A Security Infrastructure for Trusted Devices

Similar documents
I-HARPS: An Efficient Key Pre-distribution Scheme

Key establishment in sensor networks

Key establishment in sensor networks

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks

I-HARPS: An Efficient Key Predistribution Scheme for Mobile Computing Applications

BISS: Building secure routing out of an Incomplete Set of Security associations

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

CSC 774 Advanced Network Security

Certificateless Public Key Cryptography

Key Agreement Schemes

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Symmetric Cryptographic Protocols

Security Requirements for Crypto Devices

A Key-Management Scheme for Distributed Sensor Networks

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Considerations about the Architecture Solutions for PKI in Ad-hoc-Networks

Reliable Broadcast Message Authentication in Wireless Sensor Networks

Public-key Cryptography: Theory and Practice

Session key establishment protocols

Use of Symmetric And Asymmetric Cryptography in False Report Filtering in Sensor Networks

Session key establishment protocols

By: Wenliang Du, Jing Deng, Yunghsiang S. Han, Pramod K. Varshney, Jonathan Katz, and Aram Khalili

Overview of Authentication Systems

Message Authentication and Hash function

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

Proving who you are. Passwords and TLS

Enhancing the Security in WSN using Three Tier Security Architecture Chanchal G. Agrawal *

Public Key Establishment

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Digital Certificates Demystified

A General Probabilistic Model for Improving Key Assignment in Wireless Networks

DATA INTEGRITY TECHNIQUES IN CLOUD: AN ANALYSIS

Code Verification Work of Sybil Attack in Wireless Sensor Network

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

AEGIS Secure Processor

Forward-secure Key Evolution in Wireless Sensor Networks

CS530 Authentication

The SafeNet Security System Version 3 Overview

PKI Credentialing Handbook

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services Security protocols

Offline dictionary attack on TCG TPM weak authorisation data, and solution

Cryptography and Network Security Chapter 14

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

SECURE SHARING OF DATA IN PRIVATE CLOUD BY RSA OAEP ALGORITHM. SRM University, Chennai

ESTABLISHMENT OF SECURE COMMUNICATION IN WIRELESS SENSOR NETWORKS

Wireless Network Security Spring 2016

Wireless Network Security Spring 2011

Study Guide for the Final Exam

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

18-642: Cryptography 11/15/ Philip Koopman

KEY DISTRIBUTION AND USER AUTHENTICATION

The Cryptographic Sensor

Lecture Note 6 KEY MANAGEMENT. Sourav Mukhopadhyay

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Cryptography. Lecture 12. Arpita Patra

(2½ hours) Total Marks: 75

Implementing Cryptography: Good Theory vs. Bad Practice

Security analysis of OpenID, followed by a reference implementation of an npabased OpenID provider

Public Key Infrastructures

MU2b Authentication, Authorization and Accounting Questions Set 2

Efficient Memory Integrity Verification and Encryption for Secure Processors

Models of Authentications in Ad Hoc Networks and Their Related Network Properties

Distributed ID-based Signature Using Tamper-Resistant Module

CPSC 467: Cryptography and Computer Security

Cryptographic protocols

Diffie-Hellman. Part 1 Cryptography 136

ISACA CISA. ISACA CISA ( Certified Information Systems Auditor ) Download Full Version :

Sowing Seeds Protocol based Key Distribution for Wireless Sensor Network

A Set-Covering Approach for Modeling Attacks on Key Predistribution in Wireless Sensor Networks

Authenticating People and Machines over Insecure Networks

Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

T Cryptography and Data Security

A Pairwise Key Pre-Distribution Scheme for Wireless Sensor Networks

Dynamic Key Ring Update Mechanism for Mobile Wireless Sensor Networks

ECEN 5022 Cryptography

Lecture 6 - Cryptography

OneID An architectural overview

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2011

Outline Key Management CS 239 Computer Security February 9, 2004

Introduction to Cryptography Lecture 10

CPSC 467b: Cryptography and Computer Security

Key Management and Distribution

AS with all networks comprising geographically distributed

Verteilte Systeme (Distributed Systems)

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Security+ SY0-501 Study Guide Table of Contents

Rethinking Authentication. Steven M. Bellovin

IT443 Network Security Administration Spring Gabriel Ghinita University of Massachusetts at Boston

Data Security and Privacy. Topic 14: Authentication and Key Establishment

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Development Authority of the North Country Governance Policies

Enhanced Management of Certificate Caching and Revocation Lists in VANET

WHITEPAPER. Vulnerability Analysis of Certificate Validation Systems

Authentication Part IV NOTE: Part IV includes all of Part III!

