Presentation is loading. Please wait.

Presentation is loading. Please wait.

Giuseppe Bianchi Lecture 6.1: Extras: Merkle Trees.

Published byIrea Billings Modified over 9 years ago

Similar presentations

Presentation on theme: "Giuseppe Bianchi Lecture 6.1: Extras: Merkle Trees."— Presentation transcript:

1 Giuseppe Bianchi Lecture 6.1: Extras: Merkle Trees

2 Giuseppe Bianchi Frequent practical problem: how to sign a chunked msg  Peer-to-peer delivery  Message divided into independent chunks  Frequently received out of order, and from distinct peers  Signature verification: needs to wait until COMPLETE message reconstruction  But what about fake injected chunks?  Per-chunk signatures: too expensive and too much overhead  Can we find a better solution? VERY LONG MESSAGE SIGNATURE CHUNK 1CHUNK 2 CHUNK 3CHUNK 4 CHUNK N …

3 Giuseppe Bianchi Merkle’s idea: Hash tree ABCDEFGH H(A)H(B)H(C)H(D)H(E)H(F)H(G)H(H) H[H(A),H(B)]H[H(C),H(D)]H[H(E),H(F)]H[H(G),H(H)] H{H[H(A),H(B)],H[H(C),H(D)]}H{H[H(E),H(F)],H[H(G),H(H)]} ROOT = H( H{H[H(A),H(B)],H[H(C),H(D)]}, H{H[H(E),H(F)],H[H(G),H(H)]} ) Digitally signed

4 Giuseppe Bianchi Single chunk verification: use “siblings” ABCDEFGH H(A)H(B