1

Security for Broadcast Network

Most slides are from the lecture notes of prof. Adrian Perrig.

2

Challenges for Broadcast Security Broadcast applications need security

Packet injection or eavesdropping is easy Security solutions for point-to-point

communication not secure for broadcast Broadcast challenges

Scale to large audiences Dynamic membership Low overhead (computation & communication) Packet loss

How to achieve reliability in broadcasts? Lost packets are not retransmitted

3

Reliable Broadcast Transmission How to reliably and scalably disseminate

data to large numbers of receivers? Challenges

Ack implosion problem if receivers return Ack to sender for received packets

Nack implosion problem is severe as well For large numbers of receivers, there usually is

a fraction of them that do not obtain message Local repair mechanisms (create tree topology

and ask upstream parent for packet) faced numerous scalability difficulties

4

Forward Error Correction Forward Error Correction (FEC) is a

mechanism to reliably transmit data to a receiver without a back channel from receiver to sender Sender adds redundant information that

enables receiver to tolerate message loss Ideal for broadcast setting because

receiver does not need to contact server if messages were lost, simply wait for more redundancy information

5

Scale & Dynamics Small groups contain up to ~100 members Medium-size groups contain 100-1000

members Large groups contain 1000-109 members How does scale affect security?

Dynamic membership: members may join and leave at any time

How do dynamics affect security?

6

Communication Pattern Group can be single-source broadcast

One-to-many SSM: Single-source multicast, source-

specific multicast Multiple-source broadcast

Some-to-many All members broadcast

Many-to-many Which one is most common? Examples?

7

Group Key Management Receivers join/leave at any time Require forward & backward secrecy

Which property is easy to achieve? How? Challenge: scalable key management

Join

Forward Secrecy

Leave

Backward Secrecy

Time

8

MetricsWe use the following metrics to evaluate

group key agreement protocols Communication overhead

Number and size of messages (unicast & broadcast messages)

Join / leave overheads Computation overhead (by center and

by members) Security (collusion attacks?)

9

Security Requirements Group key secrecy

Computationally infeasible for a passive adversary to discover any group key

Backward secrecy Any subset of group keys cannot be used to discover

previous group keys. Forward secrecy

Any subset of group keys cannot be used to discover subsequent group keys.

Key Independence Any subset of group keys cannot be used to discover

any other group keys. Forward + Backward secrecy

10

What should we do?

Group key generation

who generates?

how can we generate group keys efficiently?

Group Key establishment

how can we authenticate sender?Key distribution by trusted third party

unicast

muticast

broadcast

Key agreement between group members

11

Group Key Management Protocol With a trusted Key Distribution Center (KDC),

what is simplest approach for key distribution? Group Key Management Protocol (GKMP)

Every member shares a key with KDC KDC unicasts all key updates to each member

Advantages Security, simplicity

Disadvantages Does not scale to large groups, high overhead

12

Group key generation methods

13

Centralized Flat Table Proposed by Chang et al., Infocom 1999;

and Waldvogel et al., IEEE JSAC 1999 Idea: 2 keys for each bit of member ID

Member with ID=9 (1001) gets keysK0,1 K1,0 K2,0 K3,1 K4,0

K0,0 K1,0 K2,0 K3,0 K4,0

K0,1 K1,1 K2,1 K3,1 K4,1

Bit=0

Bit=1

LSB ID Bit 0 MSB ID Bit 4

14

Centralized Flat Table How to add or expel a member? Advantages

Low communication and computation overhead

Low memory overhead at KDC Disadvantages

Does not provide key independence! Collusion attack possible!

15

Double One-way Key Chains Goal: Join members for a pre-determined time

period, preserve forward and backward secrecy Approach: use two one-way key chains For interval T3-T6, member gets K3’ and K6 Key for interval T3 is K3’ K3

T1 T2 T3 T4 T5 T7 T8T6 t

K1 K2 K3 K4 K5 K7 K8K6

K1’ K2’ K3’ K4’ K5’ K7’ K8’K6’

16

Double One-way Key Chains Advantages

Low storage overhead at KDC Only 2 keys need to be sent by unicast

communication after join event, no broadcast overhead!

No communication on leave events! Disadvantages

Cannot expel member Does not provide key independence, collusion

attack!

17

MARKS Idea: derive key tree top-down, each leaf

key is associated with a time interval K12 = H( “left” || K14 ) K34 = H( “right” || K14 ) K1 is key used to encrypt

data in time T1 K34 enables member

to receive data inintervals T3 & T4 K1 K2 K3 K4

K12 K34

K14

T1 T2 T3 T4 t

18

MARKS Member pays for time T3-T8, receives K34

and K58

K1 K2 K3 K4 K5 K7 K8

K12 K34 K56 K78

K14 K58

K18

T1 T2 T3 T4 T5 T7 T8

K6

T6 t

19

MARKS Discussion Advantages

O(log(T)) unicast communication after join events, no broadcast overhead!

No communication on leave events! Tradeoff between storage and

computation overhead on KDC Disadvantages

Cannot expel member

20

Logical Key Hierarchy (LKH) Idea: arrange members at leaves of a key

tree, each member receives keys on its path

K1 K2 K3 K4 K5 K7 K8

K12 K34 K56 K78

K14 K58

K18

M1 M2 M3 M4 M5 M7 M8

K6

M6

21

Logical Key Hierarchy (LKH) In LKH, root key is group key Each member shares leaf key with KDC How to join a member?

