Department of Computer and Information Science
Distributed certificates in ad hoc networks
Tobias Krispinsson Filip Asp
Linköping University
Supervisor: Marcus Bendtsen
Examiner: Nahid Shahmehri
Students in the five-year Information Technology program complete a semester-long software development project during their sixth semester (third year). The project is completed in mid-sized groups, and the students implement a mobile application intended to be used in a multi-actor setting, currently a search and rescue scenario. In parallel they study several topics relevant to the technical and ethical considerations in the project. The project culminates in demonstrating a working product and a written report documenting the results of the practical development process, including requirements elicitation. During the final stage of the semester, students form small groups and specialise in one topic, resulting in a bachelor thesis. The current report represents the results obtained during this specialisation work. Hence, the thesis should be viewed as part of a larger body of work required to pass the semester, including the conditions and requirements for a bachelor thesis.
In this report an ad hoc system is defined with the capability to validate the integrity of every node in the network without a third party, as long as every node is in possession of a certificate. The system is developed to function in an ad hoc network with many external threats. The main target groups would be the military and first responders. There are many different problems with such a network, and many parts have been researched, but few full systems have been developed. This report defines a hierarchical system where nodes can communicate in an encrypted way with the help of certificates. In a military situation the risk of compromised nodes must be considered. Therefore, the system can both detect and handle compromised nodes by means of revocation certificates. The proposed system also detects and handles partitions. The system has been put together by first making a literature study to find existing solutions to different problems, then making a synthesis of those solutions. We also came up with new solutions where the three cornerstones of security, availability, confidentiality and integrity, were in focus. To make the solution more trustworthy, a risk analysis of the resulting system was made, which identified the weak points of the system.
Contents
1 Introduction
2 Motivation
2.1 Aims
3 Theory
3.1 Ad hoc
3.2 Dynamic Source Routing
3.3 Near Field Communication
3.4 Data encryption
3.5 Public Key Infrastructure
3.6 Partitioning
3.7 Risk analysis with Attack Tree
4 Method
4.1 Risk analysis - Attack tree
5 Result
5.1 Theory and techniques embedded in the system
5.1.1 Heterogeneity in network
5.1.2 Adi Shamir's secret sharing algorithm
5.1.3 Mobile Certificate Authority
5.1.4 Detecting compromised nodes
5.2 Our system
5.2.1 Node types
5.2.2 Initializing network
5.2.3 Certifying a node
5.2.4 Subnetworks
5.2.5 How to handle compromised nodes
5.2.6 How to handle a compromised CN
5.2.7 How to handle partitions
5.3 Risk analysis
6 Discussion
6.1 Method
6.2 Result
6.3 A broader perspective
7 Conclusion and further development
7.1 Further development
7.1.1 Certificate self-revocation function
7.1.2 Security mechanism for receiving part of certificate
7.1.3 Functionality for fooling a compromised node
Introduction
Nowadays almost everyone uses the Internet daily. The idea of always being sure of getting the information that was requested is of course appealing, and today this is ensured by the Public Key Infrastructure (PKI). PKI allows users to exchange information over an insecure communication channel in a secure way with asymmetric encryption. The keys used for encryption and decryption are tied to a certificate authorised by a third party, so that every time a request for information is sent it can be validated that the information comes from the right place. The third party is a trusted authority which continuously undergoes strong controls in order to keep that trust. So in today's Internet, when data is transferred and received, the origin of the data is verified by these trusted authorities.
What would happen if there were no trusted authorities? It would still be appealing to be sure of where the data is coming from and if someone has altered it on the way. This is a scenario that could happen if it was no longer possible to trust the authorities or if they are not available for some reason. A possible situation where it could happen is in crisis situations such as an earthquake or during a war.
Most of the traffic on the Internet is sent over a fixed infrastructure. A fixed infrastructure is very reliable since there are cables between every point that can transfer data. If a crisis were to emerge, for example an earthquake, it is possible that these cables would break, the routers would crash or the power stations providing electricity to the routers would fail, leaving the network broken and unusable. To still be able to communicate, a possible way is to use an infrastructure-less network, which is more flexible when it comes to mobility and the setup process.
An infrastructure-less network could be preferable for different organisations in a crisis situation. For example, first responders such as the police or the military will still need to transmit information even if the infrastructure has gone down. If they could set up an infrastructure-less network, for example an ad hoc network, they could contact each other without the help of the local infrastructure. But since no trusted authorities are available, a new problem arises: there is no definite way of validating the sender's integrity. An infrastructure-less network of course has its downsides compared to an infrastructure-based network. Some of the problems are guaranteeing the integrity of a sender, the risk of nodes being compromised, and partitioning of the network. So, is it possible to define a model of an infrastructure-less network that can assure the same integrity without the validation of a third party and still solve the problems that come with an infrastructure-less network?
Motivation
In a scenario where there is no infrastructure for telecommunication, it is important to still have the possibility to communicate. An ad hoc network is one kind of infrastructure-less network. Integrity is important when communicating through a network, but in ad hoc networks it is often not possible to have a third party that can distribute certificates and verify the integrity of nodes. With an ad hoc network there are many possibilities but also vulnerabilities. Researchers have developed methods of solving these vulnerabilities one by one, but few solutions for a fully functional system have been made. We want to define a model that deals with these problems. When an ad hoc network is set up, it is probable that the network will be built differently depending on who is going to use it. In a scenario where a natural disaster has taken place, usually two types of organisations take action to re-establish normal conditions: the military and first responders. It is therefore of interest to find a solution from two perspectives, namely the military perspective and the first responders' perspective.
Aims
• The first aim is to identify how it is possible to distribute certificates in an ad hoc network without a third party. This is done by answering the following questions:
  – How should a node be certified?
  – Which nodes should be able to certify?
  – What happens when many nodes get too far away from each other?
  – How does the network detect if a node is compromised?
  – How should the network react when a certifying node has been compromised?
• The secondary aim is to define a model from the answers to these questions, with the help of studies that have been made.
• Since a system can never be 100% secure, the tertiary aim is to make a risk analysis of the system to identify remaining threats.
Theory
This section is written in order to give the reader general knowledge about the underlying theory needed to understand the system proposed later.
Ad hoc
An ad hoc network is an infrastructure-less network type used in situations when fixed infrastructure is not available. In these networks it is the devices that participate in the network that also set it up. Nowadays, when the number of mobile devices is increasing, it is a useful way of connecting a group of nodes together. It is also cheaper to build an ad hoc network since no complex infrastructure is needed. Every node in the network takes care of network transmission, since each node has its own receiver and transmitter. To be able to transfer packets outside the radio range of the device, ad hoc networks allow multi-hop transmissions. With the multi-hop technique, nodes can forward packets so that a message can be delivered from one side of the network to the other.
Dynamic Source Routing
Dynamic Source Routing (DSR) is an on-demand routing protocol which can be used in ad hoc networks. There are two main phases in DSR: route discovery and route maintenance. When a node needs to send information to another node for the first time, it uses route discovery. Route discovery can be described as follows: node A wants to contact node D, so it broadcasts a route request for node D. Any node that receives this route request forwards it, and this goes on until it reaches node D. Node D then sends a route reply back to A which contains the route the request travelled. Node A then saves this route in its cache. The next time node A sends a packet to node D it will use the route in the cache to transport the packet.
Figure 1: Overview picture of the two main phases of DSR: (a) DSR during route discovery, (b) DSR during route maintenance
Route maintenance is used to keep the cached routes up to date and to get packets to the specified node more efficiently if the dedicated route does not work. For example, node A sends a packet to node D, but node B, which lies on the way to node D, cannot send to node C. Node B then checks in its cache whether it has an alternative route to node D and uses that route instead, saving node A from resending the packet. Node A then receives the route the packet actually travelled and can update it in its cache.
Near Field Communication
Near Field Communication (NFC) is a technology where two devices can set up a close-range wireless link between each other. The technology is made so that the signals only travel about 10 centimetres or less, allowing devices to connect to each other only if they are close. Since the radio waves do not travel far, it is harder to eavesdrop on as well as to meddle with the signal. The NFC technology can be used for both one-way and two-way communication. One-way communication requires only one powered device and can for example be used to open an electronic lock: the scanner by the lock is able to read the tag by electromagnetic induction. Two-way communication requires both devices to be powered in some way, and can for example be used to transfer data between two mobile phones.
Data encryption
When sending data in a network it is often important to keep the confidentiality of the data. The standard way of doing this is with encryption. There are two main encryption techniques, called symmetric and asymmetric encryption. In both techniques the use of one or several keys is necessary to keep the data confidential. Symmetric encryption uses the same key to encrypt the data as well as to decrypt it, whilst asymmetric encryption uses two different keys, one to encrypt and another to decrypt. These two keys are called the public and the private key. Anyone can have knowledge of the public key because it is only used to encrypt data, whilst the private key is used to decrypt data and can therefore only be known by the one who is going to read the information. With this approach the public key is made available to everyone (and the private key is kept private) in order to enable encryption. The owner of the private key is then the only one who can decrypt the message. The first and one of the most well-known asymmetric encryption algorithms is called RSA. To generate the keys, RSA uses large primes.
Public Key Infrastructure
PKI is a way of handling public encryption keys. By using PKI it is possible to create a secure connection in an environment where anyone can pick up the sender's transmission. When using PKI, some kind of trusted authority is needed. In today's Internet a Certificate Authority (CA) is used; the CA enables validation of a party's identity. This means that when information is requested from a server, the server sends back a certificate authorised by a CA to guarantee integrity. The certificate is encrypted with the CA's private key and is therefore only possible to decrypt with the public key of the CA. Many browsers have the public keys of the most common CAs built in. That means that when you get a certificate from the requested domain, it is possible to automatically check whether the information has been tampered with along the way, and whether it comes from the domain that you requested.
A certificate contains an expiration time, a hash code, the public key of the sender, a digital signature, the identity of the CA, the identity of the sender and what the public key may be used for. An example of PKI in use: if a company needs to provide secure communication with its clients, the company buys a certificate from a CA. Every time a user fetches information from the company's website, they receive the certificate and can then be sure that the information comes from the company and has not been changed, provided the encrypted hash is correct. The CAs also keep track of revoked certificates, i.e. certificates that are no longer valid.
Partitioning
Because of the mobility possible in an ad hoc network, the risk of partitioning is something that cannot be ignored. Network partitioning is a kind of network failure and means that a single network topology breaks into two or more network topologies (partitions). Nodes within each partition can communicate with each other, but it is not possible to communicate between the partitions. This makes it important to have a system where partitioning can be detected. To detect partitioning in a network, the work of H. Ritter, R. Winter and J. Schiller can be used. In their system there are two sets of nodes. The first set is the non-active nodes, which do not take part in the detection system, and the second set consists of nodes that actively probe the network to detect partitions. The active nodes are chosen carefully, and their key property is that they have relatively few neighbouring nodes compared to the other nodes. The nodes with the fewest neighbours are most likely at the border of the network topology and can therefore detect partitioning.
The detection system works by having the active nodes send out beacon frames in the network. The function of these frames is to serve as keep-alive messages. Every active node monitors other active nodes to be able to suspect partitions. The non-active nodes help to forward the beacon frames between the active nodes. If an active node has not heard from a node it is monitoring for a certain amount of time, the node can suspect a partition (see Figure 2b). The active nodes should be placed far apart, because if beacon messages need to be transferred through a larger part of the network, the area that is monitored also becomes larger.
Figure 2: Node B monitors A; node A sends beacon frames to B. (a) No partition suspected, (b) Partition suspected
When an active node does not hear from a node it is monitoring, it starts to suspect a partition. One approach is to interpret the absence of beacon frames as a partition. However, the reason why a beacon frame does not arrive at the monitoring node could also be node failure. To reduce the probability of false partitioning alarms, Ritter et al. suggest a so-called buddy mechanism. A buddy (which is selected by the beacon-sending node) is a node one hop away that monitors the node which is sending beacon frames. The buddy periodically tries to contact its one-hop neighbour, and if it is not reachable the buddy starts a route request. If the node is found, the buddy tells the node to choose another buddy, since the buddy should always be one hop away. If the node is not found that way either, the buddy assumes that there is a node failure and notifies the rest of the network.
Risk analysis with Attack Tree
Making an attack tree is a form of risk analysis where the analysts pretend to be an attacker. When making the attack tree, the first thing to do is to define what asset should be protected. An example could be entries in a database or some other valuable asset. The next step is to think of what the attacker aims to do with the asset and put that as the root of the tree. In Figure 3 an example is shown where the attack is defined as "open a safe". The next step is to identify different ways of completing that attack, and what is needed to get it done. These actions are then used to build branches, to be able to see the different paths to accomplishing the attack. In some cases more than one subtask must be completed in order to successfully complete a certain task. To illustrate this, an AND node is used.
Figure 3: Example of an attack tree
certain task is possible to carry out, which is illustrated with a 'P' in the upper left corner. These values are first assigned to the leaves in the tree. If a leaf is assigned impossible, it implies that the parent node will also be impossible. However, if the parent node has many children, only one child node needs to be possible; this can be seen in Figure 4. Then a cost should be assigned to all nodes. As in the case with possibility, the cost of the parent node depends on the cost of the child nodes, where the cheapest cost of a child node becomes the cost of the parent node. This allows the analysts to compare the worth of the asset with the cost of the attack.
Figure 4: Example of an attack tree with costs added
If needed, many more values can be assigned to the nodes. For example, every node can be assigned a legal or illegal value. It is then possible to map out the cheapest legal way of attacking the asset.
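As an added example (not code from the thesis), the following Python evaluates an attack tree with the rules described above: leaves carry a possible/impossible flag, a cost and a legal/illegal flag, an OR node takes its cheapest possible child, an AND node needs all of its children, and the cheapest legal attack can be read off by filtering out illegal leaves. The tree around the "open a safe" root is constructed for illustration (the thesis' Figure 3 is not reproduced here), and treating the cost of an AND node as the sum of its children's costs is an assumption.

```python
"""Attack tree evaluation: possibility, cheapest attack and cheapest legal attack.

Added example, not the thesis' own code. Costs may equally be the 1-4 effort
values used in the thesis' own risk analysis (Section 4.1).
"""
from dataclasses import dataclass, field
from typing import List, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # "LEAF", "OR" or "AND"
    children: List["Node"] = field(default_factory=list)
    possible: bool = True              # the 'P' / impossible mark on a leaf
    cost: float = 0.0                  # cost (or effort) of carrying out a leaf
    legal: bool = True                 # legal / illegal extension from the text


def is_possible(node: Node) -> bool:
    """Leaf: as assigned. OR: one possible child suffices. AND: every child must be possible."""
    if node.kind == "LEAF":
        return node.possible
    if node.kind == "OR":
        return any(is_possible(c) for c in node.children)
    return all(is_possible(c) for c in node.children)


def cheapest(node: Node, legal_only: bool = False) -> Tuple[float, List[str]]:
    """Cost and leaf actions of the cheapest feasible attack under `node`, or (INF, []) if none.

    With legal_only=True illegal leaves are treated as unavailable, which yields
    the "cheapest legal way of attacking the asset" mentioned in the text.
    """
    if node.kind == "LEAF":
        if not node.possible or (legal_only and not node.legal):
            return INF, []
        return node.cost, [node.name]
    results = [cheapest(c, legal_only) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])      # cheapest child becomes the parent's cost
    # AND: all subtasks are needed, so their costs add up (assumption, not stated in the thesis)
    if any(r[0] == INF for r in results):
        return INF, []
    return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]


def open_safe_tree() -> Node:
    """Constructed tree for the "open a safe" root; all leaves, costs and flags are made up."""
    return Node("open safe", "OR", [
        Node("pick lock", cost=30, possible=False),
        Node("cut open safe", cost=10),
        Node("learn combination", "OR", [
            Node("find written combination", cost=75),
            Node("get combination from owner", "OR", [
                Node("threaten owner", cost=60, legal=False),
                Node("bribe owner", cost=5, legal=False),
                Node("eavesdrop", "AND", [              # both subtasks are required
                    Node("listen to conversation", cost=3),
                    Node("get owner to say combination", cost=4),
                ]),
            ]),
        ]),
        Node("install improperly", cost=100, possible=False),
    ])


if __name__ == "__main__":
    tree = open_safe_tree()
    print("root possible:", is_possible(tree))
    print("cheapest attack:", cheapest(tree))
    print("cheapest legal attack:", cheapest(tree, legal_only=True))
```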
Method
In our project we have carried out a literature study. Such a study means doing systematic research and critically reviewing the literature found. We have followed the method proposed by C. Forsberg and Y. Wengström, since it describes a systematic way of gathering information and how to structure a report. The steps performed were:
1. Motivate why this study is made and why it is important. This was done in Section 2.
2. Formulate questions which were known to be possible to answer, which was done in Section
3. Make a predefined plan of how the information should be acquired to answer the questions.
4. Identify and choose which literature to use for gathering the information needed. The literature could be articles and papers as well as books and journals.
5. When a sufficient amount of information was gathered, we chose which information to include in our study by evaluating the quality of each piece of information. This was done by discussing which information we thought could best solve our stated problems.
6. We then analysed and discussed our results, and finally put together and drew conclusions from our study.
In our plan for acquiring information related to our field of research we defined specific search terms. These terms were then used as a tool when we searched in different databases. The search terms and databases we used are listed in Table 1 and Table 2.
Table 1: Search terms used in literature study
Search terms:
Certificate Authority
Certificate Exchange
Threshold Cryptography Ad hoc
Ad hoc Certificate Authority
Adi Shamir
Compromised Ad hoc
Ad hoc Network Partitions
Table 2: Databases used in literature study
Databases:
ACM Digital Library
IEEE Xplore
Scopus
Springer
These databases are well-known and large providers of scientific articles and papers from conferences all over the world. IEEE Xplore focuses on articles within computer science, electrical engineering and electronics, while Scopus, Springer and ACM Digital Library are wider databases with articles from different areas.
Risk analysis - Attack tree
Later we tested our hypothetical system using risk analysis. For the risk analysis we used the attack tree method (Section 4.1). Since we had multiple assets we constructed an attack tree on each asset. We used a scale of 1-4 to illustrate how much effort is needed to complete a certain task, where 1 represents least effort, and 4 most effort. We used effort instead of cost because some tasks are better to estimate in time rather than cost. It is also difficult to determine the cost values without rigorous investigation which is out of scope for this project. The value of the effort is set by our own assessment.
After that we reviewed the system as a whole. Finally we concluded which risks still remained within our system, which threats we had reduced, which consequences we had reduced and which problems we had solved.
Result
In this Section the information found in the literature study and the resulting system are described.
Theory and techniques embedded in the system
This Section is written in order to give the reader a general idea of what underlying theory and techniques are used to define the system.
5.1.1 Heterogeneity in network
In a scenario like ours, the general structure of an organisation which is setting up and using the ad hoc network has many different kinds of nodes. Throughout the report, a node is defined as a human being with the responsibility for some kind of electronic device. This device could be a stationary point with the capability to receive and transmit data, or a more mobile device like a phone. The structure of the organisation using the network could be a hierarchy, where different people have different ranks. Since the electronic device of a node could be several things, all nodes will have different capabilities, for example transmission range, power, rank and level of physical security. Nodes with high rank or high transmission range should be used to control more sensitive information.
5.1.2 Adi Shamir’s secret sharing algorithm
Adi Shamir's secret sharing algorithm is an algorithm used for dividing data into n pieces in such a way that it is possible to reconstruct the data from k of these pieces. The reconstruction is possible by polynomial interpolation if the partial keys are picked according to Shamir's scheme. An approach like this is called a (k, n) threshold scheme.
When data needs to be encrypted some kind of key is always needed. A normal way of storing a key is to keep it in a single, often well-guarded location such as a computer or a human brain. This approach is unreliable, because with a single key holder the consequences of a lost key could be serious. Instead a (k, n) threshold scheme can be used, where n > 1 and k ≤ n. If k and n are picked according to 2k − 1 = n, the result is a robust key management scheme where it is still possible to recover the secret even if n/2 − 1 partial secrets are destroyed. If partial secrets were to be stolen, the thief would still not be able to reconstruct the secret unless more than n/2 − 1 were stolen. When implementing the algorithm, a function needs to be constructed. It is important to pick that function so that the key is completely undetermined unless k pieces are collected, which means that every possible value that can be assembled with fewer than k pieces has the same probability of being correct.
To get a deeper understanding of how the algorithm works, an example will be explained. To make the example more intuitive a basic function is used, but in practice it would be more complex. The complexity consists of larger numbers when constructing the function, and the modulus operation is always used when dividing the secret into k parts, to ensure that all combinations are equally likely to be correct even when k − 1 parts have been acquired.
Suppose the secret is 2760 ($S = 2760$) and is going to be split into six pieces, i.e. $n = 6$, and to get the full secret a subset of any three parts is needed ($k = 3$). The first thing to do is to create a polynomial $f(x)$ of degree $k - 1$ by generating $k - 1$ random numbers, in this case $k - 1 = 2$. $a_1$ is the first random number and $a_2$ is the second. Let's say $a_1 = 186$, $a_2 = 92$.

$$f(x) = 2760 + 186x + 92x^2 \qquad (1)$$

The polynomial is built on $f(x) = S + a_1 x + a_2 x^2$. From $f(x)$ the six parts can be constructed as $D_{x-1} = (x, f(x))$. This gives:

$$D_0 = (1, 3038),\quad D_1 = (2, 3500),\quad D_2 = (3, 4146),\quad D_3 = (4, 4976),\quad D_4 = (5, 5990),\quad D_5 = (6, 7188)$$

It is important to use $D_{x-1}$, since $D_x$ would expose the whole secret ($D_0 = S$). To reconstruct the secret, three parts are needed. With the help of these three parts a polynomial interpolation is done by calculating the Lagrange polynomial. Let's consider $D_1 = (x_0, y_0)$, $D_3 = (x_1, y_1)$ and $D_4 = (x_2, y_2)$ to be the parts that are known. The secret is then calculated as follows:

$$l_0 = \frac{x - x_1}{x_0 - x_1} \cdot \frac{x - x_2}{x_0 - x_2} = \frac{x - 4}{2 - 4} \cdot \frac{x - 5}{2 - 5} = \frac{10}{3} - \frac{3x}{2} + \frac{x^2}{6}$$

$$l_1 = \frac{x - x_0}{x_1 - x_0} \cdot \frac{x - x_2}{x_1 - x_2} = \frac{x - 2}{4 - 2} \cdot \frac{x - 5}{4 - 5} = -5 + \frac{7x}{2} - \frac{x^2}{2}$$

$$l_2 = \frac{x - x_0}{x_2 - x_0} \cdot \frac{x - x_1}{x_2 - x_1} = \frac{x - 2}{5 - 2} \cdot \frac{x - 4}{5 - 4} = \frac{8}{3} - 2x + \frac{x^2}{3}$$

With these equations $f(x)$ can easily be calculated:

$$f(x) = \sum_{i=0}^{2} y_i \cdot l_i(x) = 2760 + 186x + 92x^2$$

The function, and therefore the secret, is now determined, and only three of the six pieces were used. Any three of the parts could have been used to determine the secret.
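The split and reconstruction above, as an added Python example (not the thesis' own code): it reproduces the six shares and the recovered polynomial for S = 2760, n = 6, k = 3 with a1 = 186, a2 = 92, and also implements the variant computed modulo a prime that the text says is used in practice. The prime 2^127 − 1 and the secret used with it are chosen here for illustration.

```python
"""Shamir (k, n) threshold secret sharing, following the worked example in the text.

Added example, not code from the thesis. Plain integer arithmetic reproduces
the thesis figures; passing `prime` switches to the modular variant in which
fewer than k shares leave every secret value equally likely.
"""
from fractions import Fraction
import secrets


def make_shares(secret, k, n, coeffs=None, prime=None):
    """Split `secret` into n points (x, f(x)) of a degree-(k-1) polynomial.

    coeffs: fixed a_1 .. a_{k-1} (used to reproduce the thesis example) or None for random ones.
    prime:  if given, all arithmetic is done modulo this prime (the practical variant).
    x runs from 1, never 0, because f(0) is the secret itself (D_{x-1} in the text).
    """
    if coeffs is None:
        bound = prime if prime else 10**6          # assumption: toy range for the non-modular case
        coeffs = [secrets.randbelow(bound) for _ in range(k - 1)]
    assert len(coeffs) == k - 1
    poly = [secret] + list(coeffs)                 # f(x) = S + a_1 x + ... + a_{k-1} x^{k-1}

    def f(x):
        y = sum(c * x**i for i, c in enumerate(poly))
        return y % prime if prime else y

    return [(x, f(x)) for x in range(1, n + 1)]


def poly_mul(p, q):
    """Multiply two polynomials given as coefficient lists (lowest degree first)."""
    r = [Fraction(0)] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] += a * b
    return r


def interpolate_polynomial(shares):
    """Full Lagrange interpolation (non-modular): returns [S, a_1, ..., a_{k-1}] as integers."""
    k = len(shares)
    coeffs = [Fraction(0)] * k
    for i, (xi, yi) in enumerate(shares):
        li = [Fraction(1)]                          # l_i(x) built up as a coefficient list
        for j, (xj, _) in enumerate(shares):
            if j != i:                              # multiply by (x - x_j) / (x_i - x_j)
                li = poly_mul(li, [Fraction(-xj, xi - xj), Fraction(1, xi - xj)])
        for d, c in enumerate(li):
            coeffs[d] += yi * c                     # f(x) = sum_i y_i * l_i(x)
    assert all(c.denominator == 1 for c in coeffs)
    return [int(c) for c in coeffs]


def lagrange_basis_at_zero(xs, prime=None):
    """l_i(0) for each share position; only f(0) = S is needed to recover the secret."""
    out = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num *= -xj
                den *= xi - xj
        out.append(num * pow(den, -1, prime) % prime if prime else Fraction(num, den))
    return out


def reconstruct(shares, prime=None):
    """Recover S from any k shares. With fewer than k shares the value is simply wrong."""
    xs = [x for x, _ in shares]
    ys = [y for _, y in shares]
    total = sum(y * l for y, l in zip(ys, lagrange_basis_at_zero(xs, prime)))
    if prime:
        return total % prime
    assert total.denominator == 1
    return int(total)


if __name__ == "__main__":
    shares = make_shares(2760, 3, 6, coeffs=[186, 92])
    print("shares:", shares)
    print("from D1, D3, D4:", reconstruct([shares[1], shares[3], shares[4]]))
    print("polynomial:", interpolate_polynomial([shares[1], shares[3], shares[4]]))
```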
5.1.3 Mobile Certificate Authority
When implementing a trusted authority in an ad hoc network, a framework called Mobile Certificate Authority (MOCA) can be used. This framework is used to share the responsibility of a CA among multiple nodes. The shared responsibility is achieved with threshold cryptography, which is based on Adi Shamir's secret sharing. The MOCA framework divides the private key into n parts, where only k parts are needed to reconstruct the whole key. This means that when a certificate is to be validated, at least k MOCAs need to approve it to make the certificate valid.
When a MOCA approves a certificate it does not send its part of the private key as the response. Instead, an encryption of the data that should be included in the certificate is made with that MOCA's part of the key. When k MOCAs have approved (by encrypting the certificate), the full certificate can be put together with interpolation, and it will be the same certificate as if the full private key had been used. There is never a time when more than one piece of the key is in one place. This means that no node gets more than one piece of the private key, and therefore it is impossible to reconstruct the whole key.
An important task for a CA is to keep track of revoked certificates. The MOCA framework treats this problem with the Certificate Revocation List (CRL). When a certificate is to be revoked, k MOCAs must agree that this certificate should be revoked. All MOCAs then create a revocation certificate, which is encrypted with their individual parts of the key and broadcast to all nodes. Any node that picks up k pieces of encrypted certificates can reconstruct the original revocation certificate and add it to the CRL.
It is important to choose which nodes should be MOCAs in the network. If the network is heterogeneous (see Section 5.1.1), the nodes that are more stationary and have more power, physical security and range should be used as MOCAs.
5.1.4 Detecting compromised nodes
When using an ad hoc network there is always a possibility that a node will be compromised. If a node is compromised without any other node noticing, that node could cause all kinds of trouble, for example create a so-called black hole. A black hole means that the node drops every packet it gets, and thus excludes other nodes from receiving the packets. It could also create a gray hole, which means that the node drops some packets of its own selection. The compromised node would also receive information which it is not supposed to have.
It is possible to detect malicious nodes, provided the network uses DSR, which is an on-demand ad hoc routing protocol. Yu et al. suggest how it is done with the Honesty, Adaptivity, Diversity, Observer and Friendship protocol (HADOF). In HADOF every node launches a so-called Route Traffic Observer (RTO). The RTO collects traffic data from every valid route at a certain interval, which may be chosen depending on the network. A valid route is a route where the data can be transported from source to destination. When the RTO has gathered all the data it needs, it can calculate the quality of every valid route. Some of the data that define the quality of a route are the forwarding history of each node on the route, the hop number and the current traffic load.
The quality of the route Q(R) is constantly recalculated. To calculate Q(R), the RTO needs to calculate the expected packet forwarding of each node on the route by considering the node's current performance and its past history. This is defined as P(A). The HADOF protocol multiplies this by an honesty constant H (0 < H < 1), where 0 means that the node is malicious. From this a term λ · L is subtracted, where L is the number of intermediate nodes on the route and λ is a small positive number to account for the effect of the hop number. The full formula is presented in equation 2. The honesty constant is also updated within the update interval. Every node starts with honesty 1, since all nodes that have received a certificate are trusted.
Q(R) = H · P(A) − λ · L (2)
The honesty constant is changed if the source node suspects a certain node of tampering with the reports. For instance, if the source node gets forwarding reports from two nodes on the same route but they do not contain the same information, the source node knows that either one of the nodes is cheating or both of them are, so the source node lowers the honesty constant.
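As an added example (not code from the thesis or from the HADOF authors), the following Python sketch of a Route Traffic Observer scores two constructed routes with equation 2 and lowers H when two neighbouring nodes on the same route hand in conflicting forwarding reports. How P(A) blends a node's past history with its current interval, that the route's H is the product of its nodes' honesty values, and that both nodes of a conflicting pair are penalised (the source cannot tell which one lies) are assumptions of this example.

```python
"""Route Traffic Observer sketch for Q(R) = H * P(A) - lambda * L.

Added example, not the thesis' or HADOF's code. Node names, traffic counts and
the blending/penalty factors are constructed for illustration.
"""
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Tuple


@dataclass
class NodeRecord:
    honesty: float = 1.0        # H: every node holding a certificate starts fully trusted
    history: float = 1.0        # forwarding ratio observed in past intervals
    received: int = 0           # packets handed to the node in the current interval
    forwarded: int = 0          # packets the node passed on in the current interval


class RouteTrafficObserver:
    """Per-source RTO: collects forwarding data, scores routes and tracks honesty."""

    def __init__(self, lam: float = 0.05, history_weight: float = 0.5,
                 dishonesty_penalty: float = 0.5):
        self.lam = lam                                  # lambda: small positive hop-count weight
        self.history_weight = history_weight            # assumption: weight of past vs current data
        self.dishonesty_penalty = dishonesty_penalty    # assumption: factor applied to H on a conflict
        self.nodes: Dict[str, NodeRecord] = {}

    def rec(self, node: str) -> NodeRecord:
        return self.nodes.setdefault(node, NodeRecord())

    def observe(self, node: str, received: int, forwarded: int) -> None:
        """Record how many packets a node was given and how many it forwarded."""
        r = self.rec(node)
        r.received += received
        r.forwarded += forwarded

    def forwarding_probability(self, node: str) -> float:
        """Expected forwarding of one node: current-interval ratio blended with its history."""
        r = self.rec(node)
        current = r.forwarded / r.received if r.received else r.history
        w = self.history_weight
        return w * r.history + (1 - w) * current

    def end_interval(self) -> None:
        """Fold the current interval into each node's history and reset the counters."""
        for n in list(self.nodes):
            self.rec(n).history = self.forwarding_probability(n)
            self.rec(n).received = self.rec(n).forwarded = 0

    def route_quality(self, route: List[str]) -> float:
        """Equation 2 for a route [source, ..., destination]; L counts the intermediate nodes."""
        intermediate = route[1:-1]
        p_a = prod(self.forwarding_probability(n) for n in intermediate)
        h = prod(self.rec(n).honesty for n in intermediate)   # assumption: product of node H values
        return h * p_a - self.lam * len(intermediate)

    def best_route(self, routes: List[List[str]]) -> List[str]:
        return max(routes, key=self.route_quality)

    def check_reports(self, route: List[str],
                      reports: Dict[str, Tuple[int, int]]) -> List[str]:
        """Compare the reports of neighbouring nodes; returns the nodes whose H was lowered.

        reports: node -> (packets received from upstream, packets forwarded downstream).
        Upstream's forwarded count must match downstream's received count.
        """
        suspects = []
        for up, down in zip(route[1:-2], route[2:-1]):
            if up in reports and down in reports and reports[up][1] != reports[down][0]:
                for n in (up, down):                    # source cannot tell which one lies
                    self.rec(n).honesty *= self.dishonesty_penalty
                    suspects.append(n)
        return suspects


if __name__ == "__main__":
    rto = RouteTrafficObserver(lam=0.05)
    clean, black = ["A", "B", "C", "D"], ["A", "E", "F", "D"]
    # constructed observations for one interval: F drops everything (a black hole)
    for node, recv, fwd in [("B", 50, 50), ("C", 50, 50), ("E", 50, 50), ("F", 50, 0)]:
        rto.observe(node, recv, fwd)
    print("Q(clean) =", rto.route_quality(clean), " Q(black hole) =", rto.route_quality(black))
    print("conflicting reports from:", rto.check_reports(clean, {"B": (50, 50), "C": (30, 30)}))
    print("Q(clean) after penalty =", rto.route_quality(clean))
```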
Our system
The questions in Section 2.1 can be handled with the information acquired in the literature study. This information has resulted in a system that can validate certificates without a third party. The system was formed with a crisis scenario in mind, such as an earthquake or war. The system has four main functionalities:
• Certifying nodes
• Subnetworks
• How to handle compromised nodes
• How to handle partitions
Furthermore it was assumed that the routing protocol in the network would be DSR, since HADOF requires that.
5.2.1 Node types
In a situation when a natural disaster has occurred a lot of people from different organisations and different companies are involved. When setting up an ad hoc network there are several types of objects and people that can act as nodes. In our proposed system, there are three kinds of nodes. The first type, which has the highest rank is called Chief Node (CN). Since the CNs are the nodes with highest rank they need to be chosen carefully. It is good if they are rather stationary, have long transmission range and have a great physical security so the risk for losing a CN to attackers decreases. In a military situation an appropriate CN could for example be a vehicle with a good antenna, or a stationary object in a camp. The work of a CN is to hand out certificates to newly arriving nodes, so they can be able to communicate in the network.
The second node type is called Group Node (GN) and is described in further detail in Section 5.2.4, and the last type is the Regular Node (RN). RNs can be people such as police officers, fire fighters or volunteers. In the rest of this section, figures are used to illustrate functionalities in the system. Figure 5 is a legend of how nodes are represented.
Figure 5: Node legend
5.2.2 Initializing network
Before the network is up and running, an initializing process must be executed. First, n CNs are chosen according to the criteria in Section 5.2.1. At start-up, all CNs agree on a key which is divided into n pieces according to Shamir's Secret Sharing algorithm (Section 5.1.2). Every CN gets its own piece of the key, and a certificate is created for each CN (based on the newly decided key). Every CN also decides an individual password, which is hashed and added to a list that is given to all the CNs. This list is used to secure the integrity of the CNs when a node is being certified; no password is ever stored in plain text. With the help of these certificates all the CNs have an encrypted communication channel to use, since the certificates include private/public key pairs. After this initializing step, RNs can be certified and use the network. How the certifying process works is described in the next section.
5.2.3 Certifying a node
When a node wants to join the network, it has to get a certificate from a CN. To be able to get a certificate the node has to be physically close to a CN, since an authorisation requires NFC. This enables the person in charge of the CN to actually see the person requesting the certificate. When the node is close enough it uses NFC to ask for a certificate, as is shown to the right of Figure 6. The CN then puts its own identity in the certificate along with the identity of the node, the node's public key, a hash function, a time limit which says how long the certificate is valid and a digital signature which is a hash of all the information in the certificate. The expiration time for the certificates is not defined, since the system is theoretical and it is possible that it should vary between systems. The expiration time of a certificate should be set when the exact purpose of the system is defined.
Now the CN has the content for the certificate and needs to sign it with the partial keys shared among the CNs. To get the partial signatures the CN sends a Certification Request (CREQ) and the password to all other CNs; this is also illustrated in Figure 6. On the receiver's side the password is hashed and checked against the list of password hashes. Provided that the password is correct, each receiving CN signs the data with its part of the shared private key and returns the result in a Certification Reply (CREP), which is also illustrated in Figure 6. When the CN sending the CREQs receives k CREPs, it can reconstruct the certificate as described in practical threshold signatures. The CN then hands over the certificate to the node via NFC.
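The CREQ/CREP exchange above, worked through as an added example that is not code from the thesis or from the cited papers: a toy k-of-n threshold RSA signature after Shoup's practical threshold signatures, with the Shamir-shared private exponent, the hashed password list a CN checks before answering a CREQ, and the reconstruction of the full signature from k CREPs. A revocation certificate (Section 5.2.5) is assembled from k parts in exactly the same way. The primes, passwords and polynomial coefficients are constructed and far too small to be secure.

```python
"""Added example, not code from the thesis or the cited papers: a toy k-of-n
threshold RSA signature after Shoup's 'Practical threshold signatures',
modelling how a CN collects CREPs from other CNs to sign a certificate.
Primes, passwords and polynomial coefficients are constructed and far too
small to be secure; SHA-256 stands in for a proper password hash."""
from fractions import Fraction
from hashlib import sha256
from math import factorial, gcd

P, Q = 23, 47                        # safe primes: 23 = 2*11+1, 47 = 2*23+1
N = P * Q                            # public modulus (1081)
M = ((P - 1) // 2) * ((Q - 1) // 2)  # 253, order of the quadratic residues mod N
E = 257                              # public exponent: prime and larger than n
D = pow(E, -1, M)                    # private exponent, shared among the CNs
N_CN, K = 5, 3                       # n CNs, any k of them can sign
DELTA = factorial(N_CN)              # Shoup's Delta = n!

def deal_shares(secret, k, n, coeffs):
    """Shamir split over Z_M: share i is f(i) with f(0) = secret, deg f = k-1.
    This dealer step stands in for the CNs agreeing on the key at start-up."""
    poly = [secret] + list(coeffs)
    assert len(poly) == k
    return {i: sum(c * pow(i, j, M) for j, c in enumerate(poly)) % M
            for i in range(1, n + 1)}

SHARES = deal_shares(D, K, N_CN, coeffs=(17, 101))
# hashed password list handed to every CN; no plaintext password is stored
PASSWORD_HASHES = {sha256(pw.encode()).hexdigest()
                   for pw in ("cn1-pw", "cn2-pw", "cn3-pw", "cn4-pw", "cn5-pw")}

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def lagrange_int(i, subset):
    """Integer Lagrange coefficient Delta * prod_{j != i} j / (j - i)."""
    lam = Fraction(DELTA)
    for j in subset:
        if j != i:
            lam *= Fraction(j, j - i)
    assert lam.denominator == 1
    return int(lam)

def handle_creq(x, password, share):
    """CN side of a CREQ: accept only if the password hashes to an entry in
    the list, then answer with the CREP partial x^(2*Delta*share) mod N."""
    if sha256(password.encode()).hexdigest() not in PASSWORD_HASHES:
        return None
    return pow(x, 2 * DELTA * share, N)

def combine(x, partials):
    """Combine k CREPs {cn_id: partial} into y with y^E == x (mod N)."""
    subset = sorted(partials)[:K]
    w = 1
    for i in subset:
        w = w * pow(partials[i], 2 * lagrange_int(i, subset), N) % N
    e_prime = 4 * DELTA * DELTA              # here w == x^(e_prime * D)
    g, a, b = egcd(e_prime, E)
    assert g == 1
    return pow(w, a, N) * pow(x, b, N) % N   # y^E == x^(e_prime*a + E*b) == x

def sign_certificate(content, password, responders):
    """Requesting CN: hash the certificate body to x, send CREQs to
    `responders`, reconstruct the signature once k CREPs have arrived."""
    x = int.from_bytes(sha256(content).digest(), "big") % N
    while gcd(x, N) != 1:                    # toy-modulus artefact: keep x invertible
        x += 1
    creps = {i: handle_creq(x, password, SHARES[i]) for i in responders}
    partials = {i: p for i, p in creps.items() if p is not None}
    if len(partials) < K:
        raise ValueError("fewer than k CREPs received")
    return x, combine(x, partials)

def verify(x, y):
    """Plain RSA check that any node can run with the public key (N, E)."""
    return pow(y, E, N) == x
```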
Figure 6: Certifying a node with NFC by sending CREQs and CREPs
5.2.4 Subnetworks
To increase the availability of the proposed system it is possible to create subnetworks. In a subnetwork a GN works as a kind of sub chief node. A GN can validate certificates on its own. The nodes with these certificates can however only communicate with that GN and with other nodes holding a certificate authorized by that GN. The only node that is able to communicate outside the subnetwork is the GN. This means that if a node in the subnetwork wants to send information to a node outside the subnetwork, it has to send the information to the GN, which then forwards it (Figure 7a). The reason for allowing subnetworks is that it should be easy to set up a network for a group of nodes where only one, or a few, are certified in the big network. In many cases it is also unnecessary for all nodes to be able to communicate with the whole network. For example, a group of fire fighters at the scene of an accident want to be able to communicate with each other, but the rest of the network has no need to communicate with them. The leader of the group can then create certificates for the fire fighters in the group, which enables them to validate the integrity of each other. Another reason for having subnetworks is that a compromised node is easier to handle. If an RN is compromised, the GN can easily cut that node off from the network. If the GN has been compromised, it is not certain that the nodes the GN has certified are trustworthy, and therefore the whole subnetwork can be cut off (Figure 7b).
(a) Group node communicating with full network (b) Group node is compromised, subnetwork can easily be cut off
Figure 7
5.2.5 How to handle compromised nodes
In our system the HADOF protocol (Section 5.1.4) is used for detecting malicious nodes. RNs can report a suspected compromised node to a CN. In order to report a compromised node some proof is needed. It can either be data from the HADOF protocol or some kind of visual proof, anything that makes the CNs confident that the node actually is compromised. When the CNs receive this information they each create a part of a revocation certificate with their part of the private key. The CNs then flood the network with their part of the revocation certificate. Any node that receives k parts of the revocation certificate can create the full revocation certificate and add it to the CRL. In Figure 8 node A has detected that a node is compromised. Node A then sends its evidence of the node being compromised to every CN using the DSR protocol. Then the CNs broadcast their part of the revocation certificate to the rest of the nodes.
Figure 8: Handling compromised nodes
using the system to know which nodes are compromised, therefore it is worth the load it puts on the network. It is assumed that nodes do not get compromised often, which means that this procedure is not carried out often.
The CNs exchange their CRLs with each other at regular intervals, since it is possible that a CN did not get k parts of a specific revocation certificate. By regularly exchanging the CRL it is likely that every CN always has a fully updated CRL. If a new node enters the network it can get the full CRL right away, and the same applies to a node that has been out of range of the network for some time. That node can request the CRL from any node, but the highest probability of getting the fully updated list is to request the CRL from a CN.
5.2.6 How to handle a compromised CN
When a CN is compromised it may be uncertain how long it has been compromised, and therefore also uncertain whether the nodes the CN has certified are trustworthy. The same procedure as when an RN has been found malicious is carried out. Then all the nodes that have been certified by that CN need to get new certificates if they would like to communicate with other nodes in the network again. The CNs embed their own identity in every certificate they hand out through NFC, which means that every node can see which CN has certified the node that sends the data. This way, when a CN has been added to the CRL, the node that gets contacted can simply ignore the message if the CN identity in the certificate matches an identity in the CRL.
5.2.7 How to handle partitions
When the nodes are moving in the network, partitioning is a constant threat. To detect whether partitioning occurs, the solution from A partition detection system for mobile ad-hoc networks is used; it is described in detail in Section 3.6. When partitioning is detected, some kind of scheme is needed to handle the situation. If there are k CNs in the partition, enough to build a certificate that can allow new nodes to enter the network, there is no major problem (except the inevitable fact that the two partitions cannot contact each other). The CNs can simply use each other's parts of the key to build certificates and hand them out to newly arrived nodes. The problem occurs if there are fewer than k CNs in the partition.
All nodes that were certified before the partition occurred will still be able to communicate. If a new node arrives, there is no way that node can be certified, because of the small number of CNs. The solution is to start a new network, with new certificates, to be able to certify new nodes that arrive.
Since the CNs have encrypted communication, they can agree on a key which they then split into as many pieces as there are CNs in the partition. The CNs make a new initialization of a network in their partition, as was described in Section 5.2.2. During this initialization the CNs broadcast a Certification Check (CC) message. The nodes that receive the CC can then respond with an acknowledgement. If a node can acknowledge the CC, the CN can be sure that the node is allowed to communicate in the network. When the CNs know which nodes have the old certificates, they can issue new certificates to those nodes with the parts of the new key they agreed upon. Since the CC checks the integrity of a node, there is no need for the nodes to physically travel to a CN and use NFC for authentication. New nodes, on the other hand, have to go to a CN and do the standard authentication procedure with NFC (Section 5.2.3) to become part of the partition and be able to communicate with the others.
Newly arrived nodes in the partition can be part of the partitioned network, but not part of the whole network until they can communicate with k CNs.
To evaluate and identify the risks of our proposed system a risk analysis was conducted. The analysis is based on the military scenario because the
When the analysis was made, three main assets (risk areas) in the system were in focus. The first risk to be analysed is when certificates are about to be validated (Figure 9). We identified two ways for an attacker to validate certificates: act as one CN, or act as k CNs. If they act as k CNs they can quite easily hand out certificates to nodes that arrive at the network. The only thing that can stop the infiltrator is if the CREQ is forwarded to nodes that are not under the attacker's control. To be able to act as CNs the attacker needs to conquer CN nodes, which can be done either by a stealth attack or a frontal attack.
A stealth attack on one CN is considered possible. Even if CNs are located centrally in a camp and are well guarded objects they can be conquered, but it will probably be detected in the near future. To conquer k CNs is also possible, but since the probability of succeeding with a synchronised attack on k CNs simultaneously is estimated to be low, the organisation should have time to pick a new private key. This key is split up and handed out to the remaining CNs, which prevents the compromised CNs from certifying new nodes that can enter the network. A frontal attack has a higher probability of being detected but a higher potential to succeed. The problem (from an attacker's point of view) is that the attacker will be noticed at some point, and the CN taken in possession can easily be cut off and no longer be accepted to certify new nodes. If the attacker only conquers one CN, the attacker requires more knowledge to avoid being revealed: the compromised node needs to answer CREQs with CREP messages.
In order to certify nodes the attacker must have the password for the CN that is compromised. A standard way of getting a password is by brute force. That is considered impossible here, because the password is checked by the other CNs when CREQs are sent, and the attempts will easily be detected after just a few tries. Since we have a theoretical system we have to assume that no password is ever saved in memory in plain text, neither when sending nor when receiving passwords. This way the attacker cannot get hold of a password by just taking over a CN and inspecting its memory. Bribing and threatening are two other attacks which are difficult to protect against, but their likelihood is still considered quite low.
If an attacker has compromised a CN without being detected, it is possible for the attacker to wait for CREQs with a password and compare them with the list of hashed passwords. Theoretically, the attacker can find out all passwords if the attacker receives CREQs from every CN. This means that if the attacker manages to take over another CN without being detected, the attacker can start certifying malicious nodes into the network. Another scenario is that the attacker gets the password for the compromised CN and the network has not detected that it is compromised. This gives the attacker the possibility to send CREQs and receive CREPs in order to validate certificates for malicious nodes. As long as the attacker manages to do these tasks, the system can be considered to have a single point of failure. But since a compromised CN will be detected in the near future, all the nodes certified by that CN can be cut off, and the failure is thereby handled.
The conclusion of Figure 9 is that it takes a lot of effort for an unauthorised person to be able to hand out certificates. The easiest way would be to infiltrate one CN, but that requires a password, which is hard to get. Alternatively, k CNs can be conquered, but that will most likely be detected. In such a scenario the best way to act is to set up the network from scratch, since k CNs are a major part of the network.
Figure 9: Attack tree, handing out certificates
The second tree (Figure 10) focuses on the possibility of getting access to and reading the information that flows in the network. One way is to steal the information, which can be done by sniffing packets. This does not take a lot of effort from attackers and is almost impossible to prevent. To be able to read the information, it has to be decrypted, which is considered impossible if a good encryption algorithm is used. Another way of obtaining the information is to have control over a device with a valid certificate. The easiest way is to take over a node with a frontal assault or a stealth attack.
A possible vulnerability to analyse is how attackers can alter the information in the packets. That analysis is fairly similar to Figure 10 and will therefore not be presented with an extra tree.
Figure 10: Attack tree with focus on how to read the information in the network
The third and last tree (Figure 11) focuses on how information can be hindered from reaching its destination. This approach is the most difficult for the system to prevent. Partitioning can easily occur and the mechanisms implemented are for detecting partitions rather than preventing them. An attacker can also flood the network which only requires a transmitter and getting close enough to the enemies. Another option is to create black- or grey holes, which requires that a node is compromised.
It is important to critically review the method used to derive the results as well as the result itself. That is what has been done in this Section.
When making a literature study a substantial amount of literature needs to be reviewed. Therefore it is likely that someone else who uses the same method will find other articles that handle our defined questions in a different manner. In order to perform a literature study no special tools or equipment are needed, and the same goes for the risk analysis. Therefore it is easy to replicate our method, arrive at a different solution and then compare the two solutions.
We believe that our references are reliable since all of them come from well known databases. Some of them like ,  and  are older papers, but are cited in many new articles and the methods they describe are still valid and used.
When the risk analysis was made we modified some parts of the method for using attack trees in order to adapt it to our work. Not all risks require an attack to be bad for the system; for instance, partitioning can happen without any attack being made. It is possible that we would have drawn different conclusions from the risk analysis if we had used a different method. An even more reliable conclusion could be reached if the system were analysed by a second party. It would give an even better mapping of the risks of our system if someone who has not been part of the design also made a risk analysis.
When defining a system there are almost always some downsides to it. In the proposed system, DSR is assumed to be the routing protocol. This is necessary to be able to discover compromised nodes effectively. The effectiveness will be uncertain if another protocol is used. Aside from that, the functionality in the system is not based on any specific underlying protocol, which makes it flexible and usable in many different environments.
There may be scenarios where the risk of a node being compromised is most likely low. This could make our system unnecessarily complex and slower than necessary in that scenario. Since our system is only theoretical and we have not made any measurements of any kind, it is also difficult to know what the speed of the system would be in reality.
In the proposed system, any kind of node can report that another node is compromised by sending the information to every CN. Another solution would be that the reporting node broadcasts the information to all other nodes. This would be faster, but it might interfere with other important traffic, and other nodes might not need this information that fast. A further drawback of broadcasting is that the compromised node would also realise that it has been detected.
All of our results are separated from each other which means that it is possible to change any part of the system without affecting the rest of the system.
Since building the system was an iterative process, the risk analysis did not give us many new conclusions. It made us realise some new risks, but most of them only became threats when large portions of the network had been compromised. If that many nodes have been compromised, the people in charge of the network should restart the system on a smaller scale.
A broader perspective
When we designed the system we discussed its uses, and which organisations could use it. We concluded that the system itself is not unethical; put shortly, it is a system that ensures that the right information gets to the right person. However, since our paper is an open document, it is of course possible that an organisation that is considered unethical can implement our system and use it to aid their work.
To conclude, we believe that our system can be used in order to aid actions of unethical nature but the system itself is not unethical.
Conclusion and further development
In this report a method of how to build a secure certificate distributing system has been presented. The main aim was to develop this system by reading existing research in the field in order to make it handle the different circumstances that can occur during the use of an ad hoc network. The questions defined in Section 2.1 have all been answered in the result. Some of them are answered with well-known algorithms and techniques which can also be applied in other areas. Techniques that are more specifically developed for a certain problem are also used in order to optimise the final solution.
The system is developed with the military and first responders in mind. With our system they can rely on a secure way of communicating without the validation of a third party that can also handle problematic scenarios, such as partitioning and compromised nodes. Our system is also very flexible. If anyone would like to use this system but change a specific part of the system, it would be possible to do so.
Since we have an abstract system there are still many things that can be added when it is defined how the system should function. Here we discuss possible functions that could be added depending on what the system should be used for.
7.1.1 Certificate self-revocation function
In a military network nodes may be compromised more often, and the nodes may realise that they are about to be overtaken. In this scenario it would be smart if the node itself could broadcast that it is being compromised and revoke its own certificate, so that even when the node has been taken it will not be able to do any harm to the network.
7.1.2 Security mechanism for receiving part of certificate
Since it is considered difficult to take control of a CN, the method for granting parts of a certificate could be made more secure. If this system is to be used by an organisation whose CNs are more likely to be compromised, it would be of interest to have more steps or a more advanced procedure for granting parts of a certificate.
7.1.3 Functionality for fooling a compromised node
When a node is compromised we deemed it very important that every node gets hold of that knowledge. Therefore the CNs broadcast every part of the revocation certificate. However, this way the compromised node will most surely learn that it has been detected. If it is of interest to the system that the compromised node remains unaware that the system knows it is compromised, the system could use a different strategy for informing the rest of the network about the compromised node. This way the system could try to fool the compromised node, for example by handing it false information.
 R. Hekmat. Ad-hoc networks : fundamental properties and network topologies. Dordrecht : Springer, 2006.
 D. Johnson and D. Maltz. Dynamic source routing in ad hoc wireless networks. In Mobile Computing, volume 353 of The Kluwer International Series in Engineering and Computer Science, pages 153–181. Springer US, 1996.
 V. Coskun, K. Ok, and B. Ozdenizci. Near field communication : from theory to practice. Hoboken, NJ : Wiley, 2012.
A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 2001.
 R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21(2):120–126, February 1978.
 H. Ritter, R. Winter, and J. Schiller. A partition detection system for mobile ad-hoc networks. In Sensor and Ad Hoc Communications and Networks. IEEE SECON. First Annual IEEE Communications Society Conference on, pages 489–497, Oct 2004.
 B. Schneier. Attack trees. Dr. Dobb’s Journal of Software Tools, 24:21–29, 1999.
C. Forsberg and Y. Wengström. Att göra systematiska litteraturstudier: värdering, analys och presentation av omvårdnadsforskning. Stockholm: Natur & Kultur, 2008.
S. Yi and R. Kravets. MOCA: Mobile certificate authority for wireless ad hoc networks. In Proceedings of the 2nd Annual PKI Research Workshop (PKI 03), 2003.
A. Shamir. How to share a secret. Commun. ACM, 22(11):612–613, November 1979.
J.-P. Berrut and L. N. Trefethen. Barycentric Lagrange interpolation. SIAM Review, 46(3):501–517, 2004.
V. Shoup. Practical threshold signatures. In Proceedings of the 19th International Conference on Theory and Application of Cryptographic Techniques, EUROCRYPT'00, pages 207–220, Berlin, Heidelberg, 2000. Springer-Verlag.
W. Yu, Y. Sun, and K. J. R. Liu. HADOF: Defense against routing disruptions in mobile ad hoc networks. In INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE, volume 2, pages 1252–1261, March 2005.