CSC 774 Network Security What Is Broadcast Authentication? Topic 6. Broadcast Authentication
advertisement
Computer Science
CSC 774 Network Security
Topic 6. Broadcast Authentication
CSC 774 Network Security
Dr. Peng Ning
1
What Is Broadcast Authentication?
• One sender; multiple receivers
– All receivers need to authenticate messages from
the sender.
Computer Science
CSC 774 Network Security
Dr. Peng Ning
2
1
Challenges in Broadcast Authentication
• Can we use symmetric cryptography in the
same way as in point-to-point authentication?
• How about public key cryptography?
– Effectiveness?
– Cost?
• Research in broadcast authentication
– Reduce the number of public key cryptographic
operations
Computer Science
CSC 774 Network Security
Dr. Peng Ning
3
Computer Science
CSC 774 Network Security
Topic 6.1 TESLA and EMSS
CSC 774 Network Security
Dr. Peng Ning
4
2
Outline
• Two Schemes
– TESLA
•
•
•
•
Sender Authentication
Strong loss robustness
High Scalability
Minimal overhead
– EMSS
• Non-Repudiation
• High loss robustness
• Low overhead
Computer Science
CSC 774 Network Security
Dr. Peng Ning
5
TESLA - Properties
•
•
•
•
•
•
•
Low computational overhead
Low per packet communication overhead
Arbitrary packet loss tolerated
Unidirectional data flow
No sender side buffering
High guarantee of authentication
Freshness of data
Computer Science
CSC 774 Network Security
Dr. Peng Ning
6
3
TESLA – Overview
• Timed Efficient Stream Loss–tolerant Authentication
• Based on timed and delayed release of keys by the
sender
• Sender commits to a random key k and transmits it to
the receivers without revealing it
• Sender attaches a MAC to the next packet Pi with k as
the MAC key
• In Pi+1 packet sender “decommits” to the key and
receiver uses this key k to verify Pi
• Need a security assurance
Computer Science
CSC 774 Network Security
Dr. Peng Ning
7
Dr. Peng Ning
8
TESLA – Scheme I
•
•
•
•
•
•
•
Pi-1 = <Di-1, MAC(K’i-1 , Di-1)>
Di-1 = <Mi-1, F(Ki), Ki-2>
Mi-1 = Message
F(Ki) = commitment to Ki
K’i = F’(Ki)
Each packet Pi+1 authenticates Pi
Problems ??
Computer Science
CSC 774 Network Security
4
TESLA – Scheme I (contd )
• If attacker gets Pi+1 before receiver gets Pi, it can
forge Pi
• Security Condition
– ArrTi + δt < Ti+1
– Sender’s clock is no more than δt seconds ahead of that
of the receivers
• Packet loss not tolerated
Computer Science
CSC 774 Network Security
Dr. Peng Ning
9
Dr. Peng Ning
10
TESLA – Scheme I (Contd)
Computer Science
CSC 774 Network Security
5
TESLA – Scheme II
•
•
•
•
•
•
Generate a seq of keys { Ki }
Fv(x) = Fv-1( F(x) )
Fo(x) = x
Ko = Fn (K n)
Ki = Fn-i(Kn)
Attacker cannot invert F or compute any Kj given Ki;
j>i
• Receiver can compute all Kj from Ki ; j < i
• Kj = Fi-j (Ki) ; K’i = F’ (Ki)
Computer Science
CSC 774 Network Security
Dr. Peng Ning
11
Dr. Peng Ning
12
TESLA – Scheme II (Contd)
Computer Science
CSC 774 Network Security
6
TESLA – Scheme III
• Remaining problems with Scheme II
– Inefficient for fast packet rates
– Sender cannot send Pi+1 until all receivers receive Pi
• Scheme III
– Does not require that sender waits for receiver to
get Pi before it sends Pi+1
– Basic idea: Disclose Ki in Pi+d instead of Pi+1
Computer Science
CSC 774 Network Security
Dr. Peng Ning
13
TESLA – Scheme III (Cont’d)
• Disclosure delay d = (δtMax + dNMax)r
– δ tMax: maximum clock discrepancy
– dNMax: maximum network delay
– r: packet rate
• Security Condition:
– ArrTi + δt < Ti+d
• Does choosing a large d affect the security?
Computer Science
CSC 774 Network Security
Dr. Peng Ning
14
7
TESLA – Scheme IV
• Deals with Dynamic transmission rates
• Divide time into intervals
• Use the same Ki to compute the MAC of all
packets in the same interval i
• All packets in the same interval disclose the
key Ki-d
• Achieve key disclosure based on interval basis
than on packet index basis
Computer Science
CSC 774 Network Security
Dr. Peng Ning
15
Dr. Peng Ning
16
TESLA – Scheme IV (Cont’d)
Computer Science
CSC 774 Network Security
8
TESLA – Scheme IV (Cont’d)
•
•
•
•
Interval index: i = (t – To)/TΔ
Ki’ = F’(Ki) for each packet in interval i
Pj = < Mj, i, Ki-d, MAC(Ki’, Mj) >
Security condition:
– i + d > i’
– i’ = (tj+ δt-To)/TΔ
• i’ is the farthest interval the sender can be in
Computer Science
CSC 774 Network Security
Dr. Peng Ning
17
TESLA – Scheme V
• In Scheme IV:
– A small d will force remote users to drop packets
– A large d will cause unacceptable delay for fast
receivers
• Scheme V
– Use multiple authentication chains with different
values of d
• Receiver verifies one security condition for
each chain Ci, and drops the packet is none is
satisfied
Computer Science
CSC 774 Network Security
Dr. Peng Ning
18
9
TESLA – Initial Time Synchronization
• R→S: Nonce
• S →R: {Sender Time tS, Nonce, …}Ks-1
R only cares the
maximum time
value at S.
Max clock
discrepancy:
ΔT = tS-tR
Computer Science
CSC 774 Network Security
Dr. Peng Ning
19
EMSS
• Efficient Multichained Streamed Signature
• Useful where
– Non Repudiation required
– Time synchronization may be a problem
• Based on signing a small no. of special packets
in the stream
• Each packet linked to a signed packet via
multiple hash chains
Computer Science
CSC 774 Network Security
Dr. Peng Ning
20
10
EMSS – Basic Signature Scheme
Computer Science
CSC 774 Network Security
Dr. Peng Ning
21
EMSS – Basic Signature Scheme (Cont’d)
• Sender sends periodic signature packets
• Pi is verifiable if there exists a path from Pi to
any signature packet Sj
Computer Science
CSC 774 Network Security
Dr. Peng Ning
22
11
EMSS – Extended Scheme
• Basic scheme has too much redundancy
• Split hash into k chunks, where any k’ chunks
are sufficient to allow the receivers to validate
the information
– Rabins Information Dispersal Algorithm
– Some upper few bits of hash
• Requires any k’ out of k packets to arrive
• More robust
Computer Science
CSC 774 Network Security
Dr. Peng Ning
23
12
