Download presentation
Presentation is loading. Please wait.
Published byLogan Wilkins Modified over 9 years ago
1
Computer Science CSC 774 Adv. Net. Security1 Presenter: Tong Zhou 11/21/2015 Practical Broadcast Authentication in Sensor Networks
2
Computer Science CSC 774 Adv. Net. Security2 Outline Background Basic Approach Various Extensions Implementation Results Conclusion & Future Work
3
Computer Science CSC 774 Adv. Net. Security3 Background Wireless Sensor Network –Large number of resource constrained sensor nodes –A few powerful control nodes (Base Station) Broadcast Authentication in Sensor Network – TESLA –Multilevel TESLA
4
Computer Science CSC 774 Adv. Net. Security4 Review of Multilevel TESLA CDM i =i|K i+1,0 |H(K i+2,0 ) |MAC K’i (i|K i+1,0 |H(K i+2,0 ))|K i-1
5
Computer Science CSC 774 Adv. Net. Security5 Review of Multilevel TESLA (cont.) Benefits: –Trade-off between key chain length and broadcast time –Resistant to packet loss Problems left: –Remove the long delay after CDMs are lost –Allow multiple senders –Revoke broadcast senders
6
Computer Science CSC 774 Adv. Net. Security6 Practical Broadcast Authentication in WSN: Basic Scheme Use Merkle tree to distribute the key chain commitments – referred to as parameter distribution tree –The tree root is pre-distributed –Each commitment is a leaf of the tree Key chain commitmentss1s1 s4s4 s3s3 s2s2 K1K1 K4K4 K3K3 K2K2 K 14 K 34 K 12 Pre-distributed root
7
Computer Science CSC 774 Adv. Net. Security7 Practical Broadcast Authentication in WSN: Basic Scheme (Cont.) If the 2 nd TESLA instance will be used: –Sender broadcasts the parameter certificate ParaCert 2 = { s 2, K 1, K 34 } –Receivers immediately authenticate the commitment s 2 by verifying K 14 = H( H( H( s 2 ) K 1 ) | K 34 ) s1s1 s4s4 s3s3 s2s2 K1K1 K4K4 K3K3 K2K2 K 14 K 34 K 12
8
Computer Science CSC 774 Adv. Net. Security8 Practical Broadcast Authentication in WSN: Basic Scheme (Cont.) The basic scheme has achieved: –Security: Attacker cannot send forged packet unless compromising the sender The parameter certificates are immune to DoS attack –Overhead: Storage: each receiver node needs to store the root of the parameter distribution tree, and the parameters of the senders that are communicating Computation: each receiver node needs hash functions to validate the key chain commitment, where m is the number of SLA instances –Allows multiple senders: Senders can be added dynamically by generating enough instances for late-joined senders
9
Computer Science CSC 774 Adv. Net. Security9 Scheme for Long-lived Senders Basic idea: –two-level parameter distribution tree Pre-Distribution –Fix the interval length that each TESLA key chain uses, denote such an interval as ( TESLA) instance interval. Assume each key chain has length L. –Assume sender j needs n j instance intervals through out its life: use the n j key chain parameters as leaves to construct a lower level tree, denoted as Tree j. When generating key chains for each sender: k i+1, L = F’(k i, 0 ), where F’ is a pseudo random function. –With the roots of Tree j s as leaves, an upper level parameter distribution tree is generated, denoted as Tree R –Tree R ’s root is pre-distributed to receivers, while the parameter certificate of Tree R of sender j, denoted as ParaCert j and all the key chains generated for sender j is pre-distributed to sender j.
10
Computer Science CSC 774 Adv. Net. Security10 Scheme for Long-lived Senders: Example s1s1 s4s4 s3s3 s2s2 K1K1 K4K4 K3K3 K2K2 K 14 K 34 K 12 s’ 1 s’ 4 s’ 3 s’ 2 K’ 1 K’ 4 K’ 3 K’ 2 R3R3 K’ 34 K’ 12 Tree R Tree j Receivers: K 14 Pre-distribution: Sender 3 : ParaCert 3 ={s 3, K 4, K 12 }, and Sender 3 ’s key chains
11
Computer Science CSC 774 Adv. Net. Security11 Scheme for Long-lived Senders: Example s’ 1 s’ 4 s’ 3 s’ 2 K’ 1 K’ 4 K’ 3 K’ 2 R3R3 K’ 34 K’ 12 k 3,1 k 3,0 k 3,L k 2,0 k 2,L k 1,0 k 1,L k 4,0 k 4,L k 4,1 k 2,1 k 1,1 F’F’F’F’F’F’ Tree 3
12
Computer Science CSC 774 Adv. Net. Security12 Scheme for Long-lived Senders (Cont.) The above scheme has achieved: –Security: Same as in the basic scheme –Overhead: Storage: receivers’ are same as in the basic scheme, sender j needs to store ParaCert j besides all the key chains. Computation: for validation of each key chain commitment, and for validation of each sender, where m is the number of senders. –Benefit over basic scheme: Fixed key chain length Two ways to validate the key chain commitments
13
Computer Science CSC 774 Adv. Net. Security13 Distributing Parameter Certifications Due to the low bandwidth and small packet size, ParaCert j must be delivered in several packets. –Each packet must be authenticated independently and immediately –Assume that each ParaCert contains L hash values, each packet can hold b hash values. Adopt the idea of distillation codes.
14
Computer Science CSC 774 Adv. Net. Security14 Distributing Parameter Certifications: Example s1s1 s4s4 s3s3 s2s2 K1K1 K4K4 K3K3 K2K2 K 14 K 34 K 12 s5s5 s8s8 s7s7 s6s6 K5K5 K8K8 K7K7 K6K6 K 58 K 78 K 56 K 18 ParaCert 3 = {K 58, K 12, K 4, s 3 }, assume that each packet can hold 3 hash values, P 1 = {K 58, K 12, K 34 }, verify: K 18 = H(H(K 12 | K 34 )|K 58 ) P 2 = {K 4, s 3 }, verify: K 34 = H(K 4 |H(s 3 ))
15
Computer Science CSC 774 Adv. Net. Security15 Revoking TESLA Instances Revocation tree –Similar to the parameter distribution tree, the central server generates a revocation message for each TESLA instance, and use all the messages to construct a Merkle tree, whose root is pre-distributed. –Advantages: Guarantees a non-compromised sender not be revoked. –Disadvantages: Cannot guarantee each receiver receives the revocation message due to the unreliable communication Revoked senders must be remembered by receivers, which introduces large storage overhead.
16
Computer Science CSC 774 Adv. Net. Security16 Revoking TESLA Instances (Cont.) Proactive Refreshment of Authentication Keys –Central server sends TESLA key chains to the senders when senders are broadcasting, instead of pre-distributing all the key chains. Central server can revoke a sender by stop sending TESLA key chains to it. –Advantages: Guarantees a compromised sender be revoked Receivers do not need storage overhead –Disadvantages: A non-compromised sender may be revoked if it does not receive the key chains due to some communication problem.
17
Computer Science CSC 774 Adv. Net. Security17 Experimental Results: Authentication Rate Authentication rate under 0.2 loss rate and 200 forged parameter distribution packet per minute.
18
Computer Science CSC 774 Adv. Net. Security18 Experimental Results: Channel Loss Rate Channel loss rate: 0.2; # forged commitment distribution: 200 per minute; distribution rate: 95%.
19
Computer Science CSC 774 Adv. Net. Security19 Experimental Results: Average Failure Recovery Delay Average failure recovery delay. Assume 20 parameter distribution packet per minute.
20
Computer Science CSC 774 Adv. Net. Security20 Conclusion & Future Work Developed practical broadcast authentication techniques –Distribution of TESLA key chain parameters –Revocation of compromised senders Future Work –Other schemes based on the basic scheme –Remove the constraint of loosely synchronization of senders and receivers
21
Computer Science CSC 774 Adv. Net. Security21 Questions?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.