17-08-2013, 03:10 PM
Personal Marks and Community Certificates: Detecting Clones in Wireless Mobile Social Networks
Personal Marks and Community.pdf (Size: 269.2 KB / Downloads: 14)
Abstract
We consider the problem of detecting clones in wire-
less mobile ad-hoc networks. We assume that one of the devices
of the network has been cloned. Everything, including saved
passwords, certificates and secret keys. We propose a solution
in networks of mobile devices carried by individuals–composed
by nodes that can communicate by short-range technology like
bluetooth or Wi-Fi, and links appear and disappear according
to social relationships between users. Our idea is to use social
physical contacts, securely collected by wireless personal smart-
phones, as a biometric way to authenticate the owner of the
device and detect the clone attack. We introduce two mechanisms:
Personal Marks and Community Certificates. Personal Marks
is a simple cryptographic protocol that works well when the
adversary is an insider, a malicious node in the network that
tries to use the stolen credentials in the social community of
the original device that has been cloned. Community Certificates
works well when the adversary is an outsider, a node that has
the goal of using the stolen credentials when interacting with
other nodes that are far in the social network from the original
device. When combined, these mechanisms provide an excellent
protection against this very strong attack.
INTRODUCTION
You have left your smartphone on the table at a cafeteria.
You soon realize and go back to take it. Fortunately, it is
still there! You feel safe—while you are not safe at all.
An adversary has connected your smartphone to a laptop
and dumped all of its memory, including public and secret
cryptographic keys. It is a matter of seconds or, at most,
minutes. You do not revoke your certificates and passwords
(you feel safe!) but, a month later, you discover that your
credentials have been used by someone else. If you think this
cannot happen—people take very good care of their personal
devices—consider that according to a fairly recent report
(WTOP, 15 Nov 2006) 478 laptops have been lost or stolen
from the IRS (the Internal Revenue Service is the United States
federal government agency that collects taxes and enforces the
internal revenue laws) between 2002–2006; 112 held sensitive
taxpayer data, including SSNs.
RELATED WORK
The detection of the clone attack is one of the most
investigated security issue in wireless ad-hoc networks. As far
as static wireless networks are concerned, there are three main
approaches to the problem: Centralized, local and distributed
random based techniques. The centralized techniques like [4]
require a base station to collect the location information of the
nodes and to check for anomalies (same node ID with different
locations). Local-based schemes like [6] make use of voting
mechanisms within nodes’ neighborhoods to detect clones.
Finally, the distributed and random based techniques like [10],
[34] require nodes to send signed location information to
randomly selected destinations on the network in a hop-by-hop
fashion. All these techniques, by relying on fixed geographical
position of the nodes in the network are not apt to be used in
mobile scenarios such the one we consider [15], [5].
THE SYSTEM
Our network setting is made of last generation smartphones.
Smartphones are not-so-small devices that can easily handle
video/audio streaming, 3D games, web surfing and SSL ses-
sions, and other applications. Therefore, we can safely assume
that nodes are able to perform public key cryptography. The
nodes are equipped with public/private key pairs, and the
former is signed by a trusted authority CA.
Nodes are loosely time synchronized. Loose time synchro-
nization is very easy to get, if a precision in the order of the
second is enough, like in our protocols. We also assume that
the trusted authority is able to send a message to any node in
the system, for example using the cellular network. When a
clone is present, the message is received by the original node
and by the clone as well (of course it is perfectly possible that
the clone has turned off its interface to the cellular network).
We also assume that the users have access to an alternative
way to authenticate to the authority. There are several exam-
ples of such mechanisms. One example is GMail: If you forget
your password, you can still authenticate by responding to a
list of personal questions that, most probably, only you can
respond. In other systems, you might be able to authenticate by
using a smart-card at your desktop at home. Another example
is the PUK code used in GSM mobile phones. In any case,
we assume that the alternative mechanism to authenticate is
secure but long, burdensome, and we definitely want to use it
only in rare and exceptional circumstances like when we need
to recover from a clone attack.
Community Certificates
A community certificate is a cryptographic object used by
a node i to prove that he hasn’t abruptly changed his social
behavior. When node i joins the system, it automatically enters
a training period during which it securely collects signed and
timestamped logs of the physical contacts with the other nodes.
At the end of the period the logs are reported to the authority.
The authority uses the logs to build a signed certificate
ComCi that is sent back to node i. All these messages are
encrypted and authenticated.
Dynamic Community Certificates
So far, we have described Community Certificates as a static
system. However, in real life it may be possible, even if it is
not common, that we change our own community. In general,
it is reasonable to imagine the following scenarios: (i) our
community changes completely since, for example, we move
to another town; and (ii) one of our friends moves away, or
a new node is our new best friend. Here, we see that it is
easy to design protocols to dynamically change the community
certificate in a secure way.
In case (i), it is enough to start off a new training phase
and to get a new certificate. In case (ii), we can initiate a
selective update of the certificate to remove one node, or to
add a new one, or to update the parameter of a node that
is already part of our ring. Of course, the addition and/or
the removal can change all the parameters of the certificate,
like mapping FI i or ki . The procedure can be easily secured.
Indeed, when the procedure starts, the authority sends a GSM
message to the node. If a clone requests the procedure to
change the certificate according to his own communities, then
the message is received by the original owner as well, that
promptly detects the attack and sends to the authority a signed
request of certificate revocation.
CONCLUSIONS
In this paper we introduce Personal Marks and Community
Certificates. The fundamental idea of Community Certificates
is that, in networks of mobile people, authentication can be
based on the notion of community, and nodes can authenticate
by showing that they indeed meet the people that are part of
their community. While the social structure of these networks
has been extensively used in networking, to the best of our
knowledge this is the first time that this has been used as
a biometric to authenticate device. We also present Personal
Marks, a way a community can use to protect itself against
insiders performing a clone attack. The combined used of these
mechanisms deliver an excellent protection of the social mo-
bile network against the clone attack. Indeed our experiments
show that the detection is fast enough considered the slow
dynamics of the trace we have used.