Computation and communication overhead?

How to expel a member? Computation and communication

overhead?

22

LKH Redistribute new keys when M6 is expelled

K1 K2 K3 K4 K5 K7 K8

K12 K34 K56’ K78

K14 K58’

K18’

M1 M2 M3 M4 M5 M7 M8

K6

M6

23

LKH Redistribute new keys when M6 is expelled

K1 K2 K3 K4 K5 K7 K8

K12 K34 K56’ K78

K14 K58’

K18’

M1 M2 M3 M4 M5 M7 M8

EK5(K56’); EK78(K58’); EK56’(K58’); EK14(K18’); EK58’(K18’)

24

LKH Discussion Advantages

Low computation and communication overhead: join and leave only require O(log(N)) broadcast message size

Disadvantages Requires broadcast message for each

event Key storage requires O(N) memory at KDC

25

LKH+ How can we reduce broadcast

message overhead for join events? Simply compute one-way function on

all keys on key path of joining member

Advantage: only send the position in key tree of joining member to group, all members can adjust their keys

26

LKH++ How can we reduce broadcast message

overhead for leave events? Suggested by Canetti et al. at Infocom

99 Idea: derive parent key from child key

through one-way function Key path that is updated after leave

event forms a one-way key chain, starting at leaf node

27

LKH++ Re-key

K1 K2 K3 K4 K5’ K7 K8

K12 K34 K56’ K78

K14 K58’

K18’

M1 M2 M3 M4 M5 M7 M8

EK5’(K56’); EK78(K58’); EK56’(K58’); EK14(K18’); EK58’(K18’)

K56’ = H( K5’ ), K58’ = H(K56’), K18’ = H(K58’)

28

LKH++ Discussion Advantages

log(N) bits broadcast for join event |K| log(N) bits broadcast for leave event

(LKH used 2 |K| log(N) bits) Secure against collusion attacks

Disadvantages Memory storage overhead

29

Key distribution How can we authentication the sender? Authentication (weaker)

Receiver can only convince herself that the data was generated by the sender

Sufficient for many apps – packet authentication Signature (stronger)

Receiver can prove to a third party that the data was generated by the sender

Important for proxy/cache application that receives data and needs to convince final receiver data ok

30

Broadcast Authentication Broadcasts data over wireless network Packet injection usually easy Each receiver can verify data origin

Sender

Bob

M

Carol

MDaveAlice MM

31

Authentication Needs Asymmetry

SenderK

AliceK

BobK

Msg, MAC(K,Msg)

Forged Msg, MAC(K, Forged Msg)

Msg, MAC(K,Msg)

MAC: Message Authentication Code (authentication tag)

K = shared key

32

Digital Signatures Impractical Signatures are expensive, e.g., RSA 1024:

High generation cost (~10 milliseconds) High verification cost (~1 millisecond) High communication cost (128 bytes/packet)

Very expensive on low-end processors If we aggregate signature over multiple

packets, intolerant to packet loss

33

TESLA Timed Efficient Stream Loss-tolerant

Authentication Uses only symmetric cryptography Asymmetry via time

Delayed key disclosure Requires loose time synchronization

34

Basic Authentication Mechanism

t

F(K)AuthenticCommitment

P

MAC(K,P)

Kdisclosed

1: Verify K

2: Verify MAC

3: P Authentic!

F: public one-way function

35

Security Condition Receiver knows key disclosure schedule

Security condition (for packet P): on arrival of P, receiver is certain that sender did not yet disclose K

If security condition not satisfied, drop packet

36

Bootstrapping Receivers Loose time synchronization

Receiver knows maximum time synchronization error, upper bound on sender’s time

Session setup, authenticated parameters Beginning time of one specific interval Interval duration Key chain commitment Disclosure delay

Digital signature for initial authentication

37

One-Way Hash Chains Versatile cryptographic primitive Construction

Pick random rN and public one-way function F ri = F(ri+1) Secret value: rN , public value r0

Properties Use in reverse order of construction: r1 , r2 … rN Infeasible to derive ri from rj (j<i) Efficiently authenticate ri using rj (j<i): rj = Fi-j(ri) Robust to missing values

r6 r7r4r3

FFFr5

F

38

TESLA Keys disclosed 2 time intervals after use Receiver setup: Authentic K3, key

disclosure schedule Authentication of P1: MAC(K5, P1 )

K5 K6 K7

tTime 4 Time 5 Time 6 Time 7

K4K3

P2

K5

P1

K3Verify MAC

FFFAuthenticate K5

K5

Time 3

F

39

TESLA: Robust to Packet Loss

K5 K6 K7

tTime 4 Time 5 Time 6 Time 7

K4K3

P2

K5

P1

K3Verify MAC

FFFAuthenticate K5

K5

Time 3

F

40

Asymmetric Properties Disclosed value of key chain is a

public key, it allows authentication of subsequent messages (assuming time synchronization)

Receivers can only verify, not generate

With trusted time stamping entity, TESLA can provide signature property

41

TESLA Summary Low overhead

Communication (~ 20 bytes) Computation (~ 1 MAC computation per packet)

Perfect robustness to packet loss Independent of number of receivers Delayed authentication Applications

Authentic media broadcast Sensor networks Secure routing protocols