BROADCAST AUTHENTICATION

Slides:



Advertisements
Similar presentations
Giuseppe Bianchi Lecture 6.1: Extras: Merkle Trees.
Advertisements

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 6. Security in Mobile Ad-Hoc Networks.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 4.2 BiBa.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig.
Security Issues In Sensor Networks By Priya Palanivelu.
Timed Efficient Stream Loss-Tolerant Authentication. (RFC 4082) Habib Moukalled 1/29/08.
KIANOOSH MOKHTARIAN SCHOOL OF COMPUTING SCIENCE SIMON FRASER UNIVERSITY 3/24/2008 Secure Multimedia Streaming.
Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.
Authenticating streamed data in the presence of random packet loss March 17th, Philippe Golle, Stanford University.
SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.
SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.
ITIS 6010/8010: Wireless Network Security Weichao Wang.
Multicast Security CS239 Advanced Network Security April 16 th, 2003 Yuken Goto.
1 Timed Efficient Stream Loss-tolerant Authentication.
Computer Science CSC 774 Adv. Net. SecurityDr. Peng Ning1 CSC 774 Advanced Network Security Topic 4. Broadcast Authentication.
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.
Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.
CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
Mitigating DoS Attacks against Broadcast Authentication in Wireless Sensor Networks Peng Ning, An Liu North Carolina State University and Wenliang Du Syracuse.
Computer Science Secure Hierarchical In-network Data Aggregation for Sensor Networks Steve McKinney CSC 774 – Dr. Ning Acknowledgment: Slides based on.
GZ06 : Mobile and Adaptive Systems A Secure On-Demand Routing Protocol for Ad Hoc Networks Allan HUNT Wandao PUNYAPORN Yong CHENG Tingting OUYANG.
Authors: Yih-Chun Hu, Adrian Perrig, David B. Johnson
Security on Sensor Networks Presented by Min-gyu Cho SPINS: Security Protocol for Sensor Networks TinySec: Security for TinyOS SPINS: Security Protocol.
Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols ► Acts as denial of service by disrupting the flow of data between a source and.
Computer Science CSC 774 Adv. Net. Security1 Presenter: Tong Zhou 11/21/2015 Practical Broadcast Authentication in Sensor Networks.
Computer Science 1 TinySeRSync: Secure and Resilient Time Synchronization in Wireless Sensor Networks Speaker: Sangwon Hyun Acknowledgement: Slides were.
Group-based Source Authentication in VANETs You Lu, Biao Zhou, Fei Jia, Mario Gerla UCLA {youlu, zhb, feijia,
Multi-user Broadcast Authentication in Wireless Sensor Networks Kui Ren, Wenjing Lou, Yanchao Zhang SECON2007 Manar Mahmoud Abou elwafa.
Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks Donggang Liu and Peng Ning Department of Computer.
Shambhu Upadhyaya 1 Ad Hoc Networks – Network Access Control Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 20)
Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks Random Key Predistribution Schemes for Sensor.
Efficient and Secure Source Authentication for Multicast 報告者 : 李宗穎 Proceedings of the Internet Society Network and Distributed System Security Symposium.
Security for Broadcast Network
1 Security for Broadcast Network Most slides are from the lecture notes of prof. Adrian Perrig.
Author: Na Ruan, Yoshiaki Hori Published in:
Authenticating streamed data in the presence of random packet loss February 8 th, 2001 Philippe Golle Nagendra Modadugu Stanford University.
S E A D Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks Yih-Chun Hu,David B.Johnson, Adrian Perrig.
Presented by: Reut Barazani Limor Levy. Contents Introduction Digital signature broadcast message authentication TESLA broadcast message authentication.
Overview Modern public-key cryptosystems: RSA
Packet Leashes: Defense Against Wormhole Attacks
CSCE 715: Network Systems Security
CS/ECE 578 Cyber-Security
Presented by: Dr. Munam Ali Shah
Switching Techniques In large networks there might be multiple paths linking sender and receiver. Information may be switched as it travels through various.
The TESLA Broadcast Authentication Protocol CS 218 Fall 2017
NET 311 Information Security
Transport Layer Unit 5.
Ariadne A Secure On-Demand Routing Protocol for Ad Hoc Networks
SPINS: Security Protocols for Sensor Networks
CS/ECE 418 Introduction to Network Security
SRDP: Securing Route Discovery in DSR
Switching Techniques In large networks there might be multiple paths linking sender and receiver. Information may be switched as it travels through various.
CS/ECE 478 Introduction to Network Security
CS/ECE 478 Network Security Dr. Attila Altay Yavuz
Path key establishment using multiple secured paths in wireless sensor networks CoNEXT’05 Guanfeng Li  University of Pittsburgh, Pittsburgh, PA Hui Ling.
Data Integrity: Applications of Cryptographic Hash Functions
Block vs Stream Ciphers
SPINS: Security Protocols for Sensor Networks
Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig
Chapter -7 CRYPTOGRAPHIC HASH FUNCTIONS
Message Authentication Code
Topic 13: Message Authentication Code
SPINS: Security Protocols for Sensor Networks
Outline A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar. SPINS: Security protocols for sensor networks. In Proceedings of MOBICOM, 2001 Sensor.
CRYPTOGRAPHY & NETWORK SECURITY
Discussion on TESLA Based Frame Authentication
TESLA Based Frame Authentication
Presentation transcript:

BROADCAST AUTHENTICATION TESLA EMMS Dr. Attila A. Yavuz CS/ECE 519/599 -- Adv Applied Cryptography

What Is Broadcast Authentication? One sender; multiple receivers All receivers need to authenticate messages from the sender.

Challenges in Broadcast Authentication Can we use symmetric cryptography in the same way as in point-to-point authentication? How about public key cryptography? Effectiveness? Cost? Research in broadcast authentication Reduce the number of public key cryptographic operations

Outline Two schemes TESLA EMSS Sender authentication Strong loss robustness High scalability Minimal overhead (-) Lack of immediate verification EMSS Non-repudiation High loss robustness Low overhead

TESLA – Overview Timed Efficient Stream Loss–tolerant Authentication Based on timed and delayed release of keys by the sender High level ideas Sender commits to a random key K and transmits the commitment to the receivers without revealing it Sender attaches a MAC to the next packet Pi with K as the MAC key Sender releases the key in packet Pi+1 and receiver uses this key K to verify Pi

TESLA – Scheme I Each packet Pi+1 authenticates Pi Problems? Ki’=F’(Ki) Each packet Pi+1 authenticates Pi Problems? Security? Robustness?

TESLA – Scheme I (Cont’d ) If attacker gets Pi +1 before receiver gets Pi, it can forge Pi Security Condition ArrTi + t < Ti +1 Sender’s clock is no more than t seconds ahead of that of the receivers One simple way: constant data rate Packet loss not tolerated

TESLA – Scheme II Generate a sequence of keys {Ki} with one-way function F Randomly generate Kn Ki = Fn-i(Kn) Commitment Ko = Fn (Kn) Attacker cannot invert F or compute any Kj given Ki, where j>i Receiver can compute all Kj from Ki, where j < i Kj = Fi-j (Ki); K’i = F’ (Ki)

TESLA – Scheme II (Cont’d)

TESLA – Scheme III Remaining problems with Scheme II Scheme III Inefficient for fast packet rates Sender cannot send Pi+1 until all receivers receive Pi Scheme III Does not require that sender wait for receiver to get Pi before it sends Pi+1 Basic idea: Disclose Ki in Pi+d instead of Pi+1

TESLA – Scheme III (Cont’d) Disclosure delay d = (tMax + dNMax)r  tMax: maximum clock discrepancy dNMax: maximum network delay r: packet rate Security Condition: ArrTi + t < Ti+d

TESLA – Scheme IV Deal with dynamic transmission rates Idea Divide time into intervals Use the same Ki to compute the MAC of all packets in the same interval i All packets in the same interval disclose the key Ki-d Achieve key disclosure based on intervals rather than on packet indexes

TESLA – Scheme IV (Cont’d)

TESLA – Scheme IV (Cont’d) Interval index: i = (t – To)/T Ki’ = F’(Ki) for each packet in interval i Pj = <Mj, i, Ki-d, MAC(Ki’, Mj, i, Ki-d) >

TESLA – Scheme V In Scheme IV: Scheme V A small d will force remote users to drop packets A large d will cause unacceptable delay for fast receivers Scheme V Use multiple authentication chains with different values of d Receiver verifies one security condition for each chain Ci, and drops the packet if none is satisfied

TESLA--Immediate Authentication Mj+vd can be immediately authenticated once packet j is authenticated Not to be confused with packet j+vd being authenticated

EMSS Efficient Multichained Streamed Signature Useful where Non Repudiation required Time synchronization may be a problem Based on signing a small number of special packets in the stream Each packet linked to a signed packet via multiple hash chains

EMSS – Basic Signature Scheme

EMSS – Basic Signature Scheme (Cont’d) Sender sends periodic signature packets Pi is verifiable if there exists a path from Pi to any signature packet Sj

EMSS – Extended Scheme More resiliency: Split hash into k chunks, where any k’ chunks are sufficient to allow the receivers to validate the information Rabin’s Information Dispersal Algorithm Sosme upper few bits of hash Requires any k’ out of k packets to arrive More robust