SPLASH Sécurisation des ProtocoLes dans les réseAux mobileS ad Hoc
description
Transcript of SPLASH Sécurisation des ProtocoLes dans les réseAux mobileS ad Hoc
SPLASH Sécurisation des ProtocoLes dans les
réseAux mobileS ad Hoc
http://www.inrialpes.fr/planete/splash.html
12 Décembre 2003
Refik MolvaInstitut EURECOM
MANET Security Requirements
Wireless & Mobile• Limited Energy• Lack of physical security
Ad Hoc• Lack of(or limited)
infrastructure• Lack of a priori trust
• Cooperation Enforcement
• Secure Routing
• Key management
[Recent security solutions for mobile ad hoc networks In “Ad Hoc Networks” IEEE Press - Wiley Ed]
Key Management Objectives
• Bootstrapping from scratch
• Fully distributed
• Minimum dependency
Key Management Approaches• Symmetric crypto [Basagni et al.]
• (ID, PK) binding– Certificate = (ID,PK)CA
• Self-organized Authorities [Zhou, Haas] [Kong, et al.] [Yi, Kravets] [Lehane, et al.]
• Web of trust(PGP) [Hubaux, Buttyan, Capkun]
– Certificate-less• Crypto-based IDs: ID = h(PK) [Montenegro, Castellucia] [O’Shea,
Roe] [Bobba, et al] • ID-based Crypto: PK = f(ID) [Halili, Katz, Arbaugh]
• Context-dependent authentication– location-limited channels [Balfanz, et al.] – Shared passwords [Asokan, Ginzborg]
Self-organized Admission ControlPerformance Comparison
• Centralized (simple signatures)– member gets t signatures from other members– Server grants GMC when t or more signatures are shown.
• Distributed (threshold signatures)– member gets “partial” certificates (mSKi) from other members.– member combines t certificates to get a GMC
GMC = mSK1 mSK2 mSK3.. mSKt = mSK
Threshold signatures are NOT suitable in MANET and sensor networks.
• Currently investigating Bilinear mappings
[Admission Control in Peer-to-Peer: Design and Performance Evaluation, ACM SASN Workshop, October 2003.]
[On the Utility of Distributed Cryptography in P2P and MANETs, ICNP 2003.]
(ID, PK) binding without a PKICrypto-Generated Addresses
(CGA)• Statistically Unique Cryptographically Verifiable IDs [Montenegro,
Castellucia] [O’Shea, Roe] IPv6 @ = prefix | h( prefix | PK )
• Secure Routing using CGA: AODV [Castellucia, Montenegro] DSR[Bobba, et al]
PROs: no certificates, no PKI CONs: generation of bogus IDs
• New: CGA based on the small primes variation of the Feige-Fiat-Shamir (MFFS)
[Statistically Unique and Cryptographically Verifiable Addresses: concepts and applications. ACM TISSEC, Feb. 2004]
[Protecting AODV against impersonation attacks, ACM MC2R, October 2002]
Cooperation enforcement mechanisms
Token-based [Yang,Meng,Lu]
Nuglets [Buttyan,Hubaux]SPRITE [Zhong, Chen, Yang]
CONFIDANT[Buchegger,Le Boudec] CORE [Michiardi,Molva]Beta-Reputation [Josang,Ismail]
Reputation-based
Threshold cryptography
Micro-payment
Cooperation Enforcement Evaluation with Game Theory
• Cooperative GT– Study the size (k) of a coalition of cooperating nodes
– Nash Equilibrium lower bound on k
• Non-cooperative GT– Utility function with pricing
– Pricing used to guide the operating point (i.e. maximum of utility function) to a fair position
– ri : dynamic reputation of node ni evaluated by her neighbors
jjy
iyi
iriiyuikU
:sharerelative
:functionutility )()()(
),,,,,(),( irjbibPFEREselfEfjbibiu
[Michiardi,Molva,CMS’02, WiOpt’03] [Srinivasan,et al.,INFOCOM’03]
Simulations: CORE – uniform traffic
Simulations: TFT – uniform traffic
Summary• Specific requirements
– Self organized bootstrapping of security associations
– Cooperation enforcement
• Prospects– New tools from crypto bag of tricks (Id-based crypto, . . .)
– Integrated mechanisms: reputation + key management
• Participation in MOBILEMAN project on Ad Hoc Networks
• ESAS 2004 1st European Workshop on Security in Ad-Hoc and Sensor Networks. (5.-6. August, 2004)
ESORICS 2004 – RAID 2004
September 13-17
Institut EURECOMSophia Antipolis - FRANCE
THANK YOU