Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks Donggang Liu and Peng Ning Department of Computer Science NC State University CSC 774 Adv. Net. Security
Background Sensor Networks One or a few more powerful base stations and a potentially large number of sensor nodes Inexpensive Limited resources (computational power, memory space, energy, etc.) When security is a concern, it is necessary for the sensors to authenticate messages received from base stations. CSC 774 Adv. Net. Security
Ki=F(Ki+1), F: pseudo random function TESLA A variation of TESLA Based on symmetric cryptography Provide broadcast source authentication by delayed disclosure of authentication keys Authentication of messages depends on the authenticity of the key chain commits K0. commitment Ki=F(Ki+1), F: pseudo random function Authentication Keys K4 F K3 K2 K1 K0 Kn= R Divide time into time intervals; associate one key with each interval; keys are chained together via a pseudo random function; distribute the last one of the key chain to the receivers a head of the first interval. Authenticate messages in a time interval with the corresponding key; do not disclose the authentication key until after a predefined delay. Security condition: if a receiver gets the messages before the corresponding key is disclosed, it buffers the messages. It then authenticates the buffered messages after receiving the corresponding key. … Time Key Disclosure K1 K2 Kn-2 CSC 774 Adv. Net. Security
Distribution of Key Chain Commits TESLA Digital signatures: Too expensive for sensors Use the current keys to authenticate the commitment of the next key chain. Attractive targets for attackers. Loss of commitment distribution messages loss of the next key chain bootstrap again. New commit K0’ Old key Kn Old key chain New key chain CSC 774 Adv. Net. Security
Distribution of Key Chain Commits (Cont’d) TESLA Unicast-based secure communication with the base station. Do not scale to large networks CSC 774 Adv. Net. Security
Techniques Multi-level TESLA Five Schemes Predetermination and broadcast instead of unicast. Use high-level key chain to authenticate commitments of low-level key chains. Tolerate communication failures and malicious attacks. Five Schemes Each later scheme improves over the previous one by addressing its limitations. The final scheme Low overhead Tolerate message losses Scalable to large networks Resistant to replay attacks and DOS attacks. CSC 774 Adv. Net. Security
Scheme I: Predetermined Key Chain Commitment Predetermine the TESLA parameters along with the master key distribution commitment start time other parameters Shortcomings Long key chain or large time interval? Difficulties in setting up start time CSC 774 Adv. Net. Security
Scheme II: Naïve Two-Level Key Chains One high-level key chain and multiple low-level key chains High-level key chain Authenticate commitments of low-level key chains Done through broadcast of Commit Distribution Messages (CDM) Low-level key chains Authenticate actual data messages CSC 774 Adv. Net. Security
Scheme II (Cont’d) The two-levels of key chains Beginning of each high-level interval is denoted as T_{i}. Since the high-level interval is usually long, we use t+delta_{max} < T_{i+1} as the security condition. Disclosure lag in the low-level key chains are determined in the same way as TESLA. Immediate authentication. CDMi-1=i|Ki,0|H(Ki+1, 0)|MACK’i-1(i|Ki, 0|H(Ki+1, 0 ))|K i-2 CDMi=i|Ki+1,0|H(Ki+2 ,0)|MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 CSC 774 Adv. Net. Security
Scheme II (Cont’d) Key disclosure schedule CSC 774 Adv. Net. Security
Scheme II (cont’d) Limitations Loss of CDM message during high-level interval Ii unable to authenticate during Ii+1 Loss of the last several low-level keys unable to authenticate the corresponding messages. CSC 774 Adv. Net. Security
Scheme III: Fault Tolerant Two-Level Key Chains Tolerate CDM message loss: Periodically broadcast CDM messages Assume Probability that a receiver lose a CDM message: pf Broadcast frequency: F, Duration of a high-level interval: 0 Reduce loss rate to Increase overhead by F0 times Tolerate normal message loss: Connect the low-level key chains and the high-level key chain CSC 774 Adv. Net. Security
CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 Scheme III (Cont’d) CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 CSC 774 Adv. Net. Security
CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 DOS attacks CDM messages are more attractive to attackers DOS attacks against CDM messages Selective jamming Smart attacks: only change certain fields in CDM messages A receiver cannot discard the messages until it gets the corresponding disclosed key 1. We need at least one later CDM message that contains the authentic disclosed key to verify an earlier CDM message. 2. In order to have immediate authentication of low-level key commitment for interval i, we need at least an authentic CDM message for interval I-2, and a CDM message for interval I-1 that contains the authentic disclosed key. CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1 Image of Low-level Key Chain Commitment for Ii+1 Disclosed High-level Key for Ii-1 Low-level Key Chain Commitment for Ii+1 MAC CSC 774 Adv. Net. Security
Scheme IV: (Final) Two-Level Key Chains Randomize CDM distribution to mitigate selective jamming attacks We assume there are other methods to deal with constant jamming. Random selection strategy to mitigate smart DOS attacks Single buffer random selection Multiple buffer random selection CSC 774 Adv. Net. Security
Scheme IV (Cont’d) Single buffer random selection Assume each sensor has one buffer for CDM Initial verification to discard forged CDMi Authenticate disclosed high-level key. Authenticate Ki+1,0 if CDMi-1 is authenticated. For the k-th copy of CDMi that passes the initial verification Save it in the buffer with probability 1/k. All such copies have equal probability to be saved. The probability that a sensor has an authentic CDM P(CDMi) = 1 p, where CSC 774 Adv. Net. Security
Scheme IV (Cont’d) Multiple buffer random selection Assume each sensor has m buffers for CDM Initial verification to discard forged CDMi Same as before. For the k-th copy of a CDMi that passes the initial verification k m save it in one available buffer. k > m save it in a randomly selected buffer with probability m/k; All such copies have equal probability to be saved. The probability that the sensor has an authentic CDM P(CDMi) = 1 pm, where CSC 774 Adv. Net. Security
Scheme V: Multi-Level Key Chains m levels of key chains, arranged from level 0 to level m-1 from top down. Keys in level m-1 are used for authenticating data Each higher-level key chain is used to authenticate the commitments for its immediately lower-level key chains. Every two adjacent levels work in the same way as in Scheme IV. More need to be added here. CSC 774 Adv. Net. Security
Simulation Study Network model Parameters Emulate broadcast channel over IP multicast One base station One attacker Multiple sensor nodes Sensors are one-hop neighbors of the base station and the attacker Parameters Channel loss rate Percentage of forged CDM packets Buffer size at sensors (data packets and CDM packets) CSC 774 Adv. Net. Security
Simulation Study (Cont’d) Metrics %authenticated data packets at a sensor node (#authenticated data packets/received data packets) Average data authentication delay (the average time between the receipt and the authentication of a data packet). CSC 774 Adv. Net. Security
Experimental Results Buffer allocation schemes 95% forged CDM 1 CDM buffers Multi-buffer random selection. A data packet has 65 bytes: header (1), index (8), data (40), MAC (8), disclosed key(8). 8 buffers = 448 bytes --> 4 CDM buffers. 56 bytes to store. A CDM has 41 bytes: header (1), level number and an index (1), next commitment (8), hash of next next commitment (8), MAC (8), disclosed key (8). For each CDM, 40 bytes for the firs copy, and 8 bytes for the later copies. 1 CDM buffers CSC 774 Adv. Net. Security
Experimental Results (Cont’d) 39 CDM buffers 3 data buffers %authenticated data packets 95% forged CDM CSC 774 Adv. Net. Security
Experimental Results (Cont’d) Average data packet authentication delay 39 CDM buffers 3 data buffers CSC 774 Adv. Net. Security
Conclusion Developed a multi-level key chain scheme to efficiently distribute commitments for TESLA Low overhead Tolerance of message loss Scalable to large networks Resistant to replay attacks and DOS attacks Future work Reduction of the long delay after complete loss of CDM Broadcast authentication involving multiple base stations Adaptive approach to dealing with the DOS attacks CSC 774 Adv. Net. Security
Thank You! CSC 774 Adv. Net. Security