A Comprehensive Approach to Secure Group Communication in Wireless Networks

A Comprehensive Approach to Secure Group Communication in Wireless Networks David González Romero Chicago, August 2009

Agenda Chapter 1: Introduction Chapter 2: Wireless technologies Bluetooth Wi-Fi (Annex 1) ZigBee (Annex 1) Wireless USB (Annex 1) Near Field Communication (Annex 1) Chapter 3: Secure Device Pairing Public-key cryptography Diffie-Hellman key exchange Digital signatures Elliptic Curve Cryptography Human-assisted solutions Chapter 4: Secure Group Communication Resurrecting Duckling Identity-based encryption Entity recognition

Introduction Wireless technology has experienced a persisting burst in recent years Raise in portable, handheld and ubiquitous electronic devices for domestic use New applications in wireless communication: data exchange, monitoring, remote controlling… A new set of technology standards (Chapter 2) cover a wide range of needs for casual and professional users Bluetooth Wi-Fi ZigBee Wireless USB Near Field Communication (NFC) Concerns about privacy and network security Secure Device Pairing (Chapter 3) Secure Group Communication (Chapter 4) - - Secure Device Pairing Secure Group Communication Initial key exchange Secure communication Our goal

Wireless technologies - - Complexity (transmission rate, network topology, protocol stack…) Distance range Security needs

Bluetooth technology Bluetooth is a protocol used for ad hoc wireless communication within ranges of up to 100 meters Conceived as a cable replacement for connecting and exchanging data between personal devices such as cell phones, handheld or laptop computers, audio headsets or computer peripherals Many other uses. More than a cable replacement Bluetooth is a standardized technology whose specifications are published by the Bluetooth Special Interest Group (SIG) The most recent specification, Bluetooth 3.0 + H.S. was released on April 21st, 2009 - -

Bluetooth security The most recent versions of Bluetooth include Secure Simple Pairing as its main security policy Secure Simple Pairing aims to simplify the pairing process from the user’s point of view Secure Simple Pairing defines four different pairing modes Numeric Comparison Out-of-Band - - Passkey Entry Just Works 123456 ? OOB channel

Secure Device Pairing Secure Device Pairing allows two mobile devices that share no prior context to establish a secure communication between each other Secure communication between two devices means that no third party can eavesdrop or alter the content of the communication The pairing procedure must ensure a secure First Connection between the devices without the need of a third party authority Once the First Connection is secured, the devices agree a common key which can be securely store and used in future communications without the need of a new secure pairing Two basic approaches or a combination of both Public-key cryptography Diffie-Hellman key exchange Digital signatures Elliptic Curve Cryptography (Annex 3) Human-assisted solutions - -

Public key cryptography Public key cryptography uses asymmetric cryptographic algorithms Based on the use of public and private keys A public key is used to encrypt and a private key is used to decrypt - - Alice Message Bob Communication channel Encrypted message Encryption Bob’s public key Encrypted message Encrypted message Decryption Bob’s private key Message

Diffie-Hellman Key Exchange Diffie-Hellman Key Exchange allows two devices that share no prior context to establish a common secret key D-H Key Exchange is based on the discrete logarithm problem Both devices agree on two public keys: p and q Each device has a private key: a and b Alice computes ( g b mod p ) a mod p while Bob computes ( g a mod p ) b mod p , both obtaining the same final value Given high values of a, b and p, it would be extremely hard for an eavesdropper who doesn’t know any of the secret keys to compute their values The more digits involved, the more difficult to solve (analytically or computationally) the discrete logarithm problem - - a, g, p A = g a mod p K = B a mod p Alice b B = g a mod p K= A b mod p Bob g, p, A B

Digital signatures - - Alice Message Hash function Alice’s private key Digital Signature Algorithm – sign operation Digital Signature Digitally signed message (message + digital signature) Hash function Digital signature Digital Signature Algorithm – verify operation Bob Digitally signed message Digital signature verified / signature verification failed Alice’s public key

Public key schemes The public key schemes presented can be compared in terms of computational complexity for a similar degree of security - -

