donggang liu and peng ning department of computer science nc state university
Post on 03-Jan-2016
11 Views
Preview:
DESCRIPTION
TRANSCRIPT
CSC 774 Adv. Net. Security 1
Computer Science
Efficient Distribution of Key Chain Commitments for Broadcast Authentication in
Distributed Sensor Networks
Donggang Liu and Peng Ning
Department of Computer Science
NC State University
CSC 774 Adv. Net. Security 2Computer Science
Background
• Sensor Networks– One or a few more powerful base stations and a pot
entially large number of sensor nodes• Inexpensive
• Limited resources (computational power, memory space, energy, etc.)
– When security is a concern, it is necessary for the sensors to authenticate messages received from base stations.
CSC 774 Adv. Net. Security 3Computer Science
Time
K1 K2 Kn-2Key Disclosure
TESLA
• A variation of TESLA– Based on symmetric cryptography
– Provide broadcast source authentication by delayed disclosure of authentication keys
– Authentication of messages depends on the authenticity of the key chain commits K0.
Ki=F(Ki+1), F: pseudo random function
…
Authentication Keys
K4FK3
FK2FK1
FK0F Kn= RF
commitment
CSC 774 Adv. Net. Security 4Computer Science
Distribution of Key Chain Commits
• TESLA– Digital signatures: Too expensive for sensors– Use the current keys to authenticate the
commitment of the next key chain.• Attractive targets for attackers.• Loss of commitment distribution messages loss of the
next key chain bootstrap again.
Old key chain New key chain
New commit K0’ Old key Kn
CSC 774 Adv. Net. Security 5Computer Science
Distribution of Key Chain Commits (Cont’d)
TESLA– Unicast-based secure communication with the base
station.– Do not scale to large networks
CSC 774 Adv. Net. Security 6Computer Science
Techniques
• Multi-level TESLA– Predetermination and broadcast instead of unicast.– Use high-level key chain to authenticate commitments of
low-level key chains.– Tolerate communication failures and malicious attacks.
• Five Schemes– Each later scheme improves over the previous one by
addressing its limitations.– The final scheme
• Low overhead• Tolerate message losses• Scalable to large networks• Resistant to replay attacks and DOS attacks.
CSC 774 Adv. Net. Security 7Computer Science
Scheme I: Predetermined Key Chain Commitment• Predetermine the TESLA parameters along w
ith the master key distribution– commitment– start time– other parameters
• Shortcomings– Long key chain or large time interval?– Difficulties in setting up start time
CSC 774 Adv. Net. Security 8Computer Science
Scheme II: Naïve Two-Level Key Chains
• Two-level key chains– One high-level key chain and multiple low-level
key chains– High-level key chain
• Authenticate commitments of low-level key chains
• Done through broadcast of Commit Distribution Messages (CDM)
– Low-level key chains• Authenticate actual data messages
CSC 774 Adv. Net. Security 9Computer Science
Scheme II (Cont’d)
Ki-1 Ki
...Ki-1,1 Ki-1,2 Ki-1,m Ki,1 Ki,2 Ki,m Ki+1,1 Ki+1,2...Ki-2,m
F0 F0F0
F1 F1 F1 F1 F1 F1 F1
......
Time
Ki-1,0 Ki,0 Ki+1,0
F1F1 F1
CDMi=i|Ki+1,0|H(Ki+2 ,0)|MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1
• The two-levels of key chains
CDMi-1=i|Ki,0|H(Ki+1, 0)|MACK’i-1(i|Ki, 0|H(Ki+1, 0 ))|K i-2
CSC 774 Adv. Net. Security 10Computer Science
Scheme II (Cont’d)
Ii,1 Ii,2 Ii,m Ii+1,1 Ii+1,2 Ii+1,m... ...
...
...
Ii Ii+1
Ki+1,0 Ki+2,0
Ki-1,m-d+1...
...
Ki-1,m-d+2 Ki,m-d Ki,m-d+1 Ki,m-d+2 Ki+1,m-d
TimeDisclosure oflow-level keys
Disclosure ofhigh-level keys
Distribution oflow-level
commitments
Ki-1 Ki
• Key disclosure schedule
CSC 774 Adv. Net. Security 11Computer Science
Scheme II (cont’d)
• Limitations– Loss of CDM message during high-level interval Ii
• unable to authenticate during Ii+1
– Loss of the last several low-level keys
• unable to authenticate the corresponding messages.
Ki-1 Ki
...Ki-1,1 Ki-1,2 Ki-1,m Ki,1 Ki,2 Ki,m Ki+1,1 Ki+1,2...Ki-2,m
F0 F0F0
F1 F1 F1 F1 F1 F1 F1
......
