Efficient and Secure Source Authentication for Multicast

Similar documents
Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2011

Source Authentication in Group Communication Systems

Defenses against Wormhole Attack

Reliable Broadcast Message Authentication in Wireless Sensor Networks

Efficient and Secure Source Authentication for Multicast

Internet Engineering Task Force (IETF) ISSN: April 2010

Secure Routing for Mobile Ad-hoc Networks

CSC 774 Advanced Network Security

TESLA Certificates: An Authentication Tool for Networks of Compute-Constrained Devices Mathias Bohge

LHAP: A Lightweight Hop-by-Hop Authentication Protocol For Ad-Hoc Networks

LHAP: A Lightweight Hop-by-Hop Authentication Protocol For Ad-Hoc Networks

Department of Electrical and Computer Engineering, Institute for Systems Research, University of Maryland, College Park, MD 20742, USA

Kun Sun, Peng Ning Cliff Wang An Liu, Yuzheng Zhou

CIS 4360 Secure Computer Systems Applied Cryptography

ABSTRACT

Signature Amortization Using Multiple Connected Chains

Efficient and Secure Source Authentication for Multicast

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

CSC 774 Network Security

Wireless Network Security Spring 2011

SSL/TLS. How to send your credit card number securely over the internet

DoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace.

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Cryptographic Concepts

SECURE ROUTING PROTOCOLS IN AD HOC NETWORKS

SCION: PKI Overview. Adrian Perrig Network Security Group, ETH Zürich

A Tree-Based µtesla Broadcast Authentication for Sensor Networks

LHAP: A Lightweight Network Access Control Protocol for Ad-Hoc Networks

Flexible, Extensible, and Efficient VANET Authentication

PEAC: a Probabilistic, Efficient, and resilient Authentication protocol for broadcast Communications

Cryptographic Checksums

Internet Indirection Infrastructure

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Source Anonymous Message Authentication and Source Privacy using ECC in Wireless Sensor Network

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Wireless Network Security Spring 2016

SPINS: Security Protocols for Sensor Networks

Security. Communication security. System Security

CMPE 257: Wireless and Mobile Networking

Mitigating DoS attacks against broadcast authentication in wireless sensor networks

Student ID: CS457: Computer Networking Date: 5/8/2007 Name:

CERIAS Tech Report VERIFYING DATA INTEGRITY IN PEER-TO-PEER VIDEO STREAMING. by Ahsan Habib, Dongyan Xu, Mikhail Atallah, Bharat Bhargava

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Low Cost Multicast Authentication via Validity Voting in Time-Triggered Embedded Control Networks

Security in Ad Hoc Networks *

DoS attack-tolerant TESLA-based broadcast authentication protocol in Internet of Things

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013

Chapter 9: Key Management

WPA-GPG: Wireless authentication using GPG Key

Wireless Network Security Spring 2015

CSCE 715: Network Systems Security

Deploying a New Hash Algorithm. Presented By Archana Viswanath

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Using secure multi-party computation when pocessing distributed health data

CIS 4360 Secure Computer Systems Symmetric Cryptography

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

International Journal of Advanced Research in Computer Science and Software Engineering

ANET: An Anonymous Networking Protocol

Secure Ad-Hoc Routing Protocols

Applied Cryptography and Computer Security CSE 664 Spring 2017

UNIT - IV Cryptographic Hash Function 31.1

CS408 Cryptography & Internet Security

Security Issues In Mobile IP

Spring 2010: CS419 Computer Security

Lecture 1 Applied Cryptography (Part 1)

Seven Cardinal Properties of Sensor Network Broadcast Authentication

Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

T Cryptography and Data Security

Computer Science 461 Final Exam May 22, :30-3:30pm

L13. Reviews. Rocky K. C. Chang, April 10, 2015

What is Multicasting? Multicasting Fundamentals. Unicast Transmission. Agenda. L70 - Multicasting Fundamentals. L70 - Multicasting Fundamentals

Cryptography and Network Security

Cryptographic authentication on the communication from an 8051 based development board over UDP

Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols

CS 425 / ECE 428 Distributed Systems Fall 2017

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Developing MapReduce Programs

Overview. SSL Cryptography Overview CHAPTER 1

MultiNet: Connecting to Multiple IEEE Networks Using a Single Wireless Card IEEE INFOCOM 2004

CS 268: IP Multicast Routing

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Session key establishment protocols

Reliable Transport I: Concepts and TCP Protocol

Cryptography and Network Security Chapter 1

Group-based Secure Source Authentication Protocol for VANETs

Wireless Network Security Spring 2013

Computer Networks. Wenzhong Li. Nanjing University

Session key establishment protocols

Announcements. me your survey: See the Announcements page. Today. Reading. Take a break around 10:15am. Ack: Some figures are from Coulouris

Securing the Frisbee Multicast Disk Loader

Security Requirements

Quick-Start for TCP and IP

HOST Authentication Overview ECE 525

Efficient Data Structures for Tamper-Evident Logging

Network Working Group. Category: Standards Track January 2006

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

Ariadne: Secure On-Demand Routing in Ad-Hoc Networks an explanation for dummies

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

02 - Distributed Systems

Transcription:

Efficient and Secure Source Authentication for Multicast Authors: Adrian Perrig, Ran Canetti Dawn Song J. D. Tygar Presenter: Nikhil Negandhi CSC774 Network Security Outline: Background Problem Related work An Overview of TESLA Extended TESLA Security Discussion & Robustness to DOS Conclusion Future Work 1

Problem: Efficient Source Authentication One sender, many receivers Receivers not trusted Lossy channel (lost packets are not retransmitted) Related Work: Digital Signatures Advantage: Non-repudiation Disadvantages: Too expensive, DOS on the receiver Simple MAC using shared secret as in UNICAST Advantages: Low overhead, MAC computation is fast Disadvantage: Insecure in multi-party case 2

An Overview of TESLA Provides multicast source authentication Efficient: - symmetric-key cryptography - 1 MAC function computation (1,000,000/s) - Low overhead per packet (10-20 bytes) Perfect loss robustness Scalable: After initial receiver bootstrap, unidirectional data flow Drawback: Delayed authentication TESLA: The basic idea 3

Security Condition A packet arrived safely if the receiver is assured that the sender cannot yet be in the time interval in which the corresponding key is disclosed. Receiver verifies that packet P arrives before sender discloses KP If security condition not satisfied, drop the packet Sender Setup Interval definition - Beginning time of one specific interval - Interval duration, disclosure delay Key chain - Compute using a pseudo-random function F - Digitally sign K0, give to receivers at registration. 4

Sending/Receiving Authenticated Packets Packet Pj sent in interval Ii is: {Mj/MACki(Mj)/Ki-d} The key remains secret for future intervals Packets sent in interval Ij can disclose key Drawbacks of TESLA: Receiver has to buffer packets - DoS attacks on the receiver Overhead for receivers in heterogeneous networks - uses many keys with different disclosure delays Synchronization - costly due to public key operations Not-scalable - sender has synchronized with all the receivers before transmission starts. 5

Extended TESLA: Immediate Authentication Concurrent TESLA instances Time Synchronization Determining Key Disclosure Delay Immediate Authentication Receiver authenticates packets as soon as they arrive Sender buffers packets during one disclosure delay Sender stores hash value of data of later packet in an earlier packet If packets are dropped, authentication? 6

Concurrent TESLA instances Why require multiple instances of TESLA with different disclosure delays? - low delay receivers :short key disclosure delay - high delay receivers: long key disclosure Solution: Same key chain but a different key schedule for all instances K u i+du = MAC key in Ii disclosed in I i+du Concurrent TESLA instances Advantages Generates all different independent keys for each instance Sender needs to disclose one key chain independent of number of concurrent instances 7

Time Synchronization Loose time synchronization Receiver knows an upper bound of difference between sender s local time and the receiver s local time = (del) 1. Direct: Explicit time synchronization with sender No extra infrastructure needed Two-phase protocol Del=ts-tr DoS? 2. Indirect Implicit Time Synchronization Synchronize with a time reference Determining Key Disclosure Delay Short disclosure delay security condition violated packets drop Long disclosure delay long authentication delay Security Condition is [(t R i + del To)/Tint] Ij < d d = disclosure delay in time intervals Tint = interval duration To = beginning time of 0 th time interval t R i =receiver s local time when packet Pi arrives Ij = time at which packet Pi is constructed del = upper bound of difference between sender s local time and the receiver s local time [ ] = truncate function 8

Security Discussion and Robustness to DoS DoS Attack on the Sender Not possible with indirect time synchronization Possible with direct time synchronization Solution: Sender aggregates multiple requests computes and signs a Merkle hash tree that is generated from all the requester s nonces Root H ad is included in signed part instead of receiver s nonce To verify the signature, each receiver reconstructs hash tree Example: A will receive N b, H cd No. of nodes returned = Security Discussion and Robustness to DoS DoS Attack on the RECEIVER Replay Attack - security condition drops packets if replayed with a long delay - add sequence number to each packet Flooding with bogus traffic - security condition drops a packet after one disclosure delay - immediate authentication Attacker fools receiver to believe that packet was sent out far in the future - in order to verify the disclosed key the receiver would hash until last committed key chain value - foiled by checking packet interval <= latest interval sender can be in Ij <= [(ti-to)/tint] 9

Conclusion Basic TESLA provides low computation and communication overhead and perfect lost robustness Additional information in a packet used to provide immediate authentication Reduced overhead when multiple TESLA instances are concurrently used with different authentication delays Derived a tight lower bound on disclosure delay Hardened the sender and receiver against various DoS attacks FUTURE WORK Source authentication with nonrepudiation Perfect time synchronization techniques with less complexity and low overhead 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback