AEOLUS School on Security of Global Computers: Challenges and Approaches presentation

About This Presentation

Transcript and Presenter's Notes

Title: AEOLUS School on Security of Global Computers: Challenges and Approaches

1
AEOLUSSchool on Security of Global Computers
Challenges and Approaches

September 18 - 20, 2007
Salerno, Italy

Integrated Project IST-015964 Algorithmic
Principles for Building Efficient Overlay
Computers
2
Analyzing Trust using Formal Logic and
Applications to the KeyEstablishment Problem of
Sensor Networks

Paul Spirakis1,4
joint work with
Chatzigiannakis1,4, E. Konstantinou2 V.
Liagkou1,4,
E. Makri2 and Y.C. Stamatiou3

1Research and Academic Computer Technology
Institute, 2University of the Aegean,
3University of Ioannina and 4University of Patras
3
Structure of the talk

Part A A new paradigm for Trust
Part B Distributed group key management
protocols suitable for energy constrained
networks.
B1Key Management Scheme (K.M.S) based on the
Fixed Radius Graph Model.
B2Key Management Scheme (K.M.S) based on
elliptic curve cryptography
Future Research

4
Part A A new paradigm for Trust

Introduction
Trust Concept
Trust in Global Computing Systems
A new paradigm for Trust
Graph Models
Formal Logic of Graphs
A generic trust model based on threshold laws for
mathematical logic.
Threshold Behavior.

5
Trust Concept

Trust plays a major role in the viability and
usability of a system.
There are
trust management models for complex and
dependable computer systems
schemes for the design of secure information
systems which are based on automated trust
management protocols

6
Trust

Key concepts
Desired TRUST properties are explicitly captured
on the model level
Security is not a separable concern on the
implementation level but it can be captured on
the model level.
Model checkers verify emerging system properties
Use existing model checking/verification
technology
Tools are available for maintaining, adapting,
and verifying security models
Tool support is essential beyond programming
languages
Trusted software systems are automatically
generated for diverse platforms
Model weavers and model-based integration
tools/toolchains address platform diversity
issues.

7
Integration

Direct use of security technology results
principles, algorithms, techniques
Bridge towards social science aspects
integration of duties of care, privacy, and
information policy study results as explicit
TRUST models

8
Fundamental research issues

Modeling language for TRUST properties
What are the right techniques for capturing
provided/required security properties?
How do we integrate these with application
models?
Model verification algorithms
What are the security properties that could be
verified from system models?
What methods and tools are available for
verification?
How to translate security-enriched models into
analysis models?

9
Fundamental research issues
Design Models Functionality
Security Models Solutions
1. Modeling language?
Model Transformer
2. Analysis technique?
Application Models Implementation
Analysis Tool
Analysis Models Abstraction
10
Trust in Global Computing Systems

We believe that the dynamic, global computing
systems are not amenable to a static viewpoint of
the trust concept, no matter how this concept is
formalized.
We believe that trust should be augmented with
a statistical, asymptotic concept
studied in the limit as the system's components
grow according to some growth rate.

11
A New Paradigm for Trust

We define added trust as an emerging system
property that appears when a set of properties
hold, asymptotically, almost certainly in random
communication structures.
This requires
One adopts a random graph model that best suits
the target dynamic system (network).
Then a number of properties are stated using
first order logic or some second order logic
fragment.
Conditions are established under which these
properties appear (or do not appear) in the
limit, as the system grows.

12
Random Graph Models

We will denote by n the number of nodes of graph
G and by O the set of all possible edges
between these nodes.
Model Gn,m select the m edges of G by selecting
them uniformly at random, independently of one
another from O.
Model Gn,p include each edge of O in G
independently of the others and with probability
p.
Model Gn,R0,dgenerate n points in some
d-dimensional metric space uniformly at random
and draw an edge between two points only if their
distance is at most R0.
Model Gk,,m,p (Random intersection graph) each
node i of the k available creates a set S_i by
selecting uniformly at random each of the
available m objects with probability p.

13
Natural Language of Graphs

We are interested in discovering conditions under
which a random graph model displays threshold
behavior for certain properties that can also be
relevant to trust or security issues.

