octopus

31
Octopus CS 259 Taral Joglekar Ryan Wisnesky

Upload: rasia

Post on 25-Feb-2016

62 views

Category:

Documents


1 download

DESCRIPTION

CS 259. Octopus. Taral Joglekar Ryan Wisnesky. Outline. Adhoc networks Octopus Protocol Murphi model and attacks CEDAR with Octopus Attacks on CEDAR Using GDH.2 attack techniques. Ad hoc networks. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Octopus

Octopus

CS 259

Taral JoglekarRyan Wisnesky

Page 2: Octopus

Outline Adhoc networks Octopus Protocol Murphi model and attacks CEDAR with Octopus Attacks on CEDAR Using GDH.2 attack techniques

Page 3: Octopus

Ad hoc networks Network is formed by nodes that do not

have prior knowledge of the network topology, but have to discover it

No central entity Wireless nodes participate in an ad hoc

network by broadcasting their presence and also listening to similar broadcasts from other nodes

These broadcasts are often used to decide the routing information

Page 4: Octopus

Challenges Due to its dynamic structure, many

network protocols are not suitable to use with an ad hoc network

Main concerns include• Authentication• Confidentiality• Integrity• Availability• Non-repudiation

Page 5: Octopus

Challenges (cont) Authentication is used to share a initial key

but there needs to be a shared key established later between all participating parties.

Hence there are separate protocols for authentication and key establishment

Public Key as well as Shared Key secrets are used to achieve these goals

Most use some sort of trust bootstrapping for authentication

Page 6: Octopus

Security Properties for Group Key Establishment Protocol Key establishment: All nodes must agree on

a single shared key Key maintenance: Generate / modify keys as

new nodes enter and leave the groups Key Agreement: How do you ensure that all

nodes actually have the same key• Do not ensure - agents not getting right keys are

as good as having left the network• Design protocol to involve all participants – too

many messages, not suitable for ad hoc networks

Page 7: Octopus

The Octopus Protocol Group Key establishment protocol Assumes authentication has been done

beforehand Is a minimum message protocol 2 level hierarchy 4 - Core elements and other nodes

connect to the core elements Variant of Diffie Hellman key exchange

used to generate the shared key.

Page 8: Octopus

Key exchange protocol

A

C

B

D

ga

gb

gc

gd

gabgcd gabgcd

Shared Key: cdgabgg

Page 9: Octopus

Properties to check Key secrecy

• Can a passive eavesdropper know the secret key (No, already proved in the paper)

• Can an active attacker get the key (without being a part of the group, not evaluated in the paper)

Key Agreement• Can an active attacker prevent key agreement

between the group members Core formation

• How do you elect the core members in a dynamic scenario? – Use another protocol like CEDAR

Page 10: Octopus

Murφ Model Interesting questions:

• How do you use the authentication scheme along with the protocol?

• How do you model individual key parts? Many ways used as model developed 1 core – 1 peer model used DH_Core, DH_Peer 1 Core – multiple peers used boolean arrays 1 Core – multiple peers with active attacker used

boolean array with actual nonce arrays Could also use Power sets and key simplification

rules

Page 11: Octopus

Murφ Model (cont) Try to implement the authentication somehow in the model Establishment of some sort of initial key Either use Public keys of cores or use shared secret keys

with cores Public Keys

• Send peer Id in clear and DH exponent encrypted using PK• If all is encrypted, core is susceptible to DOS attack• Attacks in which intruder can replace the peer name

– Prevent by sending a nonce decided during authentication– Signing the DH component and putting it in the encrypted part

• Replay attacks– Timestamps / challenge response / one-time passwords.

• Core to peer message tampering– Use PK / Share a secret key in the initial message

Page 12: Octopus

Murφ Model (cont) Attacker can corrupt messages if not

authenticated Interesting attack when attacker swaps

the messages from two peers Final key remains the same for everyone

except the two peers Attacks can be avoided by including the

target nonce within the encrypted part

Page 13: Octopus

Invariant for Key agreementinvariant "key agreement" forall i: CoreId do core[i].mainState = C_MAINDONE -> forall j: PeerId do forall k:PeerId do (peer[j].state = P_GOTKEY & peer[k].state = P_GOTKEY) -> forall l:ValidAgentId do peer[j].keyMaterial_V[l] = peer[j].keyMaterial_V[l] &

(peer[j].keyMaterial_V[l] = true -> peer[j].keyMaterial[l] = peer[k].keyMaterial[l] )

endforall endforall endforall endforall

Page 14: Octopus

From Octopus to CEDAR Octopus relies on a four node core.

• Four nodes may not be a good number for all networks, and all the nodes may not have prior knowledge of what the core is.

– Solution: dynamically generate the core nodes.

We need a set of core nodes where every node is ‘attached’ to exactly one member of the core.• In other words, we need a dominating set.

– CEDAR approximates a MDS.

Page 15: Octopus

Dominating Sets A dominating set of a graph (E, N) is a set

of nodes such that every node in the graph is either in the dominating set or is connected to a node in the set.• A minimum dominating set is a dominating set

with a minimum number of nodes.– The fewer the number of core nodes, the fewer

‘multi-party’ exchanges have to occur in the generalized octopus protocol.

