Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks Donggang Liu and Peng Ning Department of Computer.

Slides:



Advertisements
Similar presentations
Secure Time Synchronization Service for Sensor Networks S. Ganeriwal, R. Kumar, M. B. Sirvastava Presented by: Kaiqi Xiong 11/28/2005 Computer Science.
Advertisements

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 6. Security in Mobile Ad-Hoc Networks.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 4.2 BiBa.
CSC 774 Advanced Network Security
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7.3 Secure and Resilient Location Discovery in Wireless.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Sec-TEEN: Secure Threshold sensitive Energy Efficient sensor Network protocol Ibrahim Alkhori, Tamer Abukhalil & Abdel-shakour A. Abuznied Department of.
Containing DoS Attacks in Broadcast Authentication in Sensor Networks (Ronghua Wang, Wenliang Du, Peng Ning) Containing DoS Attacks in Broadcast Authentication.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
Computer Science SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks Yi Yang, Xinran Wang, Sencun Zhu and Guohong Cao April 24, 2007.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7. Wireless Sensor Network Security.
Using Auxiliary Sensors for Pair-Wise Key Establishment in WSN Source: Lecture Notes in Computer Science (2010) Authors: Qi Dong and Donggang Liu Presenter:
Presented by Santhi Priya Eda Vinutha Rumale.  Introduction  Approaches  Video Streaming Traffic Model  QOS in WiMAX  Video Traffic Classification.
Computer Science 1 Efficient Self-healing Group Key Distribution With Revocation Capability Archana Rajagopal CSC 774 Presentation Based on Original Slides.
SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.
Roberto Di Pietro, Luigi V. Mancini and Alessandro Mei.
A Pairwise Key Pre-Distribution Scheme for Wireless Sensor Networks Wenliang (Kevin) Du, Jing Deng, Yunghsiang S. Han and Pramod K. Varshney Department.
Security Issues In Sensor Networks By Priya Palanivelu.
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
Timed Efficient Stream Loss-Tolerant Authentication. (RFC 4082) Habib Moukalled 1/29/08.
Sencun Zhu Sanjeev Setia Sushil Jajodia Presented by: Harel Carmit
Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.
Security & Efficiency in Ad- Hoc Routing Protocol with emphasis on Distance Vector and Link State. Ayo Fakolujo Wichita State University.
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.
SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.
Establishing Pairwise Keys in Distributed Sensor Networks Donggang Liu, Peng Ning Jason Buckingham CSCI 7143: Secure Sensor Networks October 12, 2004.
ITIS 6010/8010: Wireless Network Security Weichao Wang.
1 Timed Efficient Stream Loss-tolerant Authentication.
Computer Science Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks Presented by Akshay Lal.
Computer Science 1 Research on Sensor Network Security Peng Ning Cyber Defense Laboratory Department of Computer Science NC State University 2005 TRES.
Computer Science CSC 774 Adv. Net. SecurityDr. Peng Ning1 CSC 774 Advanced Network Security Topic 4. Broadcast Authentication.
Lecture 16 Random Access protocols r A node transmits at random at full channel data rate R. r If two or more nodes “collide”, they retransmit at random.
Mitigating DoS Attacks against Broadcast Authentication in Wireless Sensor Networks Peng Ning, An Liu North Carolina State University and Wenliang Du Syracuse.
Computer Science Secure Hierarchical In-network Data Aggregation for Sensor Networks Steve McKinney CSC 774 – Dr. Ning Acknowledgment: Slides based on.
Secure Aggregation for Wireless Networks Lingxuan Hu David Evans [lingxuan, Department of Computer.
