Computer Science
Efficient Distribution of Key Chain
Commitments for Broadcast Authentication in
Distributed Sensor Networks
Donggang Liu and Peng Ning
Department of Computer Science
NC State University
CSC 774 Adv. Net. Security
Background
• Sensor Networks
– One or a few more powerful base stations and a
potentially large number of sensor nodes
• Inexpensive
• Limited resources (computational power, memory space,
energy, etc.)
– When security is a concern, it is necessary for the
sensors to authenticate messages received from
base stations.
μTESLA
• A variation of TESLA
– Based on symmetric cryptography
– Provide broadcast source authentication by delayed disclosure of
authentication keys
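– Authentication of messages depends on the authenticity of the key chain commitment $K_0$.
– $K_i = F(K_{i+1})$, where $F$ is a pseudo random function and $K_n = R$
[Figure: key chain $K_0 \leftarrow K_1 \leftarrow K_2 \leftarrow \cdots \leftarrow K_n = R$, each key computed from the next with $F$; $K_0$ is the commitment and the other keys are the authentication keys; along the time axis the keys are disclosed in order ($K_1, K_2, \ldots, K_{n-2}, \ldots$)]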
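The key chain check above, as an added example (not code from the slides): a receiver authenticates a disclosed key by applying F until it reaches the last key it trusts, then verifies buffered messages, including those whose own keys were lost. Assumptions: SHA-256 stands in for F, HMAC-SHA256 is the MAC and is keyed directly with the chain key, and the receiver only buffers packets that arrived before their key was disclosed; `make_chain`, `Receiver` and the sample values are illustrative names.

```python
import hashlib
import hmac

def F(key: bytes) -> bytes:
    """One-way function of the key chain: K_i = F(K_{i+1}) (SHA-256 assumed)."""
    return hashlib.sha256(b"chain" + key).digest()

def make_chain(n: int, seed: bytes) -> list:
    """Return [K_0, ..., K_n] with K_n = seed; K_0 is the commitment."""
    chain = [seed]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, commitment: bytes):
        self.idx, self.key = 0, commitment  # last authenticated key K_idx
        self.pending = []                   # (interval, msg, tag) awaiting a key

    def on_packet(self, interval: int, msg: bytes, tag: bytes) -> None:
        self.pending.append((interval, msg, tag))

    def on_disclosure(self, i: int, key: bytes) -> list:
        """Authenticate disclosed K_i, then return the messages it verifies."""
        if i <= self.idx:
            return []
        k, older = key, {i: key}
        for j in range(i - 1, self.idx - 1, -1):   # walk back towards K_idx
            k = F(k)
            older[j] = k                           # recovers keys that were lost
        if not hmac.compare_digest(k, self.key):
            return []                              # forged or corrupted key
        self.idx, self.key = i, key
        ok, keep = [], []
        for interval, msg, tag in self.pending:
            if interval > i:
                keep.append((interval, msg, tag))  # key not disclosed yet
            elif interval in older and hmac.compare_digest(mac(older[interval], msg), tag):
                ok.append(msg)
        self.pending = keep
        return ok

if __name__ == "__main__":
    chain = make_chain(5, b"constructed seed R")   # constructed sample chain
    rx = Receiver(chain[0])
    rx.on_packet(1, b"reading 1", mac(chain[1], b"reading 1"))
    print(rx.on_disclosure(3, chain[3]))           # K_1 and K_2 were never received
```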
Distribution of Key Chain Commits
• TESLA
– Digital signatures: Too expensive for sensors
– Use the current keys to authenticate the
commitment of the next key chain.
• Attractive targets for attackers.
• Loss of commitment distribution messages → loss of the next key chain → bootstrap again.
[Figure: old key chain (old key $K_n$) followed by the new key chain (new commit $K_0'$)]
Distribution of Key Chain Commits (Cont’d)
• μTESLA
– Unicast-based secure communication with the base station.
– Does not scale to large networks
Techniques
• Multi-level TESLA
– Predetermination and broadcast instead of unicast.
– Use high-level key chain to authenticate commitments of
low-level key chains.
– Tolerate communication failures and malicious attacks.
• Five Schemes
– Each later scheme improves over the previous one by
addressing its limitations.
– The final scheme
• Low overhead
• Tolerate message losses
• Scalable to large networks
• Resistant to replay attacks and DOS attacks.
Scheme I: Predetermined Key Chain
Commitment
• Predetermine the TESLA parameters along
with the master key distribution
– commitment
– start time
– other parameters
• Shortcomings
– Long key chain or large time interval?
– Difficulties in setting up start time
Scheme II: Naïve Two-Level Key Chains
• Two-level key chains
– One high-level key chain and multiple low-level
key chains
– High-level key chain
• Authenticate commitments of low-level key chains
• Done through broadcast of Commit Distribution
Messages (CDM)
– Low-level key chains
• Authenticate actual data messages
Scheme II (Cont’d)
• The two levels of key chains
[Figure: the high-level key chain (..., $K_{i-1}$, $K_i$, ...) is generated with $F_0$; for each high-level key, the low-level key chain $K_{i,0}, K_{i,1}, K_{i,2}, \ldots, K_{i,m}$ is generated with $F_1$; horizontal axis: time]
$CDM_{i-1} = i \mid K_{i,0} \mid H(K_{i+1,0}) \mid MAC_{K'_{i-1}}(i \mid K_{i,0} \mid H(K_{i+1,0})) \mid K_{i-2}$
$CDM_i = i \mid K_{i+1,0} \mid H(K_{i+2,0}) \mid MAC_{K'_i}(i \mid K_{i+1,0} \mid H(K_{i+2,0})) \mid K_{i-1}$
Scheme II (Cont’d)
• Key disclosure schedule
[Figure: time line divided into high-level intervals $I_i$, $I_{i+1}$, each subdivided into low-level intervals $I_{i,1}, I_{i,2}, \ldots, I_{i,m}$. Three rows show the disclosure of low-level keys ($K_{i-1,m-d+1}$, $K_{i-1,m-d+2}$, ..., $K_{i,m-d}$, $K_{i,m-d+1}$, $K_{i,m-d+2}$, ..., $K_{i+1,m-d}$), the distribution of low-level commitments ($K_{i+1,0}$, $K_{i+2,0}$), and the disclosure of high-level keys ($K_{i-1}$, $K_i$)]
Scheme II (cont’d)
• Limitations
– Loss of CDM message during high-level interval $I_i$ → unable to authenticate during $I_{i+1}$
– Loss of the last several low-level keys → unable to authenticate the corresponding messages.
[Figure: the two levels of key chains (high-level keys $K_{i-1}$, $K_i$ generated with $F_0$; low-level keys $K_{i,0}, K_{i,1}, \ldots, K_{i,m}$ generated with $F_1$); horizontal axis: time]
Scheme III: Fault Tolerant Two-Level Key
Chains
• Tolerate CDM message loss:
– Periodically broadcast CDM messages
– Assume
• Probability that a receiver loses a CDM message: $p_f$
• Broadcast frequency: $F$
• Duration of a high-level interval: $\Delta_0$
– Reduce loss rate to $p_f^{F \cdot \Delta_0}$
– Increase overhead by $F \cdot \Delta_0$ times
• Tolerate normal message loss:
– Connect the low-level key chains and the high-level key chain
Scheme III (Cont’d)
[Figure: two-level key chains in which the low-level key chains are connected to the high-level keys $K_{i-1}$, $K_i$ through $F_{01}$; low-level keys $K_{i,0}, K_{i,1}, \ldots, K_{i,m}$ generated with $F_1$; horizontal axis: time]
$CDM_i = i \mid K_{i+1,0} \mid H(K_{i+2,0}) \mid MAC_{K'_i}(i \mid K_{i+1,0} \mid H(K_{i+2,0})) \mid K_{i-1}$
DOS attacks
• CDM messages are more attractive to attackers
• DOS attacks against CDM messages
– Selective jamming
– Smart attacks: only change certain fields in CDM messages → a receiver cannot discard the messages until it gets the corresponding disclosed key
$CDM_i = i \mid K_{i+1,0} \mid H(K_{i+2,0}) \mid MAC_{K'_i}(i \mid K_{i+1,0} \mid H(K_{i+2,0})) \mid K_{i-1}$
[Figure labels on the fields of $CDM_i$: low-level key chain commitment for $I_{i+1}$; image of low-level key chain commitment for $I_{i+1}$; MAC; disclosed high-level key for $I_{i-1}$]
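An added example (not from the slides) of what a receiver can verify when a copy of $CDM_i$ arrives and what has to wait for $K_i$: a copy whose image and MAC fields were altered passes the initial checks and is only rejected by the later MAC check. Assumptions: SHA-256 for $H$ and $F_0$, HMAC-SHA256 with $K'_i$ derived by hashing $K_i$, a receiver that already holds the authenticated $K_{i-2}$, and constructed sample keys; all function names are illustrative.

```python
import hashlib
import hmac

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def F0(k: bytes) -> bytes:
    """High-level chain function, K_{i-1} = F0(K_i) (SHA-256 based; assumed)."""
    return H(b"F0" + k)

def cdm_mac(k_i: bytes, i: int, commit: bytes, image: bytes) -> bytes:
    """MAC_{K'_i}(i | K_{i+1,0} | H(K_{i+2,0})); K'_i = H("mac" | K_i) is assumed."""
    body = i.to_bytes(4, "big") + commit + image
    return hmac.new(H(b"mac" + k_i), body, hashlib.sha256).digest()

def make_cdm(i: int, high: list, low0: list) -> dict:
    """Base station side: high[i] is K_i, low0[i] is K_{i,0}."""
    commit, image = low0[i + 1], H(low0[i + 2])
    return {"i": i, "commit": commit, "image": image,
            "mac": cdm_mac(high[i], i, commit, image), "disclosed": high[i - 1]}

def initial_check(cdm: dict, k_prev: bytes, image_prev) -> str:
    """Checks possible on arrival of CDM_i. k_prev is the authenticated K_{i-2};
    image_prev is H(K_{i+1,0}) from an authenticated CDM_{i-1}, or None."""
    if not hmac.compare_digest(F0(cdm["disclosed"]), k_prev):
        return "discard"            # disclosed K_{i-1} is not on the key chain
    if image_prev is None:
        return "buffer"             # nothing else is checkable before K_i arrives
    if not hmac.compare_digest(H(cdm["commit"]), image_prev):
        return "discard"            # K_{i+1,0} does not match its image
    return "commit-ok"              # K_{i+1,0} authentic; image and MAC still unchecked

def final_check(cdm: dict, k_i: bytes) -> bool:
    """After K_i is disclosed and authenticated, verify the MAC over the CDM."""
    expected = cdm_mac(k_i, cdm["i"], cdm["commit"], cdm["image"])
    return hmac.compare_digest(expected, cdm["mac"])

# Constructed sample keys: high-level chain K_0..K_5 and low-level commitments K_{j,0}.
high = [b"constructed high-level seed K_5"]
for _ in range(5):
    high.insert(0, F0(high[0]))
low0 = [H(b"constructed low-level chain %d" % j) for j in range(8)]
cdm3 = make_cdm(3, high, low0)
image_from_cdm2 = make_cdm(2, high, low0)["image"]       # H(K_{4,0})
altered = dict(cdm3, image=H(b"bogus"), mac=bytes(32))   # constructed altered copy
if __name__ == "__main__":
    print(initial_check(cdm3, high[1], image_from_cdm2), final_check(cdm3, high[3]))
    print(initial_check(altered, high[1], image_from_cdm2), final_check(altered, high[3]))
```

Because the altered copy is indistinguishable from the authentic one until $K_i$ is disclosed, the receiver has to decide which copies to keep without knowing which are genuine.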
Scheme IV: (Final) Two-Level Key Chains
• Randomize CDM distribution to mitigate
selective jamming attacks
– We assume there are other methods to deal with
constant jamming.
• Random selection strategy to mitigate smart
DOS attacks
– Single buffer random selection
– Multiple buffer random selection
Scheme IV (Cont’d)
• Single buffer random selection
– Assume each sensor has one buffer for CDM
– Initial verification to discard forged $CDM_i$
• Authenticate disclosed high-level key.
• Authenticate $K_{i+1,0}$ if $CDM_{i-1}$ is authenticated.
– For the $k$-th copy of $CDM_i$ that passes the initial verification
• Save it in the buffer with probability $1/k$.
• All such copies have equal probability to be saved.
– The probability that a sensor has an authentic CDM
• $P(CDM_i) = 1 - p$, where $p = \frac{\#\,\text{forged copies}}{\#\,\text{total copies}}$
Scheme IV (Cont’d)
• Multiple buffer random selection
– Assume each sensor has m buffers for CDM
– Initial verification to discard forged $CDM_i$
• Same as before.
– For the $k$-th copy of a $CDM_i$ that passes the initial verification
• $k \le m$ → save it in one available buffer.
• $k > m$ → save it in a randomly selected buffer with probability $m/k$;
• All such copies have equal probability to be saved.
– The probability that the sensor has an authentic CDM
• $P(CDM_i) = 1 - p^m$, where $p = \frac{\#\,\text{forged copies}}{\#\,\text{total copies}}$
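The single buffer and multiple buffer random selection above, as an added simulation (not the authors' code): every copy that passes initial verification is equally likely to end up in a buffer, so the arrival order chosen by the attacker does not matter. The scenario (190 forged and 10 authentic copies of one CDM) and all names are constructed for illustration; m = 1 is the single buffer case.

```python
import random

class CdmBuffers:
    """m buffers for copies of CDM_i that passed the initial verification."""

    def __init__(self, m: int, rng: random.Random):
        self.m, self.rng = m, rng
        self.k = 0          # number of copies offered so far
        self.slots = []

    def offer(self, copy) -> None:
        self.k += 1
        if self.k <= self.m:
            self.slots.append(copy)                        # k <= m: free buffer
        elif self.rng.random() < self.m / self.k:          # k > m: keep w.p. m/k
            self.slots[self.rng.randrange(self.m)] = copy  # in a random buffer

def keeps_authentic(m, forged, authentic, forged_first, rng) -> bool:
    """One high-level interval: does any buffer end up holding an authentic copy?"""
    stream = ["forged"] * forged + ["authentic"] * authentic
    if not forged_first:
        stream.reverse()
    buffers = CdmBuffers(m, rng)
    for copy in stream:
        buffers.offer(copy)
    return "authentic" in buffers.slots

def estimate(m, forged, authentic, forged_first, trials=4000, seed=774):
    """Fraction of trials in which the sensor still holds an authentic CDM_i."""
    rng = random.Random(seed)
    hits = sum(keeps_authentic(m, forged, authentic, forged_first, rng)
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    p = 190 / 200   # constructed scenario: 95% of the copies are forged
    for m in (1, 5):
        for forged_first in (True, False):
            print(m, forged_first, estimate(m, 190, 10, forged_first), 1 - p ** m)
```

The estimates land close to the slides' $1 - p$ and $1 - p^m$ for either arrival order.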
Scheme V: Multi-Level Key Chains
• m levels of key chains, arranged from level 0
to level m-1 from top down.
– Keys in level m-1 are used for authenticating data
– Each higher-level key chain is used to authenticate
the commitments for its immediately lower-level
key chains.
– Every two adjacent levels work in the same way as
in Scheme IV.
Simulation Study
• Network model
– Emulate broadcast channel over IP multicast
– One base station
– One attacker
– Multiple sensor nodes
– Sensors are one-hop neighbors of the base station and the attacker
• Parameters
– Channel loss rate
– Percentage of forged CDM packets
– Buffer size at sensors (data packets and CDM packets)
Simulation Study (Cont’d)
• Metrics
– %authenticated data packets at a sensor node
(#authenticated data packets/received data packets)
– Average data authentication delay (the average
time between the receipt and the authentication of
a data packet).
Experimental Results
• Buffer allocation schemes
[Figure not preserved; annotations: 95% forged CDM; 1 CDM buffers]
Experimental Results (Cont’d)
• %authenticated data packets
[Figure not preserved; annotations: 39 CDM buffers; 3 data buffers; 95% forged CDM]
Experimental Results (Cont’d)
• Average data packet authentication delay
[Figure not preserved; annotations: 39 CDM buffers; 3 data buffers]
Conclusion
• Developed a multi-level key chain scheme to
efficiently distribute commitments for TESLA
– Low overhead
– Tolerance of message loss
– Scalable to large networks
– Resistant to replay attacks and DOS attacks
• Future work
– Reduction of the long delay after complete loss of CDM
– Broadcast authentication involving multiple base stations
– Adaptive approach to dealing with the DOS attacks
Thank You!