350 likes | 509 Views
RIPPLE Authentication for Network Coding Yaping Li, Hongyi Yao, Minghua Chen, Sidharth Jaggi , and Alon Rosen. Presented by Scott Haseley, Luigi Di Tacchio. Motivation for Coding. How can we improve throughput in networks? Traditional Solutions Improve protocols Improve efficiency
E N D
RIPPLE Authentication for Network CodingYapingLi, HongyiYao, MinghuaChen, SidharthJaggi, and AlonRosen Presented by Scott Haseley, Luigi Di Tacchio
Motivation for Coding How can we improve throughput in networks? • Traditional Solutions • Improve protocols • Improve efficiency • Network Coding • Mathematical approach • Combine Messages
Combining Messages • Messages can be combined in a variety of ways • Receivers need to be able recover the original messages • XOR messages • b1 = (b1⊕b2) ⊕ b2 • Use a protocol to guarantee recovery • Ex: COPE
Linear Coding • Treat messages as vectors • Each vector contains n symbols • Each symbol is in the finite field Fq • m messages per generation • We append global coding coefficients for decoding • Nodes transmit linear combinations of messages in the generation
Linear Coding Example: a = {a1 a2 … an} + {1, 0, 0} b = {b1, b2, …bn} + {0, 1, 0} c = {c1, c2, …cn} + {0, 0, 1} Node i transmits 2a + 7b + c • Global coefficients imply linear independence • Decoding is done by Gaussian Elimination • Random scalars can be used for coding
Security Concerns • Pollution Attacks • Effects of data injection are amplified • All packets are corrupted in worse case • Cannot do source authentication with per-packet MAC • Messages are meant to be altered • Not desirable to protect with per-generation MAC • Recovery is expensive • False data propagation
HomomorphicMACs • In previous work, Homomorphic MAC was suggested • Sign: We can create a tag for any vector (message) • Combine: Create a new <vector, tag> pair for any other <vector, tag> pairs • Verify: 1 if tag is valid, 0 otherwise. • Required: Verify(Combine(valid <v, t> pairs)) = 1 • RIPPLE uses a Homomorphic MAC
Example: Butterfly Network S 1 2 3 4 D1 D2
RIPPLE and Levels • In RIPPLE, the network is divided in levels. • Level i includes all nodes whose longest distance from the source is at most i steps. • Each level has its own One-Way Key Chain for packet authentication.
Butterfly Network and Levels S 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 D1 D2 LEVEL 4
Nodes and One-Way Key Chains HASH HASH HASH HASH (0) (0) (1) (1) … … (2) (2) 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 …… D1 D2 …… LEVEL 4
How are the key chains used? • They are used to compute a MAC tag. • For each message M we want to send, we generate one MAC for each level. • How? Taking one key from each level key chain.
How are the key chains used? • So, for example: LEVEL 1 (0) (1) (2) LEVEL 2 (0) (1) (2) LEVEL 3 (0) (1) (2) LEVEL 4 (0) (1) (2) USED FOR M0 and M1 USED FOR M2 and M3 USED FOR M4 and M5
How are the MACs computed? • We want to send a message M0. • We have the commitments of all key chains. • The MAC is computed through an inner-product operation between the message and the key. REMINDER: INNER-PRODUCT < (a1, a2, a3), (b1, b2, b3) > = a1 * b1 + a2 * b2 + a3*b3
How are the MACs computed? • We want to send a message M0. • We have the commitments of all key chains. • We first take the commitment of level 4, (0). • We compute t4 = <M0, K4(0) >. (inner-product) • Then we take the commitment of level 3, (0). • We concatenate M0 with t4. • We compute t3= < (M0 | t4 ), K3(0) >. • In the same way we compute and . • t2= < (M0 | t4| t3), K2(0) >. • t1= < (M0 | t4 | t3 | t2), K1(0) >.
MACs computation: a logical schema K4(0) M0 t4 <a, b> | K3(0) t3 <a, b> M0 | t4 | K2(0) t2 <a, b> M0 | t4 | t3 | K1(0) t1 <a, b> M0 | t4 | t3 | t2 | M0 | t4 | t3 | t2 | t1
How are the MACs verified? • Let’s go through an example.
