Keyless Security in Wireless Networks - Springer Link

4 downloads 113 Views 689KB Size Report
Jul 25, 2014 - Springer Science+Business Media New York 2014. Abstract Security in mobile wireless networks is difficult to achieve because of vulnerability.
Wireless Pers Commun (2014) 79:1713–1731 DOI 10.1007/s11277-014-1954-1

Keyless Security in Wireless Networks Salah A. Albermany · Ghazanfar A. Safdar

Published online: 25 July 2014 © Springer Science+Business Media New York 2014

Abstract Security in mobile wireless networks is difficult to achieve because of vulnerability of the links, inadequate physical protection, dynamically changing topology and the sporadic nature of the connectivity. The change in topology results in the change of trust relationships among the communicating nodes and as a consequence any security solution with a static configuration will not suffice. Key management and related protocols play a vital role and are the basis of security in many distributed systems. Cryptographic keys require dedicated mechanisms in place for their exchange before substantial security can be achieved; subsequently this exchange results in additional overhead and is prone to serious compromise of the security. The drawbacks of key oriented cryptographic techniques have resulted in the demand to develop keyless security schemes. This paper presents a novel keyless security scheme Reaction Automata Direct Graph (RADG), which is based on automata direct graph and reaction states. The novelty of RADG lies in the fact that it does not require any key to perform the cryptographic operations thus making it a feasible scheme for large wireless systems. Paper presents implementation of RADG and the results have shown that the hamming distance between individual cipher texts differ significantly a lot making the process of code breaking within the large systems very difficult compared to the schemes that rely on classical cryptography. The Security analysis of RADG proves that it is cryptographically sound in terms of confidentiality, integrity and non-repudiation. Keywords

Communication · Keyless · Security · Networks

1 Introduction The basic aim of cryptography is to achieve confidentiality and integrity for communication taking place in public channels. Confidentiality ensures that the data shared is not revealed S. A. Albermany · G. A. Safdar (B) Department of CST, University of Bedfordshire, Park Square, Luton LU1 3JU, UK e-mail: [email protected] S. A. Albermany e-mail: [email protected]

123

1714

S. A. Albermany, G. A. Safdar

to any other parties but only to authorised, whereas integrity means that the data cannot be modified by illegitimate users and is received unblemished. The most effective way to achieve the mentioned aim of cryptography is by establishing a common secret or session key to be used with standard cryptographic algorithms for message encryption etc. Thus the key design and exchange protocols that allow the communicating parties to establish session keys are at the core of establishing confidential and integrity preserving communication. Accordingly, lots of research has been devoted to the design and analysis of key exchange protocols in a collection of settings [1–5]. According to Shannon [6], a message encrypted with the same session key usually results in the same encrypted message. This gives statistical code breakers an opportunity to gain knowledge about the encryption (session) key, thus leading to compromise of primary goal of cryptography. As a solution, cryptography can be achieved by employing keyless techniques which do not require creation and subsequent exchange of keys as this will also serve the purpose of relieving from the overhead of key exchange protocols. To date, considerable research has been conducted to achieve the primary aim of cryptography by using keyless techniques. A keyless approach has been adopted in [7] where information is hidden by keeping the originator of the message secret. But despite its name, the proposed concept still makes use of random keys exchanged via anonymous channel to achieve security. An informationtheoretically secure keyless authentication scheme generates shared information theoretically secure key by assuming that the parties involved in communication are honest [8]. This scheme has serious flaws: it is not possible to assume that the involved parties are honest as otherwise there is no need for any subsequent authentication for the parties which are assumed honest in the first place. Also even though the schemes mentions about keyless authentication, effectively it relies on generation and exchange of shared information secure key. Keyless techniques have also been proposed for jam resistance where the focus is made on expected resistance to jamming and error rates in a broadcast environment rather achieving secure communication among peer entities [9]. Secret sharing cryptography usually involves a central trusted authority which divides a secret into multiple parts, called shares, such that a secret can only be recovered when a certain number of shares are available for reconstruction [10,11]. Entities make use of keyless techniques in [12] to create secret share separately on their own, which otherwise would require collaboration or shared key cryptography for the complete reconstruction of the secret. Infact, the proposed technique is not keyless because it employs cryptographic keys for encryption of the individual shares before being transmitted to the base station. Visual Sensor Networks (VSNs) also seem to benefit from keyless schemes, where some of the visual devices, i.e. cameras, do not share keys with the sink. In that case, keyless techniques based on principle of source coding, where correlated data maybe compressed separately yet optimally, have been used to achieve privacy [13]. Keyless approaches have been increasingly employed in automobile systems for confidentiality and protection of the messages through usage of Remote keyless entry (RKE) systems. Importantly, these approaches are not keyless because of being mostly based on KEELOQ encryption technology, the core of which is private key algorithm found on 64 bit encryption key [14,15]. On the same lines, Dual Core Security (DCS) uses Advanced Encryption Standard (AES) and mutual authentication with derived key to secure the transponder card and the ignition key in automobile systems [16,17]. A passive keyless entry system (PKES) uses wireless channel to exchange challenge and response messages and thus is susceptible to attacker who can eavesdrop and the shared key can be estimated with the application of reported attacks. A new PKES is presented in [18] which has shared key update scheme where RedTacton [19] has been adopted for communication between the vehicle and key fob to prevent eavesdropping. Keyless schemes have also found their application in images encryption.