Securing Every Bit: Authenticated Broadcast in Wireless Networks Dan Alistarh, Seth Gilbert, Rachid Guerraoui, Zarko Milosevic, and Calvin Newport.
Stochastic sleep scheduling (SSS) for large scale wireless sensor networks Yaxiong Zhao Jie Wu Computer and Information Sciences Temple University.
GZ06 : Mobile and Adaptive Systems A Secure On-Demand Routing Protocol for Ad Hoc Networks Allan HUNT Wandao PUNYAPORN Yong CHENG Tingting OUYANG.
Computer Science 1 CSC 774 Advanced Network Security Distributed detection of node replication attacks in sensor networks (By Bryan Parno, Adrian Perrig,
Authors: Yih-Chun Hu, Adrian Perrig, David B. Johnson
Protecting Privacy in WLAN with DoS Resistance using Client Puzzle Team 7 Yanisa Akkarawichai Rohan Shah CSC 774 – Advanced Network Security Prof. Peng.
A Two-Layer Key Establishment Scheme for Wireless Sensor Networks Yun Zhou, Student Member, IEEE, Yuguang Fang, Senior Member, IEEE IEEE TRANSACTIONS ON.
Computer Science CSC 774 Adv. Net. Security1 Presenter: Tong Zhou 11/21/2015 Practical Broadcast Authentication in Sensor Networks.
LiSP: A Lightweight Security Protocol for Wireless Sensor Networks TAEJOON PARK and KANG G. SHIN The University of Michigan Presented by Abhijeet Mugade.
Mangai Vetrivelan Snigdha Joshi Avani Atre. Sensor Network Vulnerabilities o Unshielded Sensor Network Nodes vulnerable to be compromised. o Attacks on.
Computer Science 1 TinySeRSync: Secure and Resilient Time Synchronization in Wireless Sensor Networks Speaker: Sangwon Hyun Acknowledgement: Slides were.
Security in Mobile Ad Hoc Networks: Challenges and Solutions (IEEE Wireless Communications 2004) Hao Yang, et al. October 10 th, 2006 Jinkyu Lee.
Multi-user Broadcast Authentication in Wireless Sensor Networks Kui Ren, Wenjing Lou, Yanchao Zhang SECON2007 Manar Mahmoud Abou elwafa.
Shambhu Upadhyaya 1 Ad Hoc Networks – Network Access Control Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 20)
Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks Random Key Predistribution Schemes for Sensor.
Efficient and Secure Source Authentication for Multicast 報告者 : 李宗穎 Proceedings of the Internet Society Network and Distributed System Security Symposium.
Tufts Wireless Laboratory School Of Engineering Tufts University Paper Review “An Energy Efficient Multipath Routing Protocol for Wireless Sensor Networks”,
Security for Broadcast Network
Turkmen Canli ± and Ashfaq Khokhar* Electrical and Computer Engineering Department ± Computer Science Department* The University of Illinois at Chicago.
1 An Interleaved Hop-by-Hop Authentication Scheme for Filtering of Injected False Data in Sensor Networks Sencun Zhu, Sanjeev Setia, Sushil Jajodia, Peng.
CS541 Advanced Networking 1 Contention-based MAC Protocol for Wireless Sensor Networks Neil Tang 4/20/2009.
1 Security for Broadcast Network Most slides are from the lecture notes of prof. Adrian Perrig.
Author: Na Ruan, Yoshiaki Hori Published in:
International Conference Security in Pervasive Computing(SPC’06) MMC Lab. 임동혁.
Computer Science Least Privilege and Privilege Deprivation: Towards Tolerating Mobile Sink Compromises in Wireless Sensor Network Presented by Jennifer.
In the name of God.
SPINS: Security Protocols for Sensor Networks
Location Cloaking for Location Safety Protection of Ad Hoc Networks
The TESLA Broadcast Authentication Protocol CS 218 Fall 2017
SPINS: Security Protocols for Sensor Networks
BROADCAST AUTHENTICATION
SPINS: Security Protocols for Sensor Networks
Outline A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar. SPINS: Security protocols for sensor networks. In Proceedings of MOBICOM, 2001 Sensor.
Presentation transcript:

Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks Donggang Liu and Peng Ning Department of Computer Science NC State University CSC 774 Adv. Net. Security

