Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented by: Reut Barazani Limor Levy. Contents Introduction Digital signature broadcast message authentication TESLA broadcast message authentication.

Published byBlaze Dawson Modified over 8 years ago

Similar presentations

Presentation on theme: "Presented by: Reut Barazani Limor Levy. Contents Introduction Digital signature broadcast message authentication TESLA broadcast message authentication."— Presentation transcript:

1 Presented by: Reut Barazani Limor Levy

2 Contents Introduction Digital signature broadcast message authentication TESLA broadcast message authentication Identification Other authentication mechanisms

3 Introduction One of the main challenges of securing broadcast communication is source authentication. Authentication- enabling receivers of broadcast data to verify that the received data really originates from the claimed source and was not modified in route This problem is complicated by mutually untrusted receivers and unreliable communication environments where the sender does not retransmit lost packets.

4 Authentication methods can be studied in two groups: message authentication and Entity (or Identification) authentication. Exmple: A and B, communicate using a message protocol. A is the sender of a message M, and B is the receiver. Depending on the type of communication or network, B would require one or more of the following on receipt of the message:

5 (1) Authentication of the message, (2) Integrity of the data included in the message, (3) Authentication of sender A. Message authentication provides assurance of the identity of A, the originator of the message M. This type of authentication also includes an evidence of data integrity because if M is modified during transmission, A cannot be the originator. Entity authentication assures B of both the identity of A and his active participation. To avoid replay attacks(i.e., a intruder masquerades as A, and sends a previously used message), time-variant data (sequence numbers, time stamps, etc.) can be added to the message.

6 VANET Authentication Authentication is the core security requirement in VANET VANET pose unique challenges, such as real-time constraints, processing limitations, memory constraints, extensibility and flexibility for future requirements, etc. Currently no proposed technique addresses all of these requirements.

7 Digital signature broadcast message authentication Mechanism that is default for VANET, commonly using public-private key cryptography. Example: authenticating vehicles beacon messages and safety messages

8 Broadcast message authentication algorithm 1. Node A signs a message m as S and broadcasts (m,S,C(A)) 2. Receiver B runs extracts algorithm and extracts A’s public key 3. B verifies the CRL for C(A) 4. B checks whether Ver PKA (m,S)=‘valid’

9 Pairwise authentication Pairwise example: vehicle is daily approaching the RSU for information in case of 1:1 relationship we apply different authentication protocol, only useful if there are repeated interactions We use MAC (Message Authentication Code) MAC is much more faster than digital signature and often based on hash algorithms.

10 MAC algorithm Require: nodes A and B share a common secret key K 1. Node A computes M=MAC(m,K) and sends (m,M) to B 2. B receives (m’,M’) and compute =MAC(m’,K) 3. B accepts the message if and only if =M’

11

12 Key agreement scheme In VANET predistributed keys are not feasible, therefore shared secret keys needs to be derived by means of a key agreement scheme. Correct design executes good key agreement scheme and then uses a KDF (Key Derivation Function) to derive 2 separate keys used for the authentication

13 Groupwise authentication Similar to pairwise message authentication, the different is that a group of vehicles communicate with one vehicles. A group of vehicles use common secret key K and key agreement scheme needs to be excuted. Useful only if group member exchange several messages before break up or regroup of vehicles, otherwise using broadcast authentication scheme provides superior preformance

14 TESLA broadcast message authentication Timed Efficient Stream Loss-tolerant Authentication TESLA provides run-time efficient authentication based on a mixture of digital signatures (in our case ECDSA) and MACs generated using symmetric cryptography at the cost of authentication delay at the receivers’ side. TESLA was originally intended for authenticating broadcast streams where a delay in authentication is negligible (such as authentication of a multimedia file stream or a stock market ticker)

15 Huand Laberteaux (2006) applied TESLA to VANET, and conclude that, despite some obstacles, TESLA is an appropriate authentication mechanism for VANET. TESLA uses time to provide asymmetric signature properties with symmetric functions.