123

Keyless Security in Wireless Networks

1715

A technique is proposed in [20] which involve sieving, division and shuffling processes to split the image in multiple shares. The shares so generated reveal no information about the original secret image and to retrieve the image all the shares are needed. Steganography is one of the most powerful tools for information hiding; it has been achieved by keyless techniques described in [21,22]. Importantly the proposed techniques still make use of keys and data encryption algorithms before the encrypted data is embedded for information hiding. Keyless public watermarking techniques for intellectual property authentication makes use of cryptographic techniques to protect the public watermark from forgery [23]. Keyless user defined optimal security (KUDOS) algorithm makes use of sequence counters acting as temporary keys to perform cryptographic functions [24]. The algorithm does not employ the traditional usage of an encryption key, rather defines the series of sequence counters for encoding. Actually, KUDOS is not keyless because the users can select the start of the sequence, thus any previously known key sequences result in building of an agreement and acts like key between users. Despite the name ‘Keyless’, all the above mentioned techniques are not truly keyless because of being based on the concept of Shannon. Taking into account the limitations of the mentioned schemes, in this paper a novel keyless cryptographic scheme, known as Reaction Automata Direct Graph (RADG), is presented. While using RADG, the same plain text can have more than one differing cipher text. RADG scheme is based on automata, thus unlike KUDOS, it is auto random start without agreement between users. RADG minimizes the statistical attacks by employing no keys; subsequently it provides foolproof confidentiality against eavesdroppers because ciphers produced using RADG is completely different from each other. The rest of the paper is organized as follows: Sect. 2 gives the mathematical model of RADG whereas Sect. 3 provides an application scenario to show how two wireless nodes can securely communicate using RADG scheme. Section 4 subsequently looks into implementation details for RADG and Sect. 5 provides security and performance analysis for an example implementation before paper is concluded in Sect. 6.

2 Mathematical Model Mathematical modeling of RADG is influenced by graph theory, where ADG is the main states for automata encryption and R (reaction states) is to forward, increase and reduce the random expectation. RADG can be represented by a sextuple as {Q, R, ,,J, T}, such that Q represents non-empty finite set of standard states, R represent non-empty finite set of reaction states,  represent non-empty finite set of input data,  represent non-empty finite set of output transitions, J represents non-empty finite set (which is subset of Q called jump states) and T represent transition Function. 2.1 Transition Function If x represents a random state where x ∈ Q, and a ∈ , the transition function T is defined by:  (q, b) if x ∈ / J, x ∈ Q/J, q ∈ Q, and b ∈ ψ T(x, a) = T(r, b) = (q, c) if x ∈ J, r ∈ R, q ∈ Q, and b, c ∈ ψ In order to design above, we divide it in to two parts: First part is a basic design which consists of a set of states Q, with |Q| ≥ 2. This also includes a subset J called jump states,

