Improvements to TESLA Using Secret Sharing Scheme ECE 646: Cryptography and Network Security Professor: Dr. Jens-Peter Kaps Project Team Krishna Chaitanya Thirumalasetty KamalEldin Mohamed Lieyong Yang Nick Ton December 19, 2006


Improvements to TESLA
Using Secret Sharing Scheme

ECE 646: Cryptography and Network Security
Professor: Dr. Jens-Peter Kaps

Project Team
Krishna Chaitanya Thirumalasetty
KamalEldin Mohamed
Lieyong Yang
Nick Ton

December 19, 2006


Agenda

Overview & Motivation

TESLA Protocol
• Protocol Overview
• Sender Setup
• Receiver Authentication
• DoS Attack

Improving DoS Attack
• Instant Key Disclosure (TIK)
• Staggered TESLA
• Public Key Cryptography (PKC)

Group Multicast Authentication (GMA)
• Shamir’s Secret Sharing
• Analytical Approach
• Experimental Approach
• Design & Implementation
• Results

Conclusion

References


Research Motivation

• Our Observation:
  – The TESLA protocol is weak against Denial-of-Service (DoS) attacks

• Our Goal:
  – Analyze and implement improvements to TESLA

• Our Approach:
  – Group Multicast Authentication (GMA) using the Shamir Threshold Scheme


TESLA – Overview

Timed Efficient Stream Loss-Tolerant Authentication
• Broadcast authentication protocol for message authentication
• Published in IEEE Security and Privacy 2000, NDSS 2001 [PCST]
• Uses symmetric key cryptography
• Asymmetric-key behavior achieved via time
• Based on initial loose time synchronization
• MAC is attached to each packet
• Delayed disclosure of keys

[Figure: timeline t_{i-1}, t_i, t_{i+1}. Message M is sent with MAC(K_i, M); F(K_i) is the authentic commitment; K_i is disclosed later.]

Receiver steps:
1. Verify K_i
2. Verify MAC
3. M is authentic


TESLA – Sender Setup

[Figure: timeline divided into intervals i-1, i, i+1, …, N. Key chain: K_{i-1}, K_i, K_{i+1}, …, K_N. F' maps each chain key to its MAC key: K'_{i-1}, K'_i, K'_{i+1}, …, K'_N. Arrows labelled "Key generation" and "Key disclosure".]

• Break time into intervals of the same duration

• Determine the key chain length N and pick the last key K_N randomly

• Using a one-way pseudo-random function F, compute K_i = F(K_{i+1}) and assign one key to each interval

• Use F' to derive the key used to compute the MAC: K'_i = F'(K_i)


TESLA – Receiver Authentication

[Figure: key chain K_{i-1}, K_i, K_{i+1}, with F' deriving K'_{i-1}, K'_i, K'_{i+1}. Packets:
  P_{i-1}: D_{i-1} = (M_{i-1}, K_{i-2}), MAC(K'_{i-1}, D_{i-1}) – authenticated
  P_i: D_i = (M_i, K_{i-1}), MAC(K'_i, D_i) – authenticated after reception of P_{i+1}
  P_{i+1}: D_{i+1} = (M_{i+1}, K_i), MAC(K'_{i+1}, D_{i+1}) – not yet authenticated]

• When the receiver gets packet P_i, it cannot verify the MAC since it does not yet know K_i, from which it can compute K'_i

• Packet P_{i+1} discloses K_i and allows the receiver to:
  – verify that K_i is correct, e.g., F(K_i) = K_{i-1}
  – compute K'_i and check the authenticity of packet P_i by verifying the MAC of P_i
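The sender setup and receiver authentication steps above, as an added Python example that is not part of the original slides. SHA-256 and HMAC-SHA256 stand in for F, F' and the MAC, and the names (make_chain, make_packet, Receiver, demo) are hypothetical. Interval timing and the loose-synchronization check are assumed away: a packet is only refused when its key has already been disclosed.

```python
import hashlib, hmac, os

def F(k):            # one-way function of the key chain (SHA-256 stand-in)
    return hashlib.sha256(b"chain" + k).digest()
def F_prime(k):      # F': derives the MAC key K'_i from K_i
    return hashlib.sha256(b"mac" + k).digest()
def mac(k_i, data):  # MAC(K'_i, D_i), with HMAC-SHA256 as a stand-in
    return hmac.new(F_prime(k_i), data, hashlib.sha256).digest()

def make_chain(n):   # [K_0..K_n]: K_i = F(K_{i+1}); K_0 is the commitment
    chain = [os.urandom(32)]             # K_n is picked at random
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def make_packet(chain, i, msg):
    """P_i carries D_i = (M_i, K_{i-1}) and MAC(K'_i, D_i)."""
    return {"i": i, "msg": msg, "key": chain[i - 1],
            "mac": mac(chain[i], msg + chain[i - 1])}

class Receiver:
    def __init__(self, commitment):
        self.known_i, self.known_key = 0, commitment   # authentic K_0
        self.buffer, self.authentic = {}, []

    def receive(self, p):
        j, key = p["i"] - 1, p["key"]        # the packet discloses K_j
        probe = key
        for _ in range(j - self.known_i):    # 1. verify K_j by hashing it
            probe = F(probe)                 #    down to the last known key
        if j > self.known_i and hmac.compare_digest(probe, self.known_key):
            for idx in range(j, self.known_i, -1):    # covers lost packets too
                for old in self.buffer.pop(idx, []):  # 2. verify the MAC
                    tag = mac(key, old["msg"] + old["key"])
                    if hmac.compare_digest(tag, old["mac"]):
                        self.authentic.append(old["msg"])  # 3. M is authentic
                key = F(key)
            self.known_i, self.known_key = j, p["key"]
        if p["i"] > self.known_i:            # K_i still secret: must buffer
            self.buffer.setdefault(p["i"], []).append(p)

def demo():
    chain = make_chain(4)
    rx = Receiver(chain[0])
    forged = {"i": 2, "msg": b"bogus", "key": os.urandom(32), "mac": os.urandom(32)}
    legit = [make_packet(chain, i, b"m%d" % i) for i in (1, 2, 3)]  # constructed
    for p in legit[:2] + [forged] + legit[2:]:
        rx.receive(p)
    return rx.authentic, len(rx.buffer[3])
```

The forged packet is rejected only once K_2 is disclosed; until then the receiver has to hold it in the buffer alongside the genuine one.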


TESLA DoS Attack – Receiver Side

Sender
• Delayed release of authentication keys

Receiver
• Limited buffer size
• Delayed authentication

Attacker
• Flood the multicast group with bogus traffic!

…Serious DoS Attack…


Existing Solutions


Existing Solutions to the TESLA DoS Attack

• Key disclosure delay invites DoS attack

• TESLA with Instant Key Disclosure (TIK)
  – Eliminates the authentication delay
  – Relies on precise synchronization

• Staggered TESLA
  – Shortens the key delay
  – Multiple, staggered authentication keys

• Efficient Multi-Chained Stream Signature (EMSS)


New Public Key Solution Coming

• New Emerging Algorithms
  • Elliptic Curve Cryptography (ECC)
    – ECC 163 signature verification takes 480 ms on custom designed hardware nodes
  • NTRUEncrypt and NTRUSign
    – NTRU 251 vs. RSA 1024 on Palm (Encrypt 42:1, Decrypt 333:1)
    – NTRU 251 vs. ECC 163 on Palm (Encrypt 52.5:1, Decrypt 9:1)

• Faster & Smaller Chips – Moore’s Law

• Sensor Nodes Harvest Energy From Environment


Group MAC Authentication (GMA)

• Group MAC of each packet: MAC_{K_g}(P_j)

• Original TESLA packet: P_j = {M_j || i || MAC_{K'_i}(M_j) || K_{i-d}}

• New packet: P'_j = P_j || MAC_{K_g}(P_j)

[Figure: packet layout. P_j = Message || Key || ID with the TESLA MAC, MAC_{K'_i}(M_j); P'_j = P_j followed by the GMA MAC, MAC_{K_g}(P_j)]
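How the group MAC changes the receiver's buffering, as an added Python example that is not part of the original slides. HMAC-SHA256 stands in for MAC_{K_g}; the TESLA packet P_j is treated as opaque bytes, and the function names, the buffer capacity and the packet contents are constructed for illustration.

```python
import hashlib, hmac, os

TAG = 32  # length in bytes of an HMAC-SHA256 tag

def gma_wrap(k_g, p_j):
    """P'_j = P_j || MAC_{K_g}(P_j)."""
    return p_j + hmac.new(k_g, p_j, hashlib.sha256).digest()

def gma_unwrap(k_g, p_prime):
    """Return P_j if the group MAC verifies, otherwise None (drop at once)."""
    if len(p_prime) <= TAG:
        return None
    p_j, tag = p_prime[:-TAG], p_prime[-TAG:]
    good = hmac.new(k_g, p_j, hashlib.sha256).digest()
    return p_j if hmac.compare_digest(tag, good) else None

def fill_buffer(k_g, packets, capacity):
    """Buffer packets for delayed TESLA verification; k_g=None means no GMA."""
    buffered, dropped_full = [], 0
    for pkt in packets:
        p_j = pkt if k_g is None else gma_unwrap(k_g, pkt)
        if p_j is None:
            continue                  # bogus packet: rejected without buffering
        if len(buffered) < capacity:
            buffered.append(p_j)
        else:
            dropped_full += 1         # buffer exhausted, packet lost
    return buffered, dropped_full

def demo():
    k_g = os.urandom(32)
    legit = [b"TESLA packet %d" % n for n in range(3)]   # constructed P_j
    bogus = [os.urandom(48) for _ in range(20)]          # constructed bogus traffic
    plain = bogus[:10] + legit + bogus[10:]
    wrapped = bogus[:10] + [gma_wrap(k_g, p) for p in legit] + bogus[10:]
    without, _ = fill_buffer(None, plain, capacity=8)
    with_gma, _ = fill_buffer(k_g, wrapped, capacity=8)
    # Number of genuine packets that survive in the buffer in each case.
    return (sum(p in legit for p in without), sum(p in legit for p in with_gma))
```

K_g is shared by the whole group, so the group MAC only filters traffic from outside the group; the TESLA MAC inside P_j still has to be verified after key disclosure to authenticate the source.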


Our Solution

Group Multicast Authentication (GMA)


Shamir’s Secret Sharing

Secret Sharing Scheme
• Secret is shared by a trust group – everyone has responsibility
• Addresses the problem of key distribution
• Allows multiple users to recover the secret

Secret Sharing Scheme has two phases:
• Dealer Phase, where secret shares are generated
• Reconstruction Phase, where secret shares are combined to reconstruct the original secret

Secret S is shared by n users, each one has S_i, 1 ≤ i ≤ n
• Iff any member in a group knows T or more shares
  – can reconstruct the secret S
• Else
  – Secret is not recoverable


Shamir Threshold Scheme

Dealer Phase:
1. Choose a very large prime number p, where p > max(S, n)
2. Let a_0 = S, where S is the secret
3. Pick the coefficients of a polynomial function, a_i ∈ [0, p)
   • a_1, …, a_{t-1}, 0 < a_j < p-1
4. Compute the polynomial function to get S(i)

S(i) = a_0 + a_1 i + a_2 i^2 + … + a_{t-1} i^{t-1}

S(0) = a_0 = S
S(1) = a_0 + a_1·1 + a_2·1^2 + … + a_{t-1}·1^{t-1}
S(2) = a_0 + a_1·2 + a_2·2^2 + … + a_{t-1}·2^{t-1}
……
S(t-1) = a_0 + a_1(t-1) + a_2(t-1)^2 + … + a_{t-1}(t-1)^{t-1}

Reconstruction Phase:
• Must have a sufficient number of shares (a_i)
• t-1 equations cannot solve for the secret S
• Lagrange interpolation formula to reconstruct the secret key a_0 = S
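The dealer and reconstruction phases, as an added Python example that is not part of the original slides. All arithmetic is done modulo the prime p; the choice p = 2^521 - 1 (a Mersenne prime, large enough for a 128-bit secret) and the function names are assumptions of this example.

```python
import secrets

P = 2**521 - 1  # prime modulus p (assumed choice), p > max(S, n)

def deal(secret, t, n, p=P):
    """Dealer phase: a_0 = S, random a_1..a_{t-1}; share i is (i, S(i) mod p)."""
    if not (0 <= secret < p and 1 <= t <= n < p):
        raise ValueError("need 0 <= S < p and 1 <= t <= n < p")
    # 0 < a_j < p-1, as on the slide
    coeffs = [secret] + [secrets.randbelow(p - 2) + 1 for _ in range(t - 1)]

    def S(i):
        acc = 0
        for a in reversed(coeffs):     # Horner evaluation of the polynomial
            acc = (acc * i + a) % p
        return acc

    return [(i, S(i)) for i in range(1, n + 1)]

def reconstruct(shares, p=P):
    """Lagrange interpolation at x = 0 recovers a_0 = S from t shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xj, yj in shares:
        num = den = 1
        for xm in xs:
            if xm != xj:
                num = num * (-xm) % p          # product of (0 - x_m)
                den = den * (xj - xm) % p      # product of (x_j - x_m)
        secret = (secret + yj * num * pow(den, -1, p)) % p
    return secret

def demo():
    s = int.from_bytes(secrets.token_bytes(16), "big")  # constructed 128-bit secret
    shares = deal(s, t=3, n=5)
    any_three = [shares[4], shares[1], shares[2]]
    return (reconstruct(shares[:3]) == s,     # first t shares
            reconstruct(any_three) == s,      # any t shares, in any order
            reconstruct(shares[:2]) == s)     # t-1 shares: wrong value
```

With fewer than t shares the interpolation still returns a number, but it is unrelated to S, so a node must count the shares it holds before trusting the result.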


GMA Protocol: Setup

• Each node is pre-configured with a routing table
  – Only knows neighboring nodes

• Upstream nodes generate session keys for downstream nodes

• Each node is seeded with a secret share S_i

• S_i is created from secret S

• Each node is initialized with a threshold t ≤ N
  – N is the total number of secret shares


GMA Protocol: Secret Share Transmission

1. Node 1 Initiates
   • Creates session keys K_12 and K_13
   • Sends secret share S_1

2. Node 2 and Node 3 Initiate
   • Use K_12 and K_13 to send S_2 and S_3
   • Create session keys K_24 and K_35
   • Node 2 sends S_1, S_2
   • Node 3 sends S_1, S_3

3. Node 4 and Node 5 Respond
   • Use K_24 and K_35 to send S_4 and S_5

4. Node 2 and Node 3 Respond
   • Retransmit S_4 and S_5 to Node 1

[Figure: five-node network (Node 1; Nodes 2 and 3; Nodes 4 and 5)]

Nodes send/receive until threshold is reached


GMA Protocol: Broadcast Authentication

1. Once a node has reached threshold
   • Each node calculates secret S
   • Use the secret to broadcast

2. Sender Message Encryption
   • MAC(x) = MAC_S(H(x))
   • y = E_S(x) || MAC_S(x)

3. Receiver Message Decryption
   • x = D_S(y)
   • Compare MAC(D_S(y)) = MAC(x)

[Figure: five-node network (Node 1; Nodes 2 and 3; Nodes 4 and 5)]


Analytical Approach

Manually simulated secret share exchange

• Analyzed for a 10-node hierarchical network

• Analyzed 3 types of topology

• Observed the following:
  – Node 0 (broadcast node) is first to achieve threshold
  – Leaf nodes are last to receive all shares
  – Independent of topology
  – Each node on average re-broadcasts (t-1)n


Experimental Approach

Justification
• Provide evidence to support or reject analytical observations
• Determine performance and efficiency metrics
  – Timing data (convergence time, round-trip time)

Methodology
• Develop GMA protocol in NS2
• Other simulation frameworks were available (OMNeT++, Simulink, etc.)


Implementation Design

Risk Reduction Strategies
• Simplify protocol
  – Identify essential operations within the GMA protocol
• Divide and Conquer
  – Divided the GMA protocol into:
    • Secret Share Exchange
    • Multicast Authentication

Testing Strategies
• Automate test scenarios with Python/shell scripts


Protocol Implementation

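    class GMA_Agent : public Agent {
    public:
        // Mirrored in OTcl under the name "Agent/GMA_Agent".
        // PT_GMA is a placeholder for the packet type ID added to packet.h.
        GMA_Agent() : Agent(PT_GMA) {}
        void recv(Packet *, Handler *);
    };

    class GB_Agent ….

[Figure: OTcl / C++ class mirror. Class hierarchy labels: TclObject, NsObject, Agent, Agent/TCP, GMA_Agent]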


Additional Integration Steps

Additional modifications to NS2
1. Define new packet GMA_Packet
2. Add new packet protocol ID into packet.h
3. Add new packet type into ns-default.tcl
4. Add an entry for new packet type in ns-packet.tcl
5. Modify ns2 Makefile

Packet Implementation
• Packet: header, data
• Headers: cmn header, ip header, GMA header, GB header
• Fields: seqno_, scr_addr_, data_, qLength_, ack_


Experimental Results

Performed simulation
• Random topology for:
  – 50, 100, 200 nodes
• Bandwidth 10 kbps
• Share size 128 bits
• Collect convergence time for secret share exchange
• Collect round-trip time for Node-0 acknowledgement

Conclusion
• Share size is dependent upon network size and bandwidth
• Round-trip broadcast authentication is exponentially proportional to the network size

[Figure panels: Secret Share Exchange Convergence Time (Size); Round Trip Time]


Conclusion

GMA Protocol
• Can be a viable augmentation to the TESLA protocol
• Does provide protection against DoS attack
  – Instant authentication of packets
• Performance degrades exponentially for large network topology

Further Research & Development
• Further analysis of the protocol setup
• Secrecy of key exchange using AVISPA
  – Automated Validation of Internet Security Protocols and Applications
• Solving the scalability problem through better implementation of the GMA protocol
• Improvements to group key management


References

• A. Perrig, R. Canetti, J. Tygar, and D. Song, “The TESLA broadcast authentication protocol”, RSA CryptoBytes, 2002.

• R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas, “Multicast security: A taxonomy and some efficient constructions”, in INFOCOM ’99, 1999.

• S. Cheung, “An efficient message authentication scheme for link state routing”, in Proceedings of the 13th Annual Computer Security Applications Conference, December 1997, pp. 90–98.

• F. Bergadano, D. Cavagnino, and B. Crispo, “Chained stream authentication”, in Proceedings of the 7th Annual Workshop on Selected Areas in Cryptography, August 2000, pp. 144–157.

• B. Briscoe, “FLAMeS: Fast, loss-tolerant authentication of multicast streams”, Technical report, BT Research, 2000.

• A. Perrig, J. Tygar, “Secure Broadcast Communication in Wired and Wireless”, Kluwer Academic Publishers, Norwell, MA, 2003.

• A. Perrig, R. Canetti, D. Song, and J. D. Tygar, “Efficient and secure source authentication for multicast”, in Proceedings of Network and Distributed System Security Symposium, February 2001.

• A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, “SPINS: Security Protocols for Sensor Networks”, in Proceedings of Seventh Annual International Conference on Mobile Computing and Network, July 2001.

• D. Liu and P. Ning, “Multi-Level µTESLA: A Broadcast Authentication System for Distributed Sensor Networks”, ACM Transactions on Embedded Computing Systems (TECS), Vol. 3, No. 4, pp. 800–836, November 2004.

• K. Ren, K. Zeng, W. Lou, and P. J. Moran, “On broadcast authentication in wireless sensor networks”, Lecture Notes in Computer Science, vol. 4138, pp. 502–514, International Conference on Wireless Algorithms, Systems, and Applications (WASA 2006), Xi'an, China, August 15–18, 2006.


Questions?