Time
Ki-1,0 Ki,0 Ki+1,0
F1F1 F1
CSC 774 Adv. Net. Security 12Computer Science
Scheme III: Fault Tolerant Two-Level Key Chains• Tolerate CDM message loss:
– Periodically broadcast CDM messages
– Assume • Probability that a receiver lose a CDM message: pf
• Broadcast frequency: F,
• Duration of a high-level interval: 0
– Reduce loss rate to
– Increase overhead by F0 times
• Tolerate normal message loss: – Connect the low-level key chains and the high-level key
chain
p fF 0
CSC 774 Adv. Net. Security 13Computer Science
Scheme III (Cont’d)
Ki-1 Ki
...Ki-1,1 Ki-1,2 Ki-1,m Ki,1 Ki,2 Ki,m Ki+1,1...Ki-2,m
F01 F01 F01
F1 F1 F1 F1 F1 F1 F1
......
Time
Ki-1,0 Ki,0 Ki+1,0
F1F1 F1
CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1
CSC 774 Adv. Net. Security 14Computer Science
DOS attacks
• CDM messages are more attractive to attackers• DOS attacks against CDM messages
– Selective jamming– Smart attacks: only change certain fields in CDM
messages • A receiver cannot discard the messages until it gets the
corresponding disclosed key
CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1
Low-level Key Chain Commitment for Ii+1
Image ofLow-level Key Chain Commitment for Ii+1
Disclosed High-level Key for Ii-1
MAC
CSC 774 Adv. Net. Security 15Computer Science
Scheme IV: (Final) Two-Level Key Chains
• Randomize CDM distribution to mitigate selective jamming attacks– We assume there are other methods to deal with
constant jamming.
• Random selection strategy to mitigate smart DOS attacks– Single buffer random selection– Multiple buffer random selection
CSC 774 Adv. Net. Security 16Computer Science
Scheme IV (Cont’d)
• Single buffer random selection– Assume each sensor has one buffer for CDM– Initial verification to discard forged CDMi
• Authenticate disclosed high-level key.• Authenticate Ki+1,0 if CDMi-1 is authenticated.
– For the k-th copy of CDMi that passes the initial verification
• Save it in the buffer with probability 1/k.• All such copies have equal probability to be saved.
– The probability that a sensor has an authentic CDM
• P(CDMi) = 1 p, where
p# forged copies
# total copies
CSC 774 Adv. Net. Security 17Computer Science
Scheme IV (Cont’d)
• Multiple buffer random selection– Assume each sensor has m buffers for CDM– Initial verification to discard forged CDMi
• Same as before.
– For the k-th copy of a CDMi that passes the initial verification
• k m save it in one available buffer.• k > m save it in a randomly selected buffer with
probability m/k; • All such copies have equal probability to be saved.
– The probability that the sensor has an authentic CDM
• P(CDMi) = 1 pm, where
p# forged copies
# total copies
CSC 774 Adv. Net. Security 18Computer Science
Scheme V: Multi-Level Key Chains
• m levels of key chains, arranged from level 0 to level m-1 from top down.– Keys in level m-1 are used for authenticating data– Each higher-level key chain is used to authenticate
the commitments for its immediately lower-level key chains.
– Every two adjacent levels work in the same way as in Scheme IV.
CSC 774 Adv. Net. Security 19Computer Science
Simulation Study
• Network model– Emulate broadcast channel over IP multicast
– One base station
– One attacker
– Multiple sensor nodes
– Sensors are one-hop neighbors of the base station and the attacker
• Parameters– Channel loss rate
– Percentage of forged CDM packets
– Buffer size at sensors (data packets and CDM packets)
CSC 774 Adv. Net. Security 20Computer Science
Simulation Study (Cont’d)
• Metrics– %authenticated data packets at a sensor node
(#authenticated data packets/received data packets)– Average data authentication delay (the average
time between the receipt and the authentication of a data packet).
CSC 774 Adv. Net. Security 21Computer Science
Experimental Results
• Buffer allocation schemes
1 CDM buffers
1 CDM buffers
95% forged CDM
CSC 774 Adv. Net. Security 22Computer Science
Experimental Results (Cont’d)
• %authenticated data packets
95% forgedCDM
39 CDM buffers3 data buffers
CSC 774 Adv. Net. Security 23Computer Science
Experimental Results (Cont’d)
• Average data packet authentication delay39 CDM buffers3 data buffers
CSC 774 Adv. Net. Security 24Computer Science
Conclusion
• Developed a multi-level key chain scheme to efficiently distribute commitments for TESLA– Low overhead
– Tolerance of message loss
– Scalable to large networks
– Resistant to replay attacks and DOS attacks
• Future work– Reduction of the long delay after complete loss of CDM
– Broadcast authentication involving multiple base stations
– Adaptive approach to dealing with the DOS attacks
CSC 774 Adv. Net. Security 25Computer Science
Thank You!
top related