14
First Order Language of Graphs

We will be confined to properties expressible in
the first order language of graphs.
The alphabet of the first order language of
graphs consists of the following
Infinite number of variable symbols, e.g. z, w, y
which represent graph vertices.
The binary relations (equality between
graph vertices) and (adjacency of graph
vertices) which can relate only variable symbols,
e.g. xy means that the graph vertices
represented by the variable symbols x,y are
adjacent.
Universal, , and existential, ,
quantifiers (applied only to singletons of
variable symbols).
The Boolean connectives used in propositional
logic, i.e. .

15
First Order Language of Graphs

The important extension statement in Natural
Language
The extension statement Ar,s, for given values
of r,s, states that for all distinct x1,x2,,xr
and y1,y2,,ys there exists distinct z adjacent
to all xis but no yj.

16
The Importance of The Extension Statement

When the extension statement Ar,s, applied to the
first order language of graphs, if Ar,s (for all
r,s) holds for a random graph G (in some random
graph model) with probability tending to 1
asymptotically with the number of vertices of the
graph, then for every statement A written in the
first order language of graphs either
lim n-gt8 PrG(n,p) has A 0
or lim n-gt8 PrG(n,p) has A 1.

17
The Importance of The Extension Statement

The Extension Statement can be used in order to
settle the existence of thresholds for all
properties expressible in the first order
language of graphs in any random graph model

18
First Order Graph Properties

Examples of graph properties expressible in the
first order language of graphs
The existence of a triangle
x y w (xy) (yw) (wx).
The diameter of the graph is at most 2
x y xy x y w (xw wy).

19
Thresholds of First Order Properties

Fagin gave the first general proof that first
order properties are threshold properties for
G(n,p) with p1/2.
This proof can be cast into the powerful
extension statement framework and proved more
easily (Spencer, The Strange Logic of Random
Graphs).
Here we give analogous theorems for two
different random graph models.

20
Second Order Language of Graphs

The second order language of graphs is defined
exactly as the first order language except that
it allows quantification over subsets of graph
vertices (predicates) instead of single vertices.

21
Second Order Properties of Graphs

An example of such property follows
Separator Property Let F F1, F2, , Fm be
a family of subsets of some set X. A separator
for F is a pair (S,T) of disjoint subsets of X
such that each member of F is disjoint from
either S or from T. The size of the separator is
min(S,T).

22
The Separator Property In The Context of Trust

Let us assume that Fi 2, modeling an edge of a
graph.
Thus, the sets Fi model a graph's links between
pairs of nodes.
With this constraint, the separator property says
that in a graph there exist two disjoint sets of
nodes S and T such that any set of two adjacent
(i.e. communicating) nodes is disjoint from
either S or T.

23
The Separator Property In The Context of Trust

It is not possible to have one node belonging to
one of the two disjoint sets S and T and the
other node belonging to the other.
no two communicating nodes are authenticated
by two different authentication bodies (the two
disjoint sets of nodes).

24
The Separator Property In The Context of Trust

Thus, the two nodes can trust each other more
since they are not authenticated by two disjoint
(i.e. unrelated) authentication bodies.
Each of the two disjoint sets may form, for
instance, Certification Authority (CA) providing
authentication services.

25
The Separator Property

The separator property can be written in the
second order language of graphs as follows
Let X to be a set of vertices and the subsets Fi
to be of cardinality 2

26
Second Order Properties of Graphs

Trusted representatives A graph G has the
trusted representatives property if there exists
a set of vertices such that any vertex in the
graph is an adjacent with at least one of these
vertices.

27
Thresholds of Second Order Properties

The extension statement, cannot be used in order
to examine whether the Second Order Properties
have a threshold behavior.
Kolaitis and Vardi proved that there are second
order fragments that do not have a threshold
behavior while other second order fragments do.

28
Thresholds of Second Order Properties

Let denote the existential second order
logic.
Some restricted first order logics that have been
studied in connection to are
The Bernays-Schönfinkel class, which is the set
of all first order sentences with quantifier
prefixes of the form
The Ackermann class, which is defined as the
collection of first order sentences of the form
.
The Gödel class, which is defined as the
collection of first order sentences of the form
.

29
Thresholds of Second Order Properties

The separator property belongs to the second
order fragment since it
contains two consecutive universal quantifiers.
The separator property is not guaranteed to be a
threshold property since the second order
logic fragment does not display a threshold
behaviour in general.

30
Thresholds of Second Order Properties

The trusted representatives property belongs to
the second order fragment
since it contains a single
universal quantifier.
It could be a threshold property since the second
order logic fragment has a
threshold behaviour in general.
Asymptotically, it holds with either probability
0 or 1 depending on the random graph model
parameters.

31
A generic trust model based on threshold laws for
mathematical logic

Step 1We adopt a suitable random graph model
that best suits the target dynamic system
(network).

32
A generic trust model based on threshold laws for
mathematical logic

Step 2We define a number of properties that
model facets of trust using first order logic or
some second order logic fragment.

33
A generic trust model based on threshold laws for
mathematical logic

Step 3 if the property can only be written using
second order logic, then we examine whether the
property can be cast into the language of a
fragment of the second order logic that has a
threshold behavior (e.g.
(Ackermann))

34
T R U S T M O D E L
Select Graph Model
Define Trust Properties
Check if trust properties hold asymptotically for
the chosen graph model
NO
Property
Is 1st Order Property?
Is 2nd Order Property?
NO
YES
YES
Describe this second order logic fragment
Establish conditions for thresholds according
the Graph Model
Fragmenti
(Ackermann)
(Gödel)
NO
YES
Have they threshold?
Asyptotic validity

Check this property whether it is a threshold
property or not.
YES
Unknown Property
NO
35
Threshold behavior of the Intersection graph model

Theorem 1 The probability that As,t fails for a
random graph of the Gk,m,p model is bounded from
above as follows
with

(1)
36
Threshold behavior of the Intersection graph model

Theorem 2For the random model Gk,m,p , with m,p
functions of k, three sufficient conditions for
the right-hand side of (1) to tend to 0 are the
following
constant
0 and p2mgtgt
and p2mltlt

37
Proof of Theorem 2

From Inequality (1)(Theorem 1) , it follows that
It is easy to see that the probability of having
an edge between two vertices of a Random
Intersection Graph within this model is equal to
1-(1-p2)m

(2)
38
Proof of Theorem 2

We will establish conditions on the parameters
k,m,p that suffice to force the right-hand side
of (2) to tend to 0.
These conditions will define ranges on k,m,p that
suffice in order to ensure that the intersection
random graph model displays threshold behavior.

39
Proof of Theorem 2

In order to have the right-hand side of (2) to
tend to 0, for any fixed s and t, it suffices to
ensure that

(3)
40
Proof of Theorem 2

We have the following three cases
Assume, first, that
is a constant c, 0
lt c lt 1.
This happens only if p2m is (or tends to) a
constant different from 0.
In this case, Condition (3) holds since the
expression there is T(k).

41
Proof of Theorem 2

Assume, now, that ,
which holds only if p2m tends to 0.
In this case we can apply the approximation
(1-p2)m 1-p2 m.
Then the expression in (3) is, asymptotically,
equal to k(p2 m)s. Thus, a sufficient condition
for (3) to hold is to have p2mgtgt .

42
Proof of Theorem 2

Finally, assume that
which occurs if p2 m tends to infinity. Then for
Condition (3) to hold it suffices to ensure that
(1-p2)m converges to 0.
Equivalently, we need to ensure that
(1-p2)mgtgt1/k,
Taking logarithms, we need to have
mln(1-p2)gtgt-ln(k).
Since p tends to 0, we can approximate ln(1-p2 )
with p2 .
Thus m(-p2 )gtgtln(k), which holds if m p2 ltlt
ln(k) completing the proof of the theorem.

43
Threshold Behavior of the Fixed Radius Random
Graph Model

Lemma 3For the 2-dimensional sphere (circle) the
probability that Ar,s fails for Gn,R0,d is
bounded from above as follows
Where D2(R0) the probability that 2 random points
are within R0 distance from each other

(4)
44
Threshold Behavior of the Fixed Radius Random
Graph Model

Theorem 4
If is a constant,
0 lt c lt 1,
then Equation (4) tends to 0.
If ,
then Equation (1) also tends to 0.

45
Threshold Behavior of the Fixed Radius Random
Graph Model

Theorem 5
Let be a constant,
with 0 lt c lt 1.
Then for any first order property A,
PrGn,R0,2 has A tends to 1 or 0.
If
then PrGn,R0,2 has A tends to 1 or 0 too.

46
Threshold Behavior of the Fixed Radius Random
Graph Model

According toTheorem 4 and Theorem 3, we only need
to increase the threshold probability (in the
2-dimensional case) from to ,
to , also, ascertain connectivity in the
resulting graph.

47
Part B Key Management Schemes

B1Key Management Scheme (K.M.S) based on the
structure induced by the fixed radius model.
B2Key Management Scheme (K.M.S) based on
elliptic curve cryptography.

48
Part B Key Management Schemes (K.M.S)

Introduction
Wireless Sensor Networks (W.S.N)
Key Management in W.S.N
Relevant K.M.S
Critical Properties of K.M.S
Cryptographic Properties of K.M.S
B1K.M.S of Fixed Radius Model
B2K.M.S based on elliptic curve cryptography

49
Current and Future Applications

Huge range of possible applications
Based on the variety of sensors
(thermal, acoustic, seismic, etc.)
Replacing old wire sensors or in new applications
Costs are constantly going down New sensors are
being produced (biosensors, etc.)

50
Current and Future Applications

Future applications are envisioned for
Monitor and Control
(Habitat, Environmental, Ecosystem,
Agricultural, Structural, Traffic, Manufacturing,
Health)
Security and Surveillance
(Border and Perimeter control, Target
tracking, Intrusion detection)

51
Available Technology

Current sensor devices measured in cubic
centimeters and contain
Processing unit -- Limited Processing
Capabilities (0.6 MIPS)
Non-volatile storage -- Limited Memory
Capabilities (32-512 Kb)
One or more Sensors (Light, Motion, Temperature,
Seismic, Acoustic, etc.)
Wireless Communication -- Advances in low-cost
communication
Radio 38.4 Kbits/sec _at_ 200m
Bluetooth 1 Mbits/sec _at_ 10m
Optical 30 bps _at_ 21.4 km
Battery power -- Operation may last up to a
couple of months

52
The Need for Multi-hop Communication

Sensor devices are not capable of transmitting at
long ranges
Still, in dense deployment of sensor devices
only one transmitter
large number of collisions
consumes a lot of power
obstacles -- requires line of sight
security issues -- intruder can overhear all
communications

53
The Need for Multi-hop Communication

multi-hop communication can effectively overcome
some of the signal propagation effects
may help to smoothly adjust propagation around
obstacles
increases the capacity of the network\item
mitigates some of the security issues

54
A Common Architecture

A number of n ultra-small homogeneous sensor
devices are spread in an area
There is a single point in the area, which we
call the sink S, that represents a control center
S is very powerful and possibly connected to the
Internet

55
A Common Architecture

Each sensor node
has a limited power supply (e.g. battery)
can communicate at a fixed transmission range R
has a set of monitors (sensors) for light,
pressure etc. has a low duty cycle (active and
sleep modes)
has a limited processing capabilities
has a unique identity
knows the identities of the neighbors

56
Challenges of Wireless Sensor Networks

The unique characteristics give rise to very
different design trade-offs compared to current
general-purpose systems
High density deployment
Highly limited resources (battery, CPU, memory,
sensing range, communication bandwidth)
Frequent topology changes due to low duty cycle
and failures
No knowledge of global topology -- Generally, ad
hoc deployment Data centric operations (e.g.,
routing) instead of address centric
Distributed collaboration for information
gathering, processing and decision making
Task (application)-specific information gathering
platform Immediate reporting on critical
changes of phenomenon
The realization of such efficient, robust and
secure ad-hoc networking environments is a
challenging algorithmic, systems and
technological task

57
Comparison with Wireless Ad-hoc Networks

The required solutions differ significantly, not
only with respect to classic distributed
computing but also with respect to ad-hoc
networking.
To further emphasize on the difference consider
that
the number of interacting devices is extremely
large and dense compared to that in a typical
ad-hoc network
the resources of each device are very limited
there is no fixed infrastructure
the network topology is unknown before deployment
there is a high risk of physical attacks in
unprotected sensor devices

58
Security issues

Should at least guarantee the integrity and
confidentiality of the information reported to
the controlling authorities regarding the
realization of environmental events
The integrity (and the confidentiality) of
control messages sent by the supervising nodes to
the sensors must be guaranteed

59
Security issues

Availability is also an important security
requirement
especially when the sensor network is used in
life critical applications (e.g., earthquake
prediction and telemonitoring of people's health
conditions)
These are more or less standard security
requirements that can also be found in
traditional wired and wireless networks
However, the challenge is to satisfy these
requirements under the special operating
conditions of sensor networks

60
Vulnerabilities and Challenges

Low cost -- protection against tampering is very
difficult
Can easily capture the devices, and easily read
the content of their memory
Can be easily reverse engineered and replicated
Limited Capabilities
Risk of DoS attacks
Restrictions on cryptographic primitives to be
used
Storing one-way chains of keys along message
route requires more memory

61
Vulnerabilities and Challenges

Deployment is not known in advance
Can be random
Pre-configuration is difficult
Unattended operation
Difficult to monitor individual nodes constantly
Some sensors can be maliciously moved around

62
The need for Multi-level Approach

These constraints make it difficult to secure
sensor networks
A single solution is highly vulnerable\item
Still, building secure sensor networks is of
paramount importance

63
The need for Multi-level Approach

Multi-level Approach only viable solution is to
combine different techniques for securing the
system
implement secure routing schemes, secure
aggregation, provide group key establishment
methods, cryptographically encrypt messages etc.
the combination of multiple attacking angles
increases the overall achieved security

64
Key Management in WSN

Key management is critical for the protection in
WSN
Key management schemes help to prevent
adversaries from attacking the wireless network.

65
Key Management in WSN

Key management schemes help to guarantee the
confidentiality and integrity of the information
reported to the controlling authorities regarding
the realization of environmental events.

66
Pairwise Key Pre-distribution

Random Pair-wise Key Pre-distribution
A set of keys randomly chosen from a key pool
Physical Topology Virtual
Key-Sharing Topology

67
Pairwise Key Pre-distribution -- Performance
Issues

Reservoir of k keys
m(ltlt k) keys pre-distributed in each sensor
Probability for any 2 nodes to have a common key

68
Relevant K.M.S

A lot of them do not provide a proof of security.
Bresson et al. were the first to present a formal
model of security and the first to give rigorous
proofs of security for particular protocols.
Recently,Katz and Yung proposed a more general
framework that provides a formal proof of
security for Burmesters and Desmedts protocol.

69
Relevant K.M.S

Most group key establishment protocols
are based on generalizations of Diffie-Hellman
key exchange protocol.
are very demanding for use in WSN (according the
number of transmitted data, exponentiations and
collisions).
Steiner, Tsudik and Waidner introduced GDH.3
protocol, its simplicity and the limited memory
requirements make it more applicable in WSN.

70
Critical Properties of Key Management Protocols

Availability any sensor node or service must be
available whenever required.
Key authentication assuring only intended nodes
can access a key.
Integrity ensuring that there is no unauthorized
data modification.
Confidentiality providing security measures in
order to avoid eavesdropping

71
Critical Properties of Key Management Protocols
in WSN

Scalability, in order to operate in extremely
large networks.
Efficiency, with respect to both energy and time.
Fault-tolerance, as sensor devices are prone to
several types of faults and unavailabilities, and
may become inoperative.

72
Cryptographic Properties of Key Management
Protocols

Computational group key secrecy It must be
computational infeasible for any passive
adversary to discover any group key.
Decisional group key secrecy There is no
information leakage other that public blinded key
information.

73
Cryptographic Properties of Key Management
Protocols

Key independence A passive adversary who knows a
proper subset of group keys can not discover any
other of the remaining keys.
Forward secrecy A passive adversary who knows a
contiguous subset of old group keys cannot
discover any subsequent group key.
Backward secrecy A passive adversary who knows a
contiguous subset of group keys cannot discover
preceding group key.

74
Group-key Establishment -- Membership Events

We distinguish the following four membership
events
Join Event a single member wants to join the
existing group. The group key is updated to
include the new member and the all participants
are informed about the new key.
Leave Event a member wishes to leave the group,
or is forced to leave it. The group key must be
properly modified so that the departing
participant can no longer use the old group key
in order to encrypt/decrypt the group's
communications.

75
Membership Events

Group Merge Event multiple potential members
want to join an existing group. The keys of the
two groups are merged so that all participates
can communicate with each other using a common
shared key.
Group Partition Event multiple members leave the
group with or without forming their own subgroup.
A new key must be established for each
partitioned subgroup to guarantee secrecy.

76
B1K.M.S of Fixed Radius Model

Key Predistribution Schemes(K.P.S)
Problems in K.P.S
The Theoretical tools
Our Proposed KMS
The Number of Shared Keys
Searching Good properties

77
Key Predistribution Schemes(K.P.S)

Initially each node is assigned a predefined set
of keys.
When the node enters the network, it will
communicate with other nodes, whose key sets has
non empty intersection with its own key set.
In order to communicate with nodes whose key sets
do not intersect with its own, it communicates
via other nodes (multiple hops)

78
Problems in K.P.S

One node may never need to communicate with nodes
whose predefined key sets intersect its own.
One node may need to communicate more often with
nodes with whom it shares no key.

79
K.M.S of Fixed Radius Model

It does not rely on predistribution.
It creates and discards, dynamically, key sets
for sensor nodes depending on their current
position.
It forms an interdependence between the key sets
of physically nearby nodes.

80
Threshold Behavior of the Fixed Radius Random
Graph Model

In Theorems 4 and 3 (Presented at Part A), we
proved the threshold behavior of this Graph
model.
We only need to increase the the threshold
probability (in the 2-dimensional case) from
to ,
to , also, ascertain connectivity in the
resulting graph.

81
K.M.S. of Fixed Radius Model
n nodes randomly distributed within a circle of
radius R
Each node transmits only Within distance C
R
The nodes knows its coordinates
C
A fixed radius random graph, with n nodes,
includes edges between nodes only if their
distance is at most 2C
2C
2C
82
K.M.S of Fixed Radius Model

Think a lattice, of the
area With radius R
which is known
to the nodes.
Each of the nodes
will occupy a point
of the lattice.

R
83
K.M.S of Fixed Radius Model

Each node according its current position on the
lattice, it generates its coordinates.
Using these coordinates we can form a set of
keys.
Each node interacts with each neighbors within
distance 2C.
It uses a key agreement protocol to establish a
secure communication with this set of keys.

84
The Number of Shared Keys
R
The number of shared keys can be computed as
the number of points within the common part of
two intersecting circles whose centers are at
a distance s.
C
s
85
The Number of Shared Keys

Setting s aC, 0lta 2 a constant, for the
distance between the nodes, we see that the
number of shared keys is equal to
Thus we have T(C2) shared keys to choose from
using, e.g., some key agreement protocol

86
Good Properties

We can define good properties, with regard to
the key distribution scheme described above,
which can be expressed in the first order
language of graphs
For any node v, its key set Av is not a subset of
the key set of any other node.

87
Good Properties

For any node v, its key set Av cannot be a subset
of the union of the key sets of l or less than l
other nodes. This property cannot, possibly, be
expressible in the first order language of
graphs, it nevertheless can be approximated''
by a property that is expressible.

88
B2K.M.S based on elliptic curve cryptography

Elliptic Curve Cryptosystems
The Diffie-Hellman Algorithm
Protocols Description based on elliptic curve
cryptography
An agent-based K.M.S based on elliptic curve
cryptography

89
Elliptic Curve Cryptosystems

Based on groups which are defined on elliptic
curves.
Elliptic Curve
Defined over a prime (Fp) or a binary field
EC over Fp (E(Fp)) set of solutions (x,y) in Fp
to
along with a special point denoted by ? , called
the point at infinity.

