How to Design Wireless Security Mechanisms

1
How to Design Wireless Security Mechanisms

• Manel Guerrero Zapata
• ltmanel.guerrero-zapata_at_nokia.comgt
• Mobile Networks Laboratory
• Nokia Research Center

2
Introduction

• Problems in our research area
• Not much to be implemented in the near future.
• Researchers do not have enough background
  (routing protocols and security in wired
  networks).
• Too many people needing to publish papers in
  order to get a PhD.
• Too much simulation, not much analysis.

3
Tamper resistant devices

• There is no such thing as a tamper resistant
  device. (See Anderson Kuhn "Tamper Resistance -
  a Cautionary Note" "Low Cost Attacks on Tamper
  Resistant Devices")
• Trying to combine symmetric cryptography
  solutions with tamper resistant devices to create
  the same result provided by alternatives that use
  asymmetric cryptography does not make sense.

4
Misbehaving detection schemes

• It is quite likely that it will be not feasible
  to detect several kind of misbehaving (specially
  because it is very hard to distinguish
  misbehaving from transmission failures and other
  kind of failures).
• It has no real means to guarantee the integrity
  and authentication of the routing messages!
• With all this being common knowledge, it is
  amazing that there are some people writing papers
  on top of this idea (like the guys from EPFL
  Lausane).

5
Systems with unrealistic requirements

• MAC addresses identify unquely a node.
• Every node should have some means to know its
  geographic position.
• There is a central server that is available by
  all the nodes.
• There is a tight time synchronization between all
  the nodes of the network (the latest craze using
  TESLA by Dave Johnson, Perrig and Hu).

6
Complex systems thatuse fancy mathematics

• With mathematics you can hide the fact that,
  actualy, your system does not work at all. Just
  use a lot of formulas.
• My favourite example is 'Securing Ad hoc
  Networks' by Zhou Haas. A distributed CA that
  does not work if there are only two nodes in a
  network partition. (Although is good in that
  recognizes the non-feasibility of the central
  server approaches).

7
So what's the right way?

• Securing routing messages vs data messages.
• The scenario that is going to protect.
• The security features that this scenario
  requires.
• The security mechanisms that will fulfill those
  security features.

8
Analisis

• The analysis of requirements Whether the
  security features are enough for the targeted
  scenario.
• The analysis of mechanisms Whether the security
  mechanisms are indeed fulfilling all the security
  requirements. When doing this, it will be found
  that there are still some attacks that can be
  performed against your system. Some of them,
  typically, aren't avoid because a trade off
  between security and feasibility.
• The analysis of feasibility Whether the security
  mechanisms have requirements that are not
  feasible in the targeted scenario.

9
That's all

• Thank you for your atention.
• More info about SAODV in
• http//ant.eupvg.upc.es/tarom/saodv.html