1 / 25

Donggang Liu and Peng Ning Department of Computer Science NC State University

Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks. Donggang Liu and Peng Ning Department of Computer Science NC State University. Background. Sensor Networks

Download Presentation

Donggang Liu and Peng Ning Department of Computer Science NC State University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks Donggang Liu and Peng Ning Department of Computer Science NC State University CSC 774 Adv. Net. Security

  2. Background • Sensor Networks • One or a few more powerful base stations and a potentially large number of sensor nodes • Inexpensive • Limited resources (computational power, memory space, energy, etc.) • When security is a concern, it is necessary for the sensors to authenticate messages received from base stations. CSC 774 Adv. Net. Security

  3. Authentication Keys F F F F F F K0 K1 K3 K2 K4 Kn= R TESLA • A variation of TESLA • Based on symmetric cryptography • Provide broadcast source authentication by delayed disclosure of authentication keys • Authentication of messages depends on the authenticity of the key chain commits K0. commitment Ki=F(Ki+1), F: pseudo random function … Time Key Disclosure K1 K2 Kn-2 CSC 774 Adv. Net. Security

  4. Distribution of Key Chain Commits • TESLA • Digital signatures: Too expensive for sensors • Use the current keys to authenticate the commitment of the next key chain. • Attractive targets for attackers. • Loss of commitment distribution messages  loss of the next key chain  bootstrap again. Old key Kn New commit K0’ Old key chain New key chain CSC 774 Adv. Net. Security

  5. Distribution of Key Chain Commits (Cont’d) • TESLA • Unicast-based secure communication with the base station. • Do not scale to large networks CSC 774 Adv. Net. Security

  6. Techniques • Multi-level TESLA • Predetermination and broadcast instead of unicast. • Use high-level key chain to authenticate commitments of low-level key chains. • Tolerate communication failures and malicious attacks. • Five Schemes • Each later scheme improves over the previous one by addressing its limitations. • The final scheme • Low overhead • Tolerate message losses • Scalable to large networks • Resistant to replay attacks and DOS attacks. CSC 774 Adv. Net. Security

  7. Scheme I: Predetermined Key Chain Commitment • Predetermine the TESLA parameters along with the master key distribution • commitment • start time • other parameters • Shortcomings • Long key chain or large time interval? • Difficulties in setting up start time CSC 774 Adv. Net. Security

  8. Scheme II: Naïve Two-Level Key Chains • Two-level key chains • One high-level key chain and multiple low-level key chains • High-level key chain • Authenticate commitments of low-level key chains • Done through broadcast of Commit Distribution Messages (CDM) • Low-level key chains • Authenticate actual data messages CSC 774 Adv. Net. Security

  9. Scheme II (Cont’d) • The two-levels of key chains CDMi-1=i|Ki,0|H(Ki+1, 0)|MACK’i-1(i|Ki, 0|H(Ki+1, 0 ))|K i-2 CDMi=i|Ki+1,0|H(Ki+2 ,0)|MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 CSC 774 Adv. Net. Security

  10. Scheme II (Cont’d) • Key disclosure schedule CSC 774 Adv. Net. Security

  11. Scheme II (cont’d) • Limitations • Loss of CDM message during high-level interval Ii • unable to authenticate during Ii+1 • Loss of the last several low-level keys  • unable to authenticate the corresponding messages. CSC 774 Adv. Net. Security

  12. Scheme III: Fault Tolerant Two-Level Key Chains • Tolerate CDM message loss: • Periodically broadcast CDM messages • Assume • Probability that a receiver lose a CDM message: pf • Broadcast frequency: F, • Duration of a high-level interval: 0 • Reduce loss rate to • Increase overhead by F0 times • Tolerate normal message loss: • Connect the low-level key chains and the high-level key chain CSC 774 Adv. Net. Security

  13. Scheme III (Cont’d) CDMi=i|Ki+1,0|H(Ki+2 ,0)|MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 CSC 774 Adv. Net. Security

  14. DOS attacks • CDM messages are more attractive to attackers • DOS attacks against CDM messages • Selective jamming • Smart attacks: only change certain fields in CDM messages • A receiver cannot discard the messages until it gets the corresponding disclosed key CDMi=i|Ki+1,0|H(Ki+2 ,0)|MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 Disclosed High-level Key for Ii-1 Image of Low-level Key Chain Commitment for Ii+1 Low-level Key Chain Commitment for Ii+1 MAC CSC 774 Adv. Net. Security

  15. Scheme IV: (Final) Two-Level Key Chains • Randomize CDM distribution to mitigate selective jamming attacks • We assume there are other methods to deal with constant jamming. • Random selection strategy to mitigate smart DOS attacks • Single buffer random selection • Multiple buffer random selection CSC 774 Adv. Net. Security

  16. Scheme IV (Cont’d) • Single buffer random selection • Assume each sensor has one buffer for CDM • Initial verification to discard forged CDMi • Authenticate disclosed high-level key. • Authenticate Ki+1,0 if CDMi-1 is authenticated. • For the k-th copy of CDMi that passes the initial verification • Save it in the buffer with probability 1/k. • All such copies have equal probability to be saved. • The probability that a sensor has an authentic CDM • P(CDMi) = 1 p, where CSC 774 Adv. Net. Security

  17. Scheme IV (Cont’d) • Multiple buffer random selection • Assume each sensor has m buffers for CDM • Initial verification to discard forged CDMi • Same as before. • For the k-th copy of a CDMi that passes the initial verification • km save it in one available buffer. • k > m save it in a randomly selected buffer with probability m/k; • All such copies have equal probability to be saved. • The probability that the sensor has an authentic CDM • P(CDMi) = 1 pm, where CSC 774 Adv. Net. Security

  18. Scheme V: Multi-Level Key Chains • m levels of key chains, arranged from level 0 to level m-1 from top down. • Keys in level m-1 are used for authenticating data • Each higher-level key chain is used to authenticate the commitments for its immediately lower-level key chains. • Every two adjacent levels work in the same way as in Scheme IV. CSC 774 Adv. Net. Security

  19. Simulation Study • Network model • Emulate broadcast channel over IP multicast • One base station • One attacker • Multiple sensor nodes • Sensors are one-hop neighbors of the base station and the attacker • Parameters • Channel loss rate • Percentage of forged CDM packets • Buffer size at sensors (data packets and CDM packets) CSC 774 Adv. Net. Security

  20. Simulation Study (Cont’d) • Metrics • %authenticated data packets at a sensor node (#authenticated data packets/received data packets) • Average data authentication delay (the average time between the receipt and the authentication of a data packet). CSC 774 Adv. Net. Security

  21. Experimental Results • Buffer allocation schemes 95% forged CDM 1 CDM buffers 1 CDM buffers CSC 774 Adv. Net. Security

  22. Experimental Results (Cont’d) 39 CDM buffers 3 data buffers • %authenticated data packets 95% forged CDM CSC 774 Adv. Net. Security

  23. Experimental Results (Cont’d) • Average data packet authentication delay 39 CDM buffers 3 data buffers CSC 774 Adv. Net. Security

  24. Conclusion • Developed a multi-level key chain scheme to efficiently distribute commitments for TESLA • Low overhead • Tolerance of message loss • Scalable to large networks • Resistant to replay attacks and DOS attacks • Future work • Reduction of the long delay after complete loss of CDM • Broadcast authentication involving multiple base stations • Adaptive approach to dealing with the DOS attacks CSC 774 Adv. Net. Security

  25. Thank You! CSC 774 Adv. Net. Security

More Related