
Improvements to TESLA Using Secret Sharing Scheme


Presentation Transcript


  1. Improvements to TESLA Using Secret Sharing Scheme ECE 646: Cryptography and Network Security Professor: Dr. Jens-Peter Kaps Project Team Krishna Chaitanya Thirumalasetty KamalEldin Mohamed Lieyong Yang Nick Ton December 19, 2006

  2. Agenda • Overview & Motivation • TESLA Protocol • Protocol Overview • Sender Setup • Receiver Authentication • DoS Attack • Improving DoS Attack • Instant Key Disclosure (TIK) • Staggered TESLA • Public Key Cryptography (PKC) • Group Multicast Authentication (GMA) • Shamir’s Secret Sharing • Analytical Approach • Experimental Approach • Design & Implementation • Results • Conclusion • References

  3. Research Motivation • Our Observation: • The TESLA protocol is weak against Denial-of-Service (DoS) attacks • Our Goal: • Analyze and implement improvements to TESLA • Our Approach: • Group Multicast Authentication (GMA) using the Shamir Threshold Scheme

  4. TESLA – Overview Timed Efficient Stream Loss-Tolerant Authentication • Broadcast authentication protocol for authenticating messages • Published in IEEE Security and Privacy 2000, NDSS 2001 [PCST] • Uses symmetric key cryptography • Asymmetry is obtained via time rather than via asymmetric keys • Based on initial loose time synchronization • MAC is attached to each packet • Delayed disclosure of keys [Figure: timeline over intervals ti-1, ti, ti+1: the packet carries M and MAC(Ki, M) while the commitment F(Ki) is already authentic; once Ki is disclosed: 1. verify Ki, 2. verify the MAC, 3. M is authentic]

  5. TESLA – Sender Setup • Break time into intervals of the same duration • Determine key chain length N, pick the last key KN randomly • Using a one-way pseudo-random function F compute Ki = F(Ki+1), assign one key to each interval • Use F’ to derive the key used to compute the MAC: K’i = F’(Ki) [Figure: key generation runs from KN back to Ki-1 via F; each Ki maps to K’i via F’; keys are assigned to intervals i-1, i, i+1, …, N along the time axis, and key disclosure proceeds in the opposite direction to key generation]

  6. TESLA – Receiver Authentication [Figure: packets Pi-1, Pi, Pi+1 carry (Mi-1, Ki-2, MAC(K’i-1, Di-1)), (Mi, Ki-1, MAC(K’i, Di)) and (Mi+1, Ki, MAC(K’i+1, Di+1)); Di-1 is authenticated, Di is authenticated after reception of Pi+1, Di+1 is not yet authenticated] • When the receiver gets packet Pi, it cannot verify the MAC since it does not yet know Ki, from which it could compute K’i • Packet Pi+1 discloses Ki and allows the receiver to: • verify that Ki is correct, e.g., F(Ki) = Ki-1 • compute K’i and check the authenticity of packet Pi by verifying the MAC of Pi
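To make the sender setup (slide 5) and the delayed-disclosure check (slide 6) concrete, here is an added Python example; it is not code from the slides or from the project. Its assumptions: F and F’ are instantiated as domain-separated SHA-256, the MAC is HMAC-SHA256, the disclosure delay is one interval, and the time-based safety condition of TESLA is left out so that only the key-chain and MAC logic is shown. The receiver deliberately buffers packets it cannot yet verify, which is the behaviour the DoS discussion on slide 7 is about.

```python
import hashlib
import hmac
import os

# F and F' are modelled as domain-separated SHA-256 (assumption: the slides only
# require one-way pseudo-random functions); the MAC is HMAC-SHA256.
def F(key: bytes) -> bytes:
    """Key-chain step: K_i = F(K_{i+1})."""
    return hashlib.sha256(b"F|" + key).digest()

def F_prime(key: bytes) -> bytes:
    """MAC-key derivation: K'_i = F'(K_i)."""
    return hashlib.sha256(b"F'|" + key).digest()

def make_key_chain(n: int, k_n: bytes) -> list:
    """Sender setup: start from the random last key K_n and derive backwards.
    Returns [K_0, K_1, ..., K_n]; K_0 is the commitment given to receivers."""
    chain = [k_n]
    for _ in range(n):
        chain.append(F(chain[-1]))
    chain.reverse()
    return chain

class Sender:
    def __init__(self, n: int, k_n: bytes = None):
        self.chain = make_key_chain(n, k_n or os.urandom(32))

    def commitment(self) -> bytes:
        return self.chain[0]

    def send(self, i: int, msg: bytes) -> tuple:
        """Packet of interval i: (M, i, MAC(K'_i, M), K_{i-1}); disclosure delay d = 1."""
        tag = hmac.new(F_prime(self.chain[i]), msg, hashlib.sha256).digest()
        return (msg, i, tag, self.chain[i - 1])

class Receiver:
    def __init__(self, commitment: bytes):
        self.last_key, self.last_index = commitment, 0   # K_0 is known authentically
        self.pending = {}        # interval -> [(msg, tag)] waiting for key disclosure
        self.authentic = []      # messages whose MAC verified after disclosure

    def receive(self, packet: tuple) -> bool:
        msg, i, tag, disclosed = packet
        # 1. verify the disclosed key K_{i-1}: walking the chain with F must reach
        #    the last authenticated key (F(K_i) = K_{i-1} at every step)
        k = disclosed
        for _ in range(i - 1 - self.last_index):
            k = F(k)
        if k != self.last_key:
            return False                      # bogus key: drop the packet
        # 2. K_{i-1} is authentic: check every buffered packet of interval i-1
        mac_key = F_prime(disclosed)
        for m, t in self.pending.pop(i - 1, []):
            if hmac.compare_digest(hmac.new(mac_key, m, hashlib.sha256).digest(), t):
                self.authentic.append(m)    # 3. M is authentic
        self.last_key, self.last_index = disclosed, i - 1
        # The packet's own MAC needs K_i, which is not disclosed yet: buffer it.
        # This buffering is what a flood of bogus packets exhausts (the DoS issue).
        self.pending.setdefault(i, []).append((msg, tag))
        return True

def demo() -> tuple:
    """Two genuine packets, one forged packet, then the disclosure that settles them."""
    sender = Sender(n=4)
    rx = Receiver(sender.commitment())
    rx.receive(sender.send(1, b"hello"))
    p2 = sender.send(2, b"world")
    rx.receive(p2)
    forged = (b"evil", 2, b"\x00" * 32, p2[3])   # constructed: reuses the disclosed key
    rx.receive(forged)                            # accepted into the buffer ...
    buffered = len(rx.pending[2])                 # ... next to the genuine packet
    rx.receive(sender.send(3, b"!"))              # discloses K_2: buffered MACs are checked
    return rx.authentic, buffered
```

The forged packet passes the key check (it carries a genuinely disclosed key) and therefore occupies buffer space until the next disclosure; only then is it rejected, while "hello" and "world" are accepted. That gap between reception and verification is the resource the DoS attack on the next slide targets.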

  7. TESLA DoS Attack – Receiver Side • Sender • Delayed release of authentication keys • Receiver • Limited buffer size • Delayed Authentication • Attacker • Flood the multicast group with bogus traffic! • …Serious DoS Attack…

  8. Existing Solutions

  9. Existing Solutions to the TESLA DoS Attack • Key Disclosure Delay Invites DoS Attack • TESLA with Instant Key Disclosure (TIK) • Eliminates the authentication delay • Relies on precise synchronization • Staggered TESLA • Shortens the key delay • Multiple, staggered authentication keys • Efficient Multi-Chained Stream Signature (EMSS)

  10. New Public Key Solution Coming • New Emerging Algorithms • Elliptic Curve Cryptography (ECC) • ECC 163 signature verification takes 480 ms on custom designed hardware nodes • NTRUEncrypt and NTRUSign • NTRU 251 Vs RSA 1024 on Palm (Encrypt 42:1 Decrypt 333:1) • NTRU 251 Vs ECC 163 on Palm (Encrypt 52.5:1 Decrypt 9:1) • Faster & Smaller Chips – Moore’s Law • Sensor Nodes Harvest Energy From Environment

  11. Group MAC Authentication (GMA) [Figure: packet Pj’ = Message || Key || ID carrying both the TESLA MAC MACK’i(Mj) and the group MAC MACKg(Pj)] • Group MAC of each packet: MACKg(Pj) • Original TESLA packet Pj = {Mj || i || MACK’i(Mj) || K{i-d}} • New packet Pj’ = Pj || MACKg(Pj)

  12. Our Solution • Group Multicast Authentication • (GMA)

  13. Shamir’s Secret Sharing • Secret Sharing Scheme • Secret is shared by a trust group – everyone has responsibility • Addresses the problem of key distribution • Allows multiple users to recover the secret • A secret sharing scheme has two phases: • Dealer phase, where the secret shares are generated • Reconstruction phase, where shares are combined to reconstruct the original secret • Secret S is shared by n users, each one has Si, 1 ≤ i ≤ n • Iff any member in a group knows t or more shares • it can reconstruct the secret S • Else • Secret is not recoverable

  14. Shamir Threshold Scheme • Dealer Phase: • Choose a very large prime number p, where p > max(S, n) • Let a0 = S, where S is the secret • Pick the remaining coefficients of the polynomial at random: a1, …, at-1 with 0 ≤ aj < p • Evaluate the polynomial S(i) = a0 + a1·i + a2·i^2 + … + at-1·i^(t-1) (mod p) to get share S(i) for user i • Reconstruction Phase • Must have a sufficient number of shares (at least t values S(i)) • S(0) = a0 = S • S(1) = a0 + a1·1 + a2·1^2 + … + at-1·1^(t-1) • S(2) = a0 + a1·2 + a2·2^2 + … + at-1·2^(t-1) • …… • S(t-1) = a0 + a1·(t-1) + a2·(t-1)^2 + … + at-1·(t-1)^(t-1) • t-1 equations cannot be solved for the secret S • Lagrange interpolation reconstructs the secret key a0 = S

  15. GMA Protocol: Setup • Each node is pre-configured with a routing table • Only knows its neighboring nodes • Upstream nodes generate session keys for downstream nodes • Each node is seeded with a secret share Si • Si is created from the secret S • Each node is initialized with a threshold t ≤ N • N is the total number of secret shares

  16. GMA Protocol: Secret Share Transmission [Figure: five-node tree, Node 1 at the root, Nodes 2 and 3 below it, Node 4 under Node 2 and Node 5 under Node 3; nodes send/receive until the threshold is reached] • Node 1 initiates • Creates session keys K12 and K13 • Sends secret share S1 • Node 2 and Node 3 initiate • Use K12 and K13 to send S2 and S3 • Create session keys K24 and K35 • Node 2 sends S1, S2 • Node 3 sends S1, S3 • Node 4 and Node 5 respond • Use K24 and K35 to send S4 and S5 • Node 2 and Node 3 respond • Retransmit S4 and S5 to Node 1

  17. GMA Protocol: Broadcast Authentication [Figure: the same five-node tree, Node 1 broadcasting] • Once a node has reached the threshold • Each node calculates the secret S • Use the secret to broadcast • Sender Message Encryption • MAC(x) = MACS(H(x)) • y = ES(x) || MACS(x) • Receiver Message Decryption • x = DS(y) • Compare MAC(DS(y)) = MAC(x)
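The following added Python example (not code from the slides or from the team's NS2 implementation) covers slides 14 to 17 in one run: the Shamir dealer and Lagrange reconstruction over GF(p), a round-by-round simulation of the share exchange on the five-node tree, and the encrypt-and-MAC broadcast step once every node holds S. Assumptions of the example: a fixed 127-bit prime (the slides only require p > max(S, n)), synchronous exchange rounds, HMAC-SHA256 for MACS, an HMAC-based keystream standing in for ES because the slides name no cipher, and that the pairwise session keys protecting each link are already in place.

```python
import hashlib
import hmac
import secrets

# Prime field for Shamir's scheme; the slides only require p > max(S, n), so the
# particular 127-bit Mersenne prime is an assumption of this example.
P = 2**127 - 1

def make_shares(secret: int, t: int, n: int) -> dict:
    """Dealer phase: a_0 = S, random a_1..a_{t-1} in [0, p); share i is S(i), 1 <= i <= n."""
    assert 0 <= secret < P and 1 <= t <= n < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    poly = lambda x: sum(a * pow(x, j, P) for j, a in enumerate(coeffs)) % P
    return {i: poly(i) for i in range(1, n + 1)}

def reconstruct(shares: dict) -> int:
    """Reconstruction phase: Lagrange interpolation at x = 0 recovers a_0 = S
    (correct only when the dict holds at least t distinct shares)."""
    s = 0
    for i, yi in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num, den = num * (-j) % P, den * (i - j) % P
        s = (s + yi * num * pow(den, P - 2, P)) % P
    return s

# Five-node tree implied by the session keys K12, K13, K24, K35 on the slides:
# Node 1 at the root, 2 and 3 below it, 4 under 2 and 5 under 3.
TOPOLOGY = {1: [2, 3], 2: [1, 4], 3: [1, 5], 4: [2], 5: [3]}

def exchange_shares(shares: dict, t: int, topology: dict = TOPOLOGY) -> tuple:
    """Synchronous rounds in which every node forwards all shares it knows to its
    neighbours, until each node holds at least t shares. Link protection by the
    pairwise session keys is assumed and not modelled. Returns (rounds, known)."""
    known = {v: {v: shares[v]} for v in topology}
    rounds = 0
    while any(len(k) < t for k in known.values()):
        snapshot = {v: dict(k) for v, k in known.items()}
        for v, nbrs in topology.items():
            for u in nbrs:
                known[u].update(snapshot[v])
        rounds += 1
    return rounds, known

def group_keys(secret: int) -> tuple:
    """Derive separate encryption and MAC keys from the reconstructed secret S."""
    s = secret.to_bytes(16, "big")
    return hashlib.sha256(b"enc|" + s).digest(), hashlib.sha256(b"mac|" + s).digest()

def _keystream(key: bytes, seq: int, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, bound to the packet sequence number: a stand-in
    for E_S, which the slides do not instantiate (constructed for this example)."""
    out = b""
    for ctr in range((n + 31) // 32):
        block = seq.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
    return out[:n]

def gma_send(secret: int, seq: int, x: bytes) -> bytes:
    """Sender: y = seq || E_S(x) || MAC_S(x)."""
    k_enc, k_mac = group_keys(secret)
    ct = bytes(a ^ b for a, b in zip(x, _keystream(k_enc, seq, len(x))))
    return seq.to_bytes(8, "big") + ct + hmac.new(k_mac, x, hashlib.sha256).digest()

def gma_receive(secret: int, y: bytes):
    """Receiver: x = D_S(y); accept x only if MAC_S(x) equals the received tag."""
    k_enc, k_mac = group_keys(secret)
    seq, ct, tag = int.from_bytes(y[:8], "big"), y[8:-32], y[-32:]
    x = bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, seq, len(ct))))
    if not hmac.compare_digest(hmac.new(k_mac, x, hashlib.sha256).digest(), tag):
        return None                                   # tampered: reject
    return x

def demo(t: int = 3, n: int = 5) -> tuple:
    """Deal, exchange until threshold, reconstruct at every node, then broadcast."""
    secret = secrets.randbelow(P)
    rounds, known = exchange_shares(make_shares(secret, t, n), t)
    # every node reconstructs S from the first t shares it holds
    recovered = {v: reconstruct(dict(list(k.items())[:t])) for v, k in known.items()}
    ok = all(r == secret for r in recovered.values())
    y = gma_send(recovered[1], 7, b"group broadcast")      # Node 1 broadcasts
    tampered = y[:-1] + bytes([y[-1] ^ 1])                 # flip one bit of the tag
    return rounds, ok, gma_receive(recovered[4], y), gma_receive(recovered[4], tampered)
```

With t = 3 the root (Node 1) holds three shares after the first round while the leaves (Nodes 4 and 5) need a second round, which is the ordering the analytical slide reports; raising t to 5 on the same tree takes four rounds. Any t of the n shares reconstruct S, t-1 shares do not, and a broadcast whose tag has been altered is rejected by the receiving node.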

  18. Analytical Approach • Manually simulated the secret share exchange • Analyzed for a 10-node hierarchical network • Analyzed 3 types of topology • Observed the following: • Node 0 (broadcast node) is the first to achieve the threshold • Leaf nodes are the last to receive all shares • Independent of topology • Each node on average re-broadcasts (t-1)n shares

  19. Experimental Approach • Justification • Provide evidence to support or reject the analytical observations • Determine performance and efficiency metrics • Timing data (convergence time, round-trip time) • Methodology • Develop the GMA protocol in NS2 • Other simulation frameworks were available (OMNeT++, Simulink, etc.)

  20. Implementation Design • Risk Reduction Strategies • Simplify the protocol • Identify essential operations within the GMA protocol • Divide & Conquer • Divided the GMA protocol into: • Secret Share Exchange • Multicast Authentication • Testing Strategies • Automate test scenarios with Python/shell scripts

  21. Protocol Implementation [Figure: class mirror between C++ and OTcl: TclObject → NsObject → Agent → GMA_Agent on the C++ side, TclObject → Agent → Agent/TCP on the OTcl side]

      class GMA_Agent : public Agent {
      public:
          GMA_Agent() : Agent(PT_GMA) {}   // PT_GMA: the packet protocol ID added to packet.h (name assumed)
          void recv(Packet *, Handler *);
      };

      // OTcl mirror of the C++ class, so that "new Agent/GMA_Agent" works from Tcl
      static class GMA_AgentClass : public TclClass {
      public:
          GMA_AgentClass() : TclClass("Agent/GMA_Agent") {}
          TclObject *create(int, const char *const *) { return new GMA_Agent(); }
      } class_gma_agent;

      class GB_Agent ….

  22. Packet Implementation – Additional Integration Steps [Figure: packet layout: common header (seqno_), IP header (src_addr_), GMA header (data_, qLength_), GB header (ack_), data] Additional modifications to NS2: • Define the new packet GMA_Packet • Add the new packet protocol ID into packet.h • Add the new packet type into ns-default.tcl • Add an entry for the new packet type in ns-packet.tcl • Modify the ns2 Makefile

  23. Experimental Results [Figure: secret share exchange convergence time vs. network size] • Performed simulation • Random topology for: • 50, 100, 200 nodes • Bandwidth 10 kbps • Share size 128 bits • Collected convergence time for the secret share exchange • Collected round-trip time for Node-0 acknowledgement • Conclusion • Share size is dependent upon network size and bandwidth • Round-trip broadcast authentication time grows exponentially with the network size [Figure: round-trip time]

  24. Conclusion • GMA Protocol • Can be a viable augmentation to the TESLA protocol • Does provide protection against DoS attacks • Instant authentication of packets • Performance degrades exponentially for large network topologies • Further Research & Development • Further analysis of the protocol setup • Secrecy of the key exchange using AVISPA • Automated Validation of Internet Security Protocols and Applications • Solving the scalability problem through a better implementation of the GMA protocol • Improvements to group key management

  25. References • A. Perrig, R. Canetti, J. Tygar, and D. Song, “The TESLA broadcast authentication protocol”, RSA CryptoBytes, 2002. • R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas, “Multicast security: A taxonomy and some efficient constructions”, in INFOCOMM’99, 1999. • S. Cheung, “An efficient message authentication scheme for link state routing”, in Proceedings of the 13th Annual Computer Security Applications Conference, December 1997, pp. 90–98. • F. Bergadano, D. Cavagnino, and B. Crispo, “Chained stream authentication”, in Proceedings of the 7th Annual Workshop on Selected Areas in Cryptography, August 2000, pp. 144–157. • B. Briscoe, “FLAMeS: Fast, loss-tolerant authentication of multicast streams,” Technical report, BT Research, 2000. • A. Perrig, J. Tygar, “Secure Broadcast Communication in Wired and Wireless”, Kluwer Academic Publishers, Norwell, MA 2003. • A. Perrig, R. Canetti, D. Song, and J. D. Tygar, “Efficient and secure source authentication for multicast”, in Proceedings of Network and Distributed System Security Symposium, February 2001. • Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J. D. Tygar, “SPINS: Security Protocols for Sensor Networks”, in Proceedings of Seventh Annual International Conference on Mobile Computing and Network, July 2001 • Donggang Liu, Peng Ning, “Multi-Level µTESLA: A Broadcast Authentication System for Distributed Sensor Networks”, ACM Transactions on Embedded Computing Systems (TECS), Vol. 3, No. 4, pages 800--836, November 2004 • Kui Ren, Kai Zeng, Wenjing Lou, and Patrick J. Moran, "On broadcast authentication in wireless sensor networks", Lecture Notes in Computer Science, vol. 4138, pp. 502-514. International Conference on Wireless Algorithms, Systems, and Applications (WASA 2006), Xi'an, China, August 15-18, 2006

  26. Questions?
