TESLA Certificates: An Authentication Tool for Networks of Compute-Constrained Devices Mathias Bohge
Mathias Bohge, Telecommunication Networks Group, Technical University of Berlin, Sekr T5-2, Einsteinufer 25, Berlin, Germany
Wade Trappe, Wireless Information Network Laboratory, Rutgers University, 73 Brett Rd., Piscataway, NJ USA

Abstract

In the near future wireless networks will consist of low-powered, compute-constrained devices. These devices will have limited ability to perform the expensive computational operations associated with public key cryptography. This will limit the usefulness of conventional authentication mechanisms based on public key certificates in these domains. In this paper we introduce an alternative to conventional public key certificates that is based upon symmetric key cryptography and the principles of delayed key disclosure. The work formalizes concepts presented in earlier work on a broadcast authentication protocol, known as TESLA. TESLA certificates rely upon a tradeoff between computation and authentication delay in order to achieve a certificate infrastructure that reduces computational complexity associated with certificate verification when compared with traditional public key infrastructure certificates. Further, we introduce a modification to the TESLA protocol that provides partial authentication of multicast data, which allows for partial authentication in our TESLA certificate framework. As an application, we apply TESLA certificates to the problem of maintaining authentication during handoff in a generic mobile network.

INTRODUCTION

We are rapidly approaching an era of pervasive computing and communication, where low-powered wireless devices will be deployed everywhere. These devices will serve many different purposes, from allowing us to communicate while we are mobile, to performing measurements for remote sensing applications for environmental monitoring or healthcare services.
As these devices become integrated into our daily lives, it will become increasingly critical to secure their operation. These devices, however, will not have the same amount of resources available as their wired counterparts. In fact, due to their resource constraints, full-fledged security solutions are not appropriate, and it is important that resource-efficient alternatives are developed.

Entity authentication is an essential security function for any system. Traditional authentication methods that are based on public key cryptography are not suitable for networks of low-powered devices since public key cryptography involves intensive computation. Therefore, use of public key certificates is restricted in future wireless environments. In this paper, we will develop a method for entity authentication that is an alternative to public key certificates. Our approach is motivated by work of Perrig et al. [1, 2, 3]. The work presented in [2] introduced guidelines for building a public key infrastructure using a broadcast authentication protocol known as TESLA. The work presented here extends their results to describe a specific certificate structure based upon TESLA. The resulting certificate framework, which we call TESLA certificates, replaces public key operations with more efficient symmetric cryptography operations, such as using message authentication codes. Further, we also introduce a mechanism for achieving partial authentication using TESLA that allows for partial authentication of TESLA certificates.

TESLA AND TESLA CERTIFICATES

The task of certificates is to certify identity. Today, the most widely used certification systems are PGP [4] and X.509 [5]. Both rely on public key cryptography, which makes them unsuitable for low-powered, computationally-constrained devices. These devices should not have to verify an RSA-signature associated with a public key certificate.
Therefore, if we wish to have a certificate-based authentication system for these low-powered devices, we need a certificate that does not employ public key cryptography.

TESLA [1, 3] is a broadcast authentication technique that achieves asymmetric properties, in spite of using purely symmetric cryptographic functions (MAC functions). Due to the use of MACs, TESLA enables low-powered nodes to perform source authentication. TESLA is based upon the principle of delayed key disclosure, which has found application in several works on authentication for network communication [6, 7].

We now briefly review TESLA. To begin, TESLA divides time into intervals of equal duration. Time slot n is assigned a corresponding key $tk_n$. For each packet generated during time interval n, the sender appends a MAC that is created using the secret key $tk_n$. Each receiver buffers the packets, without being able to authenticate them, until the sender discloses the key $tk_n$ by broadcasting the corresponding key-seed $s_n$. Once $s_n$ is disclosed, anyone with $s_n$ can calculate $tk_n$ and can pretend to be the sender by forging MACs. Therefore, the use of $tk_n$ for creating MACs is
limited to time interval n, and future time intervals use future keys. Further, $s_n$ isn't disclosed until d time slots later, where d is governed by an estimate of the maximum network delay for all recipients. The keys $tk_n$ are derived from the key-seeds using a publicly available one-way function. The key-seeds are related to each other via a reverse-time chain of one-way functions. To create the chain of key-seeds, the sender chooses a terminal seed $s_l$, and generates the previous seed $s_{l-1}$ using a one-way function. Similarly, the remaining seeds $\{s_0, s_1, \ldots, s_l\}$ are derived via

$$s_l \rightarrow s_{l-1} \rightarrow s_{l-2} \rightarrow \cdots \rightarrow s_1 \rightarrow s_0. \qquad (1)$$

The sender uses the seed-chain in the opposite direction (starting with seed $s_0$) to derive the TESLA keys by applying the one-way function via

$$s_n \rightarrow tk_n. \qquad (2)$$

When a user receives a packet, he first checks whether the packet is fresh (i.e. it was sent in a timeslot whose TESLA key hasn't been disclosed) or dated. The receiver discards all dated packets and buffers only the fresh ones. Once the user receives a TESLA-seed $s_n$, he checks $(s_n) = s_{n-1}$ to be sure of $s_n$'s authenticity. He derives $tk_n$ by

$$tk_n = (s_n), \qquad (3)$$

and authenticates the packets that were sent in timeslot n.

Figure 1. The steps involved in using TESLA certificates.

TESLA Certificates

In [2], the authors described necessary conditions for achieving asymmetric properties with TESLA, and outlined the construction of a PKI based on TESLA. We now formalize the application of TESLA to form a TESLA-based PKI. Specifically, we introduce a new type of certificate that uses TESLA instead of public key cryptography. In Fig. 1, we present the entities involved in TESLA certificates, and the steps involved in using TESLA certificates. Much like conventional public key certificates, we have a certificate authority CA, who is responsible for creating the certificates for entity B. A low-powered device, depicted by D, will contact B to use its service.
Initially, the CA has established a key $K_{CA,B}$ that it shares with B. The steps involved in TESLA certificates are:

1. The CA periodically issues TESLA certificates for B. During time slot n, the certificate authority (CA) doesn't sign the TESLA-certificate with its private key, but uses the non-disclosed TESLA key $tk_{CA_n}$ to create a MAC that is included in the certificate. The subject B's public key is replaced by the subject's authentication key $ak_{B_n}$, which is encrypted by the CA using the same TESLA key $tk_{CA_n}$.

   $$\mathrm{Cert}_{CA_n}(B) = (ID_B, \{ak_{B_n}\}_{tk_{CA_n}}, n + d, \mathrm{MAC}_{tk_{CA_n}}(\ldots)) \qquad (4)$$

   Here n + d indicates the TESLA certificate's expiration date. The certificate is sent to B along with the matching authentication key $ak_{B_n}$:

   $$CA \rightarrow B: (\mathrm{Cert}_{CA_n}(B), \{ak_{B_n}\}_{K_{CA,B}}, \mathrm{MAC}_{K_{CA,B}}(\ldots)). \qquad (5)$$

2. Sometime between time n and n + d, D contacts B requesting to use B's service,

   $$D \rightarrow B: (\mathrm{request}). \qquad (6)$$

3. Following the request in step 2, B must prove its identity to node D. B sends an authentication packet, which consists of the TESLA certificate and a MAC that was created using B's authentication key $ak_{B_n}$:

   $$B \rightarrow D: (\mathrm{Cert}_{CA_n}(B), \mathrm{MAC}_{ak_{B_n}}(\mathrm{request})).$$

   Upon receiving the authentication packet, D measures the freshness of the certificate by checking the timestamp of $\mathrm{Cert}_{CA_n}(B)$ to make sure that it has arrived before time n + d, when the CA announces $tk_{CA_n}$. If $\mathrm{Cert}_{CA_n}(B)$ is fresh, D buffers the authentication packet.

4. The CA discloses its TESLA key $tk_{CA_n}$ at time n + d. Upon receiving $tk_{CA_n}$, D checks the authenticity of the TESLA certificate by checking $\mathrm{MAC}_{tk_{CA_n}}$, then it decrypts B's authentication key $ak_{B_n}$ and checks $\mathrm{MAC}_{ak_{B_n}}$.

User D is able to certify the identity of B as long as it receives the TESLA certificate $\mathrm{Cert}_{CA_n}(B)$ before time n + d, when the CA reveals the TESLA key $TK_{CA_n}$. The lifetime of a TESLA-certificate is short.
It depends on the disclosure time of the TESLA key that the certificate authority used when creating the MAC and encrypting the subject's authentication key. Choosing a key that will be disclosed soon lowers the delay in the authentication process at node D, but results in increased overhead when issuing new certificates. The tradeoff between delay and overhead is a critical issue for further study.

AN APPLICATION OF TESLA CERTIFICATES

We now apply TESLA certificates to the problem of maintaining authentication during handoff in a mobile network.
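Before the handoff application, steps 1 to 4 of the TESLA Certificates subsection above as an added Python example, which is not code from the paper. SHA-256, HMAC-SHA256, the XOR keystream standing in for the cipher, and all names and key values are assumptions; the device hashes a disclosed seed back over several steps to the last seed it trusts, which generalizes the single-step check in the text.

```python
import hashlib
import hmac

# Assumptions of this sketch (not from the paper): SHA-256 as the seed-chain
# one-way function, HMAC-SHA256 for key derivation and MACs, and an HMAC-based
# XOR keystream standing in for the cipher {ak}_tk. All keys are constructed.

def chain_step(seed):
    """One-way function linking the seeds: maps s_n to s_{n-1}."""
    return hashlib.sha256(b"chain" + seed).digest()

def derive_key(seed):
    """Second one-way function: TESLA key tk_n from seed s_n."""
    return hmac.new(seed, b"tesla-key", hashlib.sha256).digest()

def make_seed_chain(terminal_seed, length):
    """Return [s_0, ..., s_l], generated backwards from the terminal seed s_l."""
    seeds = [terminal_seed]
    for _ in range(length):
        seeds.append(chain_step(seeds[-1]))
    return seeds[::-1]

def mac(key, *fields):
    """HMAC over length-prefixed fields, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()

def xor_cipher(key, data):
    """Stand-in cipher (encrypt == decrypt) for values of at most 32 bytes."""
    stream = hmac.new(key, b"enc", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def issue_certificate(ca_seeds, n, d, subject_id, ak):
    """Step 1: the CA builds Cert_CAn(B) with the undisclosed key tk_CAn."""
    tk = derive_key(ca_seeds[n])
    enc_ak = xor_cipher(tk, ak)
    expiry = n + d
    tag = mac(tk, subject_id, enc_ak, expiry.to_bytes(4, "big"))
    return {"id": subject_id, "enc_ak": enc_ak, "expiry": expiry, "mac": tag}

class Device:
    """Low-powered node D, initialised with an authentic CA seed s_index."""

    def __init__(self, index, seed, d):
        self.index, self.seed, self.d = index, seed, d
        self.buffer = []

    def receive(self, now, cert, request, request_mac):
        """Step 3: buffer the authentication packet only while it is fresh."""
        if now >= cert["expiry"]:          # tk_CAn is public from n + d on
            return False
        self.buffer.append((cert, request, request_mac))
        return True

    def on_disclosure(self, n, seed):
        """Step 4: the CA discloses s_n at time n + d. Returns verified IDs."""
        probe = seed
        for _ in range(n - self.index):    # hash back to the seed we trust
            probe = chain_step(probe)
        if n <= self.index or not hmac.compare_digest(probe, self.seed):
            return []
        self.index, self.seed = n, seed
        tk = derive_key(seed)
        verified, pending, self.buffer = [], self.buffer, []
        for cert, request, request_mac in pending:
            if cert["expiry"] != n + self.d:   # belongs to another time slot
                self.buffer.append((cert, request, request_mac))
                continue
            expected = mac(tk, cert["id"], cert["enc_ak"],
                           cert["expiry"].to_bytes(4, "big"))
            if not hmac.compare_digest(expected, cert["mac"]):
                continue                   # certificate not issued by the CA
            ak = xor_cipher(tk, cert["enc_ak"])
            if hmac.compare_digest(mac(ak, request), request_mac):
                verified.append(cert["id"])
        return verified

def demo():
    d, n = 2, 3
    ca_seeds = make_seed_chain(b"constructed CA terminal seed", 8)
    ak_b = hashlib.sha256(b"constructed ak for B").digest()
    cert = issue_certificate(ca_seeds, n, d, b"B", ak_b)
    forged = dict(cert, id=b"Mallory")     # tampered ID, MAC no longer fits
    dev = Device(0, ca_seeds[0], d)
    request = b"request"
    return {
        "fresh": dev.receive(4, cert, request, mac(ak_b, request)),
        "forged_buffered": dev.receive(4, forged, request, mac(ak_b, request)),
        "late": dev.receive(n + d, cert, request, mac(ak_b, request)),
        "bad_seed": dev.on_disclosure(n, b"\x00" * 32),
        "verified": dev.on_disclosure(n, ca_seeds[n]),
    }

if __name__ == "__main__":
    print(demo())
```

The forged certificate is accepted into the buffer like the genuine one and is only rejected at key disclosure, which is the delay and buffering cost the paper discusses later.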
Algorithm: Mobile node handoff at time n
Result: Authenticity and a shared secret $K_{B',D}$ between the sensor node D and the new access point B'
1. $B' \rightarrow D: (\mathrm{apho}, \mathrm{Cert}_{CA_n}(B'), \mathrm{MAC}_{ak_{B'_n}}(\ldots))$
2. $D \rightarrow B': (\mathrm{apho}, \mathrm{Cert}_{CA}(D), \mathrm{MAC}_{ak_{AP,D}}(\ldots))$
3. $B' \rightarrow D: (\mathrm{hook}, \{K_{B',D}\}_{ak_{AP,D}}, \mathrm{MAC}_{ak_{B'_n}}(\ldots))$
Algorithm 1: Mobile Node Handoff.

Consider a network of access points B, and low-powered nodes D. The access points provide the service of forwarding information from the low-powered nodes to an application connected to the Internet. Further, assume that there is a certificate authority CA that is able to communicate with all nodes on the network. Initially, D communicates securely with an access point B using a shared key $K_{B,D}$. Suppose that the CA gives a conventional (public key) certificate to D of the form

$$\mathrm{Cert}_{CA}(D) = (ID_D, \{ak_{AP,D}\}_{gk_{AP}}, TS_A, \mathrm{SIGN}_{K_{CA}}(\ldots)). \qquad (7)$$

The certificate contains D's ID, a timestamp $TS_A$ and a symmetric authentication key $ak_{AP,D}$ that will allow D to communicate with any access point. The key $ak_{AP,D}$ is given to D via a secure channel during initialization. Further, $ak_{AP,D}$ is encrypted with a key, $gk_{AP}$, which has been given to every access point of the network by the CA. The signature $\mathrm{SIGN}_{K_{CA}}(\ldots)$ proves that this certificate is issued by the certificate authority. We emphasize that D never has to verify SIGN since this is his own certificate, and therefore D does not incur the computational complexity associated with public key signature verification.

Now suppose that D moves and is no longer within range of B, but instead within range of B'. Since D has moved to a new access point, it must certify the identity of B', as well as establish a new shared key $K_{B',D}$. In order for D to authenticate B', it contacts B' by sending a request for an access point handoff (apho). In response, B' sends D its TESLA certificate $\mathrm{Cert}_{CA_n}(B')$ for time n, and a MAC that will be used by D to verify the identity of B' after the CA reveals the TESLA key.
Next, D answers with its own certificate and a MAC that it creates using its authentication key $ak_{AP,D}$. B' will then send to D the new key $K_{B',D}$ that is encrypted using $ak_{AP,D}$, which B' had obtained from D's certificate $\mathrm{Cert}_{CA}(D)$. Using $ak_{AP,D}$, D can obtain the new key $K_{B',D}$. However, before D can check B''s identity, it has to wait until the CA publishes the TESLA key $tk_{CA_n}$ during time slot n + d. Once D receives that key, D can check B''s certificate and confirm the identity of B'. Subsequently, D may resume sending its data to the application by securely sending its data to B' using $K_{B',D}$.

PERFORMANCE ISSUES

There are two performance issues that we now discuss: computation and delay.

Computation

We have conducted an initial evaluation of the amount of time required for a 4096-bit message authentication using SHA-1, and for 2048-bit RSA signing using the libtomcrypt library [8]. Using gprof on a Pentium-4 2GHz Linux machine, we measured that SHA-1 required an average of 46 milliseconds to perform, while RSA signing required an average of 2.26 seconds to perform. Although this platform is not the same as a typical mobile device, the timing measurements do allow us to estimate that the RSA operation requires roughly 4900 times more power than performing SHA-1. This suggests the computational savings available when using TESLA certificates.

In our mobile node handoff protocol, we have allocated the computational load in a manner suited to each device's capabilities. Specifically, we have not burdened the mobile nodes with public key operations. Instead, due to their use of TESLA certificates, the mobile nodes use computationally efficient MACs to perform authentication. On the other hand, we have placed more computational burden upon the higher-powered access points by requiring them to perform public key cryptographic operations associated with the conventional PKI certificate.
We are currently studying the use of TESLA and TESLA certificates for wireless sensor networks, and plan to conduct a more thorough estimation of power consumption on Cerfcubes [9], which is the sensor node device planned for our testbed. We note that although TESLA certificates reduce the amount of computation performed, this might not necessarily result in extended battery-life since, for many wireless devices, transmitting and receiving packets are costly operations. A careful analysis of the tradeoff between communication costs and computational costs for typical entity authentication services that will occur on wireless devices should be performed.

Reducing Delay via Partial Authentication

It has been observed that one drawback of the TESLA protocol is delay. The very property which provides the asymmetry necessary for authentication also introduces two new issues. First, many applications are inherently delay-sensitive and cannot tolerate delay at the sender or at the receiver. Voice over Internet Protocol (VoIP) applications are a prime example of this, where even short delays significantly affect the perceived quality of service. Second, since TESLA involves buffering, it provides an adversary an easy avenue for performing a denial-of-service (DoS) attack.
An adversary may simply send false data to a receiver in order to fill the receiver's authentication buffer, causing newly arriving packets to be dropped.

In [3], several modifications are proposed for the TESLA multicast authentication scheme. Reducing the authentication delay was considered an important issue for improving TESLA, and the authors present a scheme where receiver buffering is traded-off at the expense of source buffering. Rather than offload the buffering to the source, we propose to exploit a possibility in the authentication buffer at the receiver.

Our basic approach to the problem of reducing the delay in TESLA is similar to the concurrent TESLA scheme presented in [3]. The concurrent TESLA approach was originally intended for allowing different receivers to authenticate packets according to different delays, while requiring less additional communication overhead than conventional TESLA. The method that we are about to describe differs from the concurrent TESLA scheme in its motivation and implementation. Rather than allow different users to completely authenticate packets at different delay times, as in the concurrent TESLA scheme, we propose to make use of multiple staggered keys in the delayed key disclosure so that packets may be partially authenticated prior to the disclosure of the appropriate authentication key.

The use of partial authentication is a potentially powerful tool as it provides intermediate security levels between the extremes of not-authenticated and fully authenticated. These intermediate security levels can allow for new application-level security policies to be developed. As an example, consider a multimedia application in which media packets have a QoS delay requirement. As packets arrive, they are put in the staggered TESLA authentication buffer.
If, at a certain time, the application deems that the service quality delivered to the user is not acceptable, the application will release packets that are partially authenticated in order to improve the delivered quality. An application-level security policy for releasing partially authenticated data should describe what level of partial authentication is allowed for improving QoS.

In spite of the similarities with the concurrent TESLA scheme, and for the sake of clarity, we shall refer to the proposed method as staggered TESLA. As in TESLA, we start with a chain of keys or seeds that are related by application of a one-way function, namely

$$s_l \rightarrow s_{l-1} \rightarrow s_{l-2} \rightarrow \cdots \rightarrow s_1 \rightarrow s_0. \qquad (8)$$

These seed values are used to derive the TESLA authentication keys by applying a one-way function as in

$$s_n \rightarrow tk_n. \qquad (9)$$

Time is again slotted into intervals, that are indexed according to the time variable i. We denote a data packet for time i by $M_i$. We note, however, that this leads to ambiguity when referring to multiple data packets that are being created by a source during time interval i. We have chosen not to add extra labelling to remove this ambiguity for the sake of simplicity of exposition. Finally, the TESLA seed $s_i$ will be disclosed at a later time i+d according to the maximum network delay needed for all receivers to receive a packet sent at time i, as in the standard TESLA protocol [1].

Figure 2. A queue chain for the receiver in staggered TESLA.

Now, as in TESLA, during time i, the data message $M_i$ will have authentication information appended to it in order to form the transmitted packet $P_i$. However, unlike TESLA, multiple message authentication codes will be appended. These MACs will use L of the TESLA keys. For example, $P_i$ would be

$$P_i = [\,M_i \;\; \mathrm{MAC}_{tk_i}(M_i) \;\; \mathrm{MAC}_{tk_{i-1}}(M_i) \;\; \cdots \;\; \mathrm{MAC}_{tk_{i-L+1}}(M_i)\,]. \qquad (10)$$

We note that it is not necessary that the different MACs have the same length. This fact can be exploited to reduce the size of the packet $P_i$ if needed.
Following the formation of $P_i$, it is sent out on the network. In a normal TESLA scheme, the seed $s_i$ would be disclosed at time i + d, and packets from time i could not begin the authentication process until after i + d. However, by using multiple MACs, we introduce a type of memory into the authentication process and can begin authentication prior to disclosure of $s_i$.

For the staggered TESLA scheme, the receiver's buffer is altered from a conventional buffer into a sequence of queues. We have depicted such a chained buffer for L = 3 in Fig. 2. The receiver puts the packet $P_i$ into the top level of the queue, and waits for the seed $s_{i-2}$ to arrive so it can calculate $tk_{i-2}$. After calculating $tk_{i-2}$, the packet is tested for authenticity by verifying $\mathrm{MAC}_{tk_{i-2}}(M_i)$. If this verification fails, the packet is dropped from the queue, while if it passes, the packet is partially authenticated and graduates to the next layer of the buffer. This layer waits for $s_{i-1}$ to arrive before it can test $P_i$. Again, the packet is either dropped or graduated to the next layer of the queue. This process repeats through the seeds and TESLA keys until $tk_i$ is used for the final, and complete, authentication of $P_i$.
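The receiver's queue chain for L = 3 described above, as an added Python example that is not code from the paper. It assumes SHA-256 and truncated HMAC-SHA256, d = 3, MAC lengths of 16, 8 and 2 bytes, and MACs under $tk_i$, $tk_{i-1}$, $tk_{i-2}$ as in the L = 3 walkthrough; all names, seeds and the two forged packets are constructed.

```python
import hashlib
import hmac

# Assumptions of this sketch (not from the paper): SHA-256 for the seed chain,
# truncated HMAC-SHA256 for the MACs, L = 3, d = 3, and MAC lengths of 16/8/2
# bytes under tk_i, tk_{i-1}, tk_{i-2}. Seeds and messages are constructed.
L, D = 3, 3
MAC_LEN = [16, 8, 2]                 # MAC_LEN[j]: bytes of MAC under tk_{i-j}

def chain_step(seed):
    """One-way function linking the seeds: maps s_n to s_{n-1}."""
    return hashlib.sha256(b"chain" + seed).digest()

def tag(seed, msg, j):
    """MAC of msg under the TESLA key derived from seed, truncated for slot j."""
    tk = hmac.new(seed, b"tesla-key", hashlib.sha256).digest()
    return hmac.new(tk, msg, hashlib.sha256).digest()[:MAC_LEN[j]]

def make_packet(seeds, i, msg):
    """P_i: the message M_i followed by L MACs under tk_i ... tk_{i-L+1}."""
    macs = [tag(seeds[i - j], msg, j) for j in range(L)]
    return {"i": i, "msg": msg, "macs": macs}

class StaggeredReceiver:
    def __init__(self, index, seed):
        self.index, self.seed = index, seed     # newest authentic seed s_index
        self.seeds = {index: seed}
        self.levels = [[] for _ in range(L)]    # levels[k]: passed k MAC checks
        self.released = []                      # fully authenticated messages

    def receive(self, now, pkt):
        if now >= pkt["i"] + D:                 # s_i is already public: dated
            return False
        self.levels[0].append(pkt)
        self._advance()
        return True

    def on_seed(self, n, seed):
        path = [seed]
        for _ in range(n - self.index):         # hash back to the trusted seed
            path.append(chain_step(path[-1]))
        if n <= self.index or not hmac.compare_digest(path[-1], self.seed):
            return False
        for k, s in enumerate(path[:-1]):       # remember any skipped seeds too
            self.seeds[n - k] = s
        self.index, self.seed = n, seed
        self._advance()
        return True

    def _advance(self):
        """Test queued packets with every key available; a failed MAC drops."""
        for level in range(L):                  # top of the queue chain first
            waiting, self.levels[level] = self.levels[level], []
            j = L - 1 - level                   # level 0 checks MAC under tk_{i-2}
            for pkt in waiting:
                seed = self.seeds.get(pkt["i"] - j)
                if seed is None:                # key not disclosed yet: keep waiting
                    self.levels[level].append(pkt)
                elif hmac.compare_digest(tag(seed, pkt["msg"], j), pkt["macs"][j]):
                    if level == L - 1:
                        self.released.append(pkt["msg"])
                    else:                       # partially authenticated: graduate
                        self.levels[level + 1].append(pkt)

    def occupancy(self):
        """Queue lengths per level, followed by the number of released messages."""
        return [len(q) for q in self.levels] + [len(self.released)]

def demo():
    seeds = [b"constructed terminal seed"]
    for _ in range(8):
        seeds.append(chain_step(seeds[-1]))
    seeds.reverse()                             # seeds[n] is s_n
    rx = StaggeredReceiver(2, seeds[2])
    genuine = make_packet(seeds, 5, b"M5 genuine")
    # Outsider forgery: no keys known; MAC bytes inverted so the result is fixed.
    outsider = dict(genuine, macs=[bytes(b ^ 0xFF for b in m) for m in genuine["macs"]])
    # Group-member forgery: s_3 is public at time 6, so only that MAC is valid.
    insider = {"i": 5, "msg": b"M5 forged",
               "macs": [bytes(16), bytes(8), tag(seeds[3], b"M5 forged", 2)]}
    trace = []
    rx.receive(5, genuine)
    rx.receive(5, outsider)
    trace.append(rx.occupancy())                # both wait at the top level
    rx.on_seed(3, seeds[3])
    trace.append(rx.occupancy())                # outsider dropped before s_5
    rx.receive(6, insider)
    trace.append(rx.occupancy())                # insider passes the tk_3 test
    rx.on_seed(4, seeds[4])
    trace.append(rx.occupancy())                # insider fails under tk_4
    rx.on_seed(5, seeds[5])
    trace.append(rx.occupancy())                # genuine packet fully verified
    return trace, rx.released

if __name__ == "__main__":
    print(demo())
```

The trace shows the outsider's packet leaving the buffer two disclosures before $s_i$ arrives, and the group member's packet surviving only until the next key is disclosed.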
The advantage of the staggered TESLA scheme is that a receiver does not have to wait for the seed $s_i$ to be revealed in order to start authenticating packets. Instead, the receiver can use whatever TESLA keys he has received in order to begin the authentication process and remove possibly bogus packets, such as those involved in a DoS attack.

We noted earlier that the size of the MACs do not have to be the same. In fact, since one of our goals is to provide a filter to remove false packets before $s_i$ is revealed, we can choose the size of $\mathrm{MAC}_{tk_{i-L+1}}$ to be small. For example, assuming ideal mixing behavior of the MAC, taking $\mathrm{MAC}_{tk_{i-L+1}}$ to be only a single bit would mean that an adversary with no knowledge of the true $tk_{i-L+1}$ would only have a 50% chance of forgery, or a MAC of two bits would mean an adversary would only have a 25% chance of forgery.

Next, suppose an adversary is a member of the multicast group. It is possible for the adversary to receive a seed, say $s_{i-j}$, and use this to forge portions of $P_i$. This will allow the forged packet to pass the first few authentication tests in staggered TESLA. Ultimately, however, a packet forged for time i by a member of the multicast group must be tested using $tk_i$, which is guaranteed to fail since $s_i$ is released according to the maximum network delay condition described in the original TESLA protocol. Therefore, rather than have d intervals of time available for performing a DoS attack, an adversary who is a member of the group has strictly less than d time intervals to fill the target receiver's buffer. Thus, staggered TESLA appears to provide some advantage against a DoS attack as it requires an internal adversary to attempt a DoS at a higher attack data rate than he would have had to employ against conventional TESLA.

The selection of L, along with the size of the MACs that are employed, depends on the security requirements and the network conditions.
An interesting direction for further investigation that we plan to explore is the appropriate determination of L based upon minimum network delay (the minimum delay from the source to each receiver), as well as the underlying network topology and routing information.

As a final note, we discuss how staggered TESLA can be used in TESLA certificates. Since staggered TESLA allows for partial authentication, it also provides a mechanism for partially authenticating TESLA certificates. This partial authentication is useful for removing false certificates before key disclosure. Further, it also allows for partial entity authentication, in which an entity may be given progressively higher levels of access as his certificate becomes more authenticated.

CONCLUSION

In this paper we have introduced an alternative to conventional public key certificates that is based upon symmetric key cryptography and the principles of delayed key disclosure. The work formalizes concepts presented in earlier work on TESLA by introducing a new certificate framework, which we call TESLA certificates. TESLA certificates rely upon a tradeoff between computation and authentication delay in order to achieve a certificate infrastructure that reduces computational complexity associated with certificate verification when compared with traditional public key infrastructure certificates. We applied TESLA certificates to the problem of maintaining authentication during handoff in a generic mobile network. We discussed two basic types of performance issues: computation and delay. Further, we introduced a modification to the TESLA protocol that provides partial authentication of multicast data. Unlike the concurrent TESLA schemes proposed earlier, our staggered TESLA allows for partial authentication of data, which makes it harder for an adversary to perform a denial-of-service attack, and also allows for partial authentication in TESLA certificates.
Finally, we note that further investigation needs to be done to examine the tradeoff between computation and communication, and the resulting effect each has upon battery consumption in order to determine the suitability of TESLA certificates for networks of mobile devices.

ACKNOWLEDGEMENTS

The authors would like to thank Adrian Perrig for referring them to the discussion of TESLA, and the outline of a PKI based on TESLA in [2].

REFERENCES

[1] A. Perrig, R. Canetti, B. Brisco, D. Song, and D. Tygar, TESLA: Multicast source authentication transform introduction, IETF working draft, draft-ietf-msec-tesla-intro-01.txt.
[2] A. Perrig, R. Canetti, J.D. Tygar, and D. Song, The TESLA broadcast authentication protocol, in RSA Cryptobytes,
[3] A. Perrig, R. Canetti, D. Song, and J.D. Tygar, Efficient and secure source authentication for multicast, in Proceedings of Network and Distributed System Security Symposium, February
[4] P. R. Zimmermann, The official PGP user's guide, MIT Press,
[5] ITU-T, The directory: authentication framework, IT - Open Systems Interconnection.
[6] S. Cheung, An efficient message authentication scheme for link state routing, in Proceedings of 13th Annual Computer Security Applications Conference,
[7] R.J. Anderson, F. Bergadano, B. Crispo, J.H. Lee, C. Manifavas, and R.M. Needham, A new family of authentication protocols, Operating Systems Review, vol. 32, no. 4, pp. 9-20,
[8] Libtomcrypt,
[9] Intrinsyc product page,
Using Cryptography CMSC 414 October 16, 2017 Digital Certificates Recall: K pub = (n, e) This is an RSA public key How do we know who this is for? Need to bind identity to a public key We can do this using
More informationS. Erfani, ECE Dept., University of Windsor Network Security
4.11 Data Integrity and Authentication It was mentioned earlier in this chapter that integrity and protection security services are needed to protect against active attacks, such as falsification of data
More informationOverview of Mobile Networking Initiatives at WINLAB
Overview of Mobile Networking Initiatives at WINLAB Introduction: The Next Generation MSC Custom Mobile Infrastructure (e.g. GSM, 3G) BTS Public Switched Network (PSTN) BSC GGSN, etc. WLAN Access Point
More informationSecure Routing for Mobile Ad-hoc Networks
Department of Computer Science IIT Kanpur CS625: Advanced Computer Networks Outline 1 2 3 4 Outline 1 2 3 4 Need Often setting up an infrastructure is infeasible Disaster relief Community networks (OLPC)
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationComputer Networks. Wenzhong Li. Nanjing University
Computer Networks Wenzhong Li Nanjing University 1 Chapter 7. Network Security Network Attacks Cryptographic Technologies Message Integrity and Authentication Key Distribution Firewalls Transport Layer
More informationCT30A8800 Secured communications
CT30A8800 Secured communications Pekka Jäppinen October 31, 2007 Pekka Jäppinen, Lappeenranta University of Technology: October 31, 2007 Secured Communications: Key exchange Schneier, Applied Cryptography:
More informationBackground. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33
Background Network Security - Certificates, Keys and Signatures - Dr. John Keeney 3BA33 Slides Sources: Karl Quinn, Donal O Mahoney, Henric Johnson, Charlie Kaufman, Wikipedia, Google, Brian Raiter. Recommended
More informationSEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security
SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security Consider 2. Based on DNS, identified the IP address of www.cuhk.edu.hk is 137.189.11.73. 1. Go to http://www.cuhk.edu.hk 3. Forward the
More informationLecture Note 6 KEY MANAGEMENT. Sourav Mukhopadhyay
Lecture Note 6 KEY MANAGEMENT Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Key Management There are actually two distinct aspects to the use of public-key encryption in this regard:
More informationKurose & Ross, Chapters (5 th ed.)
Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and
More informationCryptographic authentication on the communication from an 8051 based development board over UDP
Cryptographic authentication on the communication from an 8051 based development board over UDP Bogdan Groza 1, Pal-Stefan Murvay 2, Ioan Silea 1, Tiberiu Ionica 1 Politehnica University of Timisoara,
More informationSignature Amortization Using Multiple Connected Chains
Signature Amortization Using Multiple Connected Chains Qusai Abuein 1 and Susumu Shibusawa 2 1 Graduate School of Science and Engineering 2 Department of Computer and Information Sciences Ibaraki University,
More informationUNIT - IV Cryptographic Hash Function 31.1
UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service
More informationThe Cryptographic Sensor
The Cryptographic Sensor Libor Dostálek and Václav Novák {libor.dostalek, vaclav.novak}@prf.jcu.cz Faculty of Science University of South Bohemia České Budějovice Abstract The aim is to find an effective
More informationKey Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature
Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper
More informationNetwork Security and Cryptography. 2 September Marking Scheme
Network Security and Cryptography 2 September 2015 Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers to the questions,
More informationNetwork Security Essentials
Network Security Essentials Fifth Edition by William Stallings Chapter 4 Key Distribution and User Authentication No Singhalese, whether man or woman, would venture out of the house without a bunch of
More informationCommunication in Broadband Wireless Networks. Jaydip Sen Convergence Innovation Lab Tata Consultancy Services Ltd. Kolkata, INDIA
Secure Multicast and Broadcast Communication in Broadband Wireless Networks Jaydip Sen Convergence Innovation Lab Tata Consultancy Services Ltd. Kolkata, INDIA Agenda Network entry procedure for a mobile
More informationCS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?
50fb6be35f4c3105 9d4ed08fb86d8887 b746c452a9c9443b 15b22f450c76218e CS 470 Spring 2018 9df7031cdbff9d10 b700a92855f16328 5b757e66d2131841 62fedd7d9131e42e Mike Lam, Professor Security a.k.a. Why on earth
More informationComputers and Security
The contents of this Supporting Material document have been prepared from the Eight units of study texts for the course M150: Date, Computing and Information, produced by The Open University, UK. Copyright
More informationSecurity. Communication security. System Security
Security Communication security security of data channel typical assumption: adversary has access to the physical link over which data is transmitted cryptographic separation is necessary System Security
More informationDoS attack-tolerant TESLA-based broadcast authentication protocol in Internet of Things
2012 International Conference on Selected Topics in Mobile and Wireless Networking DoS attack-tolerant TESLA-based broadcast authentication protocol in Internet of Things Na Ruan, Yoshiaki Hori Department
More informationSSL/TLS. How to send your credit card number securely over the internet
SSL/TLS How to send your credit card number securely over the internet The security provided by SSL SSL is implemented at level 4 The transport control layer In practice, SSL uses TCP sockets The underlying
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationThe Identity-Based Encryption Advantage
White Paper Security The Identity-Based Encryption Advantage Table of Contents page Introduction... 1 Six Requirements for Enterprise Key Management... 1 Traditional Approaches to Key Management... 2 Public
More information(2½ hours) Total Marks: 75
(2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.
More informationThe SafeNet Security System Version 3 Overview
The SafeNet Security System Version 3 Overview Version 3 Overview Abstract This document provides a description of Information Resource Engineering s SafeNet version 3 products. SafeNet version 3 products
More informationA Security Infrastructure for Trusted Devices
Infrastructure () A Security Infrastructure for Trusted Devices Mahalingam Ramkumar Mississippi State University, MS Nasir Memon Polytechnic University, Brooklyn, NY January 31, 2005 Infrastructure ()
More informationDefenses against Wormhole Attack
Defenses against Wormhole Attack Presented by: Kadhim Hayawi, ID: 20364216 COURSE PRESENTATION FOR ECE750 - INTELLIGENT SENSORS AND SENSOR NETWORKS Prof. Otman A. Basir Outline Introduction Packet Leashes
More informationSubnet Multicast for Delivery of One-to-Many Multicast Applications
Subnet Multicast for Delivery of One-to-Many Multicast Applications We propose a new delivery scheme for one-to-many multicast applications such as webcasting service used for the web-based broadcasting
More informationDigital it Signatures. Message Authentication Codes. Message Hash. Security. COMP755 Advanced OS 1
Digital Signatures Digital it Signatures Offer similar protections as handwritten signatures in the real world. 1. Difficult to forge. 2. Easily verifiable. 3. Not deniable. 4. Easy to implement. 5. Differs
More informationProtocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh
Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols
More informationLecture 2 Applied Cryptography (Part 2)
Lecture 2 Applied Cryptography (Part 2) Patrick P. C. Lee Tsinghua Summer Course 2010 2-1 Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-2
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationT Cryptography and Data Security
T-79.159 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Kaufman et al: Ch 11.6; 9.7-9; Stallings:
More informationEfficient and Secure Source Authentication for Multicast
Efficient and Secure Source Authentication for Multicast Adrian Perrig yλ Ran Canetti z Dawn Song y J. D. Tygar y y UC Berkeley, Λ Digital Fountain, z IBM T.J. Watson fperrig,dawnsong,tygar@cs.berkeley.edu,
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationLecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005
Lecture 30 Security April 11, 2005 Cryptography K A ciphertext Figure 7.3 goes here K B symmetric-key crypto: sender, receiver keys identical public-key crypto: encrypt key public, decrypt key secret Symmetric
More information1.264 Lecture 28. Cryptography: Asymmetric keys
1.264 Lecture 28 Cryptography: Asymmetric keys Next class: Anderson chapters 20. Exercise due before class (Reading doesn t cover same topics as lecture) 1 Asymmetric or public key encryption Receiver
More informationPrincess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)
Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536) Prepared by Dr. Samia Chelloug E-mail: samia_chelloug@yahoo.fr Content
More information14. Internet Security (J. Kurose)
14. Internet Security (J. Kurose) 1 Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer:
More informationNetwork Security Issues and Cryptography
Network Security Issues and Cryptography PriyaTrivedi 1, Sanya Harneja 2 1 Information Technology, Maharishi Dayanand University Farrukhnagar, Gurgaon, Haryana, India 2 Information Technology, Maharishi
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationLecture 9a: Secure Sockets Layer (SSL) March, 2004
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by
More information1. CyberCIEGE Advanced VPNs
1. CyberCIEGE Advanced VPNs CyberCIEGE is an information assurance (IA) training tool that illustrates computer and network security principles through simulation and resource management trade-offs. CyberCIEGE
More informationA Tree-Based µtesla Broadcast Authentication for Sensor Networks
A Tree-Based µtesla Broadcast Authentication for Sensor Networks Donggang Liu Peng Ning Sencun Zhu Sushil Jajodia Cyber Defense Laboratory Department of Computer Center for Secure Department of Computer
More informationPublic Key Infrastructure scaling perspectives
Public Key Infrastructure scaling perspectives Finseskolen 2012 Anders Fongen, PhD Norwegian Defence Research Establishment anders.fongen@ffi.no Outline of presentation Short intro to PKI architecture
More informationCSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L
CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any
More informationTopSec Product Family Voice encryption at the highest security level
Secure Communications Product Brochure 01.01 TopSec Product Family Voice encryption at the highest security level TopSec Product Family At a glance The TopSec product family provides end-to-end voice encryption
More informationKey Management and Distribution
Key Management and Distribution Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/
More informationComputer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University
Computer Networks Network Security and Ethics Week 14 College of Information Science and Engineering Ritsumeikan University Security Intro for Admins l Network administrators can break security into two
More informationKey Management and Distribution
2 and Distribution : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015 css441y15s2l10, Steve/Courses/2015/s2/css441/lectures/key-management-and-distribution.tex,
More informationAnalysis of Broadcast Authentication Mechanism in Selected Network Topologies
RADIOENGINEERING, VOL. 20, NO. 1, APRIL 2011 167 Analysis of Broadcast Authentication Mechanism in Selected Network Topologies Tomas VANEK, Matej ROHLIK Dept. of Telecommunication Engineering, Czech Technical
More informationח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms
Public Key Cryptography Kurose & Ross, Chapters 8.28.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) AddisonWesley, April 2009. Copyright 19962010,
More informationCS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:
50fb6be35f4c3105 9d4ed08fb86d8887 b746c452a9c9443b 15b22f450c76218e CS 470 Spring 2017 9df7031cdbff9d10 b700a92855f16328 5b757e66d2131841 62fedd7d9131e42e Mike Lam, Professor Security a.k.a. Why on earth
More informationUse of Symmetric And Asymmetric Cryptography in False Report Filtering in Sensor Networks
Use of Symmetric And Asymmetric Cryptography in False Report Filtering in Sensor Networks Aleksi Toivonen Helsinki University of Technology Aleksi.Toivonen@tkk.fi Abstract Sensor networks are easily deployable
More informationSIP-Based Multimedia Services Provision in Ad Hoc Networks
SIP-Based Multimedia Services Provision in Ad Hoc Networks Y. Rebahi, D. Sisalem, U. Depirianto Fraunhofer Institut Fokus Kaiserin-Augusta-Allee 31 10589 Berlin, Germany {rebahi, sisalem, depirianto}@fokus.fraunhofer.de
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationIntroduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms
Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics
More informationEfficiency Optimisation Of Tor Using Diffie-Hellman Chain
Efficiency Optimisation Of Tor Using Diffie-Hellman Chain Kun Peng Institute for Infocomm Research, Singapore dr.kun.peng@gmail.com Abstract Onion routing is the most common anonymous communication channel.
More informationCryptographic Techniques. Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building
Cryptographic Techniques Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building Outline Data security Cryptography basics Cryptographic systems DES RSA C. H. HUANG IN CML 2 Cryptography
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationChapter 3. Principles of Public-Key Cryptosystems
Chapter 3 Principles of Public-Key Cryptosystems The concept of public-key cryptography evolved from an attempt to attack two of the most difficult problems associated with symmetric encryption. key distribution
More information