Computer Science
Efficient Security Mechanisms for Routing Protocols
Yih-Chun Hu, Adrian Perrig, David B. Johnson
Presented by Yuzheng Zhou for CSC774
Secure Routing mechanisms in MANET
• Most previous secure routing mechanisms use standard digital signatures
– Public key cryptography is expensive, especially for MANET.
• Symmetric cryptography is much more efficient
– Link state routing
– Distance vector routing: SEAD works, but is still vulnerable to several attacks
– This paper proposes four mechanisms addressing secure distance vector / path vector routing.
Roadmap
• Distance vector routing and attacks
• Previous work - SEAD
• Four mechanisms based on symmetric cryptography
– Securing distance vector protocols
• Hash tree chains
• Tree-authenticated one-way chains
• Skiplists
– Securing path vector protocols
• Cumulative authentication
• Conclusion and future work
Distance vector routing
• Finds shortest paths between nodes in the network
• Each router maintains a routing table listing all possible destinations: address / distance (metric) / first hop
• Periodically transmits a routing update to each of its neighbor routers: sequence number / distance (metric)
Attacks on Distance Vector Routing
• Advertising short distances (blackhole)
• Claiming longer distances
• Injecting routing loops
• Injecting a large number of route updates
Previous work: SEAD
• SEAD (k=5, n=3)
• Attacks
– Same-distance fraud
– Hash chain verification can take as long as O(ks)
– DoS attack on nodes that have missed several routing updates
Review: Merkle hash tree
• To verify v2, need v3’, m01, m47, and verify
Mechanism I: Hash Tree Chains
• Prevents same-distance fraud
• A hybrid between a hash tree and a one-way chain
– The one-way chain property enforces that nodes cannot decrease the distance metric (as in SEAD)
– The hash tree property is used to authenticate the node id
Hash Tree Chains (cont..)
Mechanism II: Tree-authenticated one-way chains
• Speed up authentication of a received routing update
– O(ks) → O(k + log(s))
Tree-authenticated one-way chains (cont..)
• Tree-authenticated one-way chains
– Use a new hash chain for each sequence number
– All the hash chains are organized as a Merkle hash tree
– To authenticate an anchor, follow the path to the root of the hash tree
– To authenticate an update, use the anchor
MW-chains (prepare for skiplists)
• Provide instant authentication and low storage overhead for signatures
– This one-way chain contains a list of values called heads
– Between any two heads are a set of signature branches and a set of checksum branches
– The sender uses a checksum chain that moves in the opposite direction of the signature chains, to prevent an attacker from forging an earlier message
MW-chains (cont..)
Mechanism III: Skiplists
• Goal: prevent DoS attacks, speed up hash chain authentication
• Method:
– Skip many steps in a virtual hash chain
– Skipchains can be embedded inside skiplists
– Represented by an MW-chain capable of signing enough bits to ensure security
• A new head is chosen by hashing the head of this step
• The anchor of this skipchain is computed
• Sign this new anchor
Skipchains
Path vector routing
• Each routing update includes a list of routers on the route
• Choose the route with the shortest recorded path
• Authenticate each hop the routing update has traversed, as recorded in the path
• Ensure no hops were removed from that recorded path
Path vector routing (cont..)
• Traditional way of authentication:
– Each node inserts an authenticator in the packet; the recipient individually verifies each authenticator
– Network overhead of carrying a MAC for each node in the path
• Cumulative authentication
– A single MAC together with an ordered list of nodes traversed by the packet
Mechanism IV: Cumulative Authentication
• Each packet carries a path authenticator and an address list
• When the packet traverses a node, the node appends its address to the address list
• The node authenticates its position by replacing the path authenticator with a MAC computed over the received path authenticator and the packet’s immutable fields
Cumulative Authentication (cont..)
Example: to authenticate packet p, each node authenticates using a MAC keyed with a secret shared with target T
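To make the chaining on the last two slides concrete, here is an added Python sketch (not code from the paper or the presenter): each hop appends its address and replaces the path authenticator with a MAC, keyed with a secret it shares with target T, over the received authenticator and the packet's immutable fields; T then recomputes the whole chain from the address list, so a dropped, reordered or unknown hop fails verification. The node names, keys, immutable-field bytes and the empty initial authenticator are constructed assumptions.

```python
import hmac
import hashlib

# Constructed keys: every node shares a secret with target T (key setup assumed, not on the slides).
KEYS = {"S": b"k-S-T", "A": b"k-A-T", "B": b"k-B-T", "C": b"k-C-T"}
INITIAL_AUTH = b""  # assumed initial path authenticator at the source


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def forward(packet: dict, node: str) -> dict:
    """Hop processing: append own address, fold the received authenticator and the immutable fields into a new MAC."""
    new_auth = mac(KEYS[node], packet["auth"] + packet["immutable"])
    return {"immutable": packet["immutable"],
            "path": packet["path"] + [node],
            "auth": new_auth}


def send_along(path: list, immutable: bytes = b"dst=T|seq=7") -> dict:
    """Originate a packet at path[0] and forward it hop by hop; returns what T receives."""
    packet = {"immutable": immutable, "path": [], "auth": INITIAL_AUTH}
    for node in path:
        packet = forward(packet, node)
    return packet


def verify_at_target(packet: dict) -> bool:
    """T recomputes the MAC chain over the recorded address list with its shared keys."""
    auth = INITIAL_AUTH
    for node in packet["path"]:
        key = KEYS.get(node)
        if key is None:  # unknown node: it cannot have produced a valid MAC
            return False
        auth = mac(key, auth + packet["immutable"])
    return hmac.compare_digest(auth, packet["auth"])


def drop_hop(packet: dict, node: str) -> dict:
    """Tampering model: a hop is removed from the address list; without that hop's key the MAC cannot be repaired."""
    return {**packet, "path": [n for n in packet["path"] if n != node]}
```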
Conclusions and future work
• Summary
– Presented four new mechanisms for secure distance vector and path vector routing protocols
– Based on symmetric cryptography
– Use Merkle hash trees and MW-chains
• Future Work
– Decrease the overhead
Thank you!
Q&A