Wireless Network Security 14-814 Spring 2014

Similar documents
Security Sensor Network. Biswajit panja

SPINS: Security Protocols for Sensor Networks

Security in Sensor Networks: Industry Trends, Present and Future Research Directions. Sensor Networks are Here!

Wireless Sensor Network Security. Seth A. Hellbusch CMPE 257

Wireless Sensor Networks Chapter 14: Security in WSNs

Secure Routing in Wireless Sensor Networks

How To Secure A Wireless Sensor Network

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Client Server Registration Protocol

Midterm. Name: Andrew user id:

End-to-End Security in Wireless Sensor Networks (WSNs) Talk by Claudio Anliker Supervised by Dr. Corinna Schmitt University of Zurich

Ariadne A Secure On-Demand Routing Protocol for Ad-Hoc Networks

A Practical Authentication Scheme for In-Network Programming in Wireless Sensor Networks

AN RC4 BASED LIGHT WEIGHT SECURE PROTOCOL FOR SENSOR NETWORKS

Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks

About the Authors Preface Acknowledgements List of Acronyms

Mobile Security Wireless Mesh Network Security. Sascha Alexander Jopen

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks

Security and Privacy Issues in Wireless Sensor Networks for Healthcare

Security Solutions for Wireless Sensor Networks

How To Secure A Wireless Sensor Network

Efficient Data Transmission For Wireless Sensor Networks

Introduction to Network Security Key Management and Distribution

CSE/EE 461 Lecture 23

Network Security Protocols

Tema 5.- Seguridad. Problemas Soluciones

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview. SSL Cryptography Overview CHAPTER 1

CSC 774 Advanced Network Security. Outline. Related Work

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

Foundation University, Islamabad, Pakistan

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

CSCE 465 Computer & Network Security

Protecting Privacy Secure Mechanism for Data Reporting In Wireless Sensor Networks


Module 7 Security CS655! 7-1!

Fast and Scalable Key Establishment in. Sensor Networks

Preventing Unauthorized Messages and Achieving End-to-End Security in Delay Tolerant Heterogeneous Wireless Networks

Improving Availability of Secure Wireless Sensor Networks

Chapter 5. Simple Ad hoc Key Management. 5.1 Introduction

Cryptography and Network Security Chapter 14

Wireless sensor network

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

A SECURE DATA TRANSMISSION FOR CLUSTER- BASED WIRELESS SENSOR NETWORKS IS INTRODUCED

Chapter 8. Network Security

Chapter 17 Wireless Sensor Network Security: A Survey

Some Security Trends over Wireless Sensor Networks

A STUDY OF SECURITY CHALLENGES IN WIRELESS SENSOR NETWORKS

Chapter 7: Network security

SiRiUS: Securing Remote Untrusted Storage

EXAM questions for the course TTM Information Security May Part 1

Problems of Security in Ad Hoc Sensor Network

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Neighborhood-Based Security Protocol for Wireless Sensor Networks

Bit Chat: A Peer-to-Peer Instant Messenger

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Secure and Efficient Data Transmission for Cluster-based Wireless Sensor Networks

A STUDY ON SECURE DATA TRANSMISSION IN CLUSTER BASED WIRELESS SENSOR NETWORKS

Secure Code Distribution in Dynamically Programmable Wireless Sensor Networks

LIST OF FIGURES. Figure No. Caption Page No.

Secure Unicast Position-based Routing Protocols for Ad-Hoc Networks

Group Security Model in Wireless Sensor Network using Identity Based Cryptographic Scheme

Wireless Sensor Networks Chapter 3: Network architecture

Signature Amortization Technique for Authenticating Delay Sensitive Stream

A Flexible Approach to Embedded Network Multicast Authentication

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

A CHAOS BASED SECURE CLUSTER PROTOCOL FOR WIRELESS SENSOR NETWORKS

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

CS155. Cryptography Overview

Introduction to Cryptography

Chap. 1: Introduction

An Overview of ZigBee Networks

Enhancing Base Station Security in Wireless Sensor Networks

Power Proximity Based Key Management for Secure Multicast in Ad Hoc Networks

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Transcription:

Wireless Network Security 14-814 Spring 2014 Patrick Tague Class #8 Broadcast Security & Key Mgmt 1

Announcements 2

Broadcast Communication Wireless networks can leverage the broadcast advantage property to send a message to multiple recipients simultaneously In a star (like a WiFi network), O(1) transmissions cover all N recipients In general, O(N/d) transmissions cover N recipients with density d, using relaying

Broadcast Security To leverage broadcast advantage All recipients need to be able to authenticate the transmitter / message from the single transmission All recipients need to be able to decrypt the message from the single transmission Also, the authentication, en/decryption, and key management mechanisms need to be efficient

Broadcast Authentication Sender wants to broadcast a single message in a wireless network To protect against packet injection and other threats, need to verify the data origin Alice M Sender M Dave M Bob M Carol

Broadcast Auth Mechanisms 1. Symmetric key crypto and message auth codes (MACs) Sender w/ key K M, MAC K (M) M, MAC K (M) Alice w/ key K M', MAC K (M') Bob w/ key K Some form of asymmetry is required

Broadcast Auth Mechanisms 2. Public-key signatures Sender uses a private key to sign the message, all recipients verify with the corresponding public key Sender, K M, Sig K (M) M, Sig K (M) Ex: RSA 1024 bit signatures Alice, K -1 Bob, K -1 High generation cost (~10 milliseconds) High verification M', Sig cost K (M') (~1 millisecond) High communication cost (128 bytes/packet) Even more costly 2014 for Patrick low-end Tague processors

Broadcast Auth Mechanisms 3. Packet-block signatures Sign a collection of packets, partition signature over packet block disperse the cost of signing over larger chunks of data Sender, K M = {M i : i=1,...,k}, Sig K (M) s 1 s k M i, s i Alice, K -1 Verify Sig K ({M i }) {s i } More efficient, but loss of 1 block no verification

TESLA TESLA = Timed Efficient Stream Loss-tolerant Authentication [Perrig et al., RSA Cryptobytes 2002] Uses only symmetric cryptography Asymmetry via time Only the correct sender could compute MAC at time t Delayed key disclosure for verification Requires loose time synchronization

Delayed Key Disclosure F: public one-way function 1: Verify K F(K) Authentic Commitment P MAC K (P) 2: Verify MAC K disclosed 3: P Authentic! t

One-Way Hash Chains Versatile cryptographic primitive Pick random r N and public one-way function F For i=n-1,...,0 : r i = F(r i+1 ), then publish r 0 r 3 F r 4 F r 5 F r F 6 r 7 Properties Use in reverse order of construction: r 1, r 2,, r N Infeasible to derive r i from r j (j<i) Efficiently authenticate r i using r j (j<i): r j = F i-j (r i ) Robust to missing values

TESLA Schedules Keys disclosed 2 time intervals after use Receiver setup: Authentic K3, key disclosure schedule K3 F K4 F F F K5 K6 K7 Time 3 Time 4 Time 5 Time 6 Time 7 t P1, MAC K5 (P1), K3 P2, MAC K7 (P2), K5

Robustness to Packet Loss K3 F K4 F F F K5 K6 K7 Time 3 Time 4 Time 5 Time 6 Time 7 t P1, MAC K4 (P1), K2 P2, MAC K4 (P2), K2 P3, MAC K5 (P3), P4, MAC K3 K6 (P4), P5, K4 MAC K7 (P5), K5

Asymmetric Properties Disclosed value of key chain is a public key, it allows authentication of subsequent messages (assuming time synchronization) Receivers can only verify, not generate With trusted time stamping entity, TESLA can provide signature property

TESLA Summary Low overhead Communication (~ 20 bytes) Computation (~ 1 MAC computation per packet) Perfect robustness to packet loss Independent of number of receivers Delayed authentication Applications Authentic media broadcast Sensor networks Secure routing protocols

What about highly-constrained nodes in wireless sensor networks?

µtesla for WSN Proposed as part of the SPINS architecture [Perrig et al., WiNet 2002] Reduced communication compared to TESLA, key disclosure per epoch instead of per packet Includes several other optimizations for minimum overhead, practical in severely-constrained devices

SNEP for WSN SPINS also includes the Secure Network Encryption Protocol (SNEP) to provide data confidentiality, authentication, and freshness [Perrig et al., WiNet 2002] SNEP includes efficient key generation SNEP authenticated + encrypted packet structure: Data encrypted with shared key + counter (for semantic security) MAC over encrypted data Optional nonce-exchange for provable freshness

TinySec The TinySec architecture provides a practical security suite for wireless sensor networks [Karlof et al., SenSys 2004] TinySec-Auth provides authentication only TinySec-AE provides authenticated encryption Extensive discussion of design trade-offs and simulation results included in the paper

Further Reading Broadcast authentication in VANETs Studer et al., ESCAR 2008 / JCN 2009. Raya et al., SASN 2005. More papers @ http://lca.epfl.ch/projects/ivc/ in WSN Ren et al., WASA 2006. DoS-resilient broadcast authentication Gunter et al., NDSS 2004. Karlof et al., NDSS 2004.

In addition to security and performance features of the security protocols, what about the underlying key management?

Key Management How to add a member to the group without giving them access to past group activities? How to remove/revoke a member from the group without giving them access to future group activities? How to provide fresh credentials to group members?

Group Key Management Group formation, joining, and leaving can be controlled entirely by distribution and revocation of keys A session encryption key (SEK) is given to all group members (used to distribute/collect data) Key encryption keys (KEK) given to group members are used to periodically update SEKs Revocation = not getting an SEK update KEKs may also need to be updated Updating key must be very efficient so it can occur often enough to minimize effects of misbehavior

Challenges Simple attack models such as eavesdropping, message injection / tampering, masquerading, etc. can affect the entire security architecture Unicast solutions may be infeasible / impractical Network and services are dynamic, need to scale Various types of overhead to manage Initial trust relationship

Scale & Dynamics Depending on the scenario, the group size could be 10s, 100s, 1000s, 1000000s, Group membership and service subscription can be dynamic Can change on the order of seconds, minutes, days, months, Join and leave are random Most likely, there's no one size fits all method

Logical Key Hierarchy LKH arranges group members in an m-ary tree Tree leaves correspond to members with unique KEKs Internal tree nodes represent group KEKs Tree root represents the SEK Each member gets SEK and KEKs along tree path K 0 K 1,0 K 1,1 K 2,0 K 2,1 K 2,2 K 2,3 M 0 M 1 M 2 M 3

LHK Addition If M 34 wants to join a group and the tree isn't full full Give Start Kanother 0, K 1,1, Klevel 2,3 to of M the tree 3 K 0 K 1,0 K 1,1 K 2,0 K 2,1 K 2,2 K 2,3 K 2,3 M 0 M 1 M 2 M 3 M 3 K 3,0 K 3,1 M 0 M 4

LHK Removal If M 3 wants to leave the group, update SEK/KEKs {K' 0, K' }K 1,1 2,2 {K' }K 0 1,0 K' K 0 K 1,0 K 1,1 K' 1,1 K 2,0 K 2,3 K 2,1 K 2,2 M 0 M 1 M M 2 3

Storage: LKH Overhead Authority holds O(N) total keys Each member holds 1 SEK + O(log m (N)) KEKs Communication: Broadcast flood required for every update message, O(log m (N)) msg/removal Note: every msg may require multiple transmissions... Computation: Symmetric en/decryption operations

Generalized Key Graphs Key graphs generalize key trees for secure group communication [Wong et al., TR 1997] The authors propose a graph generalization of LKH allowing users to belong to groups arbitrarily instead of using a tree structure

Further Generalization Iolus: scalable multicast grouping using more generalized hierarchy [Mittra, SIGCOMM 1997] Distribution tree composed of smaller multicast subgroups in a hierarchy A group security intermediary (GSI) in each subgroup manages inter-subgroup details A group security controller (GSC) manages top-level subgroup and GSIs Further techniques for update, join, leave, etc.

Iolus Framework

How do these update procedures translate to the wireless domain?

Metrics Previous techniques described focus on number of update messages to broadcast What about the physical topology of the network? Relaying messages over multiple wireless links? Energy expenditure of long/lossy links? Broadcast advantage?

Power-Efficient Key Trees [Lazos & Poovendran, 2005] Key updates in large wireless networks (WSNs, MANETs, etc.) should be energy-efficient

But, in all these approaches, there's a catch...

Initial Key Agreement All of these key management approaches assume the new user is a valid user that can establish a pairwise KEK with the server Valid user authentication keys So, initial key agreement requires pre-existing keys or a secure offline initialization Protocols such as Diffie-Hellman and their many variants can help here, as long as they're practical for the context Human-in-the-loop allows for different approaches, e.g., SafeSlinger [Farb et al., 2013]

Key Agreement in WSN In challenged systems (WSN), key agreement is often to expensive Option: authority assigns symmetric keys (KEK, etc.) prior to deployment, nodes that share SEKs/KEKs after deployment can bootstrap secure links See [Eschenauer & Gligor, CCS 2002; Tague & Poovendran, ToSN 2007]

This pre-distribution has its own class of associated threats/attacks I can provide hundreds of papers if you're interested in learning more

February 11-13: Project Survey Presentations February 18: Project Proposals

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information