123

1716

S. A. Albermany, G. A. Safdar

with J ⊂ Q, such that |J| ≤ |Q| / 2. Each state in Q (set of standard states) and R (set of reaction states) have λ values belonging to the set  (non empty set of output transitions), except set J (jump states) which has not got any output transitions. We describe the edge between two states classified into external (output) and internal (input) edges, where the external edges is a value from one state to another state in the set Q. Importantly each state consists of fixed number of external edges denoted by λ, where λ > 1. The second part includes set of reaction states, R, which have only external edges from any state in the set R to another state in the set Q. An example implementation of transition function is provided in Sect. 2.4 below. 2.2 Degree of Transitions In this paper, the number of external transitions from the state (e.g. state p) is denoted by ←−− deg (p) , where p ∈ QR, QR = Q ∪ R, and Q ∩ R = ϕ. The conditions for external transitions are given below. ←− deg (p) =



λ where p ∈ QR/J 0 where p ∈ J

where QR /J = (Q ∪ R) / J. Each state in QR / J have λ distinct data values from the set  and the number of these values in  is denoted by |k| with k being size of non-empty set J. The set  presents the output encrypted data and is calculated as given below. |ψk | =

 ←− deg(p) = λ (n + m − k) , where n = |Q| , m = |R| , and k = |J| p∈QR

−→ We denote the number of internal transition in state p by deg(p), where p ∈ QR. Similarly the conditions for the internal transition are defined below. −→ deg (p) ≥ 1, where p ∈ J , −→ deg (p) ≥ 0, where p ∈ Q/J , −→ deg (p) = 0, where p ∈ R 2.3 Design (Q, R, , , J, T) Possibilities There are several probable cases for the RADG design, i.e. possible values for the Q, R, , , J, and T respectively. We define the function F (n, m, λ) to calculate the number of cases which consist of design for values Q, R, , , J, and T, where |Q| = n, and |R| = m. The function F (n, m, λ) is given below. n

F(n, m, λ) =

2 

FR (n, m, λ) ∗ FQ (n, m, λ) ∗ |ψk |!

(1)

k=1

FQ (n, λ) above is the number of cases which consist of design of the set Q (excluding jump   states). For each of the possible cases, the jump states in Q is represented with |J| ≤ n2 ,

123

Keyless Security in Wireless Networks

3

1717

0

Case 1

3

0

1

1

2 Jump

2 Jump

Case 2

Fig. 1 FR : n = 3, m = 1, λ = 2

  where k = 1,…, n2 . Notably, FR (n, m, λ) includes all the possible cases of reaction set having only external transitions to states of set Q with degree λ. It is clearly noticed that m  n (n − k)! FR (n, m, λ) = , (n − k) ≥ λ , where k = 1, . . . , (n − k − λ)! 2 n , (n − k) ≥ λ FQ (n, λ) ≤ n(n−k) (λ−1) (n − 1)(n−k) , where k = 1, . . . , 2 The design possibilities for different values of n, m and λ are described below in two different examples. Example: n = 3, m=1, λ = 2 Calculation of FR:   To calculate F (3, 1, 2), since n-k ≥ λ for every value of k and the set J = ϕ, 0 < |J| ≤ n2 . ∗ In this case, since n = 3 then 0 < k ≤ 1, and for k = 1, |1| = 2 (3 + 1 − 1) = 6.

1

n−k)! m , then F (3, 1, 2) = 2! Since FR (n, m, λ) = (n(− = 2 , because R (3−1−2)! k−λ)! every state of set R has only two external transitions to any other states in the Q set (Jump state has no external transitions, Fig. 1). Calculation of FQ : Since |Q/J| = 2, there exist thirty eight cases as shown in Fig. 2. FQ (3, 2) = 15+7+7+3+3+3 = 38 Finally, using Eq. (1), the total design possibilities can be calculated as follows: F (3, 1, 2) = FQ(3, 2) * FR(3,1, 2) * 6! = 38 * 2 * 720 = 54720 Similarly, if n =3, m=2, λ = 2, and k=1, then |ψ1 | = 8, FR (3, 2, 2) = 4, FQ (3, 2) = 38, and total design possibilities are (using Eq. 1) F (3, 2, 2) = 4 * 38 * 8! = 6128640 Clearly the design possibilities for these values increase subsequently a lot for a slight increase in the values of n, m and λ, thus making it nearly impossible to penetrate the RADG

