
Who are you? Secure identities in ad hoc networks
Seth Gilbert (National University of Singapore), Calvin Newport (Georgetown University), Chaodong Zheng (National University of Singapore)

Identity establishment in wireless networks

The Sybil Attack
• [Definition] Sybil attack: refers to the behavior where malicious users dishonestly generate a large number of fake identities (also called sybil identities, or sybils) to obtain unfair advantage or conduct other hostile activity.

What we offer
• Algorithms that solve identity establishment
• With good sybil bound
• Asymptotically optimal
• With correctness guarantee
• Every correct node accepts all other correct nodes

The basic idea for sybil-resistance…
Radio resource testing!
[Figure: radio resource test on channel one and channel two, with msg, ack for msg, and an alert]
Honest users: always pass the test!
Malicious users: lose (fake) identity with 50% chance!
[1] N. James, E. Shi, D. Song, and A. Perrig. The sybil attack in sensor networks: Analysis & defenses.
[2] D. Mónica, J. Leitão, L. Rodrigues, and C. Ribeiro. On the use of radio resource tests in wireless ad-hoc networks.

Challenges
• Decentralized (i.e., ad hoc) environment
• No central base station
• Efficiency of radio resource tests
• Test on per-pair basis is too slow
• Colluding when multiple malicious clients exist
• Insufficient to divide nodes into just two channels

Overview of this (short) talk
• Background and Motivation
• Approach and Results
• Model and Problem
• The SimpleSybilSieve Algorithm
• The SybilSieve2 Algorithm

Model: multi-channel wireless network
• Network: consists of c channels
• Single-hop, synchronous
• Users: n nodes in total
• Nodes don't know n, don't have pre-assigned identities
• Can use crypto tools
• Communication: each node has one transceiver
• Each transceiver can access all channels
• Each transceiver can send/receive on one channel at any time
[Figure: channel one through channel c]

Model: adversary
• t (of the n nodes) are Byzantine
• t ≤ n/α, and t ≤ c/α, for some constant α ≥ 1
• Faulty nodes can: create sybils, jam, etc…
• Faulty nodes can also collude
• Model them as one adversary called Eve
[Figure: channel one through channel c, with jamming noise]

Problem: sybil-resistant identity establishment
• Nodes are activated simultaneously
• Each node randomly generates an asymmetric key pair
• Use public key as the identity
• Sign messages to prevent spoofing
• Goal: provide each node with a set of identities
• Contains all honest nodes
• Contains limited number of sybil identities
[Figure: channel one through channel c]

SimpleSybilSieve: Intuition
Assume we know the value of n
Assume we have n/2 channels (i.e., c = n/2)
Imagine: each node randomly chooses a channel, then broadcasts or listens each with probability ½
After n lg(n) time slots, each node will:
• Hear approximately 1/e fraction of silent rounds
• Hear each other honest node Θ(lg(n)) times (criteria for accepting identities)
• Accept at most O(t) sybil identities (when using the above criteria)

SimpleSybilSieve: Handle unknown n
Assume we know the value of n
Assume we have n/2 channels (i.e., c = n/2)
Estimate n via doubling: n=1? n=2? n=4? n=8? n=16? …
When the estimate equals n, use n/2 channels
Use fraction of silent rounds heard to verify correctness
Estimate is small: Eve can do nothing due to contention
Estimate is large: Eve can do nothing due to large number of channels

SimpleSybilSieve: Handle small c
Assume we know the value of n
Assume we have n/2 channels (i.e., c = n/2)
When the number of channels needed is larger than c, simulate it!
However, this allows Eve to create more sybils!
[Figure: one round using channels 1 to 8, carried out on channels 1 to 4 over time slot 1 and time slot 2]

The SimpleSybilSieve Protocol
• Proceeds in epochs, each of which contains multiple rounds
• In epoch i, nodes assume n = 2^i, use 2^(i−1) channels
• In each round, each node randomly chooses a channel
• Then, broadcast or listen each with probability ½
• Use fraction of silent rounds heard to check if estimation is correct
[Figure: timeline of epochs 1, 2, …, lg(n) − 1, lg(n), …, lg(n) + 2; epoch i tests the estimate n = 2^i on 2^(i−1) channels]

The SimpleSybilSieve Protocol (Continued…)
• Once fraction of silent rounds reaches some constant γ1
• Nodes start accepting identities
• Once fraction of silent rounds reaches some constant γ2 > γ1
• Nodes terminate
• Criteria for accepting an identity
• Heard that identity "sufficiently" often in current epoch
[Figure: timeline of epochs 1 through lg(n) + 2]

SimpleSybilSieve's guarantees
• [Theorem] For any t ≤ min{n, c}/α where α ≥ 6, SimpleSybilSieve finishes within O(n lg^2 n · max{1, n/c}) slots, and guarantees the following, with high probability: (a) there are at most O(t · max{1, n/c}) sybil identities accepted by the honest nodes, collectively; and (b) every honest node accepts all other honest nodes.
• When c ≥ n, running time is O(n lg^2 n) and sybil bound is O(t)
• Asymptotically optimal sybil bound
• When c < n, running time is O(n^2 lg^2 n) and sybil bound is O(n)
• Hum… Not so good…

Can we do better?
• SybilCast: a protocol for centralized wireless networks
• SybilCast: guarantees O(t) sybil bound even if c < n
• Imagine such a protocol:
• First run SimpleSybilSieve
• Then run SybilCast many times, each time with one identity as base station
• An identity is accepted only if it is not sybil in most of these SybilCast instances
[Figure: timeline: SimpleSybilSieve, then SybilCast with Alice as BS, Bob as BS, Charlie as BS, …, Zula as BS]
[1] Seth Gilbert and Chaodong Zheng. SybilCast: Broadcast on the open airwaves.

But, wait…
• For SimpleSybilSieve:
• Nodes may terminate at different times…
• Nodes may accept different sets of identities…
• Need synchronization and consensus mechanism!
• We build a sybil-resistant consensus primitive: SybilSensus
• Based on existing Byzantine consensus protocol
[Figure: timeline: SimpleSybilSieve???, then SybilCast with Alice as BS, Bob as BS, Charlie as BS, …, Zula as BS]
[1] T. Srikanth and S. Toueg. Simulating authenticated broadcasts to derive simple fault-tolerant algorithms.

SybilSieve and SybilSieve2
• SimpleSybilSieve to SybilSieve: add SybilSensus to end of each epoch
• Nodes terminate simultaneously
• Nodes have same estimation on network size
• Use SybilSensus again to agree on set of accepted identities
• Run repeated instances of (variant of) SybilCast
• Accept an identity if it is not sybil in most repetitions
[Figure: timeline: SybilSieve (Epoch 1, SybilSensus, Epoch 2, SybilSensus, …, Epoch i, SybilSensus), then SybilSensus, then SybilCast with Alice as BS, Bob as BS, Charlie as BS, …, Zula as BS; the whole sequence is SybilSieve2]

SybilSieve2 guarantees
• [Theorem] For any t ≤ min{n, c}/α where α ≥ 256, SybilSieve2 finishes within O(n^2 lg^2 n · max{1, n/c}) slots, and guarantees the following, with high probability:
• (a) there are at most O(t) sybil identities accepted by the honest nodes, collectively;
• (b) every honest node accepts all other honest nodes;
• (c) all honest nodes terminate simultaneously and have same estimation on network size, which is either 2^lg(n) or 2^(lg(n)+1).

Comparison of variants

| Variant | Running Time | Correctness | Sybil Bound | Synchronous Termination |
| SimpleSybilSieve | O(n lg^2 n · max{1, n/c}) | YES | O(t · max{1, n/c}) | NO |
| SybilSieve | O(n^2 lg^2 n · max{1, n/c}) | YES | O(t · max{1, n/c}) | YES |
| SybilSieve2 | O(n^2 lg^2 n · max{1, n/c}) | YES | O(t) | YES |

To sum up…
• New algorithms for sybil-resistant identity establishment
• SimpleSybilSieve, SybilSieve, and SybilSieve2
• They provide trade-offs between runtime and sybil bound
• Pick the one that is most appropriate
• Useful subroutines that can be used elsewhere
• Sybil-resistant Byzantine consensus, network size estimation
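
An added example, not part of the original slides or the authors' code: a Python simulation of the SimpleSybilSieve epoch structure with honest nodes only, showing the silent-round fraction passing roughly 1/e when the estimate equals n and how it drives acceptance and termination. GAMMA1, GAMMA2, the rounds-per-epoch constant, the collision rule and the acceptance threshold are assumptions; the slides give no values for them.

```python
import math
import random

GAMMA1, GAMMA2 = 0.25, 0.70   # assumed thresholds; the slides only say "some constant"
ROUNDS_FACTOR = 16            # assumed constant in front of est * lg(est) rounds per epoch

def run_epoch(n, i, rng):
    """One epoch with estimate 2**i on 2**(i-1) channels, honest nodes only.
    Returns (fraction of listening slots that were silent, counts heard by node 0)."""
    est, channels = 2 ** i, 2 ** (i - 1)
    listens = silent = 0
    heard = [0] * n
    for _ in range(ROUNDS_FACTOR * est * i):
        senders, listeners = {}, []
        for node in range(n):
            ch = rng.randrange(channels)          # random channel
            if rng.random() < 0.5:                # broadcast or listen, each with prob 1/2
                senders.setdefault(ch, []).append(node)
            else:
                listeners.append((node, ch))
        for node, ch in listeners:
            on_air = senders.get(ch, [])
            listens += 1
            if not on_air:
                silent += 1
            elif len(on_air) == 1 and node == 0:  # assumed: a collision delivers nothing
                heard[on_air[0]] += 1
    return silent / max(listens, 1), heard

def simple_sybil_sieve(n, seed=7):
    """Doubling estimate of n. Returns (epoch log, identities accepted by node 0)."""
    rng = random.Random(seed)
    log, accepted, i = [], set(), 0
    while True:
        i += 1
        frac, heard = run_epoch(n, i, rng)
        log.append((2 ** i, round(frac, 3)))
        if frac >= GAMMA1:
            # Assumed meaning of "sufficiently often": heard at least lg(estimate) times.
            accepted |= {j for j in range(1, n) if heard[j] >= i}
        if frac >= GAMMA2:
            return log, accepted

if __name__ == "__main__":
    log, accepted = simple_sybil_sieve(32)
    for est, frac in log:
        print(f"estimate n={est:4d}  silent fraction={frac:.3f}")
    print("1/e =", round(1 / math.e, 3), " accepted by node 0:", len(accepted))
```

With these assumed thresholds, node 0 starts accepting in the epoch whose estimate equals n and stops two epochs later, which matches the lg(n) to lg(n) + 2 span on the protocol timeline.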