Slides - the GMU ECE Department

Download Report

Transcript Slides - the GMU ECE Department

Improvements to TESLA
Using Secret Sharing Scheme
ECE 646: Cryptography and Network Security
Professor: Dr. Jens-Peter Kaps
Project Team
Krishna Chaitanya Thirumalasetty
KamalEldin Mohamed
Lieyong Yang
Nick Ton
December 19, 2006
Agenda
Overview & Motivation
TESLA Protocol
•
•
•
•
Protocol Overview
Sender Setup
Receiver Authentication
DoS Attack
Improving DoS Attack
• Instant Key Disclosure (TIK)
• Staggered TESLA
• Public Key Cryptography (PKC)
Group Multicast Authentication (GMA)
•
•
•
•
•
Shamir’s Secret Sharing
Analytical Approach
Experimental Approach
Design & Implementation
Results
Conclusion
References
Research Motivation
• Our Observation:
• TELSA protocol are weak against Denial-of-Service (DoS)
attacks
• Our Goal:
• Analyze and implement improvements to TESLA
• Our Approach:
• Group Multicast Authentication (GMA) using Shamir
Threshold Scheme
TESLA – Overview
Timed Efficient Stream Loss-Tolerant Authentication
•
•
Broadcast authentication protocol for message authenticating
•
•
•
•
•
Uses symmetric key cryptography
Asymmetric key cryptography via time
Based on initial loose time synchronization
MAC is attached to each packet
Delayed-disclosure of keys
Published in IEEE Security and Privacy 2000, NDSS 2001 [PCST]
1- Verify Ki
F(Ki)
Authentic
Commitment
M
MAC (Ki , M)
3- M is authentic
ti-1
ti
Ki
is disclosed
2- Verify MAC
ti+1
time
TESLA – Sender Setup
•
Break time in intervals of same duration
•
Determine key chain length N, picks the last key KN randomly
•
Using a One Way Pseudo Random Function F compute Ki =
F(Ki+1), assign one key to each interval
•
Use F' to derive the key to compute MAC K’i= F’(K’i)
Key generation
Ki-1
F’
Ki
F’
K’i-1
interval i -1
Ki+1
F’
K’i
interval i
K’i+1
interval i +1
Key disclosure
KN
F’
K’N
interval N
time
TESLA – Receiver Authentication
Ki-1
Ki
F’
F’
K’i-1
Pi-1
Ki+1
Mi-1, Ki-2 MAC(K’i-1, Di-1)
Di-1
authenticated
F’
K’i
Pi
Mi , Ki-1 MAC(K’i, Di)
Di
authenticated after
reception of Pi+1
Pi+1
K’i+1
Mi+1, Ki MAC(K’i+1, Di+1)
Di+1
not yet authenticated
• When the receiver gets packet Pi,it can not verify the MAC since it does not yet know
Ki from which it can compute K’i
• Packet Pi+1 discloses Ki and allows the receiver to:
 verify that Ki is correct, e.g., F(Ki) = Ki-1
 compute K’i and check the authenticity of packet Pi by verifying the MAC of Pi
TESLA DoS Attack
– Receiver Side
Sender
• Delayed release of authentication keys
Receiver
• Limited buffer size
• Delayed Authentication
Attacker
• Flood the multicast group with bogus
traffic!
…Serious DoS Attack…
Existing Solutions
Exiting Solutions Towards Tesla DoS Attack
• Key Disclosure Delay Invites DoS Attack
• TESLA with Instant Key Disclosure (TIK)
• Eliminate the authentication delay
• Rely on precise synchronization
• Staggered TESLA
• Shorten the key delay
• Multiple, staggered authentication keys
• Efficient Multi-Chained Stream Signature (EMSS)
New Public Key Solution Coming
• New Emerging Algorithms
• Elliptic Curve Cryptography (ECC)
– ECC 163 signature verification takes 480 ms on custom designed
hardware nodes
• NTRUEncrypt and NTRUSign
– NTRU 251 Vs RSA 1024 on Palm (Encrypt 42:1 Decrypt 333:1)
– NTRU 251 Vs ECC 163 on Palm (Encrypt 52.5:1 Decrypt 9:1)
• Faster & Smaller Chips – Moore’s Law
• Sensor Nodes Harvest Energy From Environment
Group MAC Authentication (GMA)
• Group MAC of each packet MACKg (Pj)
•
Original Tesla Packet Pj = {M j || i || MACK’i(Mj) || K{i-d}}
•
New Packet
Pj’ = Pj|| MACKg(Pj)
Pj’
GMA
MAC
TESLA
MAC
MACKg (Pj)
MACK’i(Mj)
Message||Key||ID
Pj
Our Solution
Group Multicast Authentication
(GMA)
Shamir’s Secret Sharing
Secret Sharing Scheme
• Secret is shared by a trust group – everyone has responsibility
• Address the problem of key distribution
• Allows multiple users to recover secret
Secret Sharing Scheme has two phase:
• Dealer Phase where secret shares are generated
• Reconstruction Phase where secrets are combined to reconstruct the
original secret
Secret S is shared by n users, each one has Si, 1< i ≤ n
• Iff any member in a group knows T or more shares
– can reconstruct the secret S
• Else
– Secret is not recoverable
Shamir Threshold Scheme
Dealer Phase:
1.Choose a very large prime number p, where p > max(S,n)
2.Let a0 = S, where S is the secret
3.Pick a coefficient of a polynomial function ai = [0,p)
• a1, ….,at-1, 0<aj <p-1
4.Compute the polynomial function to get S(i)
Reconstruction Phase
• Must have sufficient number of shares (ai)
S (i) = a0+ a1i1 + a2i2 +…+ at-1it-1
S (0) =a0=S
S (1) = a0+ a111 + a212 +…+ at-11t-1
S (2) = a0+ a121 + a222 +…+ at-12t-1
• t-1 functions can not solve
for secret S
• Lagrange interpolation
formula to
Reconstruct the secret Key
a0=S
……
S(t-1) = a0+ a1(t-1)1 + a2(t-1)2 +…+ at-1(t-1)t-1
GMA Protocol: Setup
• Each node is pre-configured with a routing table
• Only knows neighboring node
• Upstream nodes generate session keys for downstream nodes
• Each node is seeded with a secret share Si
• Si is created from secret S
• Each node is initialized with a threshold t ≤ N
• N is the total number of secrets shares
GMA Protocol: Secret Share Transmission
1.
•
•
1
2.
2
3.
4.
Uses K12 and K13 to send S2 and S3
Create session keys K24 and K35
Node 2 sends S1, S2
Node 3 sends S1, S3
Node 4 and Node 5 Responds
•
5
Creates session keys K12 and K13
Send secret share S1
Node 2 and Node 3 Initiates
•
•
•
•
3
4
Node 1 Initiates
Uses K24 and K35 to send S4 and S5
Node 2 and Node 3 Responds
•
Retransmit S4 and S5 to Node 1
Nodes send/receive until threshold is reached
GMA Protocol: Broadcast Authentication
1. Once a node has reached threshold
1
2
•
•
2. Sender Message Encryption
3
•
•
4
Each node calculates secret S
Use the secret to broadcast
5
MAC(x) = MACS(H(x))
y = ES(x)||MACS(x)
3. Receiver Message Decryption
•
•
x = Ds(y)
Compare MAC(Ds(y)) = MAC(x)
Analytical Approach
Manually simulated secret share exchange
• Analyzed for 10 node hierarchical network
• Analyzed 3 types of topology
• Observed the following:
– Node 0 (broadcast node) is first to achieve
threshold
– Leaf nodes are last to receive all shares
– Independent of topology
– Each node on average re-broadcast (t-1)n
Experimental Approach
Justification
• Provide evidence to support or reject analytical
observations
• Determine performance and efficiency metrics
– Timing data (convergence time, round-trip time)
Methodology
• Develop GMA protocol in the NS2
• Other simulation framework were available
(omnet++, simlink, …etc.)
Implementation Design
Risk Reduction Strategies
• Simplify protocol
– Identify essential operations within the GMA protocol
• Divide Conquer
– Divided the GMA protocol into:
• Secret Share Exchange
• Multicast Authentication
Testing Strategies
• Automate test scenarios with python/shell scripts
Protocol Implementation
C++
Class mirror OTcl
TclObject
TclObject
NsObject
Agent
Agent
GMA_Agent
Agent/TCP
class GMA_Agent : public Agent
{
public:
GMA_Agent() :
GMA_Agent(“Agent/GMA_Agent”)
{}
recv( Packet *, Handler *);
}
Class GB_Agent….
Additional Integration Steps
Packet
Implementation
header
data
Additional
modifications to NS2
Define new packet
GMA_Packet
seqno_
cmn header
Add new packet
protocol ID
into packet.h
ip header
scr_addr_
GMA header
GB header
data_
qLength_
ack_
Add new packet
type into
ns-default.tcl
Add an entry for
new packet type
ns-packet.tcl
Modify ns2
Makefile
Experimental Results
Secret Share Exchange Convergence Time Size
Performed simulation
• Random topology for:
– 50, 100, 200 nodes
• Bandwidth 10 kbps
• Share size 128 bits
• Collect convergence time for secret
share exchange
• Collect round-trip time for Node-0
acknowledgement
Conclusion
• Share size is dependent upon
network size and bandwidth
• Round-trip broadcast authentication
is exponentially proportional to the
network size
Round Trip time
Conclusion
GMA Protocol
• Can be viable augmentation to TELSA protocol
• Does provide protection against DoS attack
– Instant authentication of packets
• Performance degrades exponentially for large network
topology
Further Research & Development
• Further analysis of the protocol setup
• Secrecy of key exchange using AVISPA
– Automated Validation of Internet Security Protocols and
Applications
• Solving the scalability problem through better
implementation of the GMA protocol
• Improvements to group key management
References
•
•
•
•
•
•
•
•
•
•
A. Perrig, R. Canetti, J. Tygar, and D. Song, “The TESLA broadcast authentication protocol”, RSA
CryptoBytes, 2002.
R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas, “Multicast security: A
taxonomy and some efficient constructions”, in INFOCOMM’99, 1999.
S. Cheung, “An efficient message authentication scheme for link state routing”, in Proceedings of
the 13th Annual Computer Security Applications Conference, December 1997, pp. 90–98.
F. Bergadano, D. Cavagnino, and B. Crispo, “Chained stream authentication”, in Proceedings of the
7th Annual Workshop on Selected Areas in Cryptography, August 2000, pp. 144–157.
B. Briscoe, “FLAMeS: Fast, loss-tolerant authentication of multicast streams,” Technical report,
BT Research, 2000.
A. Perrig, J. Tygar, “Secure Broadcast Communication in Wired and Wireless”, Kluwer Academic
Publishers, Norwell, MA 2003.
A. Perrig, R. Canetti, D. Song, and J. D. Tygar, “Efficient and secure source authentication for
multicast”, in Proceedings of Network and Distributed System Security Symposium, February 2001.
Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J. D. Tygar, “SPINS: Security Protocols
for Sensor Networks”, in Proceedings of Seventh Annual International Conference on Mobile
Computing and Network, July 2001
Donggang Liu, Peng Ning, “Multi-Level µTESLA: A Broadcast Authentication System for
Distributed Sensor Networks”, ACM Transactions on Embedded Computing Systems (TECS), Vol. 3,
No. 4, pages 800--836, November 2004
Kui Ren, Kai Zeng, Wenjing Lou, and Patrick J. Moran, "On broadcast authentication in wireless
sensor networks", Lecture Notes in Computer Science, vol. 4138, pp. 502-514. International
Conference on Wireless Algorithms, Systems, and Applications (WASA 2006), Xi'an, China, August
15-18, 2006
Questions?