123

1718

S. A. Albermany, G. A. Safdar

0

1

0

1

2 Jump

2 Jump

8+4+2+1=15 cases

0

4+2+1=7 cases

1

0

2 Jump

2 Jump

4+2+1=7 cases

0

1

2+1=3 cases

1

2 Jump

2+1=3 cases

0

1

2 Jump

2+1=3 cases

Fig. 2 FQ : n = 3, m = 1, λ = 2

scheme. Figure 3 plots how quickly the function F(n, m, λ) grows for different values of n, m with the λ value kept at 2. 2.4 Transition Function Implementation This section aims to provide an example to facilitate clear understanding of the transition function in RADG. As shown in Fig. 4 below, λ = 2, then  = {0, 1}, and  = {11, 12, 13.14, 15, 16, 17, 18, 19, 20}. In this example, for sake of simplicity other parameters are set as R = {5}, and J = {4}, then m = k = 1, with n = 4 and Q = {0,1,2,3}.

123

Keyless Security in Wireless Networks

1719

Fig. 3 F(n, m, λ) for above mentioned examples

0 13 14

5 19 20

1 11 12

3 15 16

2 17 18

4 Jump

Fig. 4 Example implementation of transition function

Suppose the original message to be encrypted using RADG is 0110. Thus we have: T (0, 0) = (3, 13), T (3, 1) = (2, 16), T (2, 1) = (1, 18), and T (1, 0) = (3, 11). The corresponding output is 13, 16, 18, and 11 respectively (Fig. 4).

3 Application: Secure Communication Between Two Wireless Nodes Key exchange and related protocols add significant overhead and can result into compromise of security in wireless communication. RADG, due to its keyless nature provides fool proof security against possible attacks and can effectively be applied to achieve secure wireless

123

1720

S. A. Albermany, G. A. Safdar

C iid1 Node 1

Node 2 C jid2

Fig. 5 Secure wireless communication using RADG

communication between any pair of communicating nodes. An example scenario is described below and illustrated in Fig. 5. The two nodes with IDs, id1 and id2, can securely exchange messages using RADG. If Miid1 is the original message of node 1 (id1), then the corresponding encrypted message using RADG is denoted by Ciid1 and can be computed as follows. Ciid1 = RADG(Miid1 ) Where Miid1 is a message number i of node 1 (id1). Similarly for the node 2 (id2), j

j

Cid2 = RADG(Mid2 ) j

Where Mid2 is a message number j of node 2 (id2). If X is event random variable of Ciid1 = Ctid1 , and t = i, then 1 m

|M| 2 −1

+ (n − k)

≤ P(X) ≤

1 (n − k)

(2)

In Eq. (2) above, both the left and right hand side represents the worst and best cases respectively. The best case exists with no jump state(s) being involved. During the reading of the original message to be encrypted, the first bit to be read starts in Q/J while there exists n-k cases in total. Unlike the best case, the worst case involves number of jump states with transitions between R and Q/J; and the maximum number to reach jump state being (|M|/2)-1. With each |M| jump state there exist m cases and the total number of cases calculated as m 2 −1 + n − k. Referring to (2) above, P (X) ∼ 0 when n and m are large numbers thus limn,m→∞ P(X) = 0 which proves the confidentiality of the data encrypted using RADG scheme because even the same set of data encrypted twice would yield two different cipher texts thus giving absolutely no information about the original contents of data. It is important to note that since RADG encryption/decryption is message oriented and does not involve a key, any effort in the shape of man in the middle attack to enforce change in the encrypted data could be easily recognised which ensures integrity of the encrypted data. Both Confidentiality and integrity are further explained and proven in Sect. 5 below, RADG security and performance analysis.

4 Implementation This section provides data encryption / decryption using RADG scheme. Both encryption and decryption employs the notations outlined in Table 1.

123

Keyless Security in Wireless Networks

1721

4.1 Encryption Input: Message is a sequence {m 0, m1,.. m|M| } Output: The sequence C

{C0, C1, ...,}

rand1;

Step 1: L 0; qold

C

φ;

Step 2: If (L> |M|) then goto step 5 T(qold, mL)

(qnew, CL)

Step 3: If (qnew∈ J && L!=|M|) qold

rand2

goto step 2 else qold Step 4: Add(C,CL); L

new

L+1

goto step 2 Step 5: if (qold

J ) then goto step 6 SP

ShortPath(qold

M'

a1a2...a|SP|;

for(i=1;i