1 / 35

Presented by Scott Haseley, Luigi Di Tacchio

RIPPLE Authentication for Network Coding Yaping Li, Hongyi Yao, Minghua Chen, Sidharth Jaggi , and Alon Rosen. Presented by Scott Haseley, Luigi Di Tacchio. Motivation for Coding. How can we improve throughput in networks? Traditional Solutions Improve protocols Improve efficiency

dotty
Télécharger la présentation

Presented by Scott Haseley, Luigi Di Tacchio

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RIPPLE Authentication for Network CodingYapingLi, HongyiYao, MinghuaChen, SidharthJaggi, and AlonRosen Presented by Scott Haseley, Luigi Di Tacchio

  2. Motivation for Coding How can we improve throughput in networks? • Traditional Solutions • Improve protocols • Improve efficiency • Network Coding • Mathematical approach • Combine Messages

  3. Combining Messages

  4. Combining Messages • Messages can be combined in a variety of ways • Receivers need to be able recover the original messages • XOR messages • b1 = (b1⊕b2) ⊕ b2 • Use a protocol to guarantee recovery • Ex: COPE

  5. Linear Coding • Treat messages as vectors • Each vector contains n symbols • Each symbol is in the finite field Fq • m messages per generation • We append global coding coefficients for decoding • Nodes transmit linear combinations of messages in the generation

  6. Linear Coding Example: a = {a1 a2 … an} + {1, 0, 0} b = {b1, b2, …bn} + {0, 1, 0} c = {c1, c2, …cn} + {0, 0, 1} Node i transmits 2a + 7b + c • Global coefficients imply linear independence • Decoding is done by Gaussian Elimination • Random scalars can be used for coding

  7. Security Concerns • Pollution Attacks • Effects of data injection are amplified • All packets are corrupted in worse case • Cannot do source authentication with per-packet MAC • Messages are meant to be altered • Not desirable to protect with per-generation MAC • Recovery is expensive • False data propagation

  8. HomomorphicMACs • In previous work, Homomorphic MAC was suggested • Sign: We can create a tag for any vector (message) • Combine: Create a new <vector, tag> pair for any other <vector, tag> pairs • Verify: 1 if tag is valid, 0 otherwise. • Required: Verify(Combine(valid <v, t> pairs)) = 1 • RIPPLE uses a Homomorphic MAC

  9. RIPPLE THROUGH AN EXAMPLE

  10. Example: Butterfly Network S 1 2 3 4 D1 D2

  11. RIPPLE and Levels • In RIPPLE, the network is divided in levels. • Level i includes all nodes whose longest distance from the source is at most i steps. • Each level has its own One-Way Key Chain for packet authentication.

  12. Butterfly Network and Levels S 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 D1 D2 LEVEL 4

  13. Nodes and One-Way Key Chains HASH HASH HASH HASH (0) (0) (1) (1) … … (2) (2) 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 …… D1 D2 …… LEVEL 4

  14. How are the key chains used? • They are used to compute a MAC tag. • For each message M we want to send, we generate one MAC for each level. • How? Taking one key from each level key chain.

  15. How are the key chains used? • So, for example: LEVEL 1 (0) (1) (2) LEVEL 2 (0) (1) (2) LEVEL 3 (0) (1) (2) LEVEL 4 (0) (1) (2) USED FOR M0 and M1 USED FOR M2 and M3 USED FOR M4 and M5

  16. How are the MACs computed? • We want to send a message M0. • We have the commitments of all key chains. • The MAC is computed through an inner-product operation between the message and the key. REMINDER: INNER-PRODUCT < (a1, a2, a3), (b1, b2, b3) > = a1 * b1 + a2 * b2 + a3*b3

  17. How are the MACs computed? • We want to send a message M0. • We have the commitments of all key chains. • We first take the commitment of level 4, (0). • We compute t4 = <M0, K4(0) >. (inner-product) • Then we take the commitment of level 3, (0). • We concatenate M0 with t4. • We compute t3= < (M0 | t4 ), K3(0) >. • In the same way we compute and . • t2= < (M0 | t4| t3), K2(0) >. • t1= < (M0 | t4 | t3 | t2), K1(0) >.

