290 likes | 535 Views
Improvements to TESLA Using Secret Sharing Scheme. ECE 646: Cryptography and Network Security Professor: Dr. Jens-Peter Kaps Project Team Krishna Chaitanya Thirumalasetty KamalEldin Mohamed Lieyong Yang Nick Ton December 19, 2006. Agenda. Overview & Motivation TESLA Protocol
E N D
Improvements to TESLAUsing Secret Sharing Scheme ECE 646: Cryptography and Network Security Professor: Dr. Jens-Peter Kaps Project Team Krishna Chaitanya Thirumalasetty KamalEldin Mohamed Lieyong Yang Nick Ton December 19, 2006
Agenda • Overview & Motivation • TESLA Protocol • Protocol Overview • Sender Setup • Receiver Authentication • DoS Attack • Improving DoS Attack • Instant Key Disclosure (TIK) • Staggered TESLA • Public Key Cryptography (PKC) • Group Multicast Authentication (GMA) • Shamir’s Secret Sharing • Analytical Approach • Experimental Approach • Design & Implementation • Results • Conclusion • References
Research Motivation • Our Observation: • TELSA protocol are weak against Denial-of-Service (DoS) attacks • Our Goal: • Analyze and implement improvements to TESLA • Our Approach: • Group Multicast Authentication (GMA) using Shamir Threshold Scheme
TESLA – Overview Timed Efficient Stream Loss-Tolerant Authentication • Broadcast authentication protocol for message authenticating • Published in IEEE Security and Privacy 2000, NDSS 2001 [PCST] • Uses symmetric key cryptography • Asymmetric key cryptography via time • Based on initial loose time synchronization • MAC is attached to each packet • Delayed-disclosure of keys 1- Verify Ki M F(Ki)AuthenticCommitment Kiis disclosed MAC (Ki , M) 2- Verify MAC 3-M is authentic ti-1 ti ti+1 time
TESLA – Sender Setup • Break time in intervals of same duration • Determine key chain length N, picks the last key KN randomly • Using a One Way Pseudo Random Function F compute Ki = F(Ki+1), assign one key to each interval • Use F' to derive the key to compute MAC K’i= F’(K’i) Key generation Ki-1 Ki Ki+1 KN F’ F’ F’ F’ K’i-1 K’i K’i+1 K’N time interval i -1 interval i interval i +1 interval N Key disclosure
TESLA – Receiver Authentication Ki-1 Ki Ki+1 F’ F’ F’ K’i-1 K’i K’i+1 Pi-1 Pi Pi+1 Mi-1, Ki-2 MAC(K’i-1, Di-1) Mi , Ki-1 MAC(K’i, Di) Mi+1, Ki MAC(K’i+1, Di+1) Di-1 Di Di+1 authenticated authenticated after reception of Pi+1 not yet authenticated • When the receiver gets packet Pi,it can not verify the MAC since it does not yet know Ki from which it can compute K’i • Packet Pi+1 discloses Ki and allows the receiver to: • verify that Ki is correct, e.g., F(Ki) = Ki-1 • compute K’i and check the authenticity of packet Piby verifying the MAC of Pi
TESLA DoS Attack – Receiver Side • Sender • Delayed release of authentication keys • Receiver • Limited buffer size • Delayed Authentication • Attacker • Flood the multicast group with bogus traffic! • …Serious DoS Attack…
Exiting Solutions Towards Tesla DoS Attack • Key Disclosure Delay Invites DoS Attack • TESLA with Instant Key Disclosure (TIK) • Eliminate the authentication delay • Rely on precise synchronization • Staggered TESLA • Shorten the key delay • Multiple, staggered authentication keys • Efficient Multi-Chained Stream Signature (EMSS)
New Public Key Solution Coming • New Emerging Algorithms • Elliptic Curve Cryptography (ECC) • ECC 163 signature verification takes 480 ms on custom designed hardware nodes • NTRUEncrypt and NTRUSign • NTRU 251 Vs RSA 1024 on Palm (Encrypt 42:1 Decrypt 333:1) • NTRU 251 Vs ECC 163 on Palm (Encrypt 52.5:1 Decrypt 9:1) • Faster & Smaller Chips – Moore’s Law • Sensor Nodes Harvest Energy From Environment
Pj’ GMA MAC TESLA MAC Message||Key||ID MACKg (Pj) MACK’i(Mj) Pj Group MAC Authentication (GMA) • Group MAC of each packet MACKg (Pj) • Original Tesla Packet Pj = {M j || i || MACK’i(Mj) || K{i-d}} • New Packet Pj’ = Pj|| MACKg(Pj)
Our Solution • Group Multicast Authentication • (GMA)
Shamir’s Secret Sharing • Secret Sharing Scheme • Secret is shared by a trust group – everyone has responsibility • Address the problem of key distribution • Allows multiple users to recover secret • Secret Sharing Scheme has two phase: • Dealer Phase where secret shares are generated • Reconstruction Phase where secrets are combined to reconstruct the original secret • Secret S is shared by n users, each one has Si, 1< i≤ n • Iff any member in a group knows T or more shares • can reconstruct the secret S • Else • Secret is not recoverable
Shamir Threshold Scheme • Dealer Phase: • Choose a very large prime number p, where p > max(S,n) • Let a0 = S, where S is the secret • Pick a coefficient of a polynomial function ai = [0,p) • a1, ….,at-1, 0<aj <p-1 • Compute the polynomial function to get S(i) • Reconstruction Phase • Must have sufficient number of shares (ai) • S (i) = a0+ a1i1 + a2i2 +…+ at-1it-1 • S (0) =a0=S • S (1) = a0+ a111 + a212 +…+ at-11t-1 • S (2) = a0+ a121 + a222 +…+ at-12t-1 • …… • S(t-1) = a0+ a1(t-1)1 + a2(t-1)2 +…+ at-1(t-1)t-1 • t-1 functions can not solve for secret S • Lagrange interpolation formula to • Reconstruct the secret Key a0=S
GMA Protocol: Setup • Each node is pre-configured with a routing table • Only knows neighboring node • Upstream nodes generate session keys for downstream nodes • Each node is seeded with a secret share Si • Si is created from secret S • Each node is initialized with a threshold t ≤ N • N is the total number of secrets shares