Background Sensor Networks One or a few more powerful base stations and a potentially large number of sensor nodes Inexpensive Limited resources (computational power, memory space, energy, etc.) When security is a concern, it is necessary for the sensors to authenticate messages received from base stations. CSC 774 Adv. Net. Security

Ki=F(Ki+1), F: pseudo random function TESLA A variation of TESLA Based on symmetric cryptography Provide broadcast source authentication by delayed disclosure of authentication keys Authentication of messages depends on the authenticity of the key chain commits K0. commitment Ki=F(Ki+1), F: pseudo random function Authentication Keys K4 F K3 K2 K1 K0 Kn= R Divide time into time intervals; associate one key with each interval; keys are chained together via a pseudo random function; distribute the last one of the key chain to the receivers a head of the first interval. Authenticate messages in a time interval with the corresponding key; do not disclose the authentication key until after a predefined delay. Security condition: if a receiver gets the messages before the corresponding key is disclosed, it buffers the messages. It then authenticates the buffered messages after receiving the corresponding key. … Time Key Disclosure K1 K2 Kn-2 CSC 774 Adv. Net. Security

Distribution of Key Chain Commits TESLA Digital signatures: Too expensive for sensors Use the current keys to authenticate the commitment of the next key chain. Attractive targets for attackers. Loss of commitment distribution messages  loss of the next key chain  bootstrap again. New commit K0’ Old key Kn Old key chain New key chain CSC 774 Adv. Net. Security

Distribution of Key Chain Commits (Cont’d) TESLA Unicast-based secure communication with the base station. Do not scale to large networks CSC 774 Adv. Net. Security

Techniques Multi-level TESLA Five Schemes Predetermination and broadcast instead of unicast. Use high-level key chain to authenticate commitments of low-level key chains. Tolerate communication failures and malicious attacks. Five Schemes Each later scheme improves over the previous one by addressing its limitations. The final scheme Low overhead Tolerate message losses Scalable to large networks Resistant to replay attacks and DOS attacks. CSC 774 Adv. Net. Security

Scheme I: Predetermined Key Chain Commitment Predetermine the TESLA parameters along with the master key distribution commitment start time other parameters Shortcomings Long key chain or large time interval? Difficulties in setting up start time CSC 774 Adv. Net. Security

Scheme II: Naïve Two-Level Key Chains One high-level key chain and multiple low-level key chains High-level key chain Authenticate commitments of low-level key chains Done through broadcast of Commit Distribution Messages (CDM) Low-level key chains Authenticate actual data messages CSC 774 Adv. Net. Security

Scheme II (Cont’d) The two-levels of key chains Beginning of each high-level interval is denoted as T_{i}. Since the high-level interval is usually long, we use t+delta_{max} < T_{i+1} as the security condition. Disclosure lag in the low-level key chains are determined in the same way as TESLA. Immediate authentication. CDMi-1=i|Ki,0|H(Ki+1, 0)|MACK’i-1(i|Ki, 0|H(Ki+1, 0 ))|K i-2 CDMi=i|Ki+1,0|H(Ki+2 ,0)|MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 CSC 774 Adv. Net. Security

Scheme II (Cont’d) Key disclosure schedule CSC 774 Adv. Net. Security

Scheme II (cont’d) Limitations Loss of CDM message during high-level interval Ii  unable to authenticate during Ii+1 Loss of the last several low-level keys  unable to authenticate the corresponding messages. CSC 774 Adv. Net. Security

Scheme III: Fault Tolerant Two-Level Key Chains Tolerate CDM message loss: Periodically broadcast CDM messages Assume Probability that a receiver lose a CDM message: pf Broadcast frequency: F, Duration of a high-level interval: 0 Reduce loss rate to Increase overhead by F0 times Tolerate normal message loss: Connect the low-level key chains and the high-level key chain CSC 774 Adv. Net. Security

CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 Scheme III (Cont’d) CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 CSC 774 Adv. Net. Security

CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 DOS attacks CDM messages are more attractive to attackers DOS attacks against CDM messages Selective jamming Smart attacks: only change certain fields in CDM messages  A receiver cannot discard the messages until it gets the corresponding disclosed key 1. We need at least one later CDM message that contains the authentic disclosed key to verify an earlier CDM message. 2. In order to have immediate authentication of low-level key commitment for interval i, we need at least an authentic CDM message for interval I-2, and a CDM message for interval I-1 that contains the authentic disclosed key. CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 Image of Low-level Key Chain Commitment for Ii+1 Disclosed High-level Key for Ii-1 Low-level Key Chain Commitment for Ii+1 MAC CSC 774 Adv. Net. Security

Scheme IV: (Final) Two-Level Key Chains Randomize CDM distribution to mitigate selective jamming attacks We assume there are other methods to deal with constant jamming. Random selection strategy to mitigate smart DOS attacks Single buffer random selection Multiple buffer random selection CSC 774 Adv. Net. Security

Scheme IV (Cont’d) Single buffer random selection Assume each sensor has one buffer for CDM Initial verification to discard forged CDMi Authenticate disclosed high-level key. Authenticate Ki+1,0 if CDMi-1 is authenticated. For the k-th copy of CDMi that passes the initial verification Save it in the buffer with probability 1/k. All such copies have equal probability to be saved. The probability that a sensor has an authentic CDM P(CDMi) = 1  p, where CSC 774 Adv. Net. Security

Scheme IV (Cont’d) Multiple buffer random selection Assume each sensor has m buffers for CDM Initial verification to discard forged CDMi Same as before. For the k-th copy of a CDMi that passes the initial verification k  m  save it in one available buffer. k > m  save it in a randomly selected buffer with probability m/k; All such copies have equal probability to be saved. The probability that the sensor has an authentic CDM P(CDMi) = 1  pm, where CSC 774 Adv. Net. Security

Scheme V: Multi-Level Key Chains m levels of key chains, arranged from level 0 to level m-1 from top down. Keys in level m-1 are used for authenticating data Each higher-level key chain is used to authenticate the commitments for its immediately lower-level key chains. Every two adjacent levels work in the same way as in Scheme IV. More need to be added here. CSC 774 Adv. Net. Security

Simulation Study Network model Parameters Emulate broadcast channel over IP multicast One base station One attacker Multiple sensor nodes Sensors are one-hop neighbors of the base station and the attacker Parameters Channel loss rate Percentage of forged CDM packets Buffer size at sensors (data packets and CDM packets) CSC 774 Adv. Net. Security

Simulation Study (Cont’d) Metrics %authenticated data packets at a sensor node (#authenticated data packets/received data packets) Average data authentication delay (the average time between the receipt and the authentication of a data packet). CSC 774 Adv. Net. Security

Experimental Results Buffer allocation schemes 95% forged CDM 1 CDM buffers Multi-buffer random selection. A data packet has 65 bytes: header (1), index (8), data (40), MAC (8), disclosed key(8). 8 buffers = 448 bytes --> 4 CDM buffers. 56 bytes to store. A CDM has 41 bytes: header (1), level number and an index (1), next commitment (8), hash of next next commitment (8), MAC (8), disclosed key (8). For each CDM, 40 bytes for the firs copy, and 8 bytes for the later copies. 1 CDM buffers CSC 774 Adv. Net. Security

Experimental Results (Cont’d) 39 CDM buffers 3 data buffers %authenticated data packets 95% forged CDM CSC 774 Adv. Net. Security

Experimental Results (Cont’d) Average data packet authentication delay 39 CDM buffers 3 data buffers CSC 774 Adv. Net. Security

Conclusion Developed a multi-level key chain scheme to efficiently distribute commitments for TESLA Low overhead Tolerance of message loss Scalable to large networks Resistant to replay attacks and DOS attacks Future work Reduction of the long delay after complete loss of CDM Broadcast authentication involving multiple base stations Adaptive approach to dealing with the DOS attacks CSC 774 Adv. Net. Security

Thank You! CSC 774 Adv. Net. Security