Network Security: Broadcast and Multicast. Tuomas Aura, T-110.5241 Network security, Aalto University, Nov-Dec 2011


Network Security: Broadcast and Multicast Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2011

Outline
1. Broadcast and multicast
2. Receiver access control (i.e. data confidentiality)
3. Multicast authentication
4. DoS protection

Broadcast and multicast

Broadcast and multicast
- Unicast = send to one receiver
  - Traditional IP routing
  - TCP, HTTP, video and audio streaming
  - Server sends a separate copy to each receiver
- Broadcast = send to everyone
  - Terrestrial radio and television, satellite
  - Link-layer broadcast on Ethernet or WLAN, flood-fill through an overlay network
- Multicast = send to a group of receivers
  - IP multicast, overlay streaming, IPTV
  - Can save bandwidth by routing through a tree

IP unicast

Satellite broadcast

IP multicast protocols

IP multicast
- Internet group management protocol (IGMP) in IPv4 and Multicast listener discovery (MLD) in IPv6 between clients and the gateway router
  - Clients use them to connect to a local multicast router
- Protocol-independent multicast (PIM) within larger networks
  - PIM sparse mode (PIM-SM) or dense mode (PIM-DM) used in closed routing domains
- Inter-domain protocols: Multicast Source Discovery Protocol (MSDP) and MBGP
  - Still experimental
- The multicast routing protocols do not provide security in themselves

Future of multicast and broadcast?
- Multicast tree vs. P2P overlay protocols
- YouTube uses unicast
- IPTV uses multicast
- IP multicast works well in a closed network, e.g. single operator

Security goals
- Applications: satellite and cable TV, Internet TV, peer-to-peer content distribution, GPS/Galileo, teleconference
- Access control to multicast and broadcast data
- Data authentication
- DoS protection: access control for senders
- Privacy: confidentiality of subscriber identities (which channel is my neighbor watching?)

Receiver access control

Access control to data
- Goal: allow only authorized access to data
- Encrypt data, distribute keys to authorized recipients (= multicast group)
- Key distribution issues:
  - Revocation speed
  - Amount of communication and computation per joining or leaving node
  - Scalability (teleconference vs. satellite TV broadcast)
  - Possible packet loss when session keys are replaced
  - Sharing keys to unauthorized parties is easier than sharing data

Group key distribution
- Various efficient protocols for distributing keys to a multicast group
- Typical solution: unicast key distribution to individual subscribers
  - Ok for small groups (e.g. teleconference) or slow updates (e.g. IPTV subscription)
- Can piggyback individual key updates on multicast data
  - Does not require separate unicast channel
  - Ok for slow updates (e.g. satellite TV)
- Advanced group key management protocols
  - Typically log(N) communication to revoke one receiver out of N

Multicast and broadcast authentication

Multicast data authentication
- Security goals:
  - Integrity, data-origin authentication
  - Sometimes non-repudiation
  - Early dropping of spoofed data to save bandwidth
- Other constraints:
  - Packet loss tolerance vs. reliable transmission
  - Real-time requirements
- Small groups could use a shared key and MACs
  - Limitation: every member can spoof data
  - Won't work for large or mutually distrusting groups
- Asymmetric crypto seems the right tool
  - One sender and many receivers

Hash chaining
- Forward chaining
  - Amortize the cost of a signature over many data packets
  - Sender can send in real time
  - Receiver should buffer data and consume only after signature received
  - Receiver vulnerable to DoS from spoofed packets
  - [Figure, n=4, arrows labelled "hash": data, H1, data, H2, data, H3, data, H4, Sign(H4)]
- Backward chaining
  - Receiver can authenticate and consume data immediately
  - Sender must buffer data before sending and signing
  - [Figure, n=4: Sign(H1), H1, data, H2, data, H3, data, H4, data]
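Backward chaining worked through in code, as an added example that is not part of the original slides. Assumptions: each packet carries its data followed by the hash of the next packet, SHA-256 is the hash, and the signature check on H1 happens outside the example, so the receiver is simply handed an already verified H1.

```python
import hashlib

def h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def build_stream(chunks):
    """Sender: buffer every chunk, then chain from the last packet backwards.
    Packet i = len(data_i) || data_i || H_{i+1}, where H_i = h(packet i).
    Returns (H_1, packets); H_1 is the only value that needs a signature."""
    packets, next_hash = [], b""
    for data in reversed(chunks):
        pkt = len(data).to_bytes(2, "big") + data + next_hash
        packets.append(pkt)
        next_hash = h(pkt)
    packets.reverse()
    return next_hash, packets

def receive(verified_h1, packets):
    """Receiver: consume each packet as soon as it hashes to the expected
    value. Returns the authenticated chunks and stops at the first mismatch."""
    expected, out = verified_h1, []
    for pkt in packets:
        if h(pkt) != expected:
            break                       # spoofed packet, or a gap in the chain
        n = int.from_bytes(pkt[:2], "big")
        out.append(pkt[2:2 + n])
        expected = pkt[2 + n:]          # H_{i+1}; empty after the last packet
    return out

if __name__ == "__main__":
    chunks = [b"frame-1", b"frame-2", b"frame-3", b"frame-4"]   # constructed
    h1, pkts = build_stream(chunks)
    print(receive(h1, pkts))
    # One lost packet leaves everything after it unverifiable.
    print(receive(h1, pkts[:1] + pkts[2:]))
```

The second call shows why a single chain is not loss tolerant: once packet 2 is missing, the receiver has no trusted hash for packet 3.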

Loss tolerant chaining
- Redundant hash chains
- Efficient multi-chained stream signature (EMSS)
  - E.g. 1-3-7 chaining sequence tolerates bursty losses of up to 7 packets
  - Redundant signatures costly
  - Random chaining sequence shown to be efficient
- Alternative: forward error correction code

Guy Fawkes protocol (1)
- Delayed authentication [Ross Anderson 1997]
- Initially, receiver knows Y = hash(X)
- To authenticate message M:
  1. Sender publishes commitment Z = MAC_X(M)
  2. Sender publishes message M and the secret X
- Z is a commitment that binds the message M and the secret X. Revealing X later authenticates M
- Critical detail: The commitment Z must be received before X is revealed
- In the Guy Fawkes protocol, Z is published in a newspaper = broadcast medium with guaranteed latest delivery time

Guy Fawkes protocol (2)
- Out-of-band initialization:
  - Sender selects a random X_0 and computes Y_0 = hash(X_0)
  - Sender publishes Y_0 via an authenticated channel
- Protocol round i = 1, 2, 3, ...:
  1. Sender selects a random X_i and computes Y_i = hash(X_i)
  2. Sender publishes in a newspaper Z_i = MAC_{X_{i-1}}(M_i, Y_i)
  3. Sender publishes M_i, hash(X_i), X_{i-1}
- Z_i is a commitment that binds the message M_i and the secret X_{i-1}. Revealing X_{i-1} later authenticates M_i
- The next key Y_i is authenticated together with M_i
- Critical: Each Z_i must be received before X_{i-1} is revealed
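The rounds above, with both sides and the ordering check, as an added example that is not part of the original slides. Assumptions: SHA-256 and HMAC-SHA256 stand in for hash and MAC, and the timestamps passed to commit() and reveal() come from the broadcast medium (the "newspaper"), not from the party submitting the value.

```python
import hashlib, hmac, os

def h(b):
    return hashlib.sha256(b).digest()

def mac(key, msg, y_next):
    # Y_i has fixed length, so Y_i || M_i is an unambiguous encoding.
    return hmac.new(key, y_next + msg, hashlib.sha256).digest()

class Sender:
    def __init__(self):
        self.x = os.urandom(32)          # X_0
        self.y0 = h(self.x)              # Y_0, sent over an authenticated channel

    def round(self, msg):
        """Return (Z_i, reveal) with reveal = (M_i, Y_i, X_{i-1})."""
        x_next = os.urandom(32)
        y_next = h(x_next)
        z = mac(self.x, msg, y_next)
        reveal = (msg, y_next, self.x)
        self.x = x_next
        return z, reveal

class Receiver:
    def __init__(self, y0):
        self.y = y0                      # Y_{i-1}
        self.commitments = {}            # Z -> time the medium published it

    def commit(self, z, published_at):
        self.commitments.setdefault(z, published_at)

    def reveal(self, msg, y_next, x_prev, x_public_at):
        """x_public_at: earliest time X_{i-1} was public, per the medium."""
        if not hmac.compare_digest(h(x_prev), self.y):
            return False
        seen = self.commitments.get(mac(x_prev, msg, y_next))
        if seen is None or seen >= x_public_at:
            return False                 # Z did not predate disclosure of X
        self.y = y_next                  # Y_i authenticated together with M_i
        self.commitments.clear()
        return True
```

A commitment that appears only after X_{i-1} is public could have been computed by anyone, which is why reveal() rejects it even though its MAC is correct.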

Lamport hash chain [Leslie Lamport 1981]
- One-time passwords for client-server authentication
- Initialization:
  - Random number X_0
  - Hash chain X_i = h(X_{i-1}), i = 1...n
  - Server stores X_n
- Client reveals hashes in reverse order: X_{n-1}, X_{n-2}, ...
- Protects against password sniffing
  - Cannot be replayed like a normal password
  - Better than real random passwords: takes less storage space and the server password database (/etc/passwd) can be public
- Entity authentication only; no key exchange
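The one-time password exchange above with both client and server state, as an added example that is not part of the original slides. Assumptions: SHA-256 as h, and a client that recomputes the chain from X_0 on every login instead of storing it.

```python
import hashlib, hmac, os

def h(b):
    return hashlib.sha256(b).digest()

class Client:
    def __init__(self, n):
        self.seed = os.urandom(32)       # X_0, never leaves the client
        self.remaining = n               # passwords still unused

    def chain(self, i):
        """X_i = h applied i times to X_0."""
        x = self.seed
        for _ in range(i):
            x = h(x)
        return x

    def next_password(self):
        if self.remaining == 0:
            raise RuntimeError("hash chain exhausted, re-initialize")
        self.remaining -= 1
        return self.chain(self.remaining)    # X_{n-1}, then X_{n-2}, ...

class Server:
    def __init__(self, x_n):
        self.stored = x_n                # verifier only; useless for logging in

    def login(self, password):
        if not hmac.compare_digest(h(password), self.stored):
            return False
        self.stored = password           # next login must present its preimage
        return True

if __name__ == "__main__":
    client = Client(3)
    server = Server(client.chain(3))
    pw = client.next_password()
    print(server.login(pw), server.login(pw))   # second attempt is a replay
```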

TESLA multicast stream authentication
- Time efficient stream loss-tolerant authentication [Perrig et al. 2000][RFC 4082]
- After initialization, secret-key crypto (cryptographic hash and MACs) only
- Delayed authentication: broadcast sender commits to MAC keys and reveals them after a fixed delay
  - Authentication delay at least one round-trip time (RTT)
- MAC keys come from a hash chain
- Requires loose clock synchronization
  - Authentication delay must be set to > maximum clock skew
- No buffering of data at sender; buffering for a fixed period at the receiver
- Tolerates packet loss
- Scales to any number of receivers
- No non-repudiation

TESLA keys
[Figure: hash chain k_0 <- k_1 <- k_2 <- k_3 <- ... <- k_{t-1} <- k_t = random, each step labelled h; a second row of h leads to the MAC keys k_1, k_2, k_3, ..., k_{t-1}, k_t]
- Initialization: Sender commits to the key chain and release schedule by signing: k_0, start time T_1, interval duration T_int, disclosure delay d·T_int
- Time periods start at T_1, others T_{i+1} = T_i + T_int
- MAC keys k_1, k_2, k_3, ...
  - Used for message authentication in periods starting from T_1, T_2, T_3, ...
  - k_i revealed d periods later (revealing k_i reveals all k_j, j ≤ i)
- Sender and receiver must have loosely synchronized clocks

TESLA authentication
[Figure: key chain k_0, k_1, k_2, k_3, k_4, ..., k_{N-1}, k_N = random and MAC keys k_1 ... k_N as on the previous slide, above a time axis T_1, T_2, T_3, T_4, ..., T_{N-1}, T_N; setup message Sign(k0, Y1, Tint, d=2, N); packets labelled "Contain k_1", "Contain k_2", ..., "Contain k_{N-3}", "Contain k_{N-2}", "Contain k_{N-1}", "Contain k_N"]
- Packets received in period i will be authenticated in period i+d
- If a packet that belongs to the period [T_i, T_{i+1}] is received after T_{i+1}, it cannot be authenticated
- Ok to have silent periods but dummy packets may be needed to avoid long authentication delays
- Next key chain can be initialized by sending the new k_0 in the last packets of the previous chain (cf. Guy Fawkes)
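A TESLA sender and receiver covering the two slides above, as an added example that is not part of the original slides or of RFC 4082. Assumptions: the signed setup (k_0, T_1, T_int, d) is already verified, the chain keys are used directly as MAC keys, and the receiver buffers a packet only while the sender cannot yet have disclosed its key under that schedule and a known maximum clock skew.

```python
import hashlib, hmac, os

def h(b): return hashlib.sha256(b).digest()
def mac(k, m): return hmac.new(k, m, hashlib.sha256).digest()

def make_chain(n):
    """k_n is random and k_{i-1} = h(k_i); returns [k_0, ..., k_n]."""
    keys = [os.urandom(32)]
    for _ in range(n):
        keys.append(h(keys[-1]))
    return keys[::-1]

def send(keys, i, msg, d):
    """Packet for period i: MAC under k_i plus disclosure of k_{i-d}."""
    return (i, msg, mac(keys[i], msg), keys[i - d] if i > d else None)

class Receiver:
    def __init__(self, k0, t1, t_int, d, skew):
        self.known = (0, k0)             # highest verified chain key
        self.t1, self.t_int, self.d, self.skew = t1, t_int, d, skew
        self.buffer, self.delivered = [], []

    def _derive(self, j, key, i):        # k_i from k_j, for i <= j
        for _ in range(j - i):
            key = h(key)
        return key

    def receive(self, pkt, now):
        i, msg, tag, disclosed = pkt
        # Latest period the sender can be in, allowing for clock skew.
        latest = (now + self.skew - self.t1) // self.t_int + 1
        if not 1 <= i <= latest:
            return                       # impossible period: drop
        if i + self.d > latest:          # k_i cannot be public yet
            self.buffer.append((i, msg, tag))
        idx, key = self.known
        j = i - self.d
        if disclosed is not None and j > idx and \
           hmac.compare_digest(self._derive(j, disclosed, idx), key):
            self.known = (j, disclosed)  # a later key covers lost disclosures
        self._flush()

    def _flush(self):
        j, kj = self.known
        ready = [p for p in self.buffer if p[0] <= j]
        self.buffer = [p for p in self.buffer if p[0] > j]
        for i, msg, tag in ready:
            if hmac.compare_digest(mac(self._derive(j, kj, i), msg), tag):
                self.delivered.append(msg)
```

Packets that arrive once their key may already be public are never buffered, so a MAC computed with a disclosed key gains nothing.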

DoS protection

Access control for senders
- Multicast is a mechanism for traffic amplification: can be used for DoS attacks to consume bandwidth
- One-root solution: the root node of the multicast tree authenticates senders and checks for authorization
  - Ok for satellite broadcast
  - No such root in IP multicast in the Internet, in many-to-many communication, or in peer-to-peer content distribution
- Authentication of data at each router needed to avoid insertion of false data: may be too expensive
- Reverse path forwarding: each router checks the routing table for the source address and decides whether the packet came from the right direction
  - Prevents some spoofing attacks
  - Needed to prevent routing loops anyway

Non-crypto access control for receivers
- A multicast receiver could subscribe to a large number of multicast streams
  - Packet flood to the location of the receiver
  - Either free, unencrypted streams or streams of encrypted packets it cannot decrypt
- Need some way of limiting subscriptions at the receiver end

Exercises
- Combine backward and forward chaining to divide the buffering requirement between sender and receiver
- How could a criminal organization use cryptography to make a series of anonymous but plausible threats? (Hint: Guy Fawkes was a 17th century terrorist)
- If the receiver has no capability for public-key operations, how would you initialize TESLA?