90
Example

y2 x3- 4x 3 solutions (x,y) in
F23
Q F23

91
Generation of a key pair (private-public)
Elliptic Curve Cryptosystems based on Fp 1.
Choose at random a private key d ?1,m-1 2.
Find a random point G on the EC 3. Calculate the
public key e dG mod p

Conventional Cryptosystems
based on Fp
1. Choose at random a private
key d ?1,p-1
2. Find a generator g of the field
3. Calculate the public key
e gd mod p

92
EC Cryptosystems vs Conventional Systems

Same level of security N ?
M1/3(ln(Mln2))2/3)

93
Advantages of ECC

More Efficient (smaller parameters)
Faster
Less Power and Computational Consumption
Cheaper Hardware (Less Silicon Area, Less Storage
Memory)

94
Generation of secure ECs

Cryptographic Strength suitable order
m
Suitable order
m nq where q a prime gt 2160
m ? p
pk ? 1 (mod m) for all 1 ? k ? 20
The above conditions guarantee resistance to all
known attacks to solve ECDLP

95
Generation of ECs

The goal is to determine the following parameters
of an EC
y2 x3 ax b
The order p of the finite field Fp.
The order m of the elliptic curve.
The coefficients a and b.

96
Generation of ECs-Known Methods

Constructive Weil descent
Samples from a, rather, limited subset
of ECs.
Point counting
Rather slow
The Complex Multiplication method
Rather involved, but efficient for
generating secure ECs.

97
Attacks on ECC

The security of ECC is based on the difficulty of
solving ECDLP (Elliptic Curve Discrete Logarithm
Problem).
ECDLP find m for which QmP, where Q,P are two
known points on the EC.
An attack on ECC is an algorithm for solving
ECDLP exponential time

98
Pollards Rho Method

Begins with a point G0 and defines a random walk
Gk F(Gk-1). Terminates when Gj Gi for j ? i.
G0

99
The Elliptic Curve Diffie-Hellman Algorithm

The security of elliptic curve cryptosystems is
based on the difficulty of solving the discrete
logarithm problem (DLP) on the EC group.
The Elliptic Curve Discrete Logarithm Problem
(ECDLP) is about determining the least positive
integer k which satisfies the equation QkP for
two given points Q and P on the EC group.

100
The Elliptic Curve Diffie-Hellman Algorithm
A and B wish to share a secret key
He generates a private key kA and a public key
QA
She generates a private key kB and a public key
QB
sends QA to B
A
B
She computes SkB QA
He computes SkA QB
sends QB to A
S is now their shared secret key
101
Our Protocol

A setup phase is assumed -- generates a unique
group ID, an initial secret shared key and
calculates the group size
initial keys are used only for a short period of
time
no guarantee that a member truly belongs to the
network

102
Our Protocol based on elliptic curve cryptography
Group member M1 generates a random secret value
k1.
M1
k1
Mn
The M1 selects a point P and sends to M2 the
point Q1 k1 P
Q1k1P
M2
Qn
Then M2 sends to M3 the point Q2k1 k2 P
Q2 k1k2 P
Mn-1
M3
Mi
And so on until the protocol reaches member Mn.
Qn-1 k1k2kn-1 P
The point Qn k1k2kn-1kn P is the shared secret
key and is calculated by Mn
103
Protocol Description
Mn encrypts Qn with Mn-1s public key Qn-1 and
sends it to Mn-1
M1
Mn
Encrypted(Qn)

Mn-1
decrypts the message
with his private key kn-1,
acquire the secret value Qn,
encrypts it
with the public key of Mn-2
sends the result to Mn-2

M2
Encrypted(Qn)
Encrypted(Qn)
Mn-1
M3
Mi
Decripts(Qn)
Encrypted(Qn)
And so on until the protocol reaches member M1.
Encrypted(Qn)
104
Final K.M.S

We propose a new lightweight, distributed group
agent-based key establishment protocol suitable
for such energy constrained networks.
We evaluate the performance of our protocols in
comparison to existing group key establishment
protocols.

105
Final K.M.S

We study the feasibility of implementing our
protocol in real sensor network devices
We highlight the advantages and disadvantages of
each approach given the available technology and
the corresponding efficiency (energy, time)
criteria.

