A few challenges in security & privacy in the context of ubiquitous computing Gene Tsudik SCONCE: Secure Computing and Networking Center UC Irvine http://sconce.ics.uci.edu/ 06/13/2005 1 Some Challenges • Location privacy, network unobservability and location verification • Distributed decision-making in MANETs • Privacy-preserving authentication and authorization • Secure data and tag aggregation • Device pairing with varying degrees of human intervention 2 Secure Membership Control in MANETs Membership control is the foundation of all security features/services in a MANET Why is Membership Control Hard? Objective: Technical Approach: A set of practical, robust and secure techniques for distributed decision-making in multi-hop MANETs. Employ (and design) state-of-the-art (threshold and proactive) cryptographic methods to construct protocols for distributed admission and eviction of nodes in a MANET. Implement in a general-purpose toolkit & integrate with sample applications; experiment with limited deployment scenarios. No omni-present centralized/trusted authority Dynamic topology Sporadic connectivity Frequent outages/failures New nodes can “appear” at any time, esp. in a battlefield setting Trust in nodes is ephemeral, e.g., captured nodes/units must be evicted from network •Architecture: consider security needs of various applications. •Short-lived versus long-lived MANETs/groups •Interaction with outside: closed vs open groups •Is non-repudiation needed? •Is communication pair-wise or group-wise? • RSA doesn’t work • DSA, Schnorr, ID-based techniques for long-lived groups • Bivariate polynomial secret sharing for short-lived groups http://sconce.ics.uci.edu/gac 3 Some Recent Results: An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol, Stanislaw Jarecki, Nitesh Saxena and Jeong H. Yi, ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), October 2004. Identity-based Access Control for Ad Hoc Groups, Nitesh Saxena, Gene Tsudik and Jeong H. Yi, International Conference on Information Security and Cryptology (ICISC), December 2004. Futher Simplifications in Proactive RSA Signature Schemes, Stanislaw Jarecki and Nitesh Saxena, Theory of Cryptography Conference (TCC), February 2005. Efficient Node Admission for Short-Lived MANETs Nitesh Saxena, Gene Tsudik and Jeong H. Yi, in submission. 4 Privacy-preserving Authentication and Authorization A few basic concepts: • Oblivious Envelopes – Alice is an informant, has secret info for police – Bob claims to be a cop, doesn’t want to show his credentials – See, e.g., Li, et al. PODC’03 • Secret Handshakes – – – – – Alice wants to talk to Bob iff Bob is a CIA agent Bob wants to talk to Alice iff Alice is a CIA agent Must be unobservable to others, anonymous, unlinkable Generalizable to groups? See, e.g., Balfanz, et al. S&P’03, Castelluccia, et al. AC’04 • Privacy-Preserving Trust Negotiation (Hidden Credentials) – Alice wants to access one of Bob’s resources – Bob doesn’t want to divulge his access control policies – More generally, Alice has many credentials; doesn’t want Bob to know them; as long as at least one satisfies one of Bob’s policies – See, e.g., Bradshaw et al. CCS’04 5 Secure Data and Tag Aggregation • Data Aggregation: how to reduce bw if only interested in statistical values? – E.g., in sensor nets and MANETs • Tag Aggregation: how to reduce bw consumed by multiple MACs, signatures, etc? – E.g., in reliable multicast, sensor nets, MANET routing, etc. • Aggregated MACs are easy, but… • Aggregated signatures by same signer are cheap (e.g., RSA) • Aggregated signatures by different signers are viable but expensive (e.g., BLS ID/pairing-based) • Some require partial interaction, e.g., Schnorr-based ASM 6 Some Recent Results: Securing Route Discovery in DSR. Jihye Kim and Gene Tsudik IEEE Mobiquitous, July 2005. Secure and Robust Acknowledgement Aggregation Claude Castelluccia, Stas Jarecki and Gene Tsudik Security in Computer Networks (SCN). September 2004. Aggregation of Encrypted Data in WSNs Claude Castelluccia, Einar Mykletun and Gene Tsudik IEEE Mobiquitous July 2005. Authentication and Integrity for Outsourced Data Maithili Narasimha, Einar Mykletun and Gene Tsudik Network and Distributed System Security (NDSS) February 2004. 7 Secure Device Pairing • • • • • Two devices must be securely paired on-the-fly No prior association No specialized connection No common PKI authentication irrelevant Involving human as an aid – E.g., “Seeing-is-believing” (S&P’05) or “Shake-them-up” (Mobihoc’05) • What if we want to pair more than 2 devices? 8 The end… 9