  18. MACs computation: a logical schema K4(0) M0 t4 <a, b> | K3(0) t3 <a, b> M0 | t4 | K2(0) t2 <a, b> M0 | t4 | t3 | K1(0) t1 <a, b> M0 | t4 | t3 | t2 | M0 | t4 | t3 | t2 | t1

  19. How are the MACs verified? • Let’s go through an example.

  20. Butterfly Network M0 | t40| t30| t20| t10 M1 | t41| t31| t21| t11 S 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 D1 D2 LEVEL 4

  21. Butterfly Network – K1 released K1 K1 S < (M0 | t40| t30| t20), K1> == t10 < (M1 | t41| t31| t21), K1> == t11 M0 | t40| t30| t20| t10 M1 | t41| t31| t21| t11 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 D1 D2 LEVEL 4

  22. Butterfly Network – packets forwarded S M0 | t40| t30| t20 M0 | t40| t30| t20 M1 | t41| t31| t21 M1 | t41| t31| t21 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 D1 D2 LEVEL 4

  23. Butterfly Network – K2 released K2 K20 K21 K2 S 1 2 LEVEL 1 M1 | t41| t31| t21 M0 | t40| t30| t20 3 LEVEL 2 4 LEVEL 3 M0 | t40| t30| t20 M1 | t41| t31| t21 D1 D2 LEVEL 4

  24. Butterfly Network – packets coded S 1 2 LEVEL 1 M1 | t41| t31 M0 | t40| t30 3 LEVEL 2 4 LEVEL 3 M0 | t40| t30 M1 | t41| t31 D1 D2 LEVEL 4

  25. Coding packets and MACs • Node 3 has to code M0 and M1. • So it will pick α0 and α1 and compute M01 = α0 M0 + α1 M1. • And what about the MACs of M01? We have only MACs of M0 and M1. HOMOMORPHIC MAC!!!

  26. Homomorphic MAC MAC() = • In our example: M0 | t40| t30 M1 | t41| t31 α0 t40 + α1 t41 α0 t30 + α1 t31 α0 M0 + α1 M1 M01 | t401| t301

  27. Butterfly Network – packet forwarded S 1 2 LEVEL 1 M01 | t401| t301 3 LEVEL 2 4 LEVEL 3 M0 | t40| t30 M1 | t41| t31 D1 D2 LEVEL 4

  28. Butterfly Network – K3 released K3 K3 K3 S 1 2 LEVEL 1 3 LEVEL 2 M01 | t401| t301 4 LEVEL 3 M0 | t40| t30 M1 | t41| t31 D1 D2 LEVEL 4

  29. Butterfly Network – packets forwarded S 1 2 LEVEL 1 3 LEVEL 2 M01 | t401 M01 | t401 4 LEVEL 3 M0 | t40 M1 | t41 D1 D2 LEVEL 4

  30. Butterfly Network – K4 released K4 K4 S 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 M01 | t401 M01 | t401 M0 | t40 M1 | t41 D1 D2 LEVEL 4

  31. Butterfly Network – packets recovered S 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 M01 M01 M0 M1 M0 M1 D1 D2 LEVEL 4

  32. Details we didn’t cover • How are the coefficient of the linear combination transmitted? • There is a way to “incorporate” them in the message. • What happens to subsequent messages? • They are transmitted, authenticated and coded following the same procedure. Subsequently released keys are authenticated checking they belong to the chain.

  33. Conclusion • Is RIPPLE practical and efficient? Can it be implemented in real world scenario? • TESLA key disclosure introduces delay in packet authentication. • Packets have to be buffered: what about nodes with limited resources? (MANETs and sensor networks) • Single source traffic is ok: does it scale in a multiple source scenario? What about when every node is a source?

  34. References • [1] Y. Li, H. Yao, M. Chen, S. Jaggi, and A. Rosen “RIPPLE Authentication for Network Coding”, INFOCOM, 2010 Proceedings IEEE , vol., no., pp.1,9, 14-19 March 2010. • [2] R. Ahlswede, N. Cai, S. Li, and R. Yeung. “Network information flow”, IEEE Transactions on Information Theory, vol. 46, no. 4 pp. 1204-1216, 2000. • [3] S. Katti, H. Rahul, W. Hu, D. Katabi, M. Medard, and J. Crowcroft, “Xors in the air: Practical wireless network coding”, in Proc. of ACM SIGCOMM 2006, 2006. • [4] R. Kotter and M. Medard, “Beyond routing: An algebraic approach to network coding”, IEEE/ACM Transactions on Networking, vol. 11, pp. 782–796, 2003 • [5] D. Boneh, D. Freeman, J. Katz, and B. Waters. “Signing a linear subspace: Signature schemes for network coding”. In Proc. of PKC 2009, 2009.

  35. Thank you

More Related