16 TESLA Algorithm broadcast authentication. 1. Initially, A signs S := SigSKA(k0) and broadcasts S, C(A). 2. Each receiver B runs CERT_CHECK and verifies S. 3. for message mi in time interval ti, i = 1 to n do 4. A computes Mi := MAC(mi, ki) and broadcasts Mi, mi. 5. B checks whether it received Mi, mi in time interval ti and buffers it. 6. end for 7. for message mi in time interval ti+1, i = 1 to n do 8. A broadcasts ki. 9. B checks whether Mi?=MAC(mi, ki). 10: end for

17 TESLA Algorithm explanation : The sender attaches a MAC to each packet. The MAC is computed over the contents of the packet. For each packet, the sender uses the current key from the one-way chain as a cryptographic key to compute the MAC. The sender discloses a key from the one-way chain after some pre-defined time delay (e.g., the key used in time interval i is disclosed at time interval i+3). The receiver receives the packet. He knew the schedule for disclosing keys and it can check that the key used to compute the MAC was not yet disclosed by the sender.

18 If it was not, then the receiver buffers the packet. Otherwise the packet is dropped due to inability to authenticate. The receiver checks that the disclosed key belongs to the hash-chain (by checking against previously released keys in the chain) and then checks the correctness of the MAC. If the MAC is correct, the receiver accepts the packet.

19 The protocol principals: There needs to be time synchronization between sender and receiver (Otherwise, after a key was opened an attacker could use that key to forge messages) The vehicles in VANET come with GPS units and thus are constantly synchronized to a single global time signal such that accurate time synchronization can be assumed.

20 Advantages and disadvantages TESLA protocol offers authenticity at reduced costs without involving any shared secret between senders and receivers. For this advantage the protocol was suited even in constrained environments such as sensor networks.

21 Identification Unlike message authentication, identification (or entity authentication) enables a claimer to prove knowledge of a secret that only the claimer knows, thus proving its identity. An identification process needs to include timeliness in order to prove that the claimer definitely has knowledge of the secret. Timeliness might be proven by an interactive challenge–response protocol or by authenticating a timestamp

22 Since there is a globally accurate time source available in VANET, we suggest using the timestamp method describe here: Entity authentication with timestamp: 1. A computes S := SigSKA(t B) and sends S, t, Cert(A) to B. 2. B runs CERT_CHECK, verifies that the timestamp t is acceptable, and checks whether VerPKA (S, t B) ?=valid. There are several variations of this scheme (the digital signature can be replaced by a symmetric MAC or by encryption)

23 We expect that identification will be applied to identify a vehicle to an RSU or to a service provider, e.g., for tolling, payment services, and subscription services.

24 Other authentication mechanisms One-time and k-time signature scheme, a so-called signature propagation that authenticate several packets with single signature. For instance, the hash-value of the first packet is attached to the second, and so on. The last packet of such a chain is finally signed. The receiver needs to buffer all messages until it finally authenticates all packets of the chain by verifying the digital signature.

25 A. BiBa scheme-Bins and Balls Signature Perrig’s BiBa broadcast authentication (2001) – require very large public keys in the range of 10 Kbyte. Not suited for VANET having low bandwidth communication channels.

26 B. ID-based signature scheme Recently had a revival based on pairing based cryptography. ID-based schemes have an advantage in VANET since they don’t require distributing certificates and by that saving bandwidth.

27 ID-based signature scheme example:

28 Group signatures Each member of the group holds a private key, and there is a single public key for the group. Each group member is able to create signature and the message will be verified by the group’s public key. The verifier don’t know which group member signed the message. Slower than ECDSA

Download ppt "Presented by: Reut Barazani Limor Levy. Contents Introduction Digital signature broadcast message authentication TESLA broadcast message authentication."

Similar presentations

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 6. Security in Mobile Ad-Hoc Networks.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 6. Security in Mobile Ad-Hoc Networks.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
A Survey of Secure Wireless Ad Hoc Routing

A Survey of Secure Wireless Ad Hoc Routing
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
2015-6-1 1 Secure Vehicular Communications Speaker: Xiaodong Lin University of Waterloo

Secure Vehicular Communications Speaker: Xiaodong Lin University of Waterloo
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Security Issues In Sensor Networks By Priya Palanivelu.

Security Issues In Sensor Networks By Priya Palanivelu.
Sec final project A Preposition Secret Sharing Scheme for Message Authentication in Broadcast Networks 90321019 王怡君.

Sec final project A Preposition Secret Sharing Scheme for Message Authentication in Broadcast Networks 王怡君.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Timed Efficient Stream Loss-Tolerant Authentication. (RFC 4082) Habib Moukalled 1/29/08.

Timed Efficient Stream Loss-Tolerant Authentication. (RFC 4082) Habib Moukalled 1/29/08.
Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.

Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.

Similar presentations

Ads by Google