Self-Organized Public-Key Management for Mobile Ad Hoc Networks

Srđan Čapkun, Levente Buttyán and Jean-Pierre Hubaux
{srdan.capkun, levente.buttyan and jean-pierre.hubaux}@epfl.ch
Laboratory for Computer Communications and Applications (LCA)
Swiss Federal Institute of Technology (EPFL)

Security in ad hoc networks

Ad hoc networks
- mobile terminals (can be captured or compromised)
- wireless communications (passive eavesdropping and active interfering)
- no centralized management point (cooperation)

Vulnerabilities
- basic mechanisms (e.g. routing)
- security mechanisms (e.g. (public) key management)

Self-Organized Public-Key Management

Security: we use a public-key cryptography scheme to support security services in mobile ad hoc networks

Problem: How can a user u obtain the authentic public key of another user v in the presence of an active attacker?

Our system:
- users generate their keys and issue certificates
- no central certification authority
- no certification directories
- no specific role assigned to a subset of nodes
- no preinstalled keys/procedures

Model

We assume that if a user i believes that a given public key belongs to a given user j, then i can issue a public-key certificate to j

A certificate graph G(V, E)
- V is a set of keys
- E is the set of edges, where a directed edge (i, j) is added if i signed a public-key certificate $\{j, K_j\}_{PrK_i}$ to user j

[Figure: edge from $K_i$ to $K_j$ labelled with the certificate $\{j, K_j\}_{PrK_i}$]

Certificate graph

[Figure: certificate graph over the keys $K_1$ to $K_{12}$, showing authentication via a chain of certificates]

Self-Organized Public-Key Management

The system works in two phases:
1. Initialization: users construct their local certificate repositories (store a set of certificates)
2. When a user wants to verify the public key of another user, the users merge their local repositories and try to find path(s) of certificates between them in the certificate graph

[Figure: the two phases, with users i and j]

Initialization (1)

[Figure: initialization in the certificate graph]

Initialization (2)

Each user stores a local repository of public-key certificates (a subgraph)
- stores the certificates that it issued (outgoing edges)
- stores the list of certificates that others issued for it (incoming edges)
- stores an additional set of certificates chosen according to some algorithm A

Users use the same algorithm to build their repositories
- Centralized
- Distributed

[Figure: repository construction; labels: CD, sub-graph, 1 req, 2 sub-graph]

Merging the local repositories (verifying the key)

[Figure: merged local repositories of users i and j]

Example of an algorithm: Maximum Degree

Node builds its incoming and outgoing path(s) choosing the nodes with the highest degrees.

Algorithm performance

We define the performance $p_A(s, G)$ of the local repository construction algorithm A on the certificate graph G as

$$p_A(s, G) = \frac{\left|\{(u, v) \in V \times V : K_u \rightarrow_{G_{u,A} \cup G_{v,A}} K_v\}\right|}{\left|\{(u, v) \in V \times V : K_u \rightarrow_{G} K_v\}\right|}$$

where s is the size of the local repositories of the users (i.e. the number of edges in the subgraph of each user): $s = |E(G_{u,A})|$.

Performance of Maximum Degree

Node builds its incoming and outgoing path(s) choosing the nodes with the highest degrees.

[Plot: algorithm performance $p_{MD}(s, PGP)$ versus local repository size (s); PGP graph size = ~5000; curves for c = 1 path and c = 4 paths]

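The performance measure and a single-path (c = 1) version of the Maximum Degree selection, as an added Python example (not code from the slides or from the authors). The sample graph, the function names, the tie-breaking rule and the choice to store only the two greedy paths in each repository are assumptions made here.

```python
from collections import deque
from itertools import permutations

# Constructed sample graph (not from the slides): issuer -> subjects it certified.
G = {"a": {"b"}, "b": {"a", "c"}, "c": {"b", "d", "e"}, "d": {"c", "f"},
     "e": {"c"}, "f": {"d", "g"}, "g": {"f"}}

def edges(graph):
    # Directed edge (i, j): user i signed a certificate for key K_j.
    return {(i, j) for i, subjects in graph.items() for j in subjects}

def greedy_path(E, start, length, outgoing):
    """Follow up to `length` certificates, stepping to the highest-degree unvisited node."""
    far = 1 if outgoing else 0  # index of the node we step to
    path, node, seen = set(), start, {start}
    for _ in range(length):
        cand = [e for e in E if e[1 - far] == node and e[far] not in seen]
        if not cand:
            break
        # Degree = number of certificates touching the node; name breaks ties (assumption).
        best = max(cand, key=lambda e: (sum(e[far] in x for x in E), e[far]))
        path.add(best)
        node = best[far]
        seen.add(node)
    return path

def build_repo(E, user, length):
    # Local repository: one outgoing and one incoming greedy path.
    return greedy_path(E, user, length, True) | greedy_path(E, user, length, False)

def has_chain(E, src, dst):
    """BFS for a chain of certificates from K_src to K_dst inside edge set E."""
    queue, seen = deque([src]), {src}
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for i, j in E:
            if i == node and j not in seen:
                seen.add(j)
                queue.append(j)
    return False

def performance(graph, length):
    """Pairs with a chain in the merged repositories / pairs with a chain in G."""
    E = edges(graph)
    repo = {u: build_repo(E, u, length) for u in graph}
    pairs = [p for p in permutations(graph, 2) if has_chain(E, *p)]
    return sum(has_chain(repo[u] | repo[v], u, v) for u, v in pairs) / len(pairs)
```

On this graph, paths of one or two certificates leave some pairs without a chain (users a and g cannot authenticate each other at length 2), while paths of three certificates reach every pair.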
False certificates

[Figure: certificate graph fragment with keys $K_i$, $K_D$, $K_j$, $K'_j$ and certificates $\{F, K_j\}_{PrK_D}$ and $\{j, K'_j\}_{PrK_D}$]

- $K_D$: a key controlled by a dishonest user
- $K'_j$: a false key created by a dishonest user
- $\{F, K_j\}_{PrK_D}$: a certificate binding user F to a key $K_j$

Design goals
- performance
  - redefined by taking authentication metrics into account
- key usage
  - ideally, all vertices need to be used for authentication equal number of times (to be on the path equal number of times)
- scalability
  - minimize the size of the local repositories (subgraphs) and the communication cost
- invariance to certificate graph changes

Performance with authentication metrics

Authentication metric: the value (u, v, G) represents the assurance with which u can obtain the authentic public key of v using the information in G.

Performance of a subgraph selection algorithm:

p A, ( G) = 1 J~ ( uv, ) W ( uvg,, u U Gv) ( uvg,, )
{ } where W = ( u, v) V V : ( u, v, G) 0

Examples of authentication metrics include: number of disjoint paths of certificates, number of bounded and k-bounded disjoint paths...

Authentication metric analysis and design; M. Reiter and S. Stubblebine, ACM Trans. on Information and System Security, 1999.

Certificate (Key usage)

By usage for key authentication, we mean that a certificate in the merged subgraphs will be used for key authentication by the authentication metric.

The number of times that a key is used for authentication is the sum of the numbers of times that the certificates signed by that key are used for authentication.

Given a certificate graph G(V, E), a local repository construction algorithm A and an authentication metric, and for each pair of vertices $(K_u, K_v) \in V \times V$, a set of edges $M(K_u, K_v)$ that are used by the authentication metric

{,,,,,, } M ( K, K ) = ( K, K ) G G : ( K, K, G G \( K, K )) ( K, K, G G ) u v w z u A v A u v u A v A w z u v u A v A

and for each vertex $K_w \in V$, the usage U ( K ) in $M(K_u, K_v)$ w ( u, v),, A, G

{ } U ( K ) = ( K, K ) M ( K, K ): K = K ( uv, ),, AG, w z x u v z w

we define for each $K_w \in V$ a vertex (key usage) U, A, G( Kw) :

U, AG, ( Kw) = U( uv, ),, AG,( Kw) Ku, Kv V

Fundamental design limit (1): size of the repositories

Problem 1: Find a set of subgraphs that minimizes the size of local repositories such that p = 1

Theorem 1: Let us consider a certificate graph G(V, E), a subgraph construction algorithm A, and an authentication metric 0. If p A, 0 (s, G) = 1, then s is minimized if

$$\forall K_v \in V,\quad G_v = sp(K_v, K_x) \cup sp(K_x, K_v),$$

where $sp(K_v, K_x)$ is the shortest path from $K_v$ to $K_x$ in G such that $K_x$ minimizes

$$\max_{K_v \in V,\ K_v \neq K_x} \bigl(d(K_v, K_x) + d(K_x, K_v)\bigr)$$

where $d(K_v, K_x)$ is the length of $sp(K_v, K_x)$. Furthermore,

$$s = \min_{K_x \in V}\ \max_{K_v \in V,\ K_v \neq K_x} \bigl(d(K_v, K_x) + d(K_x, K_v)\bigr)$$

Fundamental design limit (2): key usage

Problem 2: Find a set of subgraphs that minimizes the size of local repositories such that p = 1 and $U(K_v) = U(K_u)$

Theorem 2: Let us consider a certificate graph G(V, E), a subgraph construction algorithm A, and a binary authentication metric 0. If (i) p A, 0 (s, G) = 1, (ii) $U(K_v) = U(K_u)\ \forall K_u, K_v \in V$, and (iii) $|V(G_v)| = s$ for each $K_v \in V$, then s V -1.

[Figure: examples with $|V| = 4$, $s = 2$ and $|V| = 9$, $s = 4$; $s = 2(\sqrt{|V|} - 1)$]

Maximum degree simulation results

Key usage: Maximum degree

Helper users

[Plot: pa(s,h,g) versus pa(s,0,g); curves for 0 helpers, 1 helper, 2 helpers, 3 helpers and 4 helpers]

Conclusion and Future work

Conclusion
- We have proposed a public key management system for mobile ad hoc networks
- no publicly accessible certificate directories needed but can be used
- off line verification enabled
- the scheme provides probabilistic guarantees

Possible applications
- Key Authentication in Ad hoc networks in the absence of connectivity to the backbone
- Peer-to-peer computing with no centralized certificate server

Future work
- Key revocation

References

- Jean-Pierre Hubaux, Levente Buttyan, Srdjan Capkun, The Quest for security of mobile ad hoc networks, MobiHoc 2001.
- Srdjan Capkun, Levente Buttyan and Jean-Pierre Hubaux, Self-Organized Public-Key Management for Mobile Ad Hoc Networks, EPFL/IC Technical Report no. 2002/34, May 2002.
- Srdjan Capkun, Levente Buttyan and Jean-Pierre Hubaux, Small Worlds in Security Systems: an Analysis of the PGP Certificate Graph, EPFL/IC Technical Report no. 2002/23, May 2002.

http://icwww.epfl.ch
http://www.terminodes.org