Post on 28-Dec-2015

Bootstrapping Security Associations in Wireless (Sensor) Networks

Mario Čagalj, University of Split, FESB

ACROSS, 2013

Briefly about the speaker

Mario Čagalj, Associate Professor
  Department of Electronics, University of Split, FESB
  Ph.D. degree in Communication Systems from EPFL (École Polytechnique Fédérale de Lausanne)

Scientific work and research interests
  Information security, applied cryptography, game theory, energy-efficient communication, HCI, etc.

For more information
  http://www.fesb.hr/~mcagalj or mcagalj@fesb.hr

Motivation

Billions of devices will be interconnected in the near future
  Ericsson forecasts 50 billion M2M connections by 2020
  IoT, M2M, wearable sensor networks, smart metering, etc.

Many technologies/systems
  Include low-cost and highly constrained devices
  Use wireless channels (highly vulnerable)
  Operate independently of any authority (are user-centric)

Prerequisites for adoption of such technologies
  Data trustworthiness, authenticity and privacy

Motivation

Key element towards secure communication
  Some cryptographic (keying) material (pwds, keys, certs) has to be preloaded into communicating devices

However, users are bad when it comes to security
  Complicated setup procedures render the security features useless (e.g., home WiFi networks)
  What can we then expect from 2020?

[Figure: timeline 2013, 2014, 2020; user's devices and attacker]

Our goal

Develop mechanisms for secure initialization of wireless devices/for bootstrapping initial security associations
  User-friendly – easily administered by non-specialists
  Scalable – support a reasonably large number of devices
  Compatible with resource-constrained devices – lacking usual wired interfaces, displays, keypads, etc.

[Figure: timeline 2013, 2014, 2020; user's devices and attacker]

Talk outline

Basic security problem

Optimal message transfer authenticator

Group message authentication protocol

Authentication through presence
  Integrity codes

Basic security problem

Assumptions
  High bandwidth public/insecure channel (e.g. radio)
  Low bandwidth authenticated channel (not secret)
    E.g., sound, voice, visible light, etc.

Devices A and B share neither secrets nor certificates

Protect message integrity over the public channel
  Minimize user’s involvement and hardware requirements

[Figure: devices A and B, the message, the user and the attacker]

Attacker model

People usually have a wrong mental model

E.g., attacks on Bluetooth (designed for 10 m range)
  Eavesdropping from more than 1.5 km (BlueSniper rifle)
  Thanks to high gain/sensitivity antennas and receivers

[Figure: devices A and B, their nominal TX range, and the attacker]

Straightforward solution

Based on a weak-collision resistant hash function h(·)
  Given message m0, easy to calculate a hash value h(m0)
  Hard to find a different m1 such that h(m0)=h(m1)

Protocol between A and B
  A -> B (high bandwidth insecure channel): m
  A: calculates sA=h(m)
  B: receives m, calculates sB=h(m)
  A -> B (low bandwidth authenticated channel): sA
  B: if sA==sB, “Accept m” (ok)

Straightforward solution suboptimal

Today, weak-collision implies at least 80-bit hash value
  The minimum load over low bandwidth (human) channel

Hash function output sizes tend to increase over time
  Vulnerabilities (e.g., SHA-1), processing power increases
  E.g., MD5, SHA-1, SHA-2 (128, 160, 256... bit outputs)

More bits over low bandwidth (human) channel implies increased user’s involvement
  Big issue when user interacts with constrained devices

Optimal message transfer authenticator

Based on a non-malleable commitment scheme
  Functionality similar to that of an ideal hash function

Transforms message m into a commitment/opening pair
  To commit to m do: (c,d)=commit(m) and hand out c
  To open c do: hand out d and m=open(c,d)

Properties
  Once committed to m, cannot change to another m
  Message m remains secret until opened using d

Optimal message transfer authenticator

Protocol between A and B
  A: given message m, pick k random bits NA; (c,d)=commit(m,NA)
  A -> B (high bandwidth insecure channel): c
  B: pick k random bits NB
  B -> A (high bandwidth insecure channel): NB
  A -> B (high bandwidth insecure channel): d
  B: m, NA=open(c,d); sB=NA NB
  A: sA=NA NB
  A -> B (low bandwidth authenticated channel): sA
  B: if sA==sB, “Accept m” (ok)

Čagalj, Mario; Čapkun, Srđan; Hubaux, Jean-Pierre. Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. 94 (2006)

Optimal message transfer authenticator

Protocol between A and B, with the two strings compared over the authenticated channel
  A: given message m, pick k random bits NA; (c,d)=commit(m,NA)
  A -> B (high bandwidth insecure channel): c
  B: pick k random bits NB
  B -> A (high bandwidth insecure channel): NB
  A -> B (high bandwidth insecure channel): d
  B: m, NA=open(c,d); sB=NA NB; accept m
  A: sA=NA NB
  Low bandwidth authenticated channel: sA and sB are compared; if sA==sB, “Success” (ok)

Optimal message transfer authenticator

Theorem
  Computationally bounded attacker can succeed with probability at most approx. 2^-k (in a single session), where k is the size of authentication strings sA and sB.

For example, with k=15 bits
  Attacker successful with probability 2^-15 (i.e., 5-digit PIN)
  User’s involvement only 15 bits (i.e., 2 hex digits)

We can optimally trade security and the user’s load
  Time-invariant (independent of the employed hash function)
  Not the case with the standard solution (min. load at least 80 bits)
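The commit / nonce / open exchange and the 2^-k bound, as an added Python sketch (not code from the talk or the cited paper). Assumptions: a salted SHA-256 hash commitment stands in for the non-malleable commitment scheme, the operator combining NA and NB (missing from this transcript) is taken to be XOR, and run_session and substitution_success_rate are hypothetical names with a constructed man-in-the-middle model.

```python
import hashlib, hmac, secrets

K = 15  # length in bits of NA, NB and of the strings sA, sB (the k=15 case)

def commit(m: bytes, nonce: int):
    """Stand-in commitment: c = SHA-256(r || nonce || m), d = (r, nonce, m)."""
    r = secrets.token_bytes(32)        # random blinding, hides m and nonce
    n = nonce.to_bytes(2, "big")
    return hashlib.sha256(r + n + m).digest(), (r, n, m)

def open_commitment(c: bytes, d):
    """Return (m, nonce) if d opens c, otherwise None."""
    r, n, m = d
    if not hmac.compare_digest(hashlib.sha256(r + n + m).digest(), c):
        return None
    return m, int.from_bytes(n, "big")

def run_session(m: bytes, substituted=None):
    """One protocol run; returns (strings_match, message_seen_by_B).

    substituted: message a man-in-the-middle swaps in on the radio channel
    (constructed attacker model for this example), or None for an honest run.
    """
    na = secrets.randbits(K)                       # A picks NA
    c, d = commit(m, na)                           # A -> B (radio): c
    if substituted is not None:
        # The attacker must hand B a commitment before B reveals NB, so its
        # own nonce is fixed without knowing NA (hidden in c) or NB.
        c, d_to_b = commit(substituted, secrets.randbits(K))
    else:
        d_to_b = d
    nb = secrets.randbits(K)                       # B -> A (radio): NB
    opened = open_commitment(c, d_to_b)            # A -> B (radio): d
    if opened is None:
        return False, None
    m_at_b, n_at_b = opened
    s_b = n_at_b ^ nb                              # computed by B
    s_a = na ^ nb                                  # computed by A, sent on the
    return s_a == s_b, m_at_b                      # authenticated channel

def substitution_success_rate(trials: int = 2000) -> float:
    """Fraction of sessions in which a substituted message goes unnoticed."""
    hits = sum(run_session(b"PK_A", b"PK_attacker")[0] for _ in range(trials))
    return hits / trials
```

The substituted message passes only when the attacker's nonce happens to equal NA, so the measured rate stays near 2^-15 regardless of the hash output length.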

Optimal message transfer authenticator

Optimality and time-invariance

Securing Diffie-Hellman key agreement

Protocol between A and B
  A: given g^XA, pick k random bits NA; mA=IDA, g^XA, NA; (cA,dA)=commit(mA)
  B: given g^XB, pick k random bits NB; mB=IDB, g^XB, NB; (cB,dB)=commit(mB)
  A -> B: cA
  B -> A: cB
  A -> B: dA
  B -> A: dB
  A: mB=open(cB,dB); sA=NA NB; secret key KAB=g^(XA XB)
  B: mA=open(cA,dA); sB=NA NB; secret key KAB=g^(XA XB)
  sA and sB are compared: if sA==sB, “Success” (ok)

Čagalj et al. Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. (February, 2006)
Bluetooth Special Interest Group. Simple Pairing Whitepaper. // (October, 2006)

Example: Initializing home WiFi network

Camera-equipped device and wireless access point (AP)
  Single LED at the AP blinks short authentication string sB
  Ephemeral tokens for your guests (AP pwd not disclosed!)

[Figure: MT-auth DH run between the device and the AP; both derive KAB=g^(XA XB); the AP blinks sB=NA NB and the device checks it against sA=NA NB: if sA==sB, “Success”]

Contrast this with insecure WPS: Push-Button-Method by WiFi Alliance (2006)

Example: Initializing a pair of sensors

No cameras (only LEDs and a pushbutton)

User just checks that the devices blink the same states

[Figure: MT-auth DH run between two sensors; each derives KAB=g^(XA XB) and blinks its string (sA=NA NB, sB=NA NB) as on/off states such as 1 0 0 1 1 0, one state per slot Ts; if sA==sB, “Success”]

How about securely initializing a larger group of resource-constrained devices?

Group message Authentication Protocol (GAP)
  Generalization of our optimal two-party protocol

Perković T., Čagalj M., Mastelić T., Saxena N., Begušić D. Secure Initialization of Multiple Constrained Wireless Devices for an Unaided User. // IEEE TMC (2012)

GAP overview

Phase 1: insecure radio channel
  Devices exchange messages they want to authenticate and establish Group Authentication String (GAS)
  [Figure: devices D1, D2, ..., Dn]

Phase 2: visible light channel
  User compares the GAS
  [Figure: devices D1, D2, ..., Dn and the user]

GAP-Phase 1: insecure radio channel

Goal: M devices exchange and authenticate public keys

Messages exchanged by device Di with the other devices (..., Di-1, Di+1, ...)
  Step I: IDi, IDj
  Step II: ci-1, ci, ci+1
  Step III: di-1, di, di+1

Computations at device Di
  Gi={ID1<ID2<…<IDM}
  hGi=hash(ID1,…,IDi,…,IDM)
  (ci, di) commit(hGi, IDi, PKi, Ni)
  GASi Ni
  (hGj, IDj, PKj, Nj) open(cj, dj)
  Verify hGi, IDj
  If OK, GASi GASi Nj

GASi =N1 N2 ... Ni ... NM

GAP-Phase 2: authenticated light channel

User enters group size M into one device/coordinator
  Push-button can be used for this task
  If group size OK, the coordinator initiates synchronized transmission of GAS (blinking LEDs) on all the devices

User verifies simultaneously if GASi=GASj, for all devices

[Figure: devices D1, D2, ..., Dn blinking GAS1, GAS2, ..., GASn; if GAS1=GAS2= ... =GASn, “Success” (ok)]

GAP security

Theorem
  Computationally bounded attacker can succeed with probability at most approx. 2^-k (in a single session), where k is the size of the group authentication string (GAS).

User’s involvement only 15-20 bits
  Recall, we can set k as low as 15-20 bits

[Figure: blinked bit sequences (1 0 0 1 1 0; 1 1 1 1 0 0 1 0 0) with slot duration Ts and start/end markers]

GAP usability evaluation

27 participants (age 18-25)
  GAS verification (GAS match and mismatch tests) and entering group sizes via a push-button (25 sensors)

Average System Usability Score (SUS) 80,8 (max. 100)

[Figure: bar chart of the number of testers per rating (Very easy, Easy, Medium difficult, Difficult, Very difficult) for "GAS verification" and "Entering group size"]

Improving usability and scalability of GAP

User records the GAS procedure with a smartphone
  In turn, reviews the GAS procedure offline
  No special services or software on the smartphone (zero-configuration auxiliary device)

Talk outline

Basic security problem

Optimal message transfer authenticator

Group message authentication protocol

Authentication through presence
  Integrity codes

Integrity codes (I-codes)

The presence or absence of energy in a given time slot of duration Ts conveys information

[Figure: message m (1 0 1) -> balanced code -> c (1 0 0 1 1 0) -> on-off keying, one slot of duration Ts per bit of c]

Čagalj, M.; Čapkun, S.; Rengaswamy, R.; Tsigkogiannis, I.; Srivastava, M.; Hubaux, J.-P. Integrity codes: Message Integrity Protection and Authentication over Insecure Channels // IEEE S&P (2006)

Integrity codes (I-codes)

Balanced code
  Injective (one-to-one mapping)
  Equal number of ones and zeros
  E.g., Manchester code: 0 → 01 and 1 → 10

Impossible to convert a codeword c0 into a different codeword c1 without flipping at least one bit 1 to bit 0

  message   codeword
  00        0101
  01        0110
  10        1001
  11        1010

I-codes security

Assumptions
  A applies I-codes to message m
  B within the TX range of A
  B synchronized to A wrt the start and the end of c
  B verifies that the received codeword c is balanced
  Attacker cannot cancel (erase) a radio signal

Theorem
  The attacker cannot trick device B into accepting a message that is different from the original m.

[Figure: A transmits I-code(m) to B in the presence of the attacker]

I-codes transmission

Delimiter 111000 marks start and end of I-coded m
Delimiter and Manchester codewords incongruous
If attacker cannot cancel (erase) a radio signal:
  Any balanced codeword c between delimiters is authentic

ATMEL AT86RF211 transceiver, 433 MHz, FSK, Ts = 5 ms

I-codes reception

Demodulation at the receiver
  If average power in the symbol interval high → output 1
  If average power in the symbol interval low → output 0
  Any balanced codeword c between delimiters is authentic

[Figure: received signal for bit 1 and for bit 0]

Anti-blocking property of a radio channel

Received signal at B
  r(t)=s(t)⊗hAB(t)+a(t)⊗haB(t)+n(t)
    s(t), a(t): signals transmitted by A and by the attacker
    hAB(t), haB(t): channel between A/attacker and B (i.e., #paths, delay, phase, attenuation)
    n(t): Gaussian noise

Attacker’s goal: r(t)≈n(t)
  I.e., s(t)⊗hAB(t)+a(t)⊗haB(t)< n(t)

Attacker’s challenges
  s(t) can be made physically unpredictable for the attacker
  Accurate estimate of both hAB(t) and haB(t)

Many sources of uncertainty at high frequencies
  Inaccuracies in the antennas' positions

Anti-blocking property of a radio channel

0 → 1 easy
1 → 0 very hard

[Figure: A transmits s(t), the attacker transmits a(t); signal received at B for bit 1 and for bit 0]

Authentication through presence

User’s involvement minimal
  Ensures the devices are close-by
  Turns the devices on

[Figure: TX on, RX on; transmitted stream 111000011010…010101111000011010…010101111000… (delimiter, I-codes(m)); if I-codes(m) balanced, accept m (ok)]
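The I-codes transmission and reception rules above (delimiter 111000, Manchester codeword, balance check at B), as an added Python sketch that is not code from the talk or the cited paper. The slot string stands for already demodulated on-off keying slots, B is assumed synchronized to the frame as in the stated assumptions, and icode_frame, icode_receive, inject_energy and forgeries_accepted are hypothetical names.

```python
from itertools import combinations

DELIM = "111000"                   # delimiter from the slides
ENC = {"0": "01", "1": "10"}       # Manchester code from the slides
DEC = {v: k for k, v in ENC.items()}

def icode_frame(bits: str) -> str:
    """Slots sent by A: delimiter, Manchester codeword, delimiter."""
    return DELIM + "".join(ENC[b] for b in bits) + DELIM

def icode_receive(slots: str):
    """B's check: return the message bits, or None to reject the frame."""
    n = len(DELIM)
    if len(slots) < 2 * n or slots[:n] != DELIM or slots[-n:] != DELIM:
        return None
    body = slots[n:-n]
    if len(body) % 2:
        return None
    pairs = [body[i:i + 2] for i in range(0, len(body), 2)]
    if any(p not in DEC for p in pairs):   # "11" or "00": not balanced
        return None
    return "".join(DEC[p] for p in pairs)

def inject_energy(slots: str, positions) -> str:
    """Attacker within the stated assumption: 0 -> 1 only, never 1 -> 0."""
    out = list(slots)
    for p in positions:
        out[p] = "1"
    return "".join(out)

def forgeries_accepted(bits: str) -> int:
    """Try every non-empty set of 0 -> 1 flips on the frame for bits and
    count those B accepts as a different message."""
    frame = icode_frame(bits)
    zeros = [i for i, s in enumerate(frame) if s == "0"]
    count = 0
    for r in range(1, len(zeros) + 1):
        for pos in combinations(zeros, r):
            got = icode_receive(inject_energy(frame, pos))
            if got is not None and got != bits:
                count += 1
    return count
```

Every injection pattern is rejected because it produces a "11" pair or breaks a delimiter; changing the message would need a 1 → 0 erasure, which is exactly what the anti-blocking assumption rules out.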

Effect of noise on I-codes

Implementation on Mica2 sensor motes
  0s → no signal during T0=10ms
  1s → 18 bytes randomized packet at 19.2kbps (T1=7.5ms)

Securing Diffie-Hellman with I-codes

Protocol between A and B
  A: given g^XA, pick k random bits NA; mA=IDA, g^XA, NA; (cA,dA)=commit(mA)
  B: given g^XB, pick k random bits NB; mB=IDB, g^XB, NB; (cB,dB)=commit(mB)
  A -> B: cA
  B -> A: cB
  A -> B: dA
  B -> A: dB
  A: mB=open(cB,dB); sA=NA NB; secret key KAB=g^(XA XB)
  B: mA=open(cA,dA); sB=NA NB; secret key KAB=g^(XA XB)
  A -> B: I-codes(sA)
  B: if sA==sB, “Success” (ok)

Initializing a large sensor network

Simple procedure
  Place the devices close-by
  Run Group message Authentication Protocol (GAP)
  Let one device transmit the short GAS (group auth. string) using I-codes
  Ensure all the devices show “green” status

[Figure: transmitted stream 111000011010…010101111000011010…010101111000… (delimiter, I-codes(GAS))]

Summary

Presented mechanisms for bootstrapping initial security associations in wireless (sensor) networks
  User-friendly, scalable and compatible with resource-constrained devices

Optimal message transfer authenticator
  Short authentication strings
  Optimal trade-off between security and user’s involvement

Integrity codes
  Exploit physical properties of a radio channel
  Enable authentication through presence
