Channel Access Protocols


Ad Hoc Networks Security
Instructor: Carlos Pomalaza-Ráez
Fall 2003
University of Oulu, Finland
1
Introduction to Cryptography
The idea is to protect data by transforming it into a representation from
which it is hard to recover. This provides us with:
 Confidentiality – only the sender and the receiver should know the
message content
 Authentication – sender and receiver can confirm the identity of each other
 Integrity – sender and receiver can detect any alteration of the message
 Non-repudiation – sender can not deny having created the message
 Freshness – message is recent and not a replay
Unless a message is properly protected, unfriendly “agents” can capture or
see it as it moves across the network and:
 Insert messages into the connection
 Impersonate – fake (spoof) source address
 Hijack – take over the connection by replacing the sender or receiver
 Denial of service – by, for example, overloading the resources
2
Private (Symmetric) – Key systems
In these systems the message M is encrypted using a key e which is known only to
the sender and the receiver. To encrypt the message compute X = E(M, e), E being
the encryption function. To decrypt X compute M = D(X, d), where d is the
decryption key corresponding to e. There is usually a simple relationship between e
and d. A widely known secret-key system is DES (Data Encryption Standard).
d – decryption key
e – encryption key
[Figure: Alice → encryption algorithm, X = E(M, e) → decryption algorithm, M = D(X, d) → Bob, with the unfriendly agent Eve on the channel.]
3
Public (Asymmetric)– Key systems
In these systems the message M is encrypted using a key e which is public. To
encrypt the message compute X = E(M, e), E being the encryption function. To
decrypt X compute M = D(X, d), where d is the decryption key corresponding to e.
Knowing e doesn’t help anyone to discover the decryption key d.
d – private decryption key
e – public encryption key
[Figure: Alice → encryption algorithm, X = E(M, e) → decryption algorithm, M = D(X, d) → Bob, with the unfriendly agent Eve on the channel.]
4
RSA – A Public-key Crypto-System
RSA is named after its inventors Ron Rivest, Adi Shamir, and Len Adleman. We
assume here that the message is broken into parts of the right size, e.g. 1024 bits.
Choosing Keys
 Choose two large prime numbers p, q (e.g., 512 bits each)
 Compute n = pq, z = (p-1)(q-1) = Ф(n)
 Choose e (e < n) such that it has no common factors with z, i.e.
gcd(e,Ф(n)) = 1 (gcd stands for greatest common divisor)
 Choose d such that ed-1 is exactly divisible by z (in other words,
ed mod Ф(n) = 1)
 Public key is (n,e)
 Private key is (n,d)
R.L. Rivest, A. Shamir, L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,”
Comm. of ACM, 21 (2), pp. 120-126, Feb. 1978.
5
RSA: Encryption - Decryption
To send a message M using RSA, the sender computes
$$X = M^e \pmod{n}$$
To decrypt the message the receiver computes
$$M_0 = X^d \pmod{n} = M^{ed} \pmod{n}$$
Since $M^{\Phi(n)} \pmod{n} = 1$ and $ed$ is 1 + some multiple of $\Phi(n)$,
$$M^{ed} \pmod{n} = M^1 \pmod{n} = M$$
Notice that the encryption and decryption functions are identical, that is:
$$E(X, (k, n)) = D(X, (k, n)) = X^k \pmod{n}$$
6
Hash Algorithms
A basic tool for cryptography is a secure hash algorithm. Given a variable
length message x, a secure hash algorithm computes a function h(x)
which has a fixed and often smaller number of bits. It is usually not
possible to recover x from its hash value. Desirable properties of a
secure hash function are:
 A hash function h(x) is one-way if given y it is hard to find x such
that h(x) = y
 A hash function h(x) is weakly collision-free if given a message x1 it
is hard to find another message x2 such that h(x1) = h(x2)
 A hash function h(x) is strongly collision-free if it is hard to find any
pair of messages x1, x2 such that h(x1) = h(x2)
An important property of secure hash functions, like any hash function, is
that they should uniformly cover their range. That is, for a uniform
distribution of the inputs, the output probabilities from the hash function
should be uniform.
7
Authentication via Digital Signatures
Similar to handwritten signatures
Method I:
 Bob encrypts entire message with his private key; this is Bob’s digital signature
 Bob sends both the message and his digital signature
[Figure: the original text ("Dear Alice, ... Bob") is encrypted with Bob’s private key; the text encrypted with Bob’s private key is ready for transmission.]
 Alice decrypts Bob’s message using Bob’s public key
 If decrypted message matches the message, Alice knows that the signed message
could only have come from Bob
 Signing the entire document/message is computationally expensive
8
Authentication via Digital Signatures
Method II:
 Compute a hash on the document/message
 The hash, also called a message digest, is much smaller than the document,
resembles a CRC (Cyclic Redundancy Check)
 Use private key to encrypt only the message digest
 Encrypted digest is commonly called a digital signature
 Computationally inexpensive
 Send both the document and the digitally signed message digest
At receiver
 Hash the document → $MD_A$ and decrypt the digital signature → $MD_B$
 If $MD_A = MD_B$ then receiver knows that:
 the identity of sender correctly matches the advertiser of the public key
(authentication)
 that the document hasn’t been tampered with (data integrity)
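The RSA key setup and the Method II signature check above, carried through in Python as an added example (not part of the original slides). The two primes are fixed Mersenne primes chosen for reproducibility, SHA-256 is the assumed hash, the function names are hypothetical, and the signature is unpadded as on the slides; deployed RSA signatures add a padding scheme such as PSS.

```python
import hashlib
from math import gcd

# Key setup following the slide's steps. p and q are two known Mersenne
# primes (assumption, for reproducibility); real keys use random primes.
p, q = 2**61 - 1, 2**89 - 1
n, z = p * q, (p - 1) * (q - 1)      # z = phi(n)
e = 65537
assert gcd(e, z) == 1                # e has no common factor with z
d = pow(e, -1, z)                    # choose d so that ed mod phi(n) = 1
assert (e * d) % z == 1

def rsa(x: int, k: int) -> int:
    """E and D are the same function: x^k mod n."""
    if not 0 <= x < n:
        raise ValueError("message block must be smaller than n")
    return pow(x, k, n)

def digest(message: bytes) -> int:
    """Fixed-size message digest, reduced so it fits below this small n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes) -> int:
    """Method II: apply the private key (n, d) to the digest only."""
    return rsa(digest(message), d)

def verify(message: bytes, signature: int) -> bool:
    """Receiver: MD_A = hash of document, MD_B = signature under (n, e)."""
    if not 0 <= signature < n:
        return False
    md_a = digest(message)
    md_b = rsa(signature, e)
    return md_a == md_b

if __name__ == "__main__":
    m = int.from_bytes(b"ad hoc", "big")           # constructed sample block
    print("encrypt/decrypt round trip:", rsa(rsa(m, e), d) == m)
    doc = b"Dear Alice, the route is A-B-C. Bob"   # constructed sample
    sig = sign(doc)
    print("genuine document verifies:", verify(doc, sig))
    print("altered document verifies:", verify(doc.replace(b"A-B-C", b"A-E-C"), sig))
```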
9
Digital Signature - Signed message digest
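[Figure, sender side: Bob sends a digitally signed message. The original long message goes through a many-to-one hash function to give a fixed-size message digest; the digest is encrypted with Bob’s private key; the original long message and the encrypted message digest are sent to Alice.]
[Figure, receiver side: Alice verifies the signature and integrity of the digitally signed message. The encrypted message digest is decrypted with Bob’s public key to give a fixed-size message digest; the original long message goes through the many-to-one hash function to give a fixed-size message digest; the two digests are compared.]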
10
Non-Repudiation via Digital Signatures
 At receiver, if $MD_A = MD_B$ then receiver knows that:
 Only the sender’s private key could have created this signature (Non-repudiation & Authentication)
 Sender can’t deny sending message
 Digital Signatures provide authentication, integrity, and non-repudiation
[Figure: the encrypted message digest is decrypted with Bob’s public key to give the fixed-size message digest $MD_B$; the original long message goes through the many-to-one hash function to give the fixed-size message digest $MD_A$; the two are compared.]
11
One-Way Hash Chains
Construction
 Pick random $r_N$ and a public one-way function F
 $r_i = F(r_{i+1})$
 Secret value: $r_N$
 Public value: $r_0$
[Figure: chain $r_4 \leftarrow r_5 \leftarrow r_6 \leftarrow r_7 \leftarrow r_8$, each arrow an application of F.]
Properties
 Use in reverse order of construction, i.e. $r_1, r_2, \ldots, r_N$
 It is not feasible to derive $r_i$ from $r_j$ ($j < i$)
 Good for authenticating $r_i$ knowing $r_j$ ($j < i$), e.g. verify if $r_j = F^{i-j}(r_i)$
 Robust to missing values
12
Message Authentication Codes (MAC)
 It is a code – MAC(K,M)
 Calculated by some function MAC that requires little computation
 Inputs are the message M to be sent and K, the symmetric key
known only by the two parties
 The code is appended to each packet, i.e. {M, MAC(K,M)}
[Figure: Alice computes C = MAC(K,M) and sends {M|C}; Bob computes C’ = MAC(K,M) and tests C = C’: yes, it’s Alice; no, not Alice.]
Alice and Bob know in advance K and the MAC function
13
Unicast Source Authentication
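[Figure: Alice sends over the Internet {M|MAC($K_{a-b}$, M)} to Bob, {M|MAC($K_{a-c}$, M)} to Carol and {M|MAC($K_{a-d}$, M)} to Dave; she shares $K_{a-b}$ with Bob, $K_{a-c}$ with Carol and $K_{a-d}$ with Dave.]
M is duplicated and sent separately to each intended receiver, each copy with a different MAC
High overhead and consumes network resources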
14
Multicast Source Authentication
[Figure: Alice sends a single {M|MAC($K_a$, M)} over the Internet to Bob, Carol and Dave, who all hold $K_a$.]
$K_a$ is known to all receivers. Any receiver can forge a packet
Low overhead and less network resources when compared with the unicast method
15
TESLA
Timed Efficient Stream Loss-Tolerant Authentication





 Uses symmetric key cryptography
 Asymmetric key cryptography via time
 Based on initial loose time synchronization
 MAC is attached to each packet
 Delayed disclosure of keys
[Figure: timeline $t_{i-1}$, $t_i$, $t_{i+1}$. The packet carries M and MAC($K_i$, M); $K_i$ is disclosed later. Receiver steps: 1- verify $K_i$ by checking $F(K_i)$ against the authentic commitment; 2- verify the MAC; 3- M is authentic.]
A. Perrig, R. Canetti, J.D. Tygar, D. Song, “Efficient authentication and signing of multicast streams over lossy
channels,” IEEE Symposium on Security and Privacy, May 2000.
16
TESLA – Sender Setup
Alice
 Break time into intervals of the same duration
 Determine the key chain length N and pick the last key $K_N$ randomly
 Using a one-way pseudo-random function F, compute $K_i = F(K_{i+1})$ and assign one key to each interval
 Use F' to derive the key used to compute the MAC: $K'_i = F'(K_i)$
[Figure: key generation. Over time intervals i-1, i, i+1, ..., N the chain keys $K_{i-1}$, $K_i$, $K_{i+1}$, ..., $K_N$ each pass through F' to give $K'_{i-1}$, $K'_i$, $K'_{i+1}$, ..., $K'_N$.]
17
TESLA – Authentication
[Figure: chain keys $K_{i-1}$, $K_i$, $K_{i+1}$, with F' deriving $K'_{i-1}$, $K'_i$, $K'_{i+1}$. Packets: $P_{i-1}$ = ($M_{i-1}$, $K_{i-2}$, MAC($K'_{i-1}$, $D_{i-1}$)); $P_i$ = ($M_i$, $K_{i-1}$, MAC($K'_i$, $D_i$)); $P_{i+1}$ = ($M_{i+1}$, $K_i$, MAC($K'_{i+1}$, $D_{i+1}$)). $D_{i-1}$ is authenticated, $D_i$ is authenticated after reception of $P_{i+1}$, and $D_{i+1}$ is not yet authenticated.]
 When the receiver gets packet $P_i$, it cannot verify the MAC since it does not yet know
$K_i$, from which it can compute $K'_i$
 Packet $P_{i+1}$ discloses $K_i$ and allows the receiver to:
 verify that $K_i$ is correct, e.g., $F(K_i) = K_{i-1}$
 compute $K'_i$ and check the authenticity of packet $P_i$ by verifying the MAC of $P_i$
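The delayed-disclosure check described above, together with the one-way key chain from the earlier hash-chain slide, as an added Python example (not from the lecture or from the TESLA authors). SHA-256 and HMAC-SHA-256 stand in for F, F' and MAC, keys are disclosed one interval late, `now` is the receiver's clock-derived upper bound on the sender's current interval, and all names are hypothetical.

```python
import hashlib, hmac

def F(k):        # one-way function that links the key chain
    return hashlib.sha256(b"chain" + k).digest()

def F_prime(k):  # F': derives the MAC key K'_i from K_i
    return hashlib.sha256(b"mac" + k).digest()

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def make_chain(n, k_n):
    """Return [K_0 .. K_N] with K_i = F(K_{i+1}); K_0 is the commitment."""
    chain = [k_n]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def make_packet(K, i, msg):
    """P_i = (M_i, K_{i-1}, MAC(K'_i, D_i)) where D_i = M_i | K_{i-1}."""
    return (msg, K[i - 1], mac(F_prime(K[i]), msg + K[i - 1]))

class Receiver:
    def __init__(self, commitment):
        self.idx, self.key = 0, commitment  # newest authenticated chain key
        self.pending = []                   # buffered, not yet authenticated

    def receive(self, i, packet, now):
        """Process P_i; return the messages that became authentic."""
        msg, disclosed, tag = packet
        authentic = []
        if i - 1 > self.idx:
            k = disclosed                   # 1- verify K_{i-1} against the chain
            for _ in range(i - 1 - self.idx):
                k = F(k)
            if hmac.compare_digest(k, self.key):
                known = {i - 1: disclosed}  # recover keys skipped by lost packets
                for t in range(i - 1, self.idx + 1, -1):
                    known[t - 1] = F(known[t])
                for j, m, prev, tg in self.pending:  # 2- verify buffered MACs
                    if j in known and hmac.compare_digest(
                            mac(F_prime(known[j]), m + prev), tg):
                        authentic.append(m)          # 3- M_j is authentic
                self.pending = [p for p in self.pending if p[0] not in known]
                self.idx, self.key = i - 1, disclosed
        if now <= i:  # security condition: K_i cannot have been disclosed yet
            self.pending.append((i, msg, disclosed, tag))
        return authentic
```

Feeding packets 1, 2 and 4 (packet 3 lost) returns the first message when packet 2 arrives and the second when packet 4 arrives; a packet for interval i that arrives when `now` is already past i is never buffered, so a key that has been disclosed cannot be used to get a forged packet accepted.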
18
TESLA – Dynamic Packet Rates
 The MAC key and the disclosed key depend on the time interval
 The authentication key of $P_j$ is $K_i$, which is disclosed by packets sent in interval (i + d)
 In this example packet $P_{j+4}$ discloses key $K_{i+1}$, which allows the receiver to compute $K_i$
and to authenticate packet $P_j$
[Figure: timeline of intervals i to i+5, each of duration $T_\Delta$, with d = 4; packets $P_j$ to $P_{j+4}$ carry messages $M_j$ to $M_{j+4}$, are MACed with the $K'$ key of their interval and disclose earlier chain keys, with $P_{j+4}$ disclosing $K_{i+1}$.]
19
Attacks on Ad-Hoc Networks
Passive
 Only eavesdrop
 Threats against privacy/anonymity
Active
 Injects packets and eavesdrops
 Characterized based on the number of controlled nodes in the network
Routing disruption attacks
 Causes legitimate data packets to be routed dysfunctionally (e.g.,
routing loop, black hole, gray hole, detour, partition)
Resource consumption attacks
 Consumes valuable network resources or node resources (e.g., injecting
data packets, injecting control packets)
20
ARIADNE: A Secure On-Demand Routing
Protocol for Ad Hoc Networks
 Withstands node compromise
 Relies on highly efficient symmetric cryptography
 Does not require trusted hardware or powerful processors
Authenticate routing messages using one of:
 Shared secrets between each pair of nodes
 Avoids need for synchronization
 Shared secrets between communicating nodes combined with
broadcast authentication
 Requires loose time synchronization
 Digital signatures
Y-C Hu, A. Perrig, D. B. Johnson, “Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks,”
8th ACM International Conference on Mobile Computing and Networking, MobiCom 2002, pp. 12-23.
21
ARIADNE: Key Setup
 Shared secret keys
 Key distribution center
 Bootstrapping from a Public Key Infrastructure (PKI)
 Pre-loading at initialization
 Initial TESLA keys
 Embed at initialization
 Assume PKI and embed the Certification Authority’s public key at
each node
 Digital signatures
 A mechanism to distribute one authentic public key for each node
Each node also has an authentic element from the Route Discovery chain
of every node initiating Route Discoveries
22
ARIADNE: Route Discovery
 Takes after DSR
 Assume sender and receiver share secret (non-TESLA) keys for message
authentication
 Target authenticates ROUTE REQUESTS
 Sender includes a MAC computed with end-to-end key
 Target verifies authenticity and freshness of request using shared key
 Data authentication using TESLA keys
 Each hop authenticates new information in the REQUEST
 Target buffers REPLY until intermediate nodes release TESLA keys
o TESLA security condition is verified at the target
o Target includes a MAC in the REPLY to certify the condition was met
 Attacker can remove a node from node list in a REQUEST, but
 One-way hash functions verify that no hop was omitted (per-hop hashing)
23
ARIADNE: Route Discovery
 Assume all nodes know an authentic key of the TESLA one-way key chain of
every other node
 Securing ROUTE REQUEST
 Target can authenticate the sender (using their additional shared key)
 Initiator can authenticate each path entry in the ROUTE REPLY
 No intermediate node can remove any other node in the REQUEST or
REPLY
 ROUTE REQUEST packet contains eight fields:
 ROUTE REQUEST: label
 initiator: address of the sender
 target: address of the recipient
 id: unique identifier
 time interval: TESLA time interval of the pessimistic arrival time
 hash chain: sequence of MAC hashes
 node list: sequence of nodes on the path
 MAC list: MACs of the message using TESLA keys
24
ARIADNE: Route Discovery
 Upon receiving ROUTE REQUEST, a node:
1. Processes the request only if it is new
2. Processes the request only if the time interval is valid (not too far in the future,
but not for an already disclosed TESLA key)
3. Modifies the request and rebroadcasts it
– Appends its address to the node list, replaces the hash chain with H[A, hash
chain], appends MAC of entire REQUEST to MAC list using $K_{A_i}$ where i is
the index for the time interval specified in the REQUEST
 When the target receives the route request:
1. Checks the validity of the REQUEST (determining that the keys from the time
interval have not been disclosed yet and that hash chain is correct)
2. Returns ROUTE REPLY containing eight fields
– ROUTE REPLY, target, initiator, time interval, node list, MAC list
– target MAC: MAC computed over above fields with key shared between
target and initiator
– key list: disclosable MAC keys of nodes along the path
25
ARIADNE: Route Discovery
 Node forwarding ROUTE REPLY
 Waits until it can disclose TESLA key from specified interval
o Appends that key to the key list
o This waiting does delay the return of the ROUTE REPLY but does not
consume extra computational power
 When initiator receives ROUTE REPLY
1. Verifies each key in the key list is valid
2. Verifies that the target MAC is valid
3. Verifies that each MAC in the MAC list is valid using the TESLA keys
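The per-hop hashing and MAC-list checks from the Route Discovery slides, as an added Python example (not from the lecture or from the Ariadne authors). The field encoding, the SHA-256/HMAC choices, the starting value of the hash chain (a MAC over the fixed fields under the initiator-target key) and all names are assumptions made for illustration.

```python
import hashlib, hmac

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def H(node, prev):                 # per-hop hash H[A, hash chain]
    return hashlib.sha256(node.encode() + b"|" + prev).digest()

def hop_mac(key, header, nodes, chain, macs):
    """MAC of the entire REQUEST as a hop sees it after its own update."""
    return mac(key, header + "|".join(nodes).encode() + chain + b"".join(macs))

def new_request(k_sd, initiator, target, req_id, interval):
    header = "|".join([initiator, target, str(req_id), str(interval)]).encode()
    # Assumed initial value: MAC of the fixed fields under the end-to-end key.
    return {"header": header, "chain": mac(k_sd, header), "nodes": [], "macs": []}

def forward(req, node, tesla_key):
    """Append address, replace hash chain with H[node, chain], append MAC."""
    nodes = req["nodes"] + [node]
    chain = H(node, req["chain"])
    tag = hop_mac(tesla_key, req["header"], nodes, chain, req["macs"])
    return {"header": req["header"], "chain": chain, "nodes": nodes,
            "macs": req["macs"] + [tag]}

def target_accepts(req, k_sd):
    """Target: rebuild the hash chain from the node list and compare."""
    h = mac(k_sd, req["header"])
    for node in req["nodes"]:
        h = H(node, h)
    return hmac.compare_digest(h, req["chain"])

def initiator_accepts(req, k_sd, disclosed_keys):
    """Initiator: check each MAC in the MAC list with the disclosed keys."""
    if not len(req["nodes"]) == len(req["macs"]) == len(disclosed_keys):
        return False
    h, ok = mac(k_sd, req["header"]), True
    for j, node in enumerate(req["nodes"]):
        h = H(node, h)
        expect = hop_mac(disclosed_keys[j], req["header"],
                         req["nodes"][:j + 1], h, req["macs"][:j])
        ok = hmac.compare_digest(expect, req["macs"][j]) and ok
    return ok
```

A request whose node list has had an entry removed no longer reproduces the hash chain at the target, and a MAC list entry checked with the wrong key fails at the initiator. Checking that each disclosed key belongs to its node's TESLA chain (step 1 above) is a separate check not shown in this block.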
The ROUTE MAINTENANCE mechanism has similar features, e.g.,
 Based on DSR
 Node forwarding a packet to the next hop returns a ROUTE ERROR to the
original sender
 Prevent unauthorized nodes from sending errors, e.g. the sender
authenticates errors
26