106
Our Agent-based Protocol

We avoid using a virtual data structure for the
network topology
We organize the devices in a distributed manner
we use of a mobile agent (software, mobile code)
traverses the network randomly passing through
all the devices
It is particularly suitable for environments that
are dynamic and require minimum coordination
among the group members

107
Our Agent-based Protocol

The protocol is executed in two stages
First stage all the sensor nodes contribute
their random information to construct a shared
secret key
Second stage the shared secret key is
communicated to all nodes

108
First Stage (1)

We activate participant M1 (the Base Station S)
Selects a point P and Generates a random value k1
Calculates the point Q1 k1P
Constructs a new mobile agent A
encrypts A it with the shared key
transmits A to a random neighbor

109
First Stage(2)

Suppose that this neighbor is participant M2
decrypts agent's data, acquires point
generates a random value k2
computes the point Q2k2Q1
updates agent's A information with the point Q2
item encrypts A and transmits to a random
neighbor
The encryption/decryption uses the secret shared
point Qold
The size of A is only 224-bits (fits in a single
TinyOS packet)

110
First Stage(3)

A may pass more than once from each participant
(random walk)
We keep track of the first visit by evaluating a
flag (keyID)
avoid unnecessary operations involving
multiprecision integers
We keep track of the number of nodes visited by A
When the last unvisited node Mn is reached the
stage finishes

111
First Stage(4)

Mn calculates Qn kn kn-1 k1 P
the output of the 1st stage
A is injected back into the network to inform all
participants about the new key

112
Second Stage

Mn puts the point Qn-1 kn-1 Qn in A
Sends A to a random neighbor Mi
When A reaches Mi (is received by)
Multiplies Qn-1 with ki-1 \item Updates A and
sends it back to Mn
When A reaches Mn (is received by)
Multiplies the agent's value with kn
Updates A and sends it back to Mi

113
Second Stage

Mi is now be able to acquire Qn by multiplying
A's context with ki
This three-step procedure is followed in order
to encrypt/decrypt A and extract the shared key
A traverses the network and visits all
participants

114
Correctness of Our Protocol

Fundamental property for any protocol that tries
to establish a common shared key among the
participants of a group
We assume here that the duty cycle of the sensor
devices of the network are determined by
application protocols
The decision of when to sleep is independent of
the motion of A
he devices are not deliberately trying to avoid A
do not enter sleep mode when A is located in the
device

115
Correctness of Our Protocol

We assume that sensors have enough power for
communication
We here assume that channels are safe
messages are delivered without loss or alteration
after a finite delay
A will eventually meet all the participants of
the group with probability 1
based on the Borel-Cantelli Lemmas for infinite
sequences of trials
given an unbounded period of (global) time, A
will meet the devices infinitely often with
probability 1

116
Evaluation

Our results indicate that the protocol
increases the communication overhead
achieves higher robustness in case of node
failures that happen during the key establishment
period
achieves energy balance among the participants

117
Future Research

The design of a kind of reductions among second
order properties.
The definition of random graph models that seem
to hinder the appearance of threshold properties
written in some second order logic fragment

118
Publications

V. Liagkou, E. Makri, P. Spirakis Y.C.
Stamatiou, Trust in global computing systems as
a limit property emerging from short range random
interactions, pp. 741-748, in Proc. of IEEE
International Conference ARES (2007)
I.Chatzigiannakis, E. Konstantinou, V. Liagkou
and P. G. Spirakis, Design, Analysis and
Performance Evaluation of Group Key Establishment
in Wireless Sensor Networks. Electr. Notes
Theor. Comput. Sci. 171(1), pp. 17-31 (2007)
V. Liagkou, E. Makri, P.Spirakis and Y.C.
Stmatiou, On the asymptotic behaviour of formal
logic based trust models P.C.I (2007)
I. Chatzigiannakis, E. Konstantinou, V. Liagkou
and P. Spirakis, Agent-based Distributed Group
Key Establishment in Wireless Sensor Networks,
on Proc of the 3rd IEEE International Workshop on
Trust, Security, and Privacy for Ubiquitous
Computing (TSPUC 2007)
V. Liagkou, E. Makri, P. G. Spirakis, and Y. C.
Stamatiou, The Threshold Behaviour of the Fixed
Radius Random Graph Model and Applications to the
Key Management Problem of Sensor Networks.
ALGOSENSORS 2006, pp.130-139

AEOLUS School on Security of Global Computers: Challenges and Approaches PowerPoint PPT Presentation