Page 16: Octopus

ExampleMDS

Page 17: Octopus

CEDAR OverviewLet N1(u) denote all the nodes that u is connected to.

Let N1’(u) = N1(u) – {u}.

Let dom(u) denote u’s dominator.

Let d(u) = |N1’(u)|.

Let d*(u) = the number of u’s neighbors that have chose u as their dominator. This is u’s effective degree.

1. Periodically, u broadcasts a beacon (u, d*(u), d(u), dom(u)) to its neighbors.

2. If u does not have a dominator, it sets its dominator to the node v in N1(u) with the largest value for (d*(u), d(u)) in lexicographic order. It may choose itself.3. u then sends v the message (u, {(w, dom(w))|w in N1’})

4. If d*(u) > 0, u joins the core.

Page 18: Octopus

Key points about CEDAR The Algorithm approximates the MDS because when choosing

dominators, nodes prefer to select nodes that are already dominators and are well connected.

The algorithm depends on the order of messages.

The only way for a node to leave the core is by listening to its neighbors and discovering that its effective degree has become zero.

A node only re-chooses its dominator if that dominator disappears.

The generalized octopus protocol relies on reliable core-broadcast, which depends on each node having a correct understanding of the local topology. (This can also be attacked…)

Page 19: Octopus

Questions to ask about CEDAR Can an intruder prevent the formation of a stable core?

• Java model: do changes in the core set keep occurring in the presence of an intruder?

Can an intruder cause an inconsistency in which nodes do not agree on the core?• Java model: when the core set is no longer changing, does

each node have the same ‘view’?

Can an intruder cause an incorrect core to form?

Eventually, the insight gained from the model was useful in analyzing CEDAR without tools. The Java model can’t prove anything, but it suggests directions.

Page 20: Octopus

Two example analyses Can an intruder prevent the formation of a stable

core?• A node only re-chooses its dominator if that dominator

has disappeared. So if an intruder cannot make it look like a node’s dominator has disappeared, then the intruder cannot force a node to change its dominator. That means that once dominators are chosen, they cannot be changed by the intruder. And because every node will eventually choose a dominator, there is no action the intruder can take to modify the core once that point is reached. So, an intruder cannot prevent the formation of a stable core.

– Assumes no topology changes.

Page 21: Octopus

A more interesting example Can an intruder cause an incorrect core to

form?• Assume the intruder can disrupt

communications.• Assume authentication, so that only replay

attacks are considered.

Page 22: Octopus

Example

A B

A -> B : B dom AB -> A : beacon

The intruder is listening…

Page 23: Octopus

Example

A B

Topology change.A -> C : C dom A

C

Page 24: Octopus

Example

A B

Intruder blocks communication between A and C. This means C removes itself from the core.

C

I

Page 25: Octopus

Example

A B

I -> A : B’s beaconI -> B : A’s beaconA -> I : B dom AI -> B : B dom A

Result: A and B think they are connected, but they are not. This prevents correct routing.

C

I

Page 26: Octopus

GDH.2 and Octopus There is a mathematical technique used to

analyze the security of GDH.2.• GDH.2 is a related set of protocols; both GDH.2

and Octopus are distributed versions of DH. So, can we use these techniques for octopus?

ga gab gabc gabcd

Broadcast

Each node uses the information in the broadcast to determine the shared secret.

Page 27: Octopus

GDH.2 and Octopus Because of the step-wise nature of GDH.2,

and the fact that each node simply raises its input to a number and sends the result to the next node, each node may be viewed as providing a ‘service’: s(ga) = gab

• These services commute with each other because ga^b = gab. So, we can write any use of these services as ge

1^s

1 e

2^s

2 ... e

n ^ s

n

Page 28: Octopus

GDH.2 and OctopusWe can write the key in a similar form, to get an

equationge

1^s

1 e

2^s

2 ... e

n ^ s

n = ge1

^k1

e2

^k2

... en

^ kn

So, this becomes a set of equations between exponents that we can try to solve:

s1 = k1 and s2 = k2 and … and sn = kn

Of course, these sn aren’t atomic, so the equations aren’t trivial. If this system can’t be solved, then there isn’t an attack (or so the paper claims…). If it can, then further refinement is needed.

Page 29: Octopus

GDH.2 and Octopus Why does this fail for Octopus?

• Our services require multiple inputs. – This leads to non-commutativity, so our resulting

system is potentially infinite.

Each leaf node does DH with the core node. The core node then uses processes these keys and exchanges them with another core node.

Page 30: Octopus

GDH.2 and Octopus

Initial Knowledge Initial Knowledge

e1

en

Apply s1 times

Apply s1 times

…..

key

e1

e1

key

Apply s11 times

Apply s1n times

Other applications

Page 31: Octopus

Conclusions Secure and robust group key

establishment is a difficult goal to achieve Analysis is complex and dependant on

cryptographic properties Need some way to represent symbolic

knowledge in Murphi Need better subtyping Mathematical attacks usually geared to

attack specifics in a protocol