From the Eternity Service to Suicide Bombing – a Short History of Ad-hoc Network Security


Ross Anderson

Cambridge


Overview

• Eternity Service

• The Resurrecting Duckling

• Cocaine Auctions

• Smart Dust

• Eternity II – Economics, and Topology

• Applying it – HomePlug

• Lessons Learned


Early Days

• Penet.fi remailer operated by Julf Helsingius from 93 to 96

• Scientologists got an order in Feb 95 for access to logs to identify a critic

• Same again twice in 96; then Julf shut Penet

• What is the scope of legal threats to the information society?


Censorship and Technology

• Wycliff translated the Bible into English in 1382

• Fallout contained in most countries…

• William Tyndale did it again in the 16th century

• But now there was printing!

• What happens to society if books that the rich and powerful don’t like can be unpublished?

• Next question: can we design a system to withstand compulsion?


The Eternity Service (1996)

• Idea: a peer-to-peer file store

• You donate some of your own storage

• You can then publish documents

• Documents protected by encryption, fragmentation, redundancy, scattering

• You don’t know which parts of which documents are on your machine

• Selective service denial isn’t possible


Peer-to-Peer Security

• After Napster was closed down, the ideas in Eternity were adopted by Freenet, Gnutella

• Music industry starts trying hard to find real attacks!

• Spam it with poisoned content

• Download stuff, identify uploaders, and sue them

• In other words, in a network that anyone can join, it’s not the initial authentication that matters so much as subsequent conduct


The Resurrecting Duckling (1999)

• Initial problem: what does it mean for a medical sensor to be ‘secure’?

• The doctor picks up a thermometer from a nursing station and mates it to her PDA

• First requirement: bond to the first device you see (like a baby duckling)

• Second requirement: the mother should be able to break the bond (kill and resurrect her duckling)
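
A minimal model of the two requirements above, added here as an illustration and not taken from the slides. The class and function names, the HMAC challenge-response, and the assumption that the imprinting key arrives over a trusted channel (such as physical contact) are choices made for this example.

```python
import hashlib
import hmac
import secrets

class Duckling:
    """Device that bonds to the first mother it sees and obeys only her."""

    def __init__(self):
        self.soul = None        # key shared with the mother; None means imprintable
        self.nonce = None       # outstanding challenge, single use
        self.readings = []

    def imprint(self, key):
        """First requirement: accept a key only while no bond exists."""
        if self.soul is not None:
            return False
        self.soul = key
        return True

    def challenge(self):
        """Issue a fresh nonce that the next command must be bound to."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def command(self, op, tag):
        """Run op only if tag authenticates it under the soul and the current challenge."""
        if self.soul is None or self.nonce is None:
            return False
        nonce, self.nonce = self.nonce, None        # a challenge is never reused
        if not hmac.compare_digest(authorise(self.soul, op, nonce), tag):
            return False
        if op == "die":                             # second requirement: mother breaks the bond
            self.soul, self.readings = None, []     # wiped, imprintable again
        elif op == "read":
            self.readings.append(37.0)              # constructed sample reading
        return True

def authorise(key, op, nonce):
    """Mother's side: MAC the operation together with the duckling's challenge."""
    return hmac.new(key, op.encode() + nonce, hashlib.sha256).digest()
```
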


Resurrecting Duckling (2)


Cocaine Auctions (1999)

• If we have the opposite of authenticated principals – anonymous broadcast – can we design systems to do real work?

• Surprising answer: yes!

• Suppose a dozen Mafiosi are in a room conducting a cocaine auction

• Mistrustful principals, no arbitrator, no PKI – just anonymous broadcast devices


Cocaine Auctions (2)

• At each successive price, each bidder broadcasts a new Diffie-Hellman key $g^{r_i}$

• The final bidder claims the coke by setting up a key with the seller who broadcasts $g^w$ and the delivery details encrypted under $g^{w r_i}$

• If the seller cheats the buyer, or vice versa, this can be decrypted and broadcast to support an accusation of cheating

• Lesson: you can do standalone transaction crypto. You don’t need long-term security associations
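
The exchange on this slide, worked through as an added example that is not part of the original slides. The toy group (p = 2^127 − 1, g = 3), the SHA-256 keystream standing in for a real cipher, the rule that the first bid heard at each price is taken, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters: 2**127 - 1 is prime but far too small for real use.
P, G = 2**127 - 1, 3

def keygen():
    """Fresh exponent r and public value g^r mod p."""
    r = secrets.randbelow(P - 2) + 1
    return r, pow(G, r, P)

def stream_xor(shared, data):
    """Toy cipher: XOR with a SHA-256 counter keystream keyed by the DH secret."""
    key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def run_auction(limits, start=100, step=10):
    """limits[i] is bidder i's private ceiling. Returns (price, winning g^r, exponents)."""
    price, winning_pub, held = start, None, {}
    while True:
        bids = []
        for i, limit in enumerate(limits):
            if limit >= price:              # still in: broadcast a new g^r_i
                held[i], pub = keygen()     # the exponent stays with bidder i
                bids.append(pub)
        if not bids:                        # nobody bid at this price: last bid wins
            return price - step, winning_pub, held
        winning_pub = bids[0]               # assumption: first broadcast heard is taken
        price += step

def seller_broadcast(winning_pub, details):
    """Seller picks w, broadcasts g^w and the details under g^(w*r_i)."""
    w, gw = keygen()
    return gw, stream_xor(pow(winning_pub, w, P), details)

def open_details(gw, ciphertext, r):
    """Only the holder of the winning r_i derives g^(w*r_i)."""
    return stream_xor(pow(gw, r, P), ciphertext)

def check_accusation(winning_pub, gw, ciphertext, revealed_r):
    """Anyone can verify a revealed r_i against the broadcast bid, then decrypt."""
    if pow(G, revealed_r, P) != winning_pub:
        return None
    return open_details(gw, ciphertext, revealed_r)
```
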


Smart Dust (2002–4)

• Battery-powered devices

• Wireless comms

• Not tamper-proof

• Limited CPU, memory

• Communicate peer-to-peer

• Deployed randomly

• Can then be subverted


Smart Dust (2)

• How can we load keys?

– Public key – need too big a CPU

– Combinatorial symmetric keys – messy, fiddly

– Single master key – will be compromised after deployment

• But – does this really matter?

• Same effect as devices broadcasting keys locally in clear on landing, and eavesdropping starts after that


Smart Dust (3)

• Mote i, when it comes to rest, transmits key $k_i$

• When mote j hears it, it responds with just enough power for the link: $j \to i: \{j, k_{ji}\}_{k_i}$

[Figure: motes i and j]

The key is compromised if a hostile mote lies in the intersection

E.g., 1 black mote for 100 white - 97.62% of links secure
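
A Monte Carlo sketch of this key setup, added as an example and not taken from the slides. It assumes motes scattered uniformly on a unit square, k_i broadcast at full range R, and a mean of five neighbours per mote; these parameters and all names are assumptions, so the output will not reproduce the slide's 97.62% exactly. It also compares the low-power reply with a reply sent at full power.

```python
import math
import random

def key_infection(n_white=600, n_black=6, mean_neighbours=5.0, seed=1):
    """Return (secure fraction with just-enough-power replies, with full-power replies)."""
    rng = random.Random(seed)
    white = [(rng.random(), rng.random()) for _ in range(n_white)]
    black = [(rng.random(), rng.random()) for _ in range(n_black)]
    # Radio range chosen so that a mote has mean_neighbours others in range on average.
    R = math.sqrt(mean_neighbours / (math.pi * n_white))
    links = whisper_bad = full_bad = 0
    for a, i in enumerate(white):
        # Hostile motes close enough to hear i broadcast k_i in clear.
        heard_ki = [b for b in black if math.dist(b, i) <= R]
        for c, j in enumerate(white):
            if a == c:
                continue
            d = math.dist(i, j)
            if d > R:                       # j never hears k_i, so no link is formed
                continue
            links += 1
            # The link key is lost if a hostile mote heard k_i and also hears j's reply.
            full_bad += any(math.dist(b, j) <= R for b in heard_ki)
            whisper_bad += any(math.dist(b, j) <= d for b in heard_ki)
    return 1 - whisper_bad / links, 1 - full_bad / links

if __name__ == "__main__":
    whisper, full = key_infection()
    print(f"secure links, low-power reply:  {whisper:.2%}")
    print(f"secure links, full-power reply: {full:.2%}")
```
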


Smart Dust (4)

• You can improve this with various extra resilience mechanisms – multiple path keys, privacy amplification etc

• Economic question: how much do you invest in bootstrapping and how much in later resilience?

• Answer: it depends on the initial and marginal costs of both attack and defence!

• Smart dust owner will often favour the resilience mechanisms over the bootstrapping mechanisms in order to cause the defender to give up


Eternity Again – Economics

• If you have a peer-to-peer system, should you put everything into one pot, or not?

• Eternity, Freenet, Mojo Nation, Chord, OceanStore: everyone shares everything

• The systems that prevailed had people share only their own stuff: Gnutella, Kazaa,…

• We modelled solidarity versus clubs in defence and explained this (WEIS 2005): people fight harder to defend what they care about

• Past a certain point, solidarity will fail


– and Topology (2005)

• Real-world physical systems tend not to have every node talking to every other, or even to a random collection of nodes

• Instead, there’s often a power-law structure with some ‘popular’ nodes

• Knocking these nodes out can disable the network: Ukrainian kulaks, Senegal hookers

• What sort of defences are possible?


Naïve Defenses Don’t Work!

• Basic vertex-order attack – network dead after 2 rounds

• Random replenishment – 3 rounds

• Scale-free replenishment – 4 rounds


Evolving Defense Strategies

• Black – scale-free replenishment

• Green – replace high-order nodes with rings

• Cyan - replace high-order nodes with cliques

• Cliques work very well against the vertex-order attack


Suicide Bombing (2007)

• Revocation is a big problem in real life, and even worse in many ad-hoc network models

• Another possibility: node A on seeing node B misbehaving simply declares them both to be dead

• This is cheap; it scales well; it’s not much affected by mobility; and it works across interesting parameter ranges

• Suicide and high-risk attacks common in nature – bees, helper T-cells, …

• Ad-hoc network models help us understand them


HomePlug

• HomePlug AV is a 2006 standard for power-line communications at 150Mbps

• How do you set up keys between TVs, PVRs, DSL modems, wifi, hifi, PCs, … ?

• Somewhat similar to the problems faced by Bluetooth and Wi-Fi designers

• Great variety of devices, some with no decent input and / or output interfaces

• Great variety of CPUs, from peanut to Pentium


HomePlug (2)

• Most users just want dependability – they want their speakers to mate with their hifi, not their neighbours’

• A handful want security too

• Usability is critical

• Too many returned devices would be fatal

• Big question: do we include a public key mode?


HomePlug (3)

• Suppose you have a PK protocol where the user confirms the right key is set up

• Attack on high-value home user attorney…

• Man in grey van does microwave DoS on set top box, attaches similar to mains

• User has no TV, sees on PC “found Philips set-top box with cert ID 4F3D241E… admit/deny?”

• Moral: not enough to say Y/N, user must copy text

• So might as well just print the key on the label!


HomePlug (4)

• That’s why HomePlug has only two modes, Secure and Simple Connect

• Simple Connect mode: device on power-up, like duckling, looks for a mummy

• Bootstrap key sent in clear, protocols to confirm it’s the right device / network bond

• Secure mode: copy the AES key from the device label into your network management station (i.e. your PC)

• Is this not optimal?


Lessons Learned

• Ad-hoc networks, whether peer-to-peer or wireless, have new needs

• Crypto geeks used to focus on authentication. But bootstrapping is only a tiny part of the lifecycle

• Most of the work usually goes into managing associations once they’re established

• But then that’s how the real world has always worked … can you remember when you first decided to trust your mother?