Butterfly Network M0 | t40| t30| t20| t10 M1 | t41| t31| t21| t11 S 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 D1 D2 LEVEL 4
Butterfly Network – K1 released K1 K1 S < (M0 | t40| t30| t20), K1> == t10 < (M1 | t41| t31| t21), K1> == t11 M0 | t40| t30| t20| t10 M1 | t41| t31| t21| t11 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 D1 D2 LEVEL 4
Butterfly Network – packets forwarded S M0 | t40| t30| t20 M0 | t40| t30| t20 M1 | t41| t31| t21 M1 | t41| t31| t21 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 D1 D2 LEVEL 4
Butterfly Network – K2 released K2 K20 K21 K2 S 1 2 LEVEL 1 M1 | t41| t31| t21 M0 | t40| t30| t20 3 LEVEL 2 4 LEVEL 3 M0 | t40| t30| t20 M1 | t41| t31| t21 D1 D2 LEVEL 4
Butterfly Network – packets coded S 1 2 LEVEL 1 M1 | t41| t31 M0 | t40| t30 3 LEVEL 2 4 LEVEL 3 M0 | t40| t30 M1 | t41| t31 D1 D2 LEVEL 4
Coding packets and MACs • Node 3 has to code M0 and M1. • So it will pick α0 and α1 and compute M01 = α0 M0 + α1 M1. • And what about the MACs of M01? We have only MACs of M0 and M1. HOMOMORPHIC MAC!!!
Homomorphic MAC MAC() = • In our example: M0 | t40| t30 M1 | t41| t31 α0 t40 + α1 t41 α0 t30 + α1 t31 α0 M0 + α1 M1 M01 | t401| t301
Butterfly Network – packet forwarded S 1 2 LEVEL 1 M01 | t401| t301 3 LEVEL 2 4 LEVEL 3 M0 | t40| t30 M1 | t41| t31 D1 D2 LEVEL 4
Butterfly Network – K3 released K3 K3 K3 S 1 2 LEVEL 1 3 LEVEL 2 M01 | t401| t301 4 LEVEL 3 M0 | t40| t30 M1 | t41| t31 D1 D2 LEVEL 4
Butterfly Network – packets forwarded S 1 2 LEVEL 1 3 LEVEL 2 M01 | t401 M01 | t401 4 LEVEL 3 M0 | t40 M1 | t41 D1 D2 LEVEL 4
Butterfly Network – K4 released K4 K4 S 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 M01 | t401 M01 | t401 M0 | t40 M1 | t41 D1 D2 LEVEL 4
Butterfly Network – packets recovered S 1 2 LEVEL 1 3 LEVEL 2 4 LEVEL 3 M01 M01 M0 M1 M0 M1 D1 D2 LEVEL 4
Details we didn’t cover • How are the coefficient of the linear combination transmitted? • There is a way to “incorporate” them in the message. • What happens to subsequent messages? • They are transmitted, authenticated and coded following the same procedure. Subsequently released keys are authenticated checking they belong to the chain.
Conclusion • Is RIPPLE practical and efficient? Can it be implemented in real world scenario? • TESLA key disclosure introduces delay in packet authentication. • Packets have to be buffered: what about nodes with limited resources? (MANETs and sensor networks) • Single source traffic is ok: does it scale in a multiple source scenario? What about when every node is a source?
References • [1] Y. Li, H. Yao, M. Chen, S. Jaggi, and A. Rosen “RIPPLE Authentication for Network Coding”, INFOCOM, 2010 Proceedings IEEE , vol., no., pp.1,9, 14-19 March 2010. • [2] R. Ahlswede, N. Cai, S. Li, and R. Yeung. “Network information flow”, IEEE Transactions on Information Theory, vol. 46, no. 4 pp. 1204-1216, 2000. • [3] S. Katti, H. Rahul, W. Hu, D. Katabi, M. Medard, and J. Crowcroft, “Xors in the air: Practical wireless network coding”, in Proc. of ACM SIGCOMM 2006, 2006. • [4] R. Kotter and M. Medard, “Beyond routing: An algebraic approach to network coding”, IEEE/ACM Transactions on Networking, vol. 11, pp. 782–796, 2003 • [5] D. Boneh, D. Freeman, J. Katz, and B. Waters. “Signing a linear subspace: Signature schemes for network coding”. In Proc. of PKC 2009, 2009.