Adaptive Security Support for Real-time ... - Semantic Scholar

Adaptive Security Support for Real-time Transmissions in Ad Hoc Networks (Extended Abstract)

Jiejun Kong, Mario Gerla
Computer Science Department, University of California, Los Angeles, CA 90095
Tel: (310)206-8589, Fax: (310)825-2273
{jkong,gerla}@cs.ucla.edu

Abstract— In networks with highly volatile communication dynamics, it is appealing to employ adaptive applications to improve system performance. In this extended abstract we define the concept of a mobile real-time data collector and present an adaptive security framework to ensure data security for real-time communications in ad hoc networks. In particular, we analyze the security requirements for mobile data collectors and develop a throughput adaptive scheme to ensure data privacy. In ad hoc networks, the adaptive scheme can be integrated with differentiated and end-to-end QoS services to provide qualitative security support to real-time transmissions.

I. INTRODUCTION

With proper hardware configuration, mobile real-time data collectors (Figure 1) can freely roam and provide volumes of useful multimedia information that reflects the changing environment in real time. Applications such as automated battlefields, paramedical emergency, and real-time news reporting are typical examples of where mobile data collectors are deployed. These applications also demand security support because wireless communication is vulnerable to various attacks ranging from passive eavesdropping to active interference. Wireless ad hoc networks provide the connectivity that mobile data collectors need to transmit real-time contents back to information sinks. However, providing real-time communication support in ad hoc networks is challenging: the network bandwidth available to a mobile node is highly volatile due to wireless interference, mobility, and dynamic network topology. Consequently it is appealing to employ adaptive mobile applications that adjust their wireless communications according to network conditions measured in real time. This work presents an adaptive security solution for real-time multimedia contents. In contrast to the transaction-based security paradigm, which ignores network feedback and hence is not adaptable, the new adaptive security paradigm (Figure 2) seeks to satisfy prescribed security requirements according to real-time network feedback.

Fig. 1. Mobile real-time data collector (block diagram: network feedback such as bandwidth estimation drives an adaptable data encoding stage and an adaptable security module with a key input, which outputs the secured data; adaptable bitrate and adaptable security complexity, both with a guaranteed lower bound)

Fig. 2. Adaptive Security Paradigm (plot of throughput/bitrate γ against security complexity χ, running from highest security complexity at the lowest encryption rate to lowest security complexity at the highest encryption rate, with the throughput lower bound and the security complexity lower bound marked)

II. ADAPTIVE MODEL

We define a mobile real-time data collector as a mobile information source that roams in ad hoc networks and transmits real-time contents back to information sinks. Unlike regular mobile clients roaming in last-hop wireless networks, mobile data collectors produce a potentially large amount of real-time data within a working cycle. The collected data must be delivered under real-time constraints. A qualified security solution for mobile data collectors should have the following properties:

Network-centric design: Mobile data collectors have different security demands from transaction-based Internet commercial applications. The real-time contents should be protected to resist wireless adversaries; however, the collected real-time contents must also be transmitted to their intended destinations on time. Security support becomes useless if data transmission fails to meet real-time constraints. Consequently, available bandwidth, network capacity, processing throughput, and error control are critical factors affecting security design.

On-device processing: As mobile data collectors roam independently, each of them must be prepared to process collected real-time contents on site and on device. It is appealing to employ on-device end-to-end QoS measurements with little help from the network.

Adaptive encoding: Encoding raw data into an efficient multimedia format is the first step of processing. State-of-the-art encoding technology can adapt multimedia contents according to throughput/bitrate, jitter, error rate, and buffer capacity.

Adaptive security processing: The security module must also be adaptable. As we analyse in Section III, when the encoding step and the enciphering step each run at a given processing bit rate, the overall throughput is determined by both of them. If the encoding rate is adaptable to be much larger than the enciphering rate, the overall throughput is effectively bounded by the enciphering rate. This implies that the overall scheme is not adaptable if the security module is not adaptable.

Fig. 3. Throughput adaptive security (with differentiated service classes)

III. SYSTEM ANALYSIS

A. Assumptions

In this work we focus on software-based implementations of data collection and data encryption on mobile devices. Although theoretically all data encoding, compression, and encryption algorithms can be realized in hardware chips, we consider hardware-based solutions less flexible than their software peers. For example, since vulnerabilities and loopholes in security algorithms have frequently been discovered by recent cryptanalysis, security patches must be applied in a timely manner to realize the corresponding countermeasures, and inflexible implementations pay a higher cost in these scenarios. On the other hand, measurements obtained on software implementations also provide useful information for performance evaluation and cost estimation when candidate algorithms need to be built into hardware and firmware.

Service quantification and differentiation: Security complexity, real-time constraints, and network conditions are quantified and differentiated into QoS classes. Each class corresponds to a set of service metrics. As a result, mobile data collectors can flexibly choose one of the QoS classes in real time.

Adversary model: Wireless adversaries can either eavesdrop on all packets or inject unauthentic packets into the network. We assume the adversaries can efficiently send all eavesdropped packets back to computing centers whose cryptanalytic power is constrained by cost and computationally equivalent security [10]. Nevertheless, authentic senders and receivers can share symmetric cipher keys using well-defined key exchange protocols like ISAKMP/IKE [12], [7]. Based on symmetric keys of appropriate size, mobile applications can employ effective security protocols, such as IPsec ESP [9] and AH [8], to ensure data privacy and data integrity.

B. Processing throughput

As recommended in many security protocols [4], encryption should be applied as the last step before network transmission, because (i) data processed after encryption is not protected, and (ii) compression and other operations help increase message entropy and so foil cryptanalytic attacks. This implies that decryption is the first step once data is received from the network. We quantify the device's overall processing throughput based on encryption throughput. A mobile real-time data collector is treated as a single-CPU system.

In this work we use the encryption service as an example. Figure 3 illustrates the general design framework of encryption services with adaptive throughput guarantees. The differentiated classes are defined on a total order: for any two differentiated classes, the one with the greater throughput guarantee has the lesser security complexity. On every type of data collector we can (i) measure the performance of encryption algorithms by experiment, and (ii) obtain prescribed security complexity classes by cryptanalysis. Therefore, the diagram shown in Figure 3 can be determined on each device prior to its deployment.

Pipelined execution:
    for(each data unit) { A B }

Sequential execution:
    for(each data unit) { A }
    for(each data unit) { B }

For two processings A and B running in a process of a single-CPU system, the pipelined execution and

TABLE I. Security complexity of RC5, 128-bit key and block size. Columns: rounds; differential cryptanalysis (chosen plaintext); differential cryptanalysis (known plaintext); linear cryptanalysis (known plaintext). A specially marked entry denotes the case when the attack is impossible even at a theoretical level.

sequential execution have some system-level differences. For example, response delay is larger in the case of sequential execution. Nevertheless, they are in general equivalent in semantics and throughput, because exactly the same number of machine instructions are executed on the CPU. In other words, though a real execution of the single process could be a pipelined one, we can use the sequential case to quantify its throughput. We use this property to quantify the device's overall processing throughput: encryption is treated as one processing, and all other data processings are abstracted as the other. Given the throughputs of the two processings, the overall processing throughput is

(1)

An equivalent form of (1) is

(2)

and the differentiated class satisfying (2) with maximal security complexity.
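As an added worked example (not from the paper), assume the names gamma_a and gamma_b for the throughputs of the two processings, A (encoding and everything else) and B (encryption). Under the sequential quantification above, every bit costs 1/gamma_a + 1/gamma_b seconds, so the overall throughput is gamma_a*gamma_b/(gamma_a + gamma_b), which can never exceed the slower stage. The code computes that rate and then selects, from a constructed rounds-to-throughput table in the spirit of Fig. 4, the class with maximal security complexity (most rounds) whose overall throughput still meets the lower bound; the table values are constructed, not measurements.

```python
# Added example, not from the paper.  gamma_a / gamma_b are assumed names
# for the throughputs of the two processings; the per-rounds rates are
# constructed stand-ins for the per-device measurements Fig. 4 reports.
from dataclasses import dataclass
from typing import List, Optional


def overall_throughput(gamma_a: float, gamma_b: float) -> float:
    """Throughput of A followed by B on a single CPU (sequential model).

    Every bit costs 1/gamma_a + 1/gamma_b seconds, so the combined rate is
    gamma_a * gamma_b / (gamma_a + gamma_b), never above the slower stage.
    """
    if gamma_a <= 0 or gamma_b <= 0:
        raise ValueError("throughputs must be positive")
    return 1.0 / (1.0 / gamma_a + 1.0 / gamma_b)


@dataclass(frozen=True)
class ServiceClass:
    rounds: int           # RC5 rounds: more rounds, higher security complexity
    cipher_mbps: float    # encryption throughput measured for this rounds count


# Constructed table: encryption rate falls as rounds grow (cf. Fig. 4).
CLASSES: List[ServiceClass] = [
    ServiceClass(4, 30.0), ServiceClass(8, 17.0), ServiceClass(12, 12.0),
    ServiceClass(16, 9.0), ServiceClass(20, 7.5), ServiceClass(24, 6.2),
    ServiceClass(28, 5.4), ServiceClass(32, 4.8),
]


def select_class(encode_mbps: float, bound_mbps: float,
                 classes: List[ServiceClass] = CLASSES) -> Optional[ServiceClass]:
    """Return the feasible class with maximal security complexity.

    Feasible means the *overall* throughput (encoding plus enciphering on
    the same CPU) still meets the guaranteed lower bound; None if none does.
    """
    feasible = [c for c in classes
                if overall_throughput(encode_mbps, c.cipher_mbps) >= bound_mbps]
    return max(feasible, key=lambda c: c.rounds, default=None)


if __name__ == "__main__":
    # With the 5 Mbps throughput lower bound from Fig. 4: a faster encoder
    # lets the collector afford more rounds than a slower one.
    for encode in (40.0, 1e9):
        chosen = select_class(encode, 5.0)
        print(f"encoder {encode:g} Mbps -> {chosen.rounds} rounds")
```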

C. Quantification of security complexity

Nowadays advanced encryption algorithms, including the well-known Data Encryption Standard (DES [13]) and Advanced Encryption Standard (AES [14]), are block cipher algorithms based on Feistel structures and Substitution-Permutation Networks (SPN) [5]. Security complexity in these algorithms is achieved by many rounds of permutation and substitution. In particular, (i) the algorithms must achieve the one-way property so that it is easy to obtain ciphertext from plaintext, but not

1 RC6, one of the five AES finalists, was derived from RC5 and proposed by Rivest and Yin.

D. Cryptanalysis

An attack on a cryptosystem is any method of starting with some information about plaintexts and their corresponding ciphertexts under some key, and figuring out more information about the plaintexts. A common security attack in wireless ad hoc networks is eavesdropping, and in this work we focus on resisting eavesdroppers. Depending on the resources available to potential eavesdroppers, we list four classes of cryptanalytic attack, ordered by strength:

Ciphertext-only attack: The attacker only has the encrypted ciphertext from which to determine the secret plaintext, with no knowledge whatsoever of the latter.

Known-plaintext attack: The attacker has a certain amount of plaintext and corresponding ciphertext, but not of his choice. Such plaintext and ciphertext are said to be "compromised".

Chosen-plaintext attack: The attacker can obtain the ciphertext corresponding to arbitrary plaintext data of his choice.

Adaptive chosen-plaintext attack: The attacker can determine the ciphertext of chosen plaintexts in an interactive or iterative process based on previous results.

Security attacks other than the above require more active interference than eavesdropping and thus are not the focus of this paper. For example, if an adversary actively sends chosen bit strings to a decryptor, and is also capable of analysing the decryptor's reactions or even the decrypted results, then it can launch an (adaptive) chosen-ciphertext attack against the cryptosystem. Such an attack is normally referred to in the context of public key cryptosystems and can be foiled by adding non-malleability support [17]. Some security attacks, like denial-of-service attacks, are based upon active interference in some brute-force physical manner; normally these attacks do not have cryptanalytic concerns and are not related to the subject studied in this paper.

For mobile data collectors, the known-plaintext attack is feasible due to the standard headers used in network protocols (e.g., RTP) and common encoding formats (e.g., MPEG). However, since the data collectors collect and encode data from a volatile environment in real time, we observe that the chance of launching an (adaptive) chosen-plaintext attack is negligible in this application domain. This justifies the validity of our design, because the chosen-plaintext attack is a very powerful attack against modern cipher algorithms. As shown in Table I, RC5's strength degenerates much more slowly when facing the less severe known-plaintext and ciphertext-only attacks. We also note that it is questionable to apply the design in other application domains. For example, a flexible design with a negotiable number of rounds was proposed in the IPsec used in Internet VPNs [15]. Unfortunately, due to the lack of an end-to-end security guarantee and considerable chances of encrypting chosen plaintexts (e.g., an unauthorized pre-coded video segment), the Internet IPsec design has received negative analytic comments [6].

Fig. 4. RC5's adaptive encryption performance on iPAQ 3670 PocketPC (plot of RC5 encryption throughput in Mbps, 0 to 40, against RC5 substitution-permutation rounds, 0 to 32; CPU is used for encryption only. Security lower bound is known plaintexts per re-keying. Throughput lower bound is 5Mbps)

IV. CONCLUSION AND FUTURE WORK

In this work we proposed an adaptive security framework for real-time data transmissions in ad hoc networks. Based on network feedback measured in real time, our scheme is resilient to highly volatile network dynamics. It can be integrated with differentiated and end-to-end QoS services to provide qualitative security support to mobile data collectors roaming in ad hoc networks.
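Fig. 4 states the security lower bound as a number of known plaintexts per re-keying. The following added example (not from the paper) turns that bound into an enforcement rule on the collector: every block sent over the air is counted as a compromised plaintext in the worst case (the known-plaintext attack Section D calls feasible), and the key is rotated once the budget of the current rounds class is spent; it also converts the budget into a key lifetime at a given throughput. The per-rounds budgets are constructed placeholders, not Table I's figures; the 128-bit block size is the one Table I names.

```python
# Added example, not from the paper.  KNOWN_PLAINTEXT_BUDGET holds
# constructed placeholder values, not Table I's cryptanalytic figures.
from typing import Dict

BLOCK_BITS = 128   # RC5 block size used in Table I

# Constructed: known plaintext blocks an eavesdropper may collect under one
# key before the security lower bound of that rounds class is reached.
KNOWN_PLAINTEXT_BUDGET: Dict[int, int] = {12: 2**20, 16: 2**28, 20: 2**36}


def key_lifetime_seconds(rounds: int, throughput_mbps: float) -> float:
    """Seconds a key may be used at the given rate before re-keying is due."""
    if throughput_mbps <= 0:
        raise ValueError("throughput must be positive")
    blocks = KNOWN_PLAINTEXT_BUDGET[rounds]
    return blocks * BLOCK_BITS / (throughput_mbps * 1e6)


class RekeyingCounter:
    """Counts blocks encrypted under the current key.

    Worst case: every transmitted block is a known plaintext (standard RTP
    and MPEG headers make this realistic), so the count is the exposure.
    """

    def __init__(self, rounds: int) -> None:
        self.budget = KNOWN_PLAINTEXT_BUDGET[rounds]
        self.used = 0
        self.rekeys = 0

    def encrypt_blocks(self, n: int) -> bool:
        """Account for n blocks; return True if a re-key was triggered."""
        if n < 0:
            raise ValueError("block count must be non-negative")
        self.used += n
        if self.used >= self.budget:
            self.rekeys += 1
            self.used = 0       # a fresh key starts with zero exposure
            return True
        return False
```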



REFERENCES

[1] R. Baldwin and R. Rivest. The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms. http://www.ietf.org/rfc/rfc2040.txt, 1996.
[2] E. Biham. New Types of Cryptanalytic Attacks Using Related Keys. In Advances in Cryptology–EUROCRYPT'93, pages 487–496. Springer-Verlag, 1994.
[3] E. Biham and A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, 1993.
[4] T. Dierks and C. Allen. The TLS Protocol, version 1.0. http://www.ietf.org/rfc/rfc2246.txt, 1999.
[5] H. Feistel. Cryptography and Computer Privacy. Scientific American, 228(5):15–23, 1973.
[6] N. Ferguson and B. Schneier. A Cryptographic Evaluation of IPsec. http://www.counterpane.com/ipsec.html.
[7] D. Harkins and D. Carrel. The Internet Key Exchange (IKE). http://www.ietf.org/rfc/rfc2409.txt, 1998.
[8] S. Kent and R. Atkinson. IP Authentication Header (AH). http://www.ietf.org/rfc/rfc2402.txt, 1998.
[9] S. Kent and R. Atkinson. IP Encapsulating Security Payload (ESP). http://www.ietf.org/rfc/rfc2406.txt, 1998.
[10] A. K. Lenstra and E. R. Verheul. Selecting Cryptographic Key Sizes. In Public Key Cryptography, pages 446–465, 2000.
[11] M. Matsui. Linear Cryptanalysis Method of DES Cipher. In Advances in Cryptology–EUROCRYPT'93. Springer-Verlag, 1994.
[12] D. Maughan, M. Schertler, M. Schneider, and J. Turner. Internet Security Association and Key Management Protocol (ISAKMP). http://www.ietf.org/rfc/rfc2408.txt, 1998.
[13] National Institute of Standards and Technology. Data Encryption Standard. Federal Information Processing Standards Publication 46-2. http://www.itl.nist.gov/fipspubs/fip46-2.htm, 1993.
[14] National Institute of Standards and Technology. Advanced Encryption Standard. http://csrc.nist.gov/encryption/aes/, 2001.
[15] R. Pereira and R. Adams. The ESP CBC-Mode Cipher Algorithms. http://www.ietf.org/rfc/rfc2451.txt, 1998.
[16] R. L. Rivest. The RC5 Encryption Algorithm. In Fast Software Encryption: Second International Workshop, pages 86–96, 1994.
[17] V. Shoup. Why Chosen Ciphertext Security Matters. Technical Report RZ 3076 (#93122), IBM Research Division, Zurich Research Laboratory, November 1998.
[18] Y. L. Yin. The RC5 Encryption Algorithm: Two Years On. RSA CryptoBytes, 2(3):14–15, 1997.


