices

Ideally presented as a replacement for wired technology Universal Serial Bus (USB)

- 26 -

Near Field Communication (NFC)

Extremely short-range wireless technology

Makes use of the “near field” zone of electromagnetic radiation

Intrinsically protected against external attacks, because of its extreme short rangeç

Complementary to other technologies as out-of-band channel

Promoted by the Near Field Communication Forum since 2004

- 27 -

Annex 2: other human-assisted device pairing solutions



Index





Talking to Strangers

Talking to Strangers avoids the use of a physical out-of-band channel

Talking to Strangers uses a location-limited out-of-band channel for the purpose of the First Connection, instead of the typical wireless medium

An Infrared Data Association (IrDA) can be performed

– Both devices must be able to “see” each other

– A human operator can easily verify which devices are able to establish an infrared connection

– An IrDA connection is limited in space, reducing the risk of eavesdropping

– But it is still invisible

– MiM attack is not impossible

- 30 -

infrared channel (invisible)

Attacker

Loud and Clear (L&C) provides human-assisted device pairing based on audio

Complementary to SiB

Four possible configurations to use depending on the capabilities (has a display, has a speaker…) of each device

3) Hear an audible sequence from the personal device and compare it to text displayed by target device

4) Compare text displayed by the personal device to text displayed by target device (included as an alternative method)

1) Hear and compare two audible sequences, one from each device

2) Hear an audible sequence from the target device and compare it to text displayed by the personal device

Public key exchange

Loud and Clear

- 31 -

Public key exchange

Public key exchangePublic key exchange

Annex 3: other discarded slides



Index





Bluetooth basics

Bluetooth has a star network topology

– Up to seven slave devices can be connected to a master device, forming a piconet

– Each device has a 3-bit Logical Transport Address (LT_ADDR)

000 is reserved for broadcasting

– More devices can be connected in “park state”

8-bit Park Member Address (PM_ADDR)

– Several piconets can be associated forming a scatternet

A Bluetooth profile defines the procedure which must be followed for each particular Bluetooth application

– Generic Access Profile, Headset Profile, File Transfer Profile…

– Each profile makes a different use of the Bluetooth Protocol Stack

- 34 -

Applications and Profiles

L2CAP (Logical Link Control and Adaptation )

HCI (Host Controller Interface)

Link Manager Protocol (LMP)

Baseband [Link controller (LC)]

Bluetooth Radio

SDP (Service

Discovery)

Radio Frequency Communication (RFCOMM)

OBEXPPP

TCP

Host stack

Controller stack

TCS BIN

UDP

IP

- 35 -

Bluetooth network topology

P2P1

P3

M1

S1

S1

S1/S2

M2

S2

M3/S2

S3

Bluetooth security

Bluetooth operates in the 2.4 GHz unlicensed Industrial, Medical and Scientific (ISM) band

Bluetooth uses FHSS (Frequency Hopping Spread Spectrum)

– The frequency range is changed 1600 per second

– A slave device must be synchronized with the master device’s pseudo-random hopping sequence

Before the 2.0 + EDR version, Bluetooth communications were authenticated by the use of a passcode (PIN) which must be entered in both devices as part of the pairing process

– The user acts as an out-of-band channel

Three different security models were defined

– Not secure

– Service level enforced security

– Link level enforced security (security procedure starts before creating the communication channel)

Bluetooth 2.0 + EDR introduced Secure Simple Pairing (SSP)

- 36 -

Index





Man-in-the-Middle Attacks

A Man-in-the-Middle (MiM) attack is a form of eavesdropping based on the ability to impersonate any of the extremes of a communication

– The broadcasting nature of the wireless communication makes the MiM attacks a serious security threat

Original Diffie-Hellman Key Exchange is highly vulnerable to MiM attacks, as it doesn’t provide authentication between the two devices

A MiM attacker can establish two independent connections and eavesdrop the communication or deliver new messages

– The attacker can intercept both Alice and Bob’s public keys and substitute them with their own public value

Authenticated Diffie-Hellman Key Exchange tries to avoid eavesdropping by providing some kind of authentication

All known forms of Authenticated Diffie-Hellman Key Exchange require user interaction (sharing a public key previously known, use of an Out-of-Band channel, etc.)

– Not applicable when the users share no prior context

Most of the proposed solutions include the use of additional Out-of-Band channels

- 38 -

Elliptic Curve Cryptography

ECC is a public-key scheme using the concept of elliptic curves over finite fields

A generic elliptic curve over the finite field Fp is formed by the points satisfying the equation y2 = x3 + a4x + a6

– x, y, a4, a6 F∈ p and (x , y) are the coordinates of a bilinear space

The discrete logarithm of Q to the base P is defined as the value k which satisfies the equation k·P = Q, where P and Q are two points of an elliptic curve

ECC is based on the elliptic curve discrete logarithm problem (ECDLP)

– Given k·P and Q and with the coordinates large enough it is infeasible to get the value k

k·P and Q are used in an algorithm to determine a public key and a private key

ECC requires shorter keys than other public-key schemes

It is used in group communication schemes such as the identity based encryption scheme presented in chapter 4

- 39 -

Key agreement in peer-to-peer wireless networks

When two human users try to connect their devices, there are several solutions which do not require de use of a side-channel or additional passwords

The ability of users to authenticate each other by visual or verbal contact is used in a Diffie-Hellman key exchange

1)Visual comparison of short strings (DH-SC)

– Two verification strings are obtained after performing a DH Key Exchange, one for each device

– The users compare the two strings and accept them if equals

2)Distance bounding (DH-DB)

– The devices can estimate the distance between each other by sending messages and measuring the time to obtain a response

– An integrity region is created, with any device out of it being unable to establish a connection

– The users must ensure that there are not other devices inside the integrity region

3) Integrity codes (DH-IC)

– This authentication scheme relies on the knowledge of a common integrity code

- 40 -

Proposed device pairing solutions

- 41 -

Index





Group authentication

A group authentication protocol aims to establish a secret key shared by all the devices in a group

The key must be refreshed every time a new member joins or leaves the group

– The overhead introduced may be excessive

Three main approaches to the group authentication problem

1)Centralized group key distribution

A master device maintains a secure connection to each of the devices at any moment

Too much overhead for Bluetooth technology

2)Decentralized group key distribution

A distributed algorithm selects the device which acts as the master device, changing it periodically

Same limitation as in 1)

3)Contributory group key management

All the devices contribute in the generation of the shared secret key by using broadcasting capabilities

Not applicable for Bluetooth, as it does not provide full support for message broadcasting

- 43 -

Identity Based Encryption (II)

The Private Key Generator (PKG) authenticates all the users in the system and transfer their private keys to them using a secure channel

The PKG also provides all the users with a Master Public Key

The main phases of the standard IBE scheme are:

1) Initial setup

– The PKG generates all public and private keys

2)Private Key Extraction

– Bob authenticates with his identity string, getting the Private Key from the PKG

3)Encryption

– Alice computes Bob’s public key using Bob’s identity and the Master Public Key

– Alice encrypts the message she wants to send using Bob’s Public Key

4)Decryption

– Bob decrypts Alice's message using his own Private Key

- 44 -

Annex 4: selected references



Selected references

Astuni, S. (2008). Enabling Secure Group Communication for Mobile Devices Using Bluetooth Technology

Stajano, F. & Anderson, R. (1999). The Resurrecting Duckling: security issues for adhoc wireless networks

Diffie, W., & Hellman, M.E. (1976). New directions in cryptography. IEEE transactions on Information Theory, 22, 644-654

Anderson, R., Bergadano, F., Crispo, B., Lee, JH., Manifavas, C., and Needham, R. A New Family of Authentication Protocols. ACM SIGOPS Operating Systems Review, 1998

Miller, VS., Use of Elliptic Curves in Cryptography. Lecture notes in computer sciences; 218 on advances in cryptology---CRYPTO 85, 1986

Duffy, A., Dowling, T., An Object Oriented Approach to an Identity Based Encryption Cryptosystem, Eighth IASTED International Conference on Software Engineering and Applications, 2004

Boneh, D. and Franklin, M., Identity Based Encryption from the Weil Pairing. Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, 2001

- 46 -

Contact

This was just a survey and introduction to the thesis “A Comprehensive Approach to Secure Group Communication in Wireless Networks”. If you need more information or have any suggestion regarding this presentation, contact me at any of the following:

www.linkedin.com/in/davidgonzalezromero

© David González Romero 2009. All rights reserved.

- 47 -

http://www.linkedin.com/in/davidgonzalezromero

A Comprehensive Approach to Secure Group Communication in Wireless Networks

Technology

Transcript of A Comprehensive Approach to Secure Group Communication in Wireless Networks