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Transcription:

Infrastructure () A Security Infrastructure for Trusted Devices Mahalingam Ramkumar Mississippi State University, MS Nasir Memon Polytechnic University, Brooklyn, NY January 31, 2005

Infrastructure () 1 Trusted Devices Renewal KDS Requirements 2 Random Key Pre-distribution Schemes 3 Infrastructure ()

Infrastructure () Emerging Models of Trust Trusted Devices Renewal KDS Requirements Paradigm shift in the model of trust in emerging applications Conventional applications - Client-server applications End users are trusted Trusted not to reveal passwords, private keys In theory, compromise of user A s secrets should not affect other users Pervasive / ubiquitous computing, ad hoc networks, DRM devices need to be trusted to behave in a responsible fashion not the owners or operators. How do we trust devices? More appropriately, how do devices trust each other?

Trusted Devices Outline Infrastructure () Trusted Devices Renewal KDS Requirements Devices play by the rules Compliance to established rules. How? Trusted devices provided with secrets Secrets serve as a hook for compliance Verify compliance before providing secrets Verification of (possession of) secrets = verification of compliance Mechanism to distribute and establish possession of secrets - key distribution scheme (KDS)

Infrastructure () Trusted Devices Renewal KDS Requirements Tamper Resistance and Read Proofness Even owners of the devices should not have access to the secrets Devices are trusted not to reveal their secrets! Both tamper resistance and read-proofness are mandatory Tamper resistance - guarantees that components that guarantee compliance cannot be modified after a device is provided with secrets Read proofness - guarantees that secrets from a compliant device cannot be transferred to a non-compliant device

Renewability Outline Infrastructure () Trusted Devices Renewal KDS Requirements Technology for tamper-resistance is expected to improve (necessity is the mother of invention!) Yet perfect tamper resistance / read proofing may never be achievable Need to renew secrets periodically

Infrastructure () Safe Renewal of Secrets Trusted Devices Renewal KDS Requirements Secrets originally assigned by the manufacturer Take the device back to the manufacturer every time for renewal? - not practical Renewal has to occur over open channels (Internet?) Devices will authenticate themselves using old secrets to receive new secrets If old secrets in a device have been compromised, what prevents an attacker from getting new secrets? Need an additional secret that cannot be compromised by tampering. No, password is not sufficient.

Infrastructure () Trusted Devices Renewal KDS Requirements Circuit-Delay Based Authentication B. Gassend, D. Clarke, M. van Dijk, S. Devadas, Delay-based Circuit Authentication and Applications, Proceedings of the 2003 ACM symposium on Applied Computing, Melbourne, Florida, pp 294 301, 2003. Uncontrollable delays unique to each chip can serve as a signature Not exposable by tampering Sensitive to environmental variations - could be compensated Possibly weak secret

Safe Renewal Outline Infrastructure () Trusted Devices Renewal KDS Requirements Assumptions 1 The existence of a weak secret which cannot be exposed by tampering. 2 The only way to obtain secrets from a device A is by tampering with the device A. 3 Devices that are tampered with are rendered unusable in the future. Safe renewal is feasible! The key renewal process (protocol) can de set up such that each brute force attempt would need TA s involvement!

Infrastructure () KDS Requirements Trusted Devices Renewal KDS Requirements Extremely large scale (billions of devices) Support ad hoc interactions (no Kerberos) Light on resources (possibly no asymmetric crypto) Interoperability - different vendors Renewability Multicast security?

What is KPD? Outline Infrastructure () Random KPD An (offline) TA and N nodes with unique IDs TA chooses P secrets R Node A is pre-loaded with k secrets S A = F (R, ID A ) Node B is pre-loaded with k secrets S B = F (R, ID B ) Nodes A and B can discover shared secret K AB = G(ID B, S A ) = G(ID A, S B ) Only nodes A and B can discover K AB

n-secure KPD Outline Infrastructure () Random KPD Pre-loaded keys in different nodes are not independent A finite number of other nodes can be compromised to reveal K AB n-secure KPD resists compromises of up to n nodes KPDs are tradeoffs between security and complexity Large n large k Different mechanisms of trade-off Efficient KPD schemes k = O(n)

Infrastructure () Extents of Compromise Random KPD Attacker pools keys from many node with the purpose of determining shares secret between Two nodes i and j (Attack 1) Node i and TA (Attack 2) All P secrets (Attack 3)

Infrastructure () Classes of KPDs Random KPD Deterministic KPDs based in finite field arithmetic (Blom, Matsuhito) Attacks 1,2,3 have the same complexity Subset intersection schemes (matrix, Mitch, Dyer, Erdos et al) Attacks 1 to 3 increasingly complex Random KPDs - provide only probabilistic guarantees For example, n-secure with probability of failure 10 20 Most random KPDs are based on subset intersection Exception - Leighton and Micali (Scheme II) Attacks 1 to 3 increasingly complex

Infrastructure () Random KPD Probababilistic Guarantees are Good Enough! Even for determinsitic schemes the final shared secret has a finite number of bits What is the probability that an attacker can guess a 64-bit key? - more than 10 20. Probabilistic guarantees are not bad as long as the probability of failure is small

Random KPDs Outline Infrastructure () Random KPD Two basic types Leighton and Micali (scheme III) - based on repeated hashing of preloaded keys Random preloaded subsets (RPS) - a slight modification of subset intersection schemes TA has P keys, each node is given a subset of k keys In SI schemes the allocation is done in a deterministic fashion In RPS it is done either randomly (Eschenauer-Gligor, Chan-Perrig-Song, Liu-Ning) or psuedo-randomly (Pietro-Mancini-Mei, Ramkumar-Memon) Former methods need bandwidth overhead to determine share keys - psuedo-random methods provide an elegant solution by using a one-way function of node ID

Infrastructure () Random KPD HAshed Random Preloaded Subsets Defined by three parameters, P, k, L TA chooses P secrets Each node gets a subset of the secrets (randomized by node ID) The preloaded keys are hashed repeatedly - a variable number of times Hash depths uniformly distributed between 1 and L (randomized by node ID) Shared secret based on maximum hash depths of the shared keys

Infrastructure (), RPS and LM Random KPD is a generalization of RPS and LM LM is with P = k RPS is with L = 0

Infrastructure () Illustration of Random KPD

Infrastructure () Summary of Properties Random KPD Efficient, k = O(n) RPS, k = O(n), LM, k = O(n 3 ) RPS - k = e log(p)n, - k = e log(p)n Theoretically, not possible to do better than O(n) Different threat models How difficult is it to fool another node? (Attack 1) To fool the TA? (Attack 2) All random KPDs provide more resistance to Attack 2 (which is good) does better than other random KPDs against Attack 1 And does very much better (by 2 orders of magnitude) against Attack 2. Safe renewal with KPDs - need additional unique key or high resistance to attack 2

And More! Outline Infrastructure () Random KPD Tree hierarchical extension (RPS - does not offer seperation of levels) Caters for seamless renewal The same preloaded secrets can also be used for Broadcast authentication - equivalent to signature schemes Targeted signatures / Designated verifiers... Broadcast encryption - an efficient solution for node revocation Discovery of group secrets Infrastructure

Infrastructure () vs PKI Feature 1 Deployment 2 Shared secret 3 Source Authentication 4 Non repudiation PKI 1 tree hierarchical deployment of CAs 2 exchanging signed public keys 3 encrypting with private key 4 source authentication 1 tree hierarchical deployment of TAs 2 exchanging unique IDs 3 appending key based MACs 4 source authentication with trusted devices

Infrastructure () vs PKI Feature 1 Revocation (1) 2 Revocation (2) 3 Automatic revocation 4 Seamless renewal 5 Broadcast Encryption 6 Choosing Public keys PKI 1 broadcasting revocation list 2 none 3 expiry of certificate 4 possible 5 not possible 6 not possible 1 broadcasting revocation list 2 broadcasting revocation secret 3 periodic renewal 4 possible with some loss of security 5 possible by TA and peers 6 possible

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback