wireless network security -...
TRANSCRIPT
©2013 Patrick Tague
Wireless Network Security14-814 – Spring 2013
Patrick Tague
Class #6 – Broadcast Security
©2013 Patrick Tague
Agenda• Security issues in broadcast communications
– TESLA broadcast authentication
– SPINS: Security protocols for sensor networks
– TinySec
©2013 Patrick Tague
Broadcast Communication• Broadcast comm takes
advantage of the shared medium for “one-to-many” transmissions– Can be much more efficient
than “one-to-one” unicast, depending on topology and scale
– In Wifi, single collision domain 1-to-N in one shot→
– In general, 1-to-N requires relaying
©2013 Patrick Tague
Topology and Scale• Gains from “broadcast advantage” depend on
network topology and scale– In a star topology, O(1) transmissions cover N nodes
(compared to O(N) in unicast)– In general, O(N/d) transmissions cover N nodes with
density d (compared to O(N2) in unicast)• Ex: d ~ log N
• Additional considerations with network scale:– Key management overhead for broadcast
authentication and encryption
©2013 Patrick Tague
Broadcast Authentication• Broadcasts data over wireless network
• Packet injection usually easy
• Goal: each receiver can verify data origin
Sender
Bob
M
Carol
M
DaveAliceMM
©2013 Patrick Tague
WiFi Broadcast Security• In WiFi, 1-to-N broadcast security protocols use
the Group Transient Key (GTK, remember Hole196?)– GTK keys are encrypted with PTK key-encryption keys
and sent via unicast to each group member
– [Buttyan & Hubaux, Security & Cooperation in Wireless Networks, 2007]
©2013 Patrick Tague
Generic Broadcast Auth.• Allows nodes to verify the source of packet
transmissions– First idea: use symmetric key cryptography and MACs
• Symmetric key group member indistinguishability→
– Second idea: use public-key signatures• Provably correct, but very expensive
– Third idea: packet-block signatures – sign a collection of packets, partition signature over packet block
• Packet loss problems, DoS opportunities, still expensive
©2013 Patrick Tague
Symmetric Keys Enough?
Senderw/ key K
Alice w/key K
Bob w/key K
M, MACK(M)
M', MACK(M')
M, MACK(M)
Some form of asymmetry is required
©2013 Patrick Tague
Asymmetry via Crypto• The classical way of achieving asymmetry is via
asymmetric crypto:– Sender uses a private key to sign the message, all
recipients use the corresponding public key
Sender, K
Alice, K-1 Bob, K-1
M, SigK(M)
M', SigK(M')
M, SigK(M)
©2013 Patrick Tague
So, Digital Signatures?• Signatures are expensive, e.g., RSA 1024:
– High generation cost (~10 milliseconds)
– High verification cost (~1 millisecond)
– High communication cost (128 bytes/packet)
• Very expensive on low-end processors
• If we use one signature over multiple packets, intolerant to packet loss
©2013 Patrick Tague
TESLA• TESLA = Timed Efficient Stream Loss-tolerant
Authentication [Perrig et al., RSA Cryptobytes 2002]
• Uses only symmetric cryptography
• Asymmetry via time– Only the correct sender could compute MAC at time t
– Delayed key disclosure for verification
– Requires loose time synchronization
©2013 Patrick Tague
Delayed Key Disclosure
t
F(K)AuthenticCommitment
P
MACK(P)
K disclosed
1: Verify K
2: Verify MAC
3: P Authentic!
F: public one-way function
©2013 Patrick Tague
Packet Verification• Receiver knows key disclosure schedule
• If receiver is certain that sender did not yet
disclose K at time of arrival of packet P, keep P
• Otherwise, drop packet P
©2013 Patrick Tague
One-Way Hash Chains• Versatile cryptographic primitive– Pick random rN and public one-way function F
– For i=N-1,...,0 : ri = F(ri+1), then publish r0
• Properties– Use in reverse order of construction: r1, r2, …, rN
– Infeasible to derive ri from rj (j<i)
– Efficiently authenticate ri using rj (j<i): rj = Fi-j(ri)
– Robust to missing values
r6 r7r4r3FFF r5
F
©2013 Patrick Tague
TESLA Schedules• Keys disclosed 2 time intervals after use• Receiver setup: Authentic K3, key disclosure
schedule
K5 K6 K7
tTime 4 Time 5 Time 6 Time 7
K4K3FFF
K5
Time 3
F
P1,MAC
K5(P1),
K3
P2,MAC
K7(P2),
K5
©2013 Patrick Tague
Robustness to Packet Loss
K5 K6 K7
tTime 4 Time 5 Time 6 Time 7
K4K3FFF
K5
Time 3
F
P3,MAC
K5(P3),
K3 P5,MAC
K7(P5),
K5
P1,MAC
K4(P1),
K2
P2,MAC
K4(P2),
K2
P4,MAC
K6(P4),
K4
©2013 Patrick Tague
Asymmetric Properties• Disclosed value of key chain is a public key, it
allows authentication of subsequent messages (assuming time synchronization)
• Receivers can only verify, not generate
• With trusted time stamping entity, TESLA can provide signature property
©2013 Patrick Tague
TESLA Summary• Low overhead– Communication (~ 20 bytes)– Computation (~ 1 MAC computation per packet)
• Perfect robustness to packet loss• Independent of number of receivers• Delayed authentication• Applications– Authentic media broadcast– Sensor networks– Secure routing protocols
©2013 Patrick Tague
What about highly-constrained nodes in wireless sensor networks?
©2013 Patrick Tague
µTESLA for WSN• Proposed as part of the SPINS architecture [Perrig
et al., WiNet 2002]– Reduced communication compared to TESLA, key
disclosure per epoch instead of per packet
– Includes several other optimizations for minimum overhead, practical in severely-constrained devices
©2013 Patrick Tague
SNEP for WSN• SPINS also includes the Secure Network
Encryption Protocol (SNEP) to provide data confidentiality, authentication, and freshness [Perrig et al., WiNet 2002]– SNEP includes efficient key generation– SNEP authenticated + encrypted packet structure:
• Data encrypted with shared key + counter (for semantic security)
• MAC over encrypted data
• Optional nonce-exchange for provable freshness
©2013 Patrick Tague
TinySec• The TinySec architecture provides a practical
security suite for wireless sensor networks [Karlof
et al., SenSys 2004] – TinySec-Auth provides authentication only– TinySec-AE provides authenticated encryption
– Extensive discussion of design trade-offs and simulation results included in the paper
©2013 Patrick Tague
In addition to security and performance features of the security protocols, what about the underlying key management?
©2013 Patrick Tague
Key Management• How to add a member to the group without
giving them access to past group activities?
• How to remove/revoke a member from the group without giving them access to future group activities?
• How to provide fresh credentials to group members?
©2013 Patrick Tague
Key Management• What about the risk of insider threats?
• How to detect when keys are compromised?– And what action to take upon detection?
• How to ensure key management doesn't open up additional attack vectors, e.g. DoS?
• How to balance security with overhead?– Communication, computation, storage, etc.
©2013 Patrick Tague
Further Reading• Broadcast authentication in VANETs– Studer et al., ESCAR 2008 / JCN 2009.– Raya et al., SASN 2005.
• More papers @ http://lca.epfl.ch/projects/ivc/
• … in WSN– Ren et al., WASA 2006.
• DoS-resilient broadcast authentication– Gunter et al., NDSS 2004.– Karlof et al., NDSS 2004.
©2013 Patrick Tague
Next Time• Key management– Centralized group key management
– Distributed key agreement
– Why is keying different in wireless?