Tamás Holczer: Privacy enhancing protocols for wireless networks

Budapest University of Technology and Economics Department of Telecommunications

Privacy enhancing protocols for wireless networks

Ph.D. Dissertation of

Tamás Holczer

Supervisor:

Levente Buttyán, Ph.D.

TO BE ON THE SAFE SIDE

Budapest, Hungary

2012


I, the undersigned Holczer Tamás, declare that I prepared this doctoral dissertation myself and used only the sources given in it. Every part that I took over from another source word for word, or with the same content but rephrased, I have marked unambiguously by giving the source.

I, the undersigned Tamás Holczer, hereby declare that this Ph.D. dissertation was made by myself, and that I only used the sources given at the end. Every part that was quoted word for word, or was taken over with the same content, I have noted explicitly by giving the reference of the source.

The reviews of the dissertation and the minutes of the defence are available at the Dean's Office of the Faculty of Electrical Engineering and Informatics of the Budapest University of Technology and Economics.

The reviews of the dissertation and the report of the thesis discussion are available at the Dean’s Office of the Faculty of Electrical Engineering and Informatics of the Budapest University of Technology and Economics.

Budapest,. . . .

Holczer Tamás


Abstract

Wireless networks are used in our everyday life. We use wireless networks to call each other, to download our emails at home, or to enter a building with a proximity card. In the near future wireless networks will be used in many new fields such as vehicular ad hoc networks, or critical infrastructure protection.

The use of wireless networks instead of wired networks opens up new research challenges. These challenges include mobility, coping with unreliable links, resource constraints, and the security and privacy aspects of the wireless networks. In this thesis some privacy aspects of different wireless networks are investigated.

In Chapter 2, private authentication methods are proposed and analyzed for radio frequency identification (RFID) systems. RFID is a typical application in which the provers are low-cost tags and the number of tags can potentially be very large. I study the problem of private authentication in RFID systems; more specifically, I propose two methods: the privacy-efficient key-tree based authentication and the group based authentication.

The first key-tree based private authentication protocol was proposed by Molnar and Wagner as a neat way to efficiently solve the problem of privacy preserving authentication based on symmetric key cryptography. However, in the key-tree based approach, the level of privacy provided by the system to its members may decrease considerably if some members are compromised. In this thesis, I analyze this problem and show that careful design of the tree can help to minimize this loss of privacy. First, I introduce a benchmark metric for measuring the resistance of the system to a single compromised member. This metric is based on the well-known concept of anonymity sets. Then, I show how the parameters of the key-tree should be chosen in order to maximize the system's resistance to single member compromise under some constraints on the authentication delay. In the general case, when any member can be compromised, I give a lower bound on the level of privacy provided by the system. I also present some simulation results that show that this lower bound is quite sharp. The results of Chapter 2 can be directly used by system designers to construct optimal key-trees in practice.
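As an added illustration (not code from the dissertation), the following Python sketch implements a Molnar and Wagner style key-tree authentication with HMAC, the reader's level-by-level key search whose trial count is the efficiency argument, and the partition of the remaining tags into anonymity sets once one tag's path keys are known; the normalised expected anonymity-set size used here is an assumed stand-in for the Chapter 2 metric, and the HMAC construction and demo seed are assumptions.

```python
"""Key-tree based private authentication and the anonymity-set partition caused
by one compromised tag. Added illustration, not code from the dissertation:
HMAC-SHA256 stands in for the tag's MAC, the demo seed is constructed, and the
metric (expected normalised anonymity-set size) is an assumed stand-in for
the Chapter 2 benchmark."""
import hashlib
import hmac
import itertools
import os
from math import prod


def build_key_tree(branching, seed=b"constructed-demo-seed"):
    """One key per tree node. A node is addressed by its path tuple; the leaf
    path (i_1, ..., i_l) is the tag's identity, and the tag stores the l keys
    on its path. Branching vector (b_1, ..., b_l) gives N = prod(b_i) tags."""
    keys = {}
    for depth in range(1, len(branching) + 1):
        for path in itertools.product(*(range(b) for b in branching[:depth])):
            keys[path] = hmac.new(seed, repr(path).encode(), hashlib.sha256).digest()
    return keys


def tag_respond(keys, tag_path, nonce):
    """The tag answers a fresh reader nonce with one MAC per level of its path;
    it never sends a static identifier, so an outsider cannot link sessions."""
    return [hmac.new(keys[tag_path[:d]], nonce, hashlib.sha256).digest()
            for d in range(1, len(tag_path) + 1)]


def reader_identify(keys, branching, nonce, responses):
    """Reader search: at each level try the children of the node found so far
    until a MAC matches. Cost is at most sum(b_i) MACs instead of N, which is
    the efficiency gain of the tree. Returns (tag_path or None, trials)."""
    path, trials = (), 0
    for depth, b in enumerate(branching):
        for child in range(b):
            trials += 1
            candidate = path + (child,)
            mac = hmac.new(keys[candidate], nonce, hashlib.sha256).digest()
            if hmac.compare_digest(mac, responses[depth]):
                path = candidate
                break
        else:
            return None, trials
    return path, trials


def anonymity_sets_after_compromise(branching):
    """Sizes of the anonymity sets once an adversary has read out one tag's
    path keys. Tags sharing exactly k prefix keys with the victim can be told
    apart from everyone else by those keys, so they form one set; the sizes
    do not depend on which tag was compromised."""
    N = prod(branching)
    sets = []
    for k in range(len(branching)):
        share_k = N // prod(branching[:k])        # tags sharing k prefix keys
        share_k_plus_1 = N // prod(branching[:k + 1])
        sets.append(share_k - share_k_plus_1)
    sets.append(1)                                # the compromised tag itself
    return [s for s in sets if s > 0]


def expected_anonymity(branching):
    """Expected anonymity-set size of a random tag divided by N, i.e.
    sum((|P_i|/N)^2). It is 1.0 with no compromise; lower means less privacy."""
    N = prod(branching)
    return sum((s / N) ** 2 for s in anonymity_sets_after_compromise(branching))


if __name__ == "__main__":
    # Three trees over the same N = 16 tags: privacy vs. reader effort trade-off.
    for branching in [(2, 2, 2, 2), (4, 4), (16,)]:
        keys = build_key_tree(branching)
        tag = tuple(b - 1 for b in branching)     # worst case for the search
        nonce = os.urandom(16)
        ident, trials = reader_identify(keys, branching, nonce,
                                        tag_respond(keys, tag, nonce))
        print(branching, "ok" if ident == tag else "FAIL", "trials:", trials,
              "sets:", anonymity_sets_after_compromise(branching),
              "privacy:", round(expected_anonymity(branching), 3))
```

The flat tree (16,) keeps the most privacy after a compromise but costs the reader 16 trials, while the deeper trees cut the search to 8 trials at the price of finer anonymity sets, which is exactly the trade-off the chapter optimises.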

In the second part of chapter 2, I propose a novel group based authentication scheme similar to the key-tree based method. This scheme is also based on symmetric-key cryptography, and therefore, it is well-suited to resource constrained applications in large scale environments. I analyze the proposed scheme and show that it is superior to the previous key-tree based approach for private authentication both in terms of privacy and efficiency.

In chapter 3, I analyze the privacy consequences of inter vehicular communication. The promise of vehicular communications is to make road traffic safer and more efficient. However, besides the expected benefits, vehicular communications also introduce some privacy risk by making it easier to track the physical location of vehicles. One approach to solve this problem is that the vehicles use pseudonyms that they change with some frequency. In this chapter, I study the effectiveness of this approach. I define a model based on the concept of mix zone, characterize the tracking strategy of the adversary in this model, and introduce a metric to quantify the level of privacy enjoyed


a rather complex road map, generated traffic with realistic parameters, and varied the strength of the adversary by varying the number of her monitoring points. My simulation results provide information about the relationship between the strength of the adversary and the level of privacy achieved by changing pseudonyms.

From the first half of Chapter 3, it can be seen that untraceability of vehicles is an important requirement in future vehicle communication systems. Unfortunately, heartbeat messages used by many safety applications provide a constant stream of location data, and without any protection measures they make tracking of vehicles easy even for a passive eavesdropper. Changing pseudonyms is the usual countermeasure; however, considering a global attacker, it is effective only if some silent period is kept during the pseudonym change and several vehicles change their pseudonyms nearly at the same time and at the same location. Unlike other works that proposed explicit synchronization between a group of vehicles and/or required pseudonym change in a designated physical area (i.e., a static mix zone), I propose a much simpler approach that needs neither explicit cooperation between vehicles nor infrastructure support. My basic idea is that vehicles should not transmit heartbeat messages when their speed drops below a given threshold, and they should change pseudonym during each such silent period. This ensures that vehicles stopping at traffic lights or moving slowly in a traffic jam will all refrain from transmitting heartbeats and change their pseudonyms nearly at the same time and location. Thus, my scheme ensures both silent periods and synchronized pseudonym change in time and space, but it does so in an implicit way. I also argue that the risk of a fatal accident at a slow speed is low, and therefore my scheme does not seriously impact safety-of-life. In addition, refraining from sending heartbeat messages when moving at low speed also relieves vehicles of the burden of verifying a potentially large number of digital signatures, and thus makes it possible to implement vehicle communications with less expensive equipment.
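An added example (not the dissertation's code) of the rule just described: each vehicle goes silent below a speed threshold and picks a fresh pseudonym during the silent period, so a passive observer grouping heartbeats by pseudonym cannot tell which silenced vehicle a re-appearing pseudonym belongs to; the 8 m/s threshold and the speed traces are constructed for the demo.

```python
"""SLOW-style implicit pseudonym change. Added illustration, not the
dissertation's code: the threshold value and the speed traces are constructed.
Each vehicle stops sending heartbeats while its speed is below the threshold
and switches to a fresh pseudonym before it resumes."""
import secrets

THRESHOLD_MPS = 8.0   # assumed threshold, roughly 30 km/h


class SlowVehicle:
    def __init__(self, name):
        self.name = name
        self.pseudonym = secrets.token_hex(4)
        self.silent = False

    def step(self, t, speed):
        """One time step: return a (t, pseudonym) heartbeat, or None if silent."""
        if speed < THRESHOLD_MPS:
            if not self.silent:                        # silent period begins
                self.silent = True
                self.pseudonym = secrets.token_hex(4)  # change while nobody hears
            return None
        self.silent = False
        return (t, self.pseudonym)


def simulate(traces):
    """traces: name -> list of speeds (m/s), one per step. Returns the
    heartbeats a global eavesdropper collects as (t, pseudonym, true_name);
    true_name is kept only to evaluate the observer, it is never transmitted."""
    vehicles = {n: SlowVehicle(n) for n in traces}
    steps = len(next(iter(traces.values())))
    heartbeats = []
    for t in range(steps):
        for name, v in vehicles.items():
            hb = v.step(t, traces[name][t])
            if hb is not None:
                heartbeats.append((t, hb[1], name))
    return heartbeats


def observer_view(heartbeats):
    """What the eavesdropper sees: pseudonym -> (first_t, last_t)."""
    view = {}
    for t, p, _ in heartbeats:
        first, _last = view.get(p, (t, t))
        view[p] = (first, t)
    return view


def linking_candidates(view, max_gap):
    """For every pseudonym that first appears after step 0, the pseudonyms that
    fell silent within `max_gap` steps before it. More than one candidate means
    the observer cannot link the two trajectory segments by pseudonym alone."""
    cands = {}
    for p, (first, _) in view.items():
        if first == 0:
            continue
        cands[p] = {q for q, (_, last) in view.items()
                    if q != p and first - max_gap <= last < first}
    return cands


# Constructed traces: A and B stop at the same light (t = 5..8), C never stops.
TRACES = {
    "A": [15] * 5 + [2] * 4 + [15] * 4,
    "B": [15] * 5 + [3] * 4 + [15] * 4,
    "C": [15] * 13,
}

if __name__ == "__main__":
    hbs = simulate(TRACES)
    view = observer_view(hbs)
    print(len(hbs), "heartbeats (and signatures to verify) instead of",
          13 * len(TRACES))
    for p, c in linking_candidates(view, max_gap=6).items():
        print(p, "could be the continuation of", len(c), "silenced pseudonyms")
```

With both vehicles re-emerging from the same silent window, each new pseudonym has two equally plausible predecessors, which is the implicit mix zone the scheme relies on; a lone vehicle stopping by itself would still be linkable by timing, which is why the abstract stresses that several vehicles must change together.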

In Chapter 4, I propose protocols that increase the dependability of wireless sensor networks, which are potentially useful building blocks in cyber-physical systems. Wireless sensor networks can be used in many critical applications, such as military or critical infrastructure protection scenarios. In such a critical scenario, the dependability of the monitoring sensor network can be crucial. One interesting part of the dependability of a network is how the network can hide its nodes with specific roles from an eavesdropping or active attacker.

In this problem field, I propose protocols which can hide some important nodes of the network.

More specifically, I propose two privacy preserving aggregator node election protocols, a privacy preserving data aggregation protocol, and a corresponding privacy preserving query protocol for sensor networks that allow for secure in-network data aggregation by making it difficult for an adversary to identify and then physically disable the designated aggregator nodes. The basic protocol can withstand a passive attacker, while my advanced protocols resist strong adversaries that can physically compromise some nodes. The privacy preserving aggregator election protocol allows electing aggregator nodes within the network without leaking any information about the identity of the elected node. The privacy preserving aggregation protocol lets the elected aggregator nodes collect data without leaking who is actually collecting it. The privacy preserving query protocol enables an operator to collect the aggregated data from the unknown and anonymous aggregators without leaking the identity of the aggregating nodes.


Kivonat (Abstract in Hungarian, translated)

Wireless networks are part of everyday life. We can use such networks, for example, for telephone calls, for using services available on the Internet, or in contactless card based access control systems. In the near future the fields of application will expand considerably; among others, vehicles will communicate with each other this way, and wireless networks will also play a role in the protection of critical infrastructure.

The widespread use of wireless networks raises new research problems. Such new problem areas are mobility, the handling of unreliable links, the problems and challenges arising from scarce resources, and research into privacy and data security questions. In this dissertation I investigate privacy questions of various wireless networks.

In the first chapter of the dissertation I examine private authentication methods for handling radio frequency identification problems. A typical application area is RFID systems, where potentially very many users authenticate themselves to a reader with the help of cheap RFID cards. The two authentication methods are key-tree based and group based identification.

The first key-tree based private authentication protocol was proposed by Molnar and Wagner. This method was an efficient symmetric key based private authentication protocol. It works very well as long as none of the users' secret keys is compromised. In that case not only does the compromised user enjoy less anonymity, but the anonymity of all other users is damaged as well.

In Chapter 2 of the dissertation I analyze how careful choice of the tree parameters can minimize the lost anonymity. First, I define a metric that measures the effect of a single user being compromised in the system.

This metric builds on the well-known notion of the anonymity set. Then I show how the parameters of the key-tree should be chosen so that, in the metric defined above, the loss caused by the compromise is minimal while certain external constraints are satisfied. In the general case, where not only one user but several may be compromised, I give a lower bound on the level of anonymity provided by the system. With simulations I show that this lower bound is typically an accurate estimate. The results of the chapter can be used directly in system design, when the key-tree best suited to the task has to be found.

In the second part of Chapter 2 I propose a new group based private authentication method. This method is also based on symmetric keys, so it is well suited to resource constrained devices too. In the chapter I analyze the proposed solution and show that in certain typical cases it performs better than the key-tree based method introduced at the beginning of the chapter.

In Chapter 3 I analyze the privacy consequences of inter-vehicle communication. The inter-vehicle communication to be realized in the near future enables safer and more efficient traffic, but at the same time it also makes vehicles easier to track, which can seriously violate the privacy of drivers. A possible solution to the problem is for vehicles not to use permanent identifiers in their communication but pseudonyms, which they can change frequently. In this chapter I analyze the effectiveness of this solution. First, I build a mix zone based model. In this model I define the tracking strategy of the attacker, and I define the metric


vehicles, and I examine the effect of traffic and of the attacker's strength on trackability.

As can be seen from the first part of Chapter 3, the trackability of vehicles is an important consideration in inter-vehicle communication. Unfortunately, as we have seen, the continuously transmitted position reports make vehicles easy to track. A general solution to the problem is for vehicles to alternate their identifiers. This change, of course, can only be effective if at least a short time passes between the use of the two different identifiers during which the vehicle transmits nothing, and if several vehicles close to each other change identifiers at the same time. While most solutions prescribe complicated synchronization or allow the change only at statically designated places, my solution is much simpler. In this solution there is no need for explicit cooperation or external infrastructure: the vehicles simply stop transmitting below a certain speed, and when they cross this threshold speed again they start transmitting once more, but already with the new identifier. As a result, vehicles waiting at a traffic light or crawling in a traffic jam remain silent and change identifiers at the same time. Thus this method simply guarantees the necessary silent period, and achieves a change synchronized in place and time without explicit synchronization. This method is fortunate on the one hand because at low speed the chance of a serious accident is small, so the vehicle stops signalling exactly when it is not needed anyway; on the other hand, vehicles crawling close to each other generate a very large amount of data to be processed, which is thus also avoided.

In Chapter 4 of the dissertation I propose protocols that can increase the dependability of a wireless sensor network. Wireless sensor networks can also be used for critical tasks, such as military or critical infrastructure protection. In such critical tasks, protecting nodes with a prominent role and hiding them from attackers can be very important.

Within this problem area I propose protocols that can hide the identity of the key devices. More precisely, I propose two private aggregator election protocols, a private aggregation protocol, and a private query protocol, with which attackers cannot identify the aggregator devices in a sensor network. Of the two solutions, the simpler protocol provides security against passive eavesdropping, while the more complex protocol also provides protection against active attacks.


Acknowledgement

First of all, I would like to express my gratitude to my supervisor, Professor Levente Buttyán, Ph.D., Department of Telecommunications, Budapest University of Technology and Economics.

He gave me guidance in selecting problems to work on, helped in elaborating the problems, and pushed me to publish the results. All these three steps were needed to finish this thesis.

I am also grateful to the current and former members of the CrySyS Laboratory: Boldizsár Bencsáth, László Czap, László Csík, László Dóra, Amit Dvir, Gergely Kótyuk, Áron Lászka, Gábor Pék, Péter Schaffer, Vinh Thong Ta, and István Vajda for the illuminating discussions on different technical problems that I encountered during my research. They also provided a pleasant atmosphere which was a pleasure to work in.

I would also like to thank Petra Ardelean, Naim Asaj, Gildas Avoine, Danny De Cock, Stefano Cosenza, Amit Dvir, László Dóra, Julien Freudiger, Albert Held, Jean-Pierre Hubaux, Frank Kargl, Antonio Kung, Zhendong Ma, Michael Müter, Panagiotis Papadimitratos, Maxim Raya, Péter Schaffer, Elmar Schoch, István Vajda, Andre Weimerskirch, William Whyte, and Björn Wiedersheim for our joint efforts and publications.

The financial support of the Mobile Innovation Centre (MIK) and the support of the SEVECOM (FP6-027795) and WSAN4CIP (FP7-225186) EU projects are gratefully acknowledged.

And last but not least, my thanks go to my wife Nóra, who accepted me being a PhD student. I know sometimes it was not easy.


Contents

1 Introduction 1

1.1 Introduction to RFID systems . . . 2

1.2 Introduction to Vehicular Ad Hoc Networks . . . 3

1.3 Introduction to Wireless Sensor Networks . . . 4

2 Private Authentication 9

2.1 Introduction to private authentication . . . 9

2.2 Resistance to single member compromise . . . 11

2.3 Optimal trees in case of single member compromise . . . 14

2.4 Analysis of the general case . . . 20

2.5 The group-based approach . . . 23

2.6 Analysis of the group based approach . . . 24

2.7 Comparison of the group and the key-tree based approach . . . 26

2.8 Related work . . . 27

2.9 Conclusion . . . 28

2.10 Related publications . . . 28

3 Location Privacy in VANETs 29

3.1 Introduction . . . 29

3.2 Model of local attacker and mix zone . . . 31

3.2.1 The concept of the mix zone . . . 31

3.2.2 The model of the mix zone . . . 32

3.2.3 The operation of the adversary . . . 32

3.2.4 Analysis of the adversary . . . 32

3.2.5 The level of privacy provided by the mix zone . . . 34

3.3 Simulation of mix zone . . . 34

3.3.1 Simulation settings . . . 34

3.3.2 Simulation results . . . 35

3.4 Global attacker . . . 36

3.5 Framework for location privacy in VANETs . . . 37

3.6 Attacker Model and the SLOW algorithm . . . 38

3.7 Analysis of SLOW . . . 39

3.7.1 Privacy . . . 39

3.7.2 Effects on safety . . . 44

3.7.3 Effects on computation complexity . . . 44

3.8 Related work . . . 44

3.9 Conclusion . . . 46

3.10 Related publications . . . 47


4 Anonymous Aggregator Election and Data Aggregation in WSNs 49

4.1 Introduction . . . 49

4.2 System and attacker models . . . 50

4.3 Basic protocol . . . 53

4.3.1 Protocol description . . . 53

4.3.2 Protocol analysis . . . 56

4.3.3 Data forwarding and querying . . . 60

4.4 Advanced protocol . . . 60

4.4.1 Initialization . . . 61

4.4.2 Data aggregator election . . . 63

4.4.3 Data aggregation . . . 65

4.4.4 Query . . . 67

4.4.5 Misbehaving nodes . . . 69

4.5 Related work . . . 70

4.6 Conclusion . . . 72

4.7 Related publications . . . 73

5 Application of new results 75

6 Conclusion 77


List of Figures

2.1 Illustration of a key-tree . . . 10

2.2 Illustration of single member compromise . . . 12

2.3 Illustration of several members compromise . . . 20

2.4 Simulation results for branching factor vectors . . . 22

2.5 System comparison based on approximation . . . 23

2.6 Operation of the group-based private authentication scheme . . . 24

2.7 Tree and group based authentication . . . 24

2.8 Simulation results . . . 27

3.1 Mix and observed zone . . . 31

3.2 Simplified map of Budapest generated for the simulation. . . 35

3.3 Success probabilities of the adversary . . . 36

3.4 Results of the simulation . . . 37

3.5 Success rate of a tracking attacker . . . 40

3.6 Example intersection . . . 42

3.7 Success rate of the simple attacker . . . 43

3.8 Success rate of the simple attacker . . . 43

3.9 Number of signatures to be verified . . . 45

4.1 Result of aggregator election protocol . . . 51

4.2 Probability of being cluster aggregator . . . 57

4.3 Probability of being cluster aggregator . . . 58

4.4 Result of balancing . . . 58

4.5 Entropy of the attacker . . . 59

4.6 Connected dominating set . . . 63

4.7 Aggregation example . . . 66

4.8 Query example . . . 68

4.9 Graphical representation of the suitable intervals . . . 69

4.10 Misbehavior detection algorithm for the query protocol. . . 71


List of Tables

2.1 Illustration of the operation of the recursive function f . . . 19

3.1 Notation in SLOW . . . 41

4.1 Estimated time of the building blocks on a Crossbow MICAz mote . . . 55

4.2 Optimal γ values . . . 60

4.3 Summary of complexity of the advanced protocol . . . 61


List of Algorithms

1 Optimal branching factor generating algorithm . . . 19

2 Basic private cluster aggregator election algorithm . . . 54


Chapter 1

Introduction

In this dissertation privacy enhancing protocols for wireless networks are proposed. In this chapter, a brief overview is given of those wireless networks to which the work presented in this dissertation is related, namely Radio Frequency Identification systems (RFID systems), Vehicular Ad Hoc Networks (VANETs), and Wireless Sensor Networks (WSNs). The privacy consequences of the usage of such networks and some related problems are sketched. The main reason for choosing these networks is that they are, or potentially will be, used by billions of users, so solving a problem related to these networks can affect the privacy of an extremely large number of users.

Wireless technology is a truly revolutionary paradigm shift, enabling multimedia communications between people and devices from any location. It also enables exciting applications such as sensor networks, smart homes, telemedicine, and automated highways. Comprehensive introductions to wireless networks can be found in [Goldsmith, 2005; Rappaport, 2001].

The security and privacy problems of wireless networks are a well-studied field; however, there are many open questions worth working on. Overviews of security and privacy in wireless networks can be found in [Buttyán and Hubaux, 2008; Juels, 2006; Raya and Hubaux, 2007; Akyildiz et al., 2002].

A wireless network consists of nodes that can communicate through wireless channels. Those channels include Infra Red (IR) or Radio Frequency (RF) channels. From the security point of view, the main difference between wireless and traditional wired networks is that a passive attacker can easily eavesdrop on the wireless channel without detection, while this can be harder with wired networks.

Harder actually means here that those attacks require physical access to the network (cables or network elements), and the lack of physical protection in case of wireless networks makes these attacks easier to carry out. An active attacker can inject, modify, and delete messages in the air with some knowledge of the network and wireless technologies, while again it is harder for a traditional wired network.

In information technology, privacy is defined as the right of an entity to choose which information is revealed about the entity, what information is collected and stored, how that information is used, shared or published, and also the right to keep control of that information (e.g., the right to delete data from a database if the user wishes to do so). Privacy actually has two facets: data control and data protection. One way to keep control is to keep data secret, e.g., to remain anonymous. According to [Pfitzmann and Köhntopp, 2001], anonymity is the state of not being identifiable within a set of subjects, the anonymity set. In the remaining part of the dissertation, I will use privacy with this information centric meaning, and decisional privacy (1) or intentional privacy (2) will not be discussed.

(1) This conception of privacy addresses issues related to an individual's authority to make decisions that affect the individual's life and body and that of the individual's family members, such as end of life issues. [ITLaw]

(2) This conception of privacy addresses issues related to intimate activities or characteristics that are publicly visible. [ITLaw]


In the remainder of this chapter, the three wireless networks I worked with in this dissertation are introduced.

1.1 Introduction to RFID systems

The following description of RFID systems and their security and privacy problems is based on [Juels, 2006; Langheinrich, 2009; Peris-Lopez et al., 2006]. The interested reader can get a broader view and deeper understanding of RFID systems by reading the cited papers instead of relying only on this short introduction.

RFID (Radio-Frequency IDentification) is a technology for automated identification of objects or people. An RFID system consists of simple Tags, Readers, and Backend Servers. The tags carry unique identifiers, which are read by nearby Readers over radio communication. The Readers send the obtained identifiers to Backend Servers. The goal of an RFID system is the unique identification of the holders of the Tags.

Example applications of RFID systems include smart appliances, shopping, interactive objects, or medication compliance. This list can be expanded to hundreds of scenarios [Wu et al., 2009; RFID, 2012].

The main threats to privacy in RFID systems are tracking and inventorying. A tracking attacker can eavesdrop on message exchanges in different parts of the network. If the system is not defended against such attacks, the attacker can link different message exchanges of the same user, and hence can track the user. This is a very important concern in RFID systems, which is why this problem is discussed in Chapter 2 (the problem of tracking is actually not unique to RFID systems, and I will study it in a different context in Chapter 3, namely in vehicular networks).

Inventorying is a specific attack against RFID systems. It relies on the assumption that in the near future most of our objects will be tagged with remotely readable RFID tags. An attacker carrying out an inventorying attack can learn exactly what a user wears or has in her pockets or bag, without the consent of the user.

In Chapter 2, two private authentication methods are given, which make it difficult for an attacker to carry out tracking and inventorying attacks.

Another important field of security problems regarding RFID is the authenticity of the tags. In short, the privacy problem is related to malicious readers, while the authenticity problem is related to malicious tags. The main problem is that tags can be counterfeited, so that an illegitimate tag obtains the same rights as the legitimate tag holds. In the following, I will assume the presence of malicious readers, but no malicious tags are considered.

When considering the capabilities of RFID tags, the tags on the market can be classified into two main categories: basic tags with no real cryptographic capabilities, and advanced tags with some symmetric key cryptography capabilities.

Basic tags

Basic RFID tags lack the resources to perform true cryptographic operations. The lack of cryptography in basic RFID tags is a big impediment to security design; cryptography, after all, is the main building block of data security. The main approaches to providing privacy for basic tags are the following: killing, sleeping, renaming, proxying, distance measurement, blocking, and legislation.

Killing and sleeping are very similar approaches. The basic idea is that an authenticated command can reversibly or permanently switch off the tag.

Another approach is to divide the identifier space into two separate parts by a modifiable privacy bit [Juels et al., 2003; Juels and Brainard, 2004]. The two parts are the private and the public parts. A blocker device can make the scanning of private tags infeasible, and the tags can be moved between the public and private zone on demand. Another device based solution is proxying, where the holder of the tag can use some equipment (like a mobile phone) to enforce privacy [Floerkemeier et al., 2005; Juels et al., 2006; Rieback et al., 2005].


The tracking problem is based on the fact that tags use static identifiers. Some proposals suggest that readers rename the tags [Instruments, 2005], or that the tag itself rotates pseudonyms [Juels, 2005a] to make tracking harder. In distance measurement the tags can roughly measure their distance to the reader by measuring the signal-to-noise ratio of the channel [Fishkin et al., 2005]. This can be used to avoid distant aggressive scanning.

A non-technical approach is legislation: there are some efforts to regulate the usage of RFID tags from the privacy point of view [Kelly and Erickson, 2005], but these efforts are far from complete. Ultimately, this approach may be more effective and cost efficient than any other (e.g., from an economic aspect, tracking is not worth it if the tracker can go to jail for doing so). The authentication of basic tags is as hard as providing privacy for them. There is some work [Juels, 2005b] on how the kill PIN can be used to authenticate the tags.

Advanced tags

Advanced tags are capable of simple symmetric key operations. However, weak cryptographic algorithms are targets of successful attacks [Bono et al., 2005]. Another attack type against cryptographically enabled tags is the man-in-the-middle (MiM) attack. In a MiM attack the attacker relays messages between the tag and the reader and, by doing so, can modify, delete, and inject messages in their communication. This can also be done if the tag and the reader are not in the vicinity of each other [Hancke, 2005; Kfir and Wool, 2005].

The privacy of advanced tags is analyzed in depth in Chapter 2. In short, the problem is that the tag is not allowed to send its identifier in the clear in order to avoid tracking, therefore the reader needs many trials to find the right decryption key.

The computational burden on the reader can be partly alleviated with key-trees [Molnar and Wagner, 2004], synchronization [Ohkubo et al., 2004], or time-memory tradeoffs [Avoine et al., 2005; Avoine and Oechslin, 2005]. However, all known mitigation techniques lead to degradation of privacy or efficiency. The degradation of privacy is analyzed in Chapter 2, where efficient solutions are also proposed.

1.2 Introduction to Vehicular Ad Hoc Networks

The following description of Vehicular Ad Hoc Networks and their security and privacy properties is based on [Raya and Hubaux, 2005; Raya and Hubaux, 2007; Lin et al., 2008; Blum et al., 2004b; Dötzer, 2006]. The interested reader can get a broader view and deeper understanding of VANETs by reading the cited papers instead of relying only on this short introduction.

The main motivations to use VANETs are to enhance traffic safety and traffic efficiency, to give assistance to drivers, and the possibility of infotainment applications. A VANET consists of vehicles equipped with On Board Units (OBUs) and wireless communication equipment, Road Side Units (RSUs), and backend infrastructure. The vehicles exchange messages regularly with each other and with the infrastructure using wireless communication to achieve the main goals, such as safer roads.

The main vulnerabilities in VANETs come from the wireless nature of the communication and from the sensitive information, such as the location of users, used by the network. One major vulnerability comes from the wireless nature of the system: the communication can be jammed easily, and messages can be forged. Another problem related to the wireless communication is that nodes relaying messages can modify them. This is called In-Transit Traffic Tampering.

Another kind of problem is that vehicles can impersonate other vehicles with higher privileges, such as emergency vehicles, to gain extra privileges. The problem most relevant to this dissertation is that the privacy of the drivers of the vehicles can be violated. This vulnerability is analyzed in Chapter 3. In general, an attacker can achieve her goals by tampering with the OBU, an RSU, sensor readings, or the wireless channel.

Traditional mechanisms cannot deal with the vulnerabilities discussed above because of the new challenges in VANETs. One such challenge is the high network volatility caused by the highly mobile, very large scale network. Another challenge is that the network must offer liability and privacy at the same time in an efficient way, as the applications are delay sensitive. To make things even worse, the network is very heterogeneous: different vehicles can have different equipment and abilities, so no single solution can solve every problem.

When defining the key vulnerabilities and challenges of vehicular ad hoc networks, it is crucial to first define and characterize the possible attackers. In many papers [Raya and Hubaux, 2007; Hu et al., 2005] the attacker is characterized as follows:

Insider vs. Outsider: The key difference between an insider and an outsider attacker is that an insider possesses legitimate and valid cryptographic credentials, while an outsider does not have any valid credentials. It is obvious that an insider attacker can mount stronger attacks than an outsider.

Malicious vs. Rational: The main goal of a malicious attacker is to disrupt the normal operation of the network without any further goal, while a rational attacker wants to make some profit with his attack. In general, it is easier to handle a rational attacker, because his steps can be foreseen more easily.

Active vs. Passive: A passive attacker only eavesdrops on the messages of the vehicles, while an active attacker can send, modify, or delete messages.

Local vs. Global: A local attacker mounts his attack in a small area (or in some non-contiguous small areas), while a global attacker has influence over broader areas.

In the following, some basic and sophisticated attacks are presented to give the reader an idea about the threats in vehicular ad hoc networks.

An insider attacker can diffuse bogus information to affect the behavior of other drivers. The source of the information can be a forged sensor reading or modified location data.

In wireless networking, the wormhole attack [Hu et al., 2006] consists in tunneling packets between two remote nodes. Similarly, in VANETs, an attacker that controls at least two entities remote from each other and a high speed communication link between them can tunnel packets broadcasted in one location to another, thus disseminating erroneous (but correctly signed) messages in the destination area.

According to [Kroh et al., 2006] the following security concepts must be used in a vehicular ad hoc network to handle most of the possible attacks: identification and authentication concepts, privacy concepts, integrity concepts, access control and authorization concepts. The concepts are introduced in Section 3.8 with special attention to providing privacy to the users of the system.

In Chapter 3, the privacy of VANETs is analyzed, especially the privacy provided by pseudonyms considering outsider rational passive local attackers. A pseudonym change algorithm is provided as well, considering an outsider rational passive global attacker.

1.3 Introduction to Wireless Sensor Networks

The following description of Wireless Sensor Networks (WSNs) and the related security problems is based on [Akyildiz et al., 2002; Chan and Perrig, 2003; Li et al., 2009; Lopez, 2008; Perrig et al., 2004; Sharma et al., 2012; Yick et al., 2008]. The interested reader can get a broader view and deeper understanding of WSNs by reading the cited papers instead of relying only on this short introduction.

A sensor network is composed of a large number of sensor nodes, which are typically densely deployed. One sensor node consists of some sensor circuits which can measure some environmental variable, a central processing unit which is typically a microcontroller, and a radio circuit which enables communication with other nearby nodes. The goal of a wireless sensor network can be one of many applications: military applications (e.g. battlefield surveillance), environmental applications (e.g. forest fire detection), critical infrastructure protection (e.g. surveillance of water pipes), health applications (e.g. drug administration in hospitals), home applications (e.g. smart environment).


Some important security challenges in WSNs are: secure routing, secure key management, efficient (broadcast) authentication, secure localization, secure data aggregation. A good introduction to these problems and some countermeasures can be found in [Lopez, 2008].

The privacy related challenges can be categorized into two main groups [Li et al., 2009]: data-oriented and context-oriented challenges. In data-oriented protection, the confidentiality of the measured data must be preserved. Context-oriented protection covers the location privacy of the source and of some significant nodes such as the base station or aggregator nodes:

• Data-oriented privacy protection: Data-oriented privacy protection focuses on protecting the privacy of data content. Here "data" refers not only to sensed data collected within a WSN but also to queries posed to a WSN by users.

– Privacy protection during data aggregation: Data aggregation is designed to substantially reduce the volume of traffic being transmitted in a WSN by fusing or compressing data in the intermediate sensor nodes (called aggregators). It is an important technique for preserving resources (e.g., energy consumption) in a WSN. Interestingly, it is also a common and effective method to preserve private data against an external adversary, because the process compresses large inputs to small outputs at the intermediate sensor nodes. On the other hand, a malicious aggregator can modify the measurements of many nodes in one step, or can learn the measurements of individual nodes. Some countermeasures are proposed in [He et al., 2007; Zhang et al., 2008].

* Cluster-based privacy data aggregation (CPDA): The basic idea of CPDA [He et al., 2007] is to introduce noise into the raw data sensed in a WSN, such that an aggregator can obtain accurate aggregated information but not the individual data points.

* Slice-mixed aggregation (SMART): The main idea of SMART [He et al., 2007] is to slice original data into pieces and recombine them randomly. This is done in three phases: slicing, mixing, and aggregation.

* Generic privacy-preservation solutions for approximate aggregation (GP2S): The basic idea of GP2S [Zhang et al., 2008] is to generalize the values of data transmitted in a WSN, such that although individual data content cannot be decrypted, the aggregator can still obtain an accurate estimate of the histogram of the data distribution, and thereby approximate the aggregates.

– Private data query: The query issued to a WSN (to retrieve the collected data) is often also of critical privacy concern. To address this challenge, a target-region transformation technique was proposed in [Carbunar et al., 2007] to blur the target region of the query according to predefined transformation functions.

• Context-oriented privacy protection: Context-oriented privacy protection focuses on protecting contextual information, such as the location and timing information of traffic transmitted in a WSN. Location privacy concerns may arise for such special sensor nodes as the data source and the base station. Timing privacy, on the other hand, concerns the time when sensitive data is created at a data source, collected by a sensor node and transmitted to the base station.

– Location privacy: A major challenge for context-oriented privacy protection is that an adversary may be able to compromise private information even without the ability to decrypt the transmitted data. In particular, since hop-by-hop transmission is required to address the limited transmission range of sensor nodes, an adversary may derive the locations of important nodes and data sources by observing and analyzing the traffic patterns between different hops.

* Location privacy of data source: In event driven networks, an event is generated if something interesting happens in the vicinity of a node. In some networks, the only data sent to the base station is the occurrence of the event. Thus the presence of communication reveals the location of the event. In some situations, this must be hidden from an attacker. Some approaches are described in the following:

· Baseline and probabilistic flooding mechanisms: The basic idea of baseline flooding is for each sensor to broadcast the data it receives from one neighbor to all of its other neighbors. The premise of this approach is that all sensors participate in the data transmission so that it is unlikely for an attacker to track a path of transmission back to the data source [Kamat et al., 2005]. This can be further optimized if not every node rebroadcasts the message, only a probabilistically chosen set of them.

· Random walk mechanisms: According to [Kamat et al., 2005], a random walk can be performed before the probabilistic flooding to further increase the uncertainty of the attacker. To improve the simple random walk, a two-way greedy random walk (GROW) scheme was proposed in [Xi et al., 2006].

· Dummy data mechanism: To further protect the location of the data source, fake data packets can be introduced to perturb the traffic patterns observed by the adversary. In particular, a simple scheme called Short-lived Fake Source Routing was proposed in [Kamat et al., 2005] for each sensor to send out a fake packet with a pre-determined probability.

· Fake data sources mechanism: The basic idea of fake data sources is to choose one or more sensor nodes to simulate the behavior of a real data source in order to confuse the adversaries [Mehta et al., 2007].

* Location privacy of base station: In a WSN, a base station is not only in charge of collecting and analyzing data, but is also used as the gateway connecting the WSN with an outside wireless or wired network. Consequently, destroying or isolating the base station may lead to the malfunction of the entire network. This can be circumvented if the location of the base station is unknown to the adversary.

· Defense against local adversaries: The location information or identifier of the base station is sent in the clear in many protocols. This information must be hidden from an eavesdropper, which can be done by traditional cryptographic techniques (encryption). Another problem arises if the attacker can follow the path of packets from the source towards the base station. This can be mitigated by changing the data appearance by re-encryption [Deng et al., 2006a; Dingledine et al., 2004], routing with multiple parents [Deng et al., 2005; Deng et al., 2006a], routing with random walk [Jian et al., 2007], or decorrelating the parent-child relationship by randomly selecting the sending time [Deng et al., 2006a].

· Defense against global adversaries: The techniques discussed above are inefficient against a global attacker. To fight against a global attacker, the traffic patterns of the whole network must be modified. This can be done by hiding the traffic pattern by controlling the transmission rate [Deng et al., 2006a], or by propagating dummy data [Deng et al., 2005; Deng et al., 2006a].

– Temporal privacy problem: When an adversary eavesdrops on a message, it can deduce the sending time of the message from the time of eavesdropping and the TTL value. In some applications this information must be hidden. This can be done by the relaying nodes randomly delaying the messages [Kamat et al., 2007].

As can be seen from the discussion above, a considerable amount of work has been done in the field of privacy in wireless sensor networks. However, the particular problem of location privacy of aggregator nodes has received less attention. Therefore, in Chapter 4, I study this problem and propose two anonymous aggregator election protocols, which can hide the identity of the aggregator nodes.


The remainder of the dissertation is organized as follows: In Chapter 2, I propose two private authentication schemes for resource limited systems, such as RFID systems. The results presented in Chapter 2 have been published in [Buttyan et al., 2006a; Buttyan et al., 2006b; Avoine et al., 2007]. In Chapter 3, I analyze the privacy achieved by pseudonym changing techniques in vehicular ad hoc networks, and propose a pseudonym changing algorithm for VANETs. All results of Chapter 3 have been published in [Buttyan et al., 2007; Papadimitratos et al., 2008; Holczer et al., 2009; Buttyan et al., 2009]. In Chapter 4, I analyze how an aggregator node can be elected and used in wireless sensor networks without revealing its identity. All results of Chapter 4 have been published in [Buttyán and Holczer, 2009; Buttyán and Holczer, 2010; Holczer and Buttyán, 2011; Schaffer et al., 2012]. The possible applications of the new results can be found in Chapter 5, while Chapter 6 concludes the dissertation.


Chapter 2

Private Authentication in Resource Constrained Environments

2.1 Introduction to private authentication

Entity authentication is the process whereby a party (the prover) corroborates its identity to another party (the verifier). Entity authentication is often based on authentication protocols in which the parties pass messages to each other. These protocols are engineered in such a way that they resist various types of impersonation and replay attacks [Boyd and Mathuria, 2003]. However, less attention is paid to the requirement of preserving the privacy of the parties (typically that of the prover) with respect to an eavesdropping third party. Indeed, in many of the well-known and widely used authentication protocols (e.g., [ISO, 2008; Kohl and Neuman, 1993]) the identity of the prover is sent in cleartext, and hence, it is revealed to an eavesdropper.

One approach to solve this problem is based on public key cryptography, and it consists of encrypting the identity information of the prover with the public key of the verifier so that no one but the verifier can learn the prover's identity [Abadi and Fournet, 2004]. Another approach, also based on public key techniques, is that the parties first run an anonymous Diffie-Hellman key exchange and establish a confidential channel, through which the prover can send its identity and authentication information to the verifier in a second step. An example of this second approach is the main mode of the Internet Key Exchange (IKE and IKEv2) protocol [Harkins and Carrel, 1998; Black and McGrew, 2008]. While it is possible to hide the identity of the prover by using the above mentioned approaches, they provide an appropriate solution to the problem only if the parties can afford public key cryptography. In many applications, such as low cost RFID tags and contactless smart card based automated fare collection systems in mass transportation, this is not the case, while at the same time, the provision of privacy (especially location privacy) in those systems is strongly desirable.

The problem of using symmetric key encryption to hide the identity of the prover is that the verifier does not know which symmetric key it should use to decrypt the encrypted identity, because the appropriate key cannot be retrieved without the identity. The verifier may try all possible keys in its key database until one of them properly decrypts the encrypted identity¹, but this would increase the authentication delay if the number of potential provers is large. Long authentication delays are usually not desirable; moreover, in some cases, they may not even be acceptable. As an example, let us consider again contactless smart card based electronic tickets in public transportation: the number of smart cards in the system (i.e., the number of potential provers) may be very large in big cities, while the time needed to authenticate a card should be short in order to ensure a high throughput of passengers and avoid long queues at entry points.

¹ This of course requires redundancy in the encrypted message so that the verifier can determine whether the decryption was successful.


Some years ago, Molnar and Wagner proposed an elegant approach to privacy protecting authentication [Molnar and Wagner, 2004] that is based on symmetric key cryptography while still ensuring short authentication delays. More precisely, the complexity of the authentication procedure in the Molnar-Wagner scheme is logarithmic in the number of potential provers, in contrast with the linear complexity of the naïve key search approach. The main idea of Molnar and Wagner is to use key-trees (see Figure 2.1 for illustration). A key-tree is a tree where a unique key is assigned to each edge. The leaves of the tree represent the potential provers, which are called members in the sequel. Each member possesses the keys assigned to the edges of the path starting from the root and ending in the leaf that corresponds to the given member. The verifier knows all keys in the tree. In order to authenticate itself, a member uses all of its keys, one after the other, starting from the first level of the tree and proceeding towards lower levels. The verifier first determines which first level key has been used. For this, it needs to search through the first level keys only.

Once the first key is identified, the verifier continues by determining which second level key has been used. However, for this, it needs to search only through those second level keys that reside below the already identified first level key in the tree. This process is continued until all keys are identified, which, at the end, identify the authenticating member. The key point is that the verifier can reduce the search space considerably each time a key is identified, because it needs to consider only the subtree below the recently identified key.
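As an added illustration of the level-by-level search just described (this is not code from the dissertation; the key derivation from a constructed seed, the HMAC-SHA256 proof per level and the verifier nonce are assumptions), the following simulates a key-tree, a member's authentication and the verifier's search, counting the key trials the verifier performs:

```python
"""Simulation of key-tree based private authentication (Molnar-Wagner style).

Added illustration, not code from the dissertation. Assumptions: edge keys
are derived deterministically from a constructed seed, a member proves
possession of a key with HMAC-SHA256 over a verifier nonce, and each HMAC
the verifier evaluates counts as one basic operation. The branching factor
vector is given root-first, B = (b1, ..., b_l), as in the text.
"""
import hashlib
import hmac
from itertools import product


def build_key_tree(branching, seed=b"constructed-seed"):
    """Map every edge, identified by its path (i1, ..., ik) from the root, to a key."""
    keys = {}
    for level in range(1, len(branching) + 1):
        for path in product(*(range(b) for b in branching[:level])):
            keys[path] = hashlib.sha256(seed + str(path).encode()).digest()
    return keys


def member_keys(keys, leaf):
    """The keys one member holds: one per edge on its root-to-leaf path."""
    return [keys[leaf[:k]] for k in range(1, len(leaf) + 1)]


def prove(mkeys, nonce):
    """Prover side: one MAC per level, first level first."""
    return [hmac.new(k, nonce, hashlib.sha256).digest() for k in mkeys]


def verify(keys, branching, nonce, proofs):
    """Verifier side: identify the key level by level, searching only the
    subtree below the key found so far. Returns (leaf or None, operations)."""
    ops = 0
    prefix = ()
    for level, b in enumerate(branching):
        matched = None
        for child in range(b):
            ops += 1                      # one MAC computation per candidate key
            cand = prefix + (child,)
            mac = hmac.new(keys[cand], nonce, hashlib.sha256).digest()
            if hmac.compare_digest(mac, proofs[level]):
                matched = cand
                break                     # search space shrinks to this subtree
        if matched is None:
            return None, ops              # no key at this level matched: reject
        prefix = matched
    return prefix, ops


def worst_case_delay(branching):
    """D = b1 + ... + b_l: the member sitting last at every level."""
    return sum(branching)


def run(branching, leaf, nonce=b"constructed-nonce"):
    """Authenticate the member at `leaf`; returns (identified leaf, key trials)."""
    keys = build_key_tree(branching)
    proofs = prove(member_keys(keys, leaf), nonce)
    return verify(keys, branching, nonce, proofs)


if __name__ == "__main__":
    # three-level tree: worst case 3+3+3 = 9 trials instead of 27 for a flat search
    print(run((3, 3, 3), (2, 2, 2)), worst_case_delay((3, 3, 3)))
    print(run((27,), (26,)), worst_case_delay((27,)))   # naive single-level case
```

The naive linear key search of the previous paragraph is the single-level tree `(N,)`, for which the worst case is N trials.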

[Figure 2.1 (image not reproduced): a key-tree with keys k1, k11, k111 on the edges of the path to the leftmost leaf.]

Figure 2.1: Illustration of a key-tree. There is a unique key assigned to each edge. Each leaf represents a member of the system that possesses the keys assigned to the edges of the path starting from the root and ending in the given leaf. For instance, the member that belongs to the leftmost leaf in the figure possesses the keys k1, k11, and k111.

The problem of the above described tree-based approach is that upper level keys in the tree are used by many members, and therefore, if a member is compromised and its keys become known to the adversary, then the adversary gains partial knowledge of the keys of other members too [Avoine et al., 2005]. This obviously reduces the privacy provided by the system to its members, since by observing the authentication of an uncompromised member, the adversary can recognize the usage of some compromised keys, and therefore its uncertainty regarding the identity of the authenticating member is reduced (it may be able to determine which subtree the member belongs to).

One interesting observation is that the naïve, linear key search approach can be viewed as a special case of the key-tree based approach, where the key-tree has a single level and each member has a single key. Regarding the above described problem of compromised members, the naïve approach is in fact optimal, because compromising a member does not reveal any key information of other members. At the same time, as described above, the authentication delay is the worst in this case. On the other hand, in case of a binary key-tree, it can be observed that the compromise of a single member strongly² affects the privacy of the other members, while at the same time, the binary tree is very advantageous in terms of authentication delay. Thus, there seems to be a trade-off between the level of privacy provided by the system and the authentication delay, which depends on the parameters of the key-tree, but it is far from obvious to see how the optimal key-tree should look like. In this chapter, I address this problem, and I show how to find optimal key-trees.

² The precise quantification of this effect is the topic of this chapter and will be presented later.

In this chapter, after finding the optimal key-tree, I go further and I present a novel symmetric-key private authentication scheme that provides a higher level of privacy and achieves better efficiency than the key-tree based approach. This approach is called the group based approach.

More precisely, the complexity of the group based scheme for the reader can be set to be $O(\log N)$ (i.e., the same as in the key-tree based approach), while the complexity for the tags is always a constant (in contrast to $O(\log N)$ of the key-tree based approach). Hence, the group based scheme is better than the key-tree based scheme both in terms of privacy and efficiency, and therefore, it is a serious alternative to the key-tree based scheme to be considered by the RFID community.

More precisely, the main contributions are the following:

• I propose a benchmark metric for measuring the resistance of the system to a single compromised member based on the concept of anonymity sets. To the best of my knowledge, anonymity sets have not been used in the context of private authentication yet. I prove that this simply defined metric is equivalent to a metric widely used in cryptography with a much more complex definition. The real contribution of the metric is that its definition simplifies the usage of the metric without losing any details of the more complex metric.

• I introduce the idea of using different branching factors at different levels of the key-tree; the advantage is that the system's resistance to single member compromise can be increased while still keeping the authentication delay short. To the best of my knowledge, key-trees with variable branching factors have not been proposed yet for private authentication.

• I present an algorithm for determining the optimal parameters of the key-tree, where optimal means that resistance to single member compromise is maximized, while the authentication delay is kept below a predefined threshold.

• In the general case, when any member can be compromised, I give a lower bound on the level of privacy provided by the system, and present some simulation results that show that this lower bound is quite sharp. This allows me to compare different systems based on their lower bounds.

• I introduce a group based approach, which is superior to the tree-based approach in many properties.

• In summary, I propose practically usable techniques for designers of RFID based authentication systems.

The outline of the chapter is the following: in Section 2.2, I introduce my benchmark metric to measure the level of privacy provided by key-tree or group based authentication systems, and I illustrate, through an example, how this metric can be used to compare systems with different parameters. By the same token, I also show that key-trees with variable branching factors can be better than key-trees with a constant branching factor at every level. In Section 2.3, I formulate the problem of finding the best key-tree with respect to my benchmark metric as an optimization problem, and I present an algorithm that solves that optimization problem. In Section 2.4, I consider the general case, when any number of members can be compromised, and I derive a useful lower bound on the level of privacy provided by the system. After finding the optimal key-tree, I describe the operation of my group based scheme in Section 2.5, and I quantify the level of privacy that it provides in Section 2.6. I compare the group based scheme to the key-tree based approach in Section 2.7. Finally, in Section 2.8, I report on some related work, and in Section 2.9, I conclude the chapter.

2.2 Resistance to single member compromise

There are different ways to measure the level of anonymity provided by a system [Diaz et al., 2002; Serjantov and Danezis, 2003]. Here the concept of anonymity sets [Chaum, 1988] is used. The anonymity set of a member v is the set of members that are indistinguishable from v from the adversary's point of view. The size of the anonymity set is a good measure of the level of privacy provided for v, because it is related to the level of uncertainty of the adversary, if all members of the set are equally likely (otherwise an entropy based metric can be used). Clearly, the larger the anonymity set is, the higher the level of privacy is. The minimum size of the anonymity set is 1, and its maximum size is equal to the number of all members in the system. In order to make the privacy measure independent of the number of members, one can divide the anonymity set size by the total number of members, and obtain a normalized privacy measure between 0 and 1. Such normalization makes the comparison of different systems easier.

Now, let us consider a key-tree with $\ell$ levels and branching factors $b_1, b_2, \ldots, b_\ell$ at the levels, and let us assume that exactly one member is compromised (see Figure 2.2 for illustration). Knowledge of the compromised keys allows the adversary to partition the members into subsets $P_0, P_1, P_2, \ldots$, where

• $P_0$ contains the compromised member only,

• $P_1$ contains the members the parent of which is the same as that of the compromised member, and that are not in $P_0$,

• $P_2$ contains the members the grandparent of which is the same as that of the compromised member, and that are not in $P_0 \cup P_1$,

• etc.

Members of a given subset are indistinguishable for the adversary, while it can distinguish between members that belong to different subsets. Hence, each subset is the anonymity set of its members.

[Figure 2.2 (image not reproduced): the key-tree of Figure 2.1 with keys k1, k11, k111 compromised and the leaves partitioned into P0, P1, P2, P3.]

Figure 2.2: Illustration of what happens when a single member is compromised. Without loss of generality, it is assumed that the member corresponding to the leftmost leaf in the figure is compromised. This means that the keys k1, k11, and k111 become known to the adversary. This knowledge of the adversary partitions the set of members into anonymity sets P0, P1, ... of different sizes. Members that belong to the same subset are indistinguishable to the adversary, while it can distinguish between members that belong to different subsets. For instance, the adversary can recognize a member in subset P1 by observing the usage of k1 and k11 but not that of k111, where each of these keys is known to the adversary. Members in P3 are recognized by the adversary not being able to observe the usage of any of the keys known to it.

The level of privacy provided by the system can be characterized by the level of privacy provided to a randomly selected member, or in other words, by the expected size of the anonymity set of a randomly selected member. By definition, the expected anonymity set size is:

$$\bar{S} = \sum_{i=0}^{\ell} \frac{|P_i|}{N}\,|P_i| = \sum_{i=0}^{\ell} \frac{|P_i|^2}{N} \qquad (2.1)$$


where $N$ is the total number of members, and $|P_i|/N$ is the probability of selecting a member from subset $P_i$. The resistance to single member compromise, denoted by $R$, is defined as the normalized expected anonymity set size, which can be computed as follows:

$$R = \frac{\bar{S}}{N} = \sum_{i=0}^{\ell} \frac{|P_i|^2}{N^2} = \frac{1}{N^2}\Bigl(1 + (b_\ell - 1)^2 + ((b_{\ell-1} - 1)\,b_\ell)^2 + \ldots + ((b_1 - 1)\,b_2 b_3 \ldots b_\ell)^2\Bigr)$$

$$\phantom{R} = \frac{1}{N^2}\left(1 + (b_\ell - 1)^2 + \sum_{i=1}^{\ell-1} (b_i - 1)^2 \prod_{j=i+1}^{\ell} b_j^2\right) \qquad (2.2)$$

where it is used that

$|P_0| = 1$

$|P_1| = b_\ell - 1$

$|P_2| = (b_{\ell-1} - 1)\,b_\ell$

$|P_3| = (b_{\ell-2} - 1)\,b_{\ell-1}\,b_\ell$

$\ldots$

$|P_\ell| = (b_1 - 1)\,b_2 b_3 \ldots b_\ell$

As its name indicates, R characterizes the loss of privacy due to the compromise of a single member of the system. If R is close to 1, then the expected anonymity set size is close to the total number of members, and hence, the loss of privacy is small. On the other hand, if R is close to 0, then the loss of privacy is high, as the expected anonymity set size is small. R is used as a benchmark metric based on which different systems can be compared.

This metric can be seen as being a little ad hoc, but actually the same metric is used in other papers like [Avoine et al., 2005] with a different, more complex definition:

Theorem 1. The expected anonymity set size based metric (R) is the complement of the one-tag-tampering based metric (M) defined in [Avoine et al., 2005].

Proof. The metric M used in [Avoine et al., 2005] is defined in that paper as:

1. The attacker has one tag T0 (e.g., her own) she can tamper with and thus obtain its complete secret. For the sake of calculation simplicity, we assume that T0 is put back into circulation. When the number of tags in the system is large, this does not significantly affect the results.

2. She then chooses a target tag T. She can query it as much as she wants but she cannot tamper with it.

3. Given two tags T1 and T2 such that T ∈ {T1, T2}, we say that the attacker succeeds if she definitely knows which of T1 and T2 is T. We define the probability to trace T as being the probability that the attacker succeeds. To do that, the attacker can query T1 and T2 as many times as she wants but, obviously, cannot tamper with them.

In the following $P_1, \ldots, P_k$ are the subsets of the tags after the compromise of some tags ($\sum_{i=1}^{k} |P_i| = N$).

In the third step, the attacker can be successful if (and only if) T1 and T2 belong to different subsets.

The probability of the attacker's success is the probability that two randomly chosen tags belong to two different subsets. This probability can be calculated as follows:

$$M = 1 - \Pr(T_1, T_2 \text{ are in } P_1) - \ldots - \Pr(T_1, T_2 \text{ are in } P_k) = 1 - \sum_{i=1}^{k} \left(\frac{|P_i|}{N}\right)^2$$

This is the complement of the metric R (M + R = 1).


Obviously, a system with greater R is better, and therefore, one would like to maximize R (and at the same time minimize M). However, there are some constraints. The maximum authentication delay, denoted by D, is defined as the number of basic operations needed to authenticate any member in the worst case. The maximum authentication delay in case of key-tree based authentication can be computed as $D = \sum_{i=1}^{\ell} b_i$. In most practical cases, there is an upper bound $D_{max}$ on the maximum authentication delay allowed in the system. For instance, in the specification for electronic ticketing systems for public transport applications in Hungary [Berki, 2008], it is required that a ticket validation transaction should be completed in 250 ms. Taking into account the details of the ticket validation protocol, one can derive $D_{max}$ for electronic tickets from such specifications. Therefore, in practice, the designer's task is to maximize R under the constraint that $D \le D_{max}$. This problem is addressed in Section 2.3.

In the remainder of this section, I illustrate how the benchmark metric R can be used to compare different systems. This exercise will also lead to an important revelation: key-trees with varying branching factors at different levels can provide a higher level of privacy than key-trees with a constant branching factor, while having the same or even a shorter authentication delay.

Example: Let us assume that the total number N of members is 27000 and the upper bound $D_{max}$ on the maximum authentication delay is 90. Let us consider a key-tree with a constant branching factor vector $B = (30, 30, 30)$, and another key-tree with branching factor vector $B' = (60, 10, 9, 5)$. Both key-trees can serve the given population of members, since $30^3 = 60 \cdot 10 \cdot 9 \cdot 5 = 27000$. In addition, both key-trees ensure that the maximum authentication delay is not longer than $D_{max}$: for the first key-tree, we have $D = 3 \cdot 30 = 90$, whereas for the second one, we get $D = 60 + 10 + 9 + 5 = 84$. Using (2.2), we can compute the resistance to single member compromise for both key-trees. For the first tree, we get $R \approx 0.9355$, while for the second tree we obtain $R \approx 0.9672$. Thus, we arrive at the conclusion that the second key-tree with variable branching factors is better, as it provides a higher level of privacy, while ensuring a smaller authentication delay.

At this point, several questions arise naturally: Is there an even better branching factor vector than $B'$ for $N = 27000$ and $D_{max} = 90$? What is the best branching factor vector for this case? How can we find the best branching factor vector in general? I give the answers to these questions in the next section.

2.3 Optimal trees in case of single member compromise

The problem of finding the best branching factor vector can be described as an optimization problem as follows: Given the total number $N$ of members and the upper bound $D_{\max}$ on the maximum authentication delay, find a branching factor vector $B = (b_1, b_2, \ldots, b_\ell)$ such that $R(B)$ is maximal subject to the following constraints:

$$\prod_{i=1}^{\ell} b_i = N \qquad (2.3)$$

$$\sum_{i=1}^{\ell} b_i \le D_{\max} \qquad (2.4)$$
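The following Python script is an added worked example (editor's code, not part of the dissertation) that recomputes the numbers of the example above and then solves the optimization problem (2.3)-(2.4) by brute force for the same instance, $N = 27000$ and $D_{\max} = 90$. Formula (2.2) itself lies outside this excerpt; the `resistance` function uses the anonymity-set formulation that reproduces the two values quoted in the example ($R \approx 0.9355$ and $R \approx 0.9672$), so that formulation is an assumption of the example, as is the restriction of the search to non-increasing vectors, which is justified by Lemma 1. The function names `delay`, `population`, `resistance`, `candidate_trees` and `best_tree` are the editor's own.

```python
from math import prod


def delay(B):
    """Maximum authentication delay D(B): the sum of the branching
    factors, bounded by Dmax through constraint (2.4)."""
    return sum(B)


def population(B):
    """Number of members the tree can serve: the product of the
    branching factors, fixed to N by constraint (2.3)."""
    return prod(B)


def resistance(B):
    """Resistance to single member compromise R(B).

    Editor's assumption (formula (2.2) is not in this excerpt): when one
    member is compromised, the attacker learns the keys on its root-to-leaf
    path.  The other members fall into anonymity sets: those sharing the
    first i-1 path keys but not the i-th form a set of size
    (b_i - 1) * b_{i+1} * ... * b_l, and the compromised member alone forms
    a set of size 1.  R is the expected anonymity-set size of a randomly
    chosen member divided by N, i.e. sum(|P|^2) / N^2.  This reproduces
    the 0.9355 and 0.9672 of the worked example in the text.
    """
    N = prod(B)
    sizes = [(B[i] - 1) * prod(B[i + 1:]) for i in range(len(B))] + [1]
    assert sum(sizes) == N  # the anonymity sets partition the population
    return sum(s * s for s in sizes) / (N * N)


def candidate_trees(N, Dmax, largest=None):
    """Yield every non-increasing vector of integers >= 2 with product N
    and sum <= Dmax, i.e. every feasible point of (2.3)-(2.4) up to
    permutation.  By Lemma 1, sorting in decreasing order never lowers R,
    so nothing is lost by enumerating only non-increasing vectors."""
    if N == 1:
        yield ()
        return
    if largest is None:
        largest = N
    for b in range(min(N, largest, Dmax), 1, -1):
        if N % b == 0:
            for rest in candidate_trees(N // b, Dmax - b, b):
                yield (b,) + rest


def best_tree(N, Dmax):
    """Brute-force solution of (2.3)-(2.4): the feasible branching factor
    vector with maximal R, or None when no vector is feasible."""
    return max(candidate_trees(N, Dmax), key=resistance, default=None)


if __name__ == "__main__":
    for B in [(30, 30, 30), (60, 10, 9, 5)]:
        print(B, "N =", population(B), "D =", delay(B),
              "R =", round(resistance(B), 4))
    B_star = best_tree(27000, 90)
    print("best for N = 27000, Dmax = 90:", B_star,
          "D =", delay(B_star), "R =", round(resistance(B_star), 4))
```

The brute-force search is only practical for small $N$ (the recursion visits every divisor chain of $N$ whose sum stays below $D_{\max}$); the lemmas that follow lead to the algorithm the dissertation proposes for the general case. Note that `best_tree` returns `None` when $D_{\max}$ is smaller than the sum of the prime factors of $N$, since no key-tree can then satisfy both constraints.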

This optimization problem is analyzed through a series of lemmas that will lead to an algorithm that solves the problem. The first lemma states that we can always improve a branching factor vector by ordering its elements in decreasing order, and hence, in the sequel only ordered vectors are considered:

Lemma 1. Let $N$ and $D_{\max}$ be the total number of members and the upper bound on the maximum authentication delay, respectively. Moreover, let $B$ be a branching factor vector and let $B'$ be the vector that consists of the sorted permutation of the elements of $B$ in decreasing order. If $B$ satisfies the constraints of the optimization problem defined above, then $B'$ also satisfies them, and $R(B') \ge R(B)$.