Human-Assisted solutions Public key cryptography relies on the effectiveness of using mathematical problems as the base for the encryption and decryption processes. Some kind of human interaction is required to provide authenticating mechanisms Several solutions have been proposed Talking to Strangers (TtS) (Annex 2) Seeing-is-Believing (SiB) Loud and Clear (L&C) (Annex 2) HAPADEP (Human Assisted Pure Audio Device Pairing) - -

Seeing is Believing Seeing is Believing (SiB) makes use of the capability of taking pictures and process the information in them with a mobile device The ability to take pictures favors the creation of a location-limited visual channel Device A has a 2D barcode (data matrix) attached to it, or is able to display it on a screen. This code represents its public key Device B takes a picture of the code, getting A’s public key Device B will only accept messages authenticated accordingly to the key it has obtained from A The same process is repeated, authenticating B by showing a public key represented on a data matrix - - visual channel Public key B A

Secure Group Communication - - The solutions presented in the previous chapter are oriented to secure point-to-point communications This approach can be insufficient when dealing with larger networks Algorithm efficiency, user-friendliness… Point-to-multipoint or ad hoc solutions can be approached

Resurrecting Duckling - - Imprinting Secure wireless communication Death Resurrection Imprintable device Master device Trusted channel Key exchange Imprinted device Master device A slave device (duckling) gets securely attached to a master device (mother duck) which takes full control over it Any number of slave devices can be associated with a master device in an ad hoc manner Imprintable state : the slave device is ready to be attached to a master device Imprinted state : the slave device is attached to the master device, been unable to be imprinted by a third device Death : the master device release the slave, switching its state from “imprinted” to “imprintable” Resurrecting : a master device uses the trusted channel to set an imprintable device to imprinted Assassination? : only the master device should be able to cause the death of the slave Attacker? Master device Imprinted device Imprintable device Master device Trusted channel Key exchange Message

Identity Based Encryption Identity Based Encryption (IBE) does not require the constant online presence of a Public Key Infrastructure Each device/user has a public key that univocally identifies itself (email address, IP address…) Each user authenticates to a key server, which provides a Private Key Once the pairing is complete, the presence of the Key Server is not required anymore - - PKG Bob Alice Authentication Private key Message encrypted with Bob’s public key

Entity recognition Entity recognition does not require the presence of an authentication authority, nor the intervention of the user The goal of entity recognition is that successive messages in one conversation are sent by the entity that started the conversation and no third party can interfere by eavesdropping or tampering the conversation The Guy Fawkes protocol is an early entity recognition scheme that uses cryptographic hash chains The Jane Doe protocol uses cryptographic hash chains and message authentication codes (MACs) Based on the division of a conversation by different epochs The process is easily extended to a group communication scenario Any number of conversations can be tracked as long as there is enough memory Vulnerable to MITM attacks Can be applied as a supporting technique to public-key schemes Useful with low-power devices which may not be able to implement public key - -

Conclusion WIRELESS SECURITY - - User-managed Technological needs Transparent to the user SSP Ad hoc Certification-authority-dependent DH ECC Digital signature Public Key ? TtS SiB L&C HAPADEP Human-Assisted Resurrecting Duckling policy Entity Recognition IBE Secure Group Communication

Annex 1: other wireless technologies studied David González Romero Chicago, August 2009

WLAN: Wireless Local Area Networking Wireless Local Area Networks operate in the unlicensed 2.4 GHz ISM band Standardized by the IEEE 802.11 standard and marketed under the name Wi-Fi by the Wi-Fi Alliance The Wired Equivalent Privacy (WEP) algorithm was the first to provide security in Wi-Fi Now deprecated after demonstrated vulnerabilities WEP was replaced by Wi-Fi Protected Access (WPA) and WPA2 Based on the Temporal Key Integrity Protocol - -

ZigBee Cheap alternative for mid-range personal communications Lower distance range and transmission rate than Bluetooth and Wi-Fi Different security configurations Tradeoff between security and cost - - Applications and Profiles Application Support (ASP) Layer IEEE 802.15.4 Medium Access Control (MAC) Layer IEEE 802.15.4 Physical (PHY) Layer Network Layer Defined by IEEE 802.15.4 Defined by ZigBee specification Defined by application developer

Wireless USB High transmission rate low-range technology Suitable for communication between multimedia consumer electronics devices Ideally presented as a replacement for wired technology Universal Serial Bus (USB) - -

Near Field Communication (NFC) Extremely short-range wireless technology Makes use of the “near field” zone of electromagnetic radiation Intrinsically protected against external attacks, because of its extreme short rangeç Complementary to other technologies as out-of-band channel Promoted by the Near Field Communication Forum since 2004 - -

Annex 2: other human-assisted device pairing solutions David González Romero Chicago, August 2009

Talking to Strangers Talking to Strangers avoids the use of a physical out-of-band channel Talking to Strangers uses a location-limited out-of-band channel for the purpose of the First Connection, instead of the typical wireless medium An Infrared Data Association (IrDA) can be performed Both devices must be able to “see” each other A human operator can easily verify which devices are able to establish an infrared connection An IrDA connection is limited in space, reducing the risk of eavesdropping But it is still invisible MiM attack is not impossible - - infrared channel (invisible) Attacker

Loud and Clear (L&C) provides human-assisted device pairing based on audio Complementary to SiB Four possible configurations to use depending on the capabilities (has a display, has a speaker…) of each device Loud and Clear Hear an audible sequence from the personal device and compare it to text displayed by target device Compare text displayed by the personal device to text displayed by target device (included as an alternative method) Hear and compare two audible sequences, one from each device Hear an audible sequence from the target device and compare it to text displayed by the personal device - - Public key exchange Public key exchange Public key exchange Public key exchange

Annex 3: other discarded slides David González Romero Chicago, August 2009

Bluetooth basics Bluetooth has a star network topology Up to seven slave devices can be connected to a master device, forming a piconet Each device has a 3-bit Logical Transport Address (LT_ADDR) 000 is reserved for broadcasting More devices can be connected in “park state” 8-bit Park Member Address (PM_ADDR) Several piconets can be associated forming a scatternet A Bluetooth profile defines the procedure which must be followed for each particular Bluetooth application Generic Access Profile, Headset Profile, File Transfer Profile… Each profile makes a different use of the Bluetooth Protocol Stack - - Applications and Profiles L2CAP (Logical Link Control and Adaptation ) HCI (Host Controller Interface) Link Manager Protocol (LMP) Baseband [Link controller (LC)] Bluetooth Radio SDP (Service Discovery) Radio Frequency Communication (RFCOMM) OBEX PPP TCP Host stack Controller stack TCS BIN UDP IP

Bluetooth network topology - - P2 P1 P3 M1 S1 S1 S1/S2 M2 S2 M3/S2 S3

Bluetooth security Bluetooth operates in the 2.4 GHz unlicensed Industrial, Medical and Scientific (ISM) band Bluetooth uses FHSS (Frequency Hopping Spread Spectrum) The frequency range is changed 1600 per second A slave device must be synchronized with the master device’s pseudo-random hopping sequence Before the 2.0 + EDR version, Bluetooth communications were authenticated by the use of a passcode (PIN) which must be entered in both devices as part of the pairing process The user acts as an out-of-band channel Three different security models were defined Not secure Service level enforced security Link level enforced security (security procedure starts before creating the communication channel) Bluetooth 2.0 + EDR introduced Secure Simple Pairing (SSP) - -

Man-in-the-Middle Attacks A Man-in-the-Middle (MiM) attack is a form of eavesdropping based on the ability to impersonate any of the extremes of a communication The broadcasting nature of the wireless communication makes the MiM attacks a serious security threat Original Diffie-Hellman Key Exchange is highly vulnerable to MiM attacks, as it doesn’t provide authentication between the two devices A MiM attacker can establish two independent connections and eavesdrop the communication or deliver new messages The attacker can intercept both Alice and Bob’s public keys and substitute them with their own public value Authenticated Diffie-Hellman Key Exchange tries to avoid eavesdropping by providing some kind of authentication All known forms of Authenticated Diffie-Hellman Key Exchange require user interaction (sharing a public key previously known, use of an Out-of-Band channel, etc.) Not applicable when the users share no prior context Most of the proposed solutions include the use of additional Out-of-Band channels - -

Elliptic Curve Cryptography ECC is a public-key scheme using the concept of elliptic curves over finite fields A generic elliptic curve over the finite field F p is formed by the points satisfying the equation y 2 = x 3 + a 4 x + a 6 x , y , a 4 , a 6 ∈ F p and (x , y) are the coordinates of a bilinear space The discrete logarithm of Q to the base P is defined as the value k which satisfies the equation k·P = Q, where P and Q are two points of an elliptic curve ECC is based on the elliptic curve discrete logarithm problem (ECDLP) Given k·P and Q and with the coordinates large enough it is infeasible to get the value k k·P and Q are used in an algorithm to determine a public key and a private key ECC requires shorter keys than other public-key schemes It is used in group communication schemes such as the identity based encryption scheme presented in chapter 4 - -

Key agreement in peer-to-peer wireless networks When two human users try to connect their devices, there are several solutions which do not require de use of a side-channel or additional passwords The ability of users to authenticate each other by visual or verbal contact is used in a Diffie-Hellman key exchange Visual comparison of short strings ( DH-SC ) Two verification strings are obtained after performing a DH Key Exchange, one for each device The users compare the two strings and accept them if equals Distance bounding ( DH-DB ) The devices can estimate the distance between each other by sending messages and measuring the time to obtain a response An integrity region is created, with any device out of it being unable to establish a connection The users must ensure that there are not other devices inside the integrity region Integrity codes ( DH-IC ) This authentication scheme relies on the knowledge of a common integrity code - -

Proposed device pairing solutions - -

Group authentication A group authentication protocol aims to establish a secret key shared by all the devices in a group The key must be refreshed every time a new member joins or leaves the group The overhead introduced may be excessive Three main approaches to the group authentication problem Centralized group key distribution A master device maintains a secure connection to each of the devices at any moment Too much overhead for Bluetooth technology Decentralized group key distribution A distributed algorithm selects the device which acts as the master device, changing it periodically Same limitation as in 1) Contributory group key management All the devices contribute in the generation of the shared secret key by using broadcasting capabilities Not applicable for Bluetooth, as it does not provide full support for message broadcasting - -

Identity Based Encryption (II) The Private Key Generator (PKG) authenticates all the users in the system and transfer their private keys to them using a secure channel The PKG also provides all the users with a Master Public Key The main phases of the standard IBE scheme are: Initial setup The PKG generates all public and private keys Private Key Extraction Bob authenticates with his identity string, getting the Private Key from the PKG Encryption Alice computes Bob’s public key using Bob’s identity and the Master Public Key Alice encrypts the message she wants to send using Bob’s Public Key Decryption Bob decrypts Alice's message using his own Private Key - -

Annex 4: selected references David González Romero Chicago, August 2009

Selected references Astuni, S. (2008). Enabling Secure Group Communication for Mobile Devices Using Bluetooth Technology Stajano, F. & Anderson, R. (1999). The Resurrecting Duckling: security issues for adhoc wireless networks Diffie, W., & Hellman, M.E. (1976). New directions in cryptography. IEEE transactions on Information Theory, 22, 644-654 Anderson, R., Bergadano, F., Crispo, B., Lee, JH., Manifavas, C., and Needham, R. A New Family of Authentication Protocols. ACM SIGOPS Operating Systems Review , 1998 Miller, VS., Use of Elliptic Curves in Cryptography. Lecture notes in computer sciences; 218 on advances in cryptology---CRYPTO 85, 1986 Duffy, A., Dowling, T., An Object Oriented Approach to an Identity Based Encryption Cryptosystem, Eighth IASTED International Conference on Software Engineering and Applications , 2004 Boneh, D. and Franklin, M., Identity Based Encryption from the Weil Pairing. Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology , 2001 - -

A Comprehensive Approach to Secure Group Communication in Wireless Networks

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to A Comprehensive Approach to Secure Group Communication in Wireless Networks (20)

Recently uploaded (20)

A Comprehensive Approach to Secure Group Communication in Wireless Networks