250 likes | 313 Vues
This research delves into the use of symmetric cryptography to authenticate messages in sensor networks with limited resources. Various schemes are discussed, improving scalability and security against attacks.
 
                
                E N D
Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks Donggang Liu and Peng Ning Department of Computer Science NC State University CSC 774 Adv. Net. Security
Background • Sensor Networks • One or a few more powerful base stations and a potentially large number of sensor nodes • Inexpensive • Limited resources (computational power, memory space, energy, etc.) • When security is a concern, it is necessary for the sensors to authenticate messages received from base stations. CSC 774 Adv. Net. Security
Authentication Keys F F F F F F K0 K1 K3 K2 K4 Kn= R TESLA • A variation of TESLA • Based on symmetric cryptography • Provide broadcast source authentication by delayed disclosure of authentication keys • Authentication of messages depends on the authenticity of the key chain commits K0. commitment Ki=F(Ki+1), F: pseudo random function … Time Key Disclosure K1 K2 Kn-2 CSC 774 Adv. Net. Security
Distribution of Key Chain Commits • TESLA • Digital signatures: Too expensive for sensors • Use the current keys to authenticate the commitment of the next key chain. • Attractive targets for attackers. • Loss of commitment distribution messages  loss of the next key chain  bootstrap again. Old key Kn New commit K0’ Old key chain New key chain CSC 774 Adv. Net. Security
Distribution of Key Chain Commits (Cont’d) • TESLA • Unicast-based secure communication with the base station. • Do not scale to large networks CSC 774 Adv. Net. Security
Techniques • Multi-level TESLA • Predetermination and broadcast instead of unicast. • Use high-level key chain to authenticate commitments of low-level key chains. • Tolerate communication failures and malicious attacks. • Five Schemes • Each later scheme improves over the previous one by addressing its limitations. • The final scheme • Low overhead • Tolerate message losses • Scalable to large networks • Resistant to replay attacks and DOS attacks. CSC 774 Adv. Net. Security
Scheme I: Predetermined Key Chain Commitment • Predetermine the TESLA parameters along with the master key distribution • commitment • start time • other parameters • Shortcomings • Long key chain or large time interval? • Difficulties in setting up start time CSC 774 Adv. Net. Security
Scheme II: Naïve Two-Level Key Chains • Two-level key chains • One high-level key chain and multiple low-level key chains • High-level key chain • Authenticate commitments of low-level key chains • Done through broadcast of Commit Distribution Messages (CDM) • Low-level key chains • Authenticate actual data messages CSC 774 Adv. Net. Security
Scheme II (Cont’d) • The two-levels of key chains CDMi-1=i|Ki,0|H(Ki+1, 0)|MACK’i-1(i|Ki, 0|H(Ki+1, 0 ))|K i-2 CDMi=i|Ki+1,0|H(Ki+2 ,0)|MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 CSC 774 Adv. Net. Security
Scheme II (Cont’d) • Key disclosure schedule CSC 774 Adv. Net. Security
Scheme II (cont’d) • Limitations • Loss of CDM message during high-level interval Ii • unable to authenticate during Ii+1 • Loss of the last several low-level keys  • unable to authenticate the corresponding messages. CSC 774 Adv. Net. Security
Scheme III: Fault Tolerant Two-Level Key Chains • Tolerate CDM message loss: • Periodically broadcast CDM messages • Assume • Probability that a receiver lose a CDM message: pf • Broadcast frequency: F, • Duration of a high-level interval: 0 • Reduce loss rate to • Increase overhead by F0 times • Tolerate normal message loss: • Connect the low-level key chains and the high-level key chain CSC 774 Adv. Net. Security
Scheme III (Cont’d) CDMi=i|Ki+1,0|H(Ki+2 ,0)|MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 CSC 774 Adv. Net. Security
DOS attacks • CDM messages are more attractive to attackers • DOS attacks against CDM messages • Selective jamming • Smart attacks: only change certain fields in CDM messages • A receiver cannot discard the messages until it gets the corresponding disclosed key CDMi=i|Ki+1,0|H(Ki+2 ,0)|MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 Disclosed High-level Key for Ii-1 Image of Low-level Key Chain Commitment for Ii+1 Low-level Key Chain Commitment for Ii+1 MAC CSC 774 Adv. Net. Security
Scheme IV: (Final) Two-Level Key Chains • Randomize CDM distribution to mitigate selective jamming attacks • We assume there are other methods to deal with constant jamming. • Random selection strategy to mitigate smart DOS attacks • Single buffer random selection • Multiple buffer random selection CSC 774 Adv. Net. Security
Scheme IV (Cont’d) • Single buffer random selection • Assume each sensor has one buffer for CDM • Initial verification to discard forged CDMi • Authenticate disclosed high-level key. • Authenticate Ki+1,0 if CDMi-1 is authenticated. • For the k-th copy of CDMi that passes the initial verification • Save it in the buffer with probability 1/k. • All such copies have equal probability to be saved. • The probability that a sensor has an authentic CDM • P(CDMi) = 1 p, where CSC 774 Adv. Net. Security
Scheme IV (Cont’d) • Multiple buffer random selection • Assume each sensor has m buffers for CDM • Initial verification to discard forged CDMi • Same as before. • For the k-th copy of a CDMi that passes the initial verification • km save it in one available buffer. • k > m save it in a randomly selected buffer with probability m/k; • All such copies have equal probability to be saved. • The probability that the sensor has an authentic CDM • P(CDMi) = 1 pm, where CSC 774 Adv. Net. Security
Scheme V: Multi-Level Key Chains • m levels of key chains, arranged from level 0 to level m-1 from top down. • Keys in level m-1 are used for authenticating data • Each higher-level key chain is used to authenticate the commitments for its immediately lower-level key chains. • Every two adjacent levels work in the same way as in Scheme IV. CSC 774 Adv. Net. Security
Simulation Study • Network model • Emulate broadcast channel over IP multicast • One base station • One attacker • Multiple sensor nodes • Sensors are one-hop neighbors of the base station and the attacker • Parameters • Channel loss rate • Percentage of forged CDM packets • Buffer size at sensors (data packets and CDM packets) CSC 774 Adv. Net. Security
Simulation Study (Cont’d) • Metrics • %authenticated data packets at a sensor node (#authenticated data packets/received data packets) • Average data authentication delay (the average time between the receipt and the authentication of a data packet). CSC 774 Adv. Net. Security
Experimental Results • Buffer allocation schemes 95% forged CDM 1 CDM buffers 1 CDM buffers CSC 774 Adv. Net. Security
Experimental Results (Cont’d) 39 CDM buffers 3 data buffers • %authenticated data packets 95% forged CDM CSC 774 Adv. Net. Security
Experimental Results (Cont’d) • Average data packet authentication delay 39 CDM buffers 3 data buffers CSC 774 Adv. Net. Security
Conclusion • Developed a multi-level key chain scheme to efficiently distribute commitments for TESLA • Low overhead • Tolerance of message loss • Scalable to large networks • Resistant to replay attacks and DOS attacks • Future work • Reduction of the long delay after complete loss of CDM • Broadcast authentication involving multiple base stations • Adaptive approach to dealing with the DOS attacks CSC 774 Adv. Net. Security
Thank You! CSC 774 Adv. Net. Security