Bootstrapping Security Associations in Wireless (Sensor) Networks
Mario Čagalj
University of Split, FESB
ACROSS, 2013

Briefly about the speaker
- Mario Čagalj, Associate Professor
  - Department of Electronics, University of Split, FESB
  - Ph.D. degree in Communication Systems from EPFL (École Polytechnique Fédérale de Lausanne)
- Scientific work and research interests
  - Information security, applied cryptography, game theory, energy-efficient communication, HCI, etc.
- For more information
  - http://www.fesb.hr/~mcagalj or [email protected]

Motivation
- Billions of devices will be interconnected in the near future
  - Ericsson forecasts 50 billion M2M connections by 2020
  - IoT, M2M, wearable sensor networks, smart metering, etc.
- Many technologies/systems
  - Include low cost and highly constrained devices
  - Use wireless channels (highly vulnerable)
  - Operate independently of any authority (are user-centric)
- Prerequisites for adoption of such technologies
  - Data trustworthiness, authenticity and privacy

Motivation
- Key element towards secure communication
  - Some cryptographic (keying) material (pwds, keys, certs) has to be preloaded into communicating devices
- However, users are bad when it comes to security
  - Complicated setup procedures render the security features useless (e.g., home WiFi networks)
  - What can we then expect from 2020?
[Figure: timeline 2013, 2014, 2020; attacker and user’s devices]

Our goal
- Develop mechanisms for secure initialization of wireless devices / for bootstrapping initial security associations
  - User-friendly – easily administered by non-specialists
  - Scalable – support a reasonably large number of devices
  - Compatible with resource constrained devices – lacking usual wired interfaces, displays, keypads, etc.
[Figure: timeline 2013, 2014, 2020; attacker and user’s devices]

Talk outline
- Basic security problem
- Optimal message transfer authenticator
- Group message authentication protocol
- Authentication through presence
  - Integrity codes

Basic security problem
- Assumptions
  - high bandwidth public/insecure channel (e.g. radio)
  - low bandwidth authenticated channel (not secret)
    - E.g., sound, voice, visible light, etc.
  - Devices A and B share neither secrets nor certificates
- Protect message integrity over the public channel
  - Minimize user’s involvement and hardware requirements
[Figure: devices A and B, user, attacker, message]

Attacker model
- People usually have a wrong mental model
- E.g., attacks on Bluetooth (designed for 10m range)
  - Eavesdropping from more than 1.5 km (BlueSniper rifle)
  - Thanks to high gain/sensitivity antennas and receivers
[Figure: devices A and B, nominal TX range, attacker]

Straightforward solution
- Based on a weak-collision resistant hash function h(·)
  - Given message m0, easy to calculate a hash value h(m0)
  - Hard to find different m1 such that h(m0) = h(m1)
- Protocol
  - A: calculates sA = h(m)
  - A -> B (high bandwidth insecure channel): m
  - B: receives m, calculates sB = h(m)
  - A -> B (low bandwidth authenticated channel): sA
  - B: if sA == sB, “Accept m” (ok)

Straightforward solution suboptimal
- Today, weak-collision implies at least 80-bit hash value
  - The minimum load over low bandwidth (human) channel
- Hash function output sizes tend to increase over time
  - Vulnerabilities (e.g., SHA-1), processing power increases
  - E.g., MD5, SHA-1, SHA-2 (128, 160, 256... bit outputs)
- More bits over low bandwidth (human) channel implies increased user’s involvement
  - Big issue when user interacts with constrained devices

Optimal message transfer authenticator
- Based on a non-malleable commitment scheme
  - Functionality similar to that of an ideal hash function
- Transforms message m into commitment/opening pair
  - To commit to m do: (c,d)=commit(m) and hand out c
  - To open c do: hand out d and m=open(c,d)
- Properties
  - Once committed to m, cannot change to another m
  - Message m remains secret until opened using d

Optimal message transfer authenticator
- A: given message m, pick k random bits NA; (c,d) = commit(m, NA)
- A -> B (high bandwidth insecure channel): c
- B: pick k random bits NB
- B -> A (high bandwidth insecure channel): NB
- A -> B (high bandwidth insecure channel): d
- A: sA = NA ⊕ NB
- B: m, NA = open(c,d); sB = NA ⊕ NB
- A -> B (low bandwidth authenticated channel): sA
- B: if sA == sB, “Accept m” (ok)
Čagalj, Mario; Čapkun, Srđan; Hubaux, Jean-Pierre. Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. 94 (2006)

Optimal message transfer authenticator
- A: given message m, pick k random bits NA; (c,d) = commit(m, NA)
- A -> B (high bandwidth insecure channel): c
- B: pick k random bits NB
- B -> A (high bandwidth insecure channel): NB
- A -> B (high bandwidth insecure channel): d
- A: sA = NA ⊕ NB
- B: m, NA = open(c,d); sB = NA ⊕ NB
- sA and sB are compared over the low bandwidth authenticated channel: if sA == sB, “Success” (ok)
- B: Accept m

Optimal message transfer authenticator
- Theorem: Computationally bounded attacker can succeed with probability at most approx. 2^-k (in a single session), where k is the size of authentication strings sA and sB.
- For example, with k=15 bits
  - Attacker successful with probability 2^-15 (i.e., 5-digit PIN)
  - User’s involvement only 15 bits (i.e., 2 hex digits)
- We can optimally trade security and the user’s load
  - Time-invariant (independent of the employed hash function)
  - Not the case with the standard solution (min. load at least 80 bits)
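
The protocol and the 2^-k bound above, as an added simulation that is not code from the talk or the cited paper. It assumes a SHA-256 hash commitment in place of the unspecified non-malleable scheme and bitwise XOR for combining NA and NB; the function names and sample messages are constructed for illustration.

```python
import hashlib
import secrets

def commit(m, n):
    """Hash commitment (assumed construction): c = SHA-256(r || n || m), d = (r, n, m)."""
    r = secrets.token_bytes(16)
    return hashlib.sha256(r + n.to_bytes(4, "big") + m).digest(), (r, n, m)

def open_commitment(c, d):
    """Return (m, n) if d opens c, otherwise raise ValueError."""
    r, n, m = d
    if hashlib.sha256(r + n.to_bytes(4, "big") + m).digest() != c:
        raise ValueError("opening does not match commitment")
    return m, n

def run_session(m, k, forged=None):
    """One protocol run; returns (message B ends up with, sA, sB)."""
    n_a = secrets.randbits(k)
    c, d = commit(m, n_a)                    # A -> B: c   (insecure channel)
    n_b = secrets.randbits(k)                # B -> A: NB  (insecure channel)
    c_at_b, d_at_b, nb_at_a = c, d, n_b
    if forged is not None:
        # Man-in-the-middle: its own commitment (with its own NA') reaches B
        # before B reveals NB, and its NB' reaches A before A reveals d.
        # Whichever side it answers first, one k-bit value is still hidden
        # from it, so both substitutes are modelled as uniform guesses.
        c_at_b, d_at_b = commit(forged, secrets.randbits(k))
        nb_at_a = secrets.randbits(k)
    s_a = n_a ^ nb_at_a                      # A's string, sent on the authenticated channel
    m_b, n_a_at_b = open_commitment(c_at_b, d_at_b)   # B opens after receiving d
    s_b = n_a_at_b ^ n_b
    return m_b, s_a, s_b

def forgery_rate(k, trials=20000):
    """Fraction of sessions in which B would accept the substituted message."""
    hits = 0
    for _ in range(trials):
        _, s_a, s_b = run_session(b"pk-of-A", k, forged=b"pk-of-attacker")
        hits += s_a == s_b
    return hits / trials
```

With k=4 the measured rate settles near 1/16; raising k halves it per added bit, independently of the hash output size.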

Optimal message transfer authenticator
Optimality and time-invariance

Securing Diffie-Hellman key agreement
- A: given g^XA, pick k random bits NA; mA = IDA, g^XA, NA; (cA,dA) = commit(mA)
- B: given g^XB, pick k random bits NB; mB = IDB, g^XB, NB; (cB,dB) = commit(mB)
- A -> B: cA
- B -> A: cB
- A -> B: dA
- B -> A: dB
- A: mB = open(cB,dB); sA = NA ⊕ NB; secret key KAB = g^(XA·XB)
- B: mA = open(cA,dA); sB = NA ⊕ NB; secret key KAB = g^(XA·XB)
- sA and sB are compared: if sA == sB, “Success” (ok at A, ok at B)
Čagalj, et al. Key Agreement in Peer-to-Peer Wireless Networks. // Proceedings of the IEEE. (February, 2006)
Bluetooth Special Interest Group. Simple Pairing Whitepaper. // (October, 2006)

Example: Initializing home WiFi network
- Camera-equipped device and wireless access point (AP)
  - Single LED at the AP blinks short authentication string sB
- Ephemeral tokens for your guests (AP pwd not disclosed!)
- Contrast this with insecure WPS: Push-Button-Method by WiFi Alliance (2006)
[Figure: MT-auth DH between the device and the AP; sA = NA ⊕ NB, sB = NA ⊕ NB; sB is conveyed; if sA == sB, “Success” (ok, ok); KAB = g^(XA·XB) on both sides]

Example: Initializing a pair of sensors
- No cameras (only LEDs and a pushbutton)
- User just checks that the devices blink the same states
[Figure: MT-auth DH between two sensors; sA = NA ⊕ NB, sB = NA ⊕ NB; both strings are blinked (e.g., 1 0 0 1 1 0, slot duration Ts); if sA == sB, “Success” (ok, ok); KAB = g^(XA·XB) on both sides]

How about securely initializing a larger group of resource-constrained devices?
- Group message Authentication Protocol (GAP)
  - Generalization of our optimal two-party protocol
Perković T., Čagalj M., Mastelić T., Saxena N., Begušić D. Secure Initialization of Multiple Constrained Wireless Devices for an Unaided User. // IEEE TMC (2012)

GAP overview
- Phase 1: insecure radio channel
  - Devices exchange messages they want to authenticate and establish Group Authentication String (GAS)
- Phase 2: visible light channel
  - User compares the GAS
[Figure: devices D1, D2, ..., Dn in each phase; the user in Phase 2]

GAP-Phase 1: insecure radio channel
- Goal: M devices exchange and authenticate public keys
- Messages at device Di (shown with Di-1 and Di+1)
  - Step I: identifiers (IDi, IDj)
  - Step II: commitments (ci-1, ci, ci+1)
  - Step III: openings (di-1, di, di+1)
- Computation at device Di
  - Gi = {ID1 < ID2 < … < IDM}
  - hGi = hash(ID1, …, IDi, …, IDM)
  - (ci, di) ← commit(hGi, IDi, PKi, Ni)
  - GASi ← Ni
  - (hGj, IDj, PKj, Nj) ← open(cj, dj)
  - Verify hGi, IDj
  - If OK, GASi ← GASi ⊕ Nj
  - ...
  - GASi = N1 ⊕ N2 ⊕ ... ⊕ Ni ⊕ ... ⊕ NM
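
Phase 1 for a small group, as an added sketch that is not the authors' implementation. It assumes a SHA-256 commitment, XOR as the operator combining the Ni, and reads "Verify hGi, IDj" as: the opened hGj must equal the device's own hGi and IDj must be in its own group Gi. Device IDs and keys are constructed sample values.

```python
import hashlib
import secrets

def h(*parts):
    """SHA-256 over length-prefixed parts (stand-in for the slide's hash)."""
    return hashlib.sha256(
        b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()

def gap_phase1(views, pks, k=16):
    """views[i]: set of IDs device i heard in Step I (including its own).
    Returns {device id: GAS as int, or None if the device aborted}."""
    sent = {}
    for dev, heard in views.items():                 # Step II: commitments
        h_g = h(*sorted(heard))                      # hGi over Gi = {ID1 < ... < IDM}
        n = secrets.randbits(k).to_bytes(4, "big")   # Ni, k random bits
        d = (secrets.token_bytes(16), h_g, dev, pks[dev], n)
        sent[dev] = (h(*d), d)                       # ci = hash(di): assumed construction
    # Every ci is fixed before any di is revealed; that ordering is what
    # limits an attacker to guessing a k-bit value.
    gas = {}
    for dev, heard in views.items():                 # Step III: openings
        h_g = h(*sorted(heard))
        acc = 0                                      # XOR of all Nj, own Ni included
        for c, d in sent.values():
            _, h_gj, id_j, _pk_j, n_j = d
            if h(*d) != c or h_gj != h_g or id_j not in heard:
                acc = None                           # verification failed: abort
                break
            acc ^= int.from_bytes(n_j, "big")        # GASi <- GASi xor Nj
        gas[dev] = acc
    return gas

def demo():
    ids = [b"D1", b"D2", b"D3"]                      # constructed device IDs
    pks = {i: b"PK-" + i for i in ids}               # constructed public keys
    honest = gap_phase1({i: set(ids) for i in ids}, pks)
    views = {i: set(ids) for i in ids}
    views[b"D3"] = set(ids) | {b"DX"}                # D3 heard an extra, unintended ID
    return honest, gap_phase1(views, pks)
```

In the second run D3 derives a different hG, so every device rejects an opening and no GAS is produced for the user to compare.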

GAP-Phase 2: authenticated light channel
- User enters group size M into one device/coordinator
  - Push-button can be used for this task
- If group size OK, the coordinator initiates synchronized transmission of GAS (blinking LEDs) on all the devices
- User verifies simultaneously if GASi=GASj, for all devices
[Figure: devices D1, D2, ..., Dn blink GAS1, GAS2, ..., GASn; if GAS1 = GAS2 = ... = GASn, “Success” (ok on each device)]

GAP security
- Theorem: Computationally bounded attacker can succeed with probability at most approx. 2^-k (in a single session), where k is the size of the group authentication string (GAS).
- User’s involvement only 15-20 bits
  - Recall, we can set k as low as 15-20 bits
[Figure: blinked bit sequences with slot duration Ts, marked start and end]

GAP usability evaluation
- 27 participants (age 18-25)
  - GAS verification (GAS match and mismatch tests) and entering group sizes via a push-button (25 sensors)
- Average System Usability Score (SUS) 80.8 (max. 100)
[Figure: bar chart of the number of testers (axis 0 to 20) per rating (Very easy, Easy, Medium difficult, Difficult, Very difficult) for two tasks: GAS verification and Entering group size]

Improving usability and scalability of GAP
- User records the GAS procedure with a smartphone
  - In turn, reviews the GAS procedure offline
  - No special services or software on the smartphone (zero-configuration auxiliary device)

Talk outline
- Basic security problem
- Optimal message transfer authenticator
- Group message authentication protocol
- Authentication through presence
  - Integrity codes

Integrity codes (I-codes)
- The presence or absence of energy in a given time slot of duration Ts conveys information
Čagalj, M.; Čapkun, S.; Rengaswamy, R.; Tsigkogiannis, I.; Srivastava, M.; Hubaux, J.-P. Integrity codes: Message Integrity Protection and Authentication over Insecure Channels // IEEE S&P (2006)
[Figure: message m (1 0 1) -> balanced codec -> on-off keying (1 0 0 1 1 0, slot duration Ts)]

Integrity codes (I-codes)
- Balanced code
  - Injective (one-to-one mapping)
  - Equal number of ones and zeros
  - E.g., Manchester code: 0 → 01 and 1 → 10
- Impossible to convert a codeword c0 into a different codeword c1 without flipping at least one bit 1 to bit 0

  message   codeword
  00        0101
  01        0110
  10        1001
  11        1010

I-codes security
- Assumptions
  - A applies I-codes to message m
  - B within the TX range of A
  - B synchronized to A wrt the start and the end of c
  - B verifies that the received codeword c is balanced
  - Attacker cannot cancel (erase) a radio signal
- Theorem: The attacker cannot trick device B into accepting a message that is different from the original m.
[Figure: A sends I-code(m) to B; attacker]

I-codes transmission
- Delimiter 111000 marks start and end of I-coded m
  - Delimiter and Manchester codewords incongruous
- If attacker cannot cancel (erase) a radio signal:
  - Any balanced codeword c between delimiters is authentic
- ATMEL AT86RF211 transceiver: 433 MHz, FSK, Ts = 5ms

I-codes reception
- Demodulation at the receiver
  - If average power in the symbol interval high → output 1
  - If average power in the symbol interval low → output 0
- Any balanced codeword c between delimiters is authentic
[Figure: received signal for bit 1 and bit 0]

Anti-blocking property of a radio channel
- Received signal at B
    r(t) = s(t)⊗hAB(t) + a(t)⊗haB(t) + n(t)
  - hAB(t), haB(t): channel between A/attacker and B (i.e., #paths, delay, phase, attenuation)
  - n(t): Gaussian noise
- Attacker’s goal: r(t) ≈ n(t), i.e., s(t)⊗hAB(t) + a(t)⊗haB(t) < n(t)
- Attacker’s challenges
  - s(t) can be made physically unpredictable for the attacker
  - Accurate estimate of both hAB(t) and haB(t)
- Many sources of uncertainty at high frequencies
  - Inaccuracies in the antennas positions
[Figure: A transmits s(t), the attacker transmits a(t), B receives]

Anti-blocking property of a radio channel
- 0 → 1 easy
- 1 → 0 very hard
[Figure: A transmits s(t), the attacker transmits a(t); received signal at B for bit 1 and bit 0]
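
The I-code framing and the receiver's balance check from the preceding slides, as an added example that is not the authors' code. It models on-off keyed slots as a string of 0/1 characters, assumes B is slot-synchronised to A as the slides require, and exhaustively checks the theorem for an attacker who can only add energy (0 → 1); all function names are constructed.

```python
from itertools import product

DELIM = "111000"                        # delimiter from the slides
MANCHESTER = {"0": "01", "1": "10"}     # balanced code from the slides
DECODE = {v: k for k, v in MANCHESTER.items()}

def icode(message_bits):
    """Sender A: Manchester-encode the message and frame it with delimiters."""
    return DELIM + "".join(MANCHESTER[b] for b in message_bits) + DELIM

def receive(slots):
    """Receiver B: return the decoded message, or None if the frame is rejected."""
    n = len(DELIM)
    if len(slots) < 2 * n or slots[:n] != DELIM or slots[-n:] != DELIM:
        return None
    c = slots[n:-n]
    if len(c) % 2 or 2 * c.count("1") != len(c):    # balance: as many 1s as 0s
        return None
    pairs = [c[i:i + 2] for i in range(0, len(c), 2)]
    if any(p not in DECODE for p in pairs):         # balanced but not Manchester
        return None
    return "".join(DECODE[p] for p in pairs)

def add_energy(slots, mask):
    """Attacker limited to emitting energy: a 0 slot can become 1, never the reverse."""
    return "".join("1" if m == "1" else s for s, m in zip(slots, mask))

def forgeries_accepted(n_bits):
    """Every n-bit message against every 0->1 pattern over the whole frame;
    counts frames that B accepts with a message different from the one sent."""
    accepted = 0
    for msg in map("".join, product("01", repeat=n_bits)):
        tx = icode(msg)
        for mask in map("".join, product("01", repeat=len(tx))):
            got = receive(add_energy(tx, mask))
            if got is not None and got != msg:
                accepted += 1
    return accepted
```

The count is zero because any added energy raises the number of 1 slots and breaks the balance; turning 10 into 01 would need a 1 → 0 change, which is exactly what the no-cancellation assumption rules out.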

Authentication through presence
- User’s involvement minimal
  - Ensures the devices close-by
  - Turns the devices on
[Figure: TX on, RX on; transmitted stream 111000011010…010101111000011010…010101111000… (delimiter, I-codes(m)); if I-codes(m) balanced, Accept m (ok)]

Effect of noise on I-codes
- Implementation on Mica2 sensor motes
  - 0s → no signal during T0=10ms
  - 1s → 18 bytes randomized packet at 19.2kbps (T1=7.5ms)

Securing Diffie-Hellman with I-codes
- A: given g^XA, pick k random bits NA; mA = IDA, g^XA, NA; (cA,dA) = commit(mA)
- B: given g^XB, pick k random bits NB; mB = IDB, g^XB, NB; (cB,dB) = commit(mB)
- A -> B: cA
- B -> A: cB
- A -> B: dA
- B -> A: dB
- A: mB = open(cB,dB); sA = NA ⊕ NB; secret key KAB = g^(XA·XB)
- B: mA = open(cA,dA); sB = NA ⊕ NB; secret key KAB = g^(XA·XB)
- A -> B: I-codes(sA)
- If sA == sB, “Success” (ok at A, ok at B)

Initializing a large sensor network
- Simple procedure
  - Place the devices close-by
  - Run Group message Authentication Protocol (GAP)
  - Let one device I-codes short GAS (group auth. string)
  - Ensure all the devices show “green” status
[Figure: transmitted stream 111000011010…010101111000011010…010101111000… (delimiter, I-codes(GAS))]

Summary
- Presented mechanisms for bootstrapping initial security associations in wireless (sensor) networks
  - User-friendly, scalable and compatible with resource constrained devices
- Optimal message transfer authenticator
  - Short authentication strings
  - Optimal trade-off between security and user’s involvement
- Integrity codes
  - Exploit physical properties of a radio channel
  - Enable authentication through presence