GMA Protocol:Secret Share Transmission 1 • Node 1 Initiates • Creates session keys K12 and K13 • Send secret share S1 • Node 2 and Node 3 Initiates • Uses K12 and K13 to send S2 and S3 • Create session keys K24 and K35 • Node 2 sends S1, S2 • Node 3 sends S1, S3 • Node 4 and Node 5 Responds • Uses K24and K35 to send S4 and S5 • Node 2 and Node 3 Responds • Retransmit S4 and S5 to Node 1 2 3 4 5 Nodes send/receive until threshold is reached
GMA Protocol: Broadcast Authentication 1 • Once a node has reached threshold • Each node calculates secret S • Use the secret to broadcast • Sender Message Encryption • MAC(x) = MACS(H(x)) • y = ES(x)||MACS(x) • Receiver Message Decryption • x = Ds(y) • Compare MAC(Ds(y)) = MAC(x) 2 3 4 5
Analytical Approach • Manually simulated secret share exchange • Analyzed for 10 node hierarchical network • Analyzed 3 types of topology • Observed the following: • Node 0 (broadcast node) is first to achieve threshold • Leaf nodes are last to receive all shares • Independent of topology • Each node on average re-broadcast (t-1)n
Experimental Approach • Justification • Provide evidence to support or reject analytical observations • Determine performance and efficiency metrics • Timing data (convergence time, round-trip time) • Methodology • Develop GMA protocol in the NS2 • Other simulation framework were available (omnet++, simlink, …etc.)
Implementation Design • Risk Reduction Strategies • Simplify protocol • Identify essential operations within the GMA protocol • Divide Conquer • Divided the GMA protocol into: • Secret Share Exchange • Multicast Authentication • Testing Strategies • Automate test scenarios with python/shell scripts
Class mirror C++ OTcl TclObject Agent Agent/TCP Protocol Implementation • class GMA_Agent : public Agent • { • public: • GMA_Agent() : GMA_Agent(“Agent/GMA_Agent”) {} • recv( Packet *, Handler *); • } • Class GB_Agent…. TclObject NsObject Agent GMA_Agent
seqno_ cmn header scr_addr_ header ip header data_ data GMA header qLength_ GB header ack_ Additional Integration Steps Packet Implementation Additional modifications to NS2 Define new packet GMA_Packet Add new packet protocol ID into packet.h Add new packet type into ns-default.tcl Add an entry for new packet type ns-packet.tcl Modify ns2 Makefile
Experimental Results Secret Share Exchange Convergence Time Size • Performed simulation • Random topology for: • 50, 100, 200 nodes • Bandwidth 10 kbps • Share size 128 bits • Collect convergence time for secret share exchange • Collect round-trip time for Node-0 acknowledgement • Conclusion • Share size is dependent upon network size and bandwidth • Round-trip broadcast authentication is exponentially proportional to the network size Round Trip time
Conclusion • GMA Protocol • Can be viable augmentation to TELSA protocol • Does provide protection against DoS attack • Instant authentication of packets • Performance degrades exponentially for large network topology • Further Research & Development • Further analysis of the protocol setup • Secrecy of key exchange using AVISPA • Automated Validation of Internet Security Protocols and Applications • Solving the scalability problem through better implementation of the GMA protocol • Improvements to group key management
References • A. Perrig, R. Canetti, J. Tygar, and D. Song, “The TESLA broadcast authentication protocol”, RSA CryptoBytes, 2002. • R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas, “Multicast security: A taxonomy and some efficient constructions”, in INFOCOMM’99, 1999. • S. Cheung, “An efficient message authentication scheme for link state routing”, in Proceedings of the 13th Annual Computer Security Applications Conference, December 1997, pp. 90–98. • F. Bergadano, D. Cavagnino, and B. Crispo, “Chained stream authentication”, in Proceedings of the 7th Annual Workshop on Selected Areas in Cryptography, August 2000, pp. 144–157. • B. Briscoe, “FLAMeS: Fast, loss-tolerant authentication of multicast streams,” Technical report, BT Research, 2000. • A. Perrig, J. Tygar, “Secure Broadcast Communication in Wired and Wireless”, Kluwer Academic Publishers, Norwell, MA 2003. • A. Perrig, R. Canetti, D. Song, and J. D. Tygar, “Efficient and secure source authentication for multicast”, in Proceedings of Network and Distributed System Security Symposium, February 2001. • Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J. D. Tygar, “SPINS: Security Protocols for Sensor Networks”, in Proceedings of Seventh Annual International Conference on Mobile Computing and Network, July 2001 • Donggang Liu, Peng Ning, “Multi-Level µTESLA: A Broadcast Authentication System for Distributed Sensor Networks”, ACM Transactions on Embedded Computing Systems (TECS), Vol. 3, No. 4, pages 800--836, November 2004 • Kui Ren, Kai Zeng, Wenjing Lou, and Patrick J. Moran, "On broadcast authentication in wireless sensor networks", Lecture Notes in Computer Science, vol. 4138, pp. 502-514. International Conference on Wireless Algorithms, Systems, and Applications (WASA 2006), Xi'an, China, August 15-18, 2006