computer science csc 774 adv. net. security1 presenter: tong zhou 11/21/2015 practical broadcast...
TRANSCRIPT
CSC 774 Adv. Net. Security 1
Computer Science
Presenter: Tong Zhou
04/21/23
Practical Broadcast Authentication in Sensor Networks
CSC 774 Adv. Net. Security 2Computer Science
Outline
• Background
• Basic Approach
• Various Extensions
• Implementation Results
• Conclusion & Future Work
CSC 774 Adv. Net. Security 3Computer Science
Background
• Wireless Sensor Network– Large number of resource constrained sensor nodes– A few powerful control nodes (Base Station)
• Broadcast Authentication in Sensor Network TESLA– Multilevel TESLA
CSC 774 Adv. Net. Security 4Computer Science
Review of Multilevel TESLA
Ki-1 Ki
...Ki-1,1 Ki-1,2 Ki-1,m Ki,1 Ki,2 Ki,m Ki+1,1...Ki-2,m
F01 F01 F01
F1 F1 F1 F1 F1 F1 F1
......
Time
Ki-1,0 Ki,0 Ki+1,0
F1 F1 F1
CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1
CSC 774 Adv. Net. Security 5Computer Science
Review of Multilevel TESLA (cont.)
• Benefits:– Trade-off between key chain length and broadcast
time– Resistant to packet loss
• Problems left:– Remove the long delay after CDMs are lost– Allow multiple senders– Revoke broadcast senders
CSC 774 Adv. Net. Security 6Computer Science
Practical Broadcast Authentication in WSN: Basic Scheme• Use Merkle tree to distribute the key chain
commitments – referred to as parameter distribution tree– The tree root is pre-distributed
– Each commitment is a leaf of the tree
Key chain commitmentss1 s4s3s2
K1 K4K3K2
K14
K34K12
Pre-distributed root
CSC 774 Adv. Net. Security 7Computer Science
Practical Broadcast Authentication in WSN: Basic Scheme (Cont.)• If the 2nd TESLA instance will be used:
– Sender broadcasts the parameter certificate ParaCert2 = { s2, K1, K34}
– Receivers immediately authenticate the commitment s2 by verifying
K14 = H( H( H(s2) K1 ) | K34)
s1 s4s3s2
K1 K4K3K2
K14
K34K12
CSC 774 Adv. Net. Security 8Computer Science
Practical Broadcast Authentication in WSN: Basic Scheme (Cont.)• The basic scheme has achieved:
– Security:• Attacker cannot send forged packet unless compromising the
sender• The parameter certificates are immune to DoS attack
– Overhead:• Storage: each receiver node needs to store the root of the parameter
distribution tree, and the parameters of the senders that are communicating
• Computation: each receiver node needs hash functions to validate the key chain commitment, where m is the number of SLA instances
– Allows multiple senders:• Senders can be added dynamically by generating enough instances
for late-joined senders
m2log1
CSC 774 Adv. Net. Security 9Computer Science
Scheme for Long-lived Senders
• Basic idea: – two-level parameter distribution tree
• Pre-Distribution– Fix the interval length that each TESLA key chain uses, denote such
an interval as (TESLA) instance interval. Assume each key chain has length L.
– Assume sender j needs nj instance intervals through out its life: use the nj key chain parameters as leaves to construct a lower level tree, denoted as Treej. When generating key chains for each sender: ki+1, L = F’(ki, 0), where F’ is a pseudo random function.
– With the roots of Treejs as leaves, an upper level parameter distribution tree is generated, denoted as TreeR
– TreeR’s root is pre-distributed to receivers, while the parameter certificate of TreeR of sender j, denoted as ParaCertj and all the key chains generated for sender j is pre-distributed to sender j.
jniijs 1, }{
CSC 774 Adv. Net. Security 10Computer Science
Scheme for Long-lived Senders: Example
s1 s4s3s2
K1 K4K3K2
K14
K34K12
s’1 s’4s’3s’2
K’1 K’4K’3K’2
R3
K’34K’12
TreeR
Treej
Receivers: K14
Pre-distribution:
Sender3:
ParaCert3={s3, K4, K12}, and Sender3’s key chains
CSC 774 Adv. Net. Security 11Computer Science
Scheme for Long-lived Senders: Example
s’1 s’4s’3s’2
K’1 K’4K’3K’2
R3
K’34K’12
k3,1
k3,0
k3,L
k2,0
k2,L
k1,0
k1,L
k4,0
k4,L
k4,1k2,1k1,1
F’F’F’
Tree3
CSC 774 Adv. Net. Security 12Computer Science
Scheme for Long-lived Senders (Cont.)
• The above scheme has achieved:– Security:
• Same as in the basic scheme
– Overhead:• Storage: receivers’ are same as in the basic scheme, sender j needs
to store ParaCertj besides all the key chains.
• Computation: for validation of each key chain commitment, and for validation of each sender, where m is the number of senders.
– Benefit over basic scheme:• Fixed key chain length
• Two ways to validate the key chain commitments
m2log1
jn2log1
CSC 774 Adv. Net. Security 13Computer Science
Distributing Parameter Certifications
• Due to the low bandwidth and small packet size, ParaCertj must be delivered in several packets.– Each packet must be authenticated independently and immediately
– Assume that each ParaCert contains L hash values, each packet can hold b hash values. Adopt the idea of distillation codes.
CSC 774 Adv. Net. Security 14Computer Science
Distributing Parameter Certifications: Example
s1 s4s3s2
K1 K4K3K2
K14
K34K12
s5 s8s7s6
K5 K8K7K6
K58
K78K56
K18
ParaCert3 = {K58, K12, K4, s3}, assume that each packet can hold 3 hash values,
P1 = {K58, K12, K34}, verify: K18 = H(H(K12| K34)|K58)
P2 = {K4, s3}, verify: K34 = H(K4|H(s3))
CSC 774 Adv. Net. Security 15Computer Science
Revoking TESLA Instances
• Revocation tree– Similar to the parameter distribution tree, the central server
generates a revocation message for each TESLA instance, and use all the messages to construct a Merkle tree, whose root is pre-distributed.
– Advantages:• Guarantees a non-compromised sender not be revoked.
– Disadvantages:• Cannot guarantee each receiver receives the revocation message
due to the unreliable communication
• Revoked senders must be remembered by receivers, which introduces large storage overhead.
CSC 774 Adv. Net. Security 16Computer Science
Revoking TESLA Instances (Cont.)
• Proactive Refreshment of Authentication Keys– Central server sends TESLA key chains to the senders
when senders are broadcasting, instead of pre-distributing all the key chains. Central server can revoke a sender by stop sending TESLA key chains to it.
– Advantages:• Guarantees a compromised sender be revoked
• Receivers do not need storage overhead
– Disadvantages:• A non-compromised sender may be revoked if it does not receive
the key chains due to some communication problem.
CSC 774 Adv. Net. Security 17Computer Science
Experimental Results: Authentication Rate
Authentication rate under 0.2 loss rate and 200 forged parameter distribution packet per minute.
CSC 774 Adv. Net. Security 18Computer Science
Experimental Results: Channel Loss Rate
Channel loss rate: 0.2; # forged commitment distribution: 200 per minute; distribution rate: 95%.
CSC 774 Adv. Net. Security 19Computer Science
Experimental Results: Average Failure Recovery Delay
Average failure recovery delay. Assume 20 parameter distribution packet per minute.
CSC 774 Adv. Net. Security 20Computer Science
Conclusion & Future Work
• Developed practical broadcast authentication techniques– Distribution of TESLA key chain parameters– Revocation of compromised senders
• Future Work– Other schemes based on the basic scheme– Remove the constraint of loosely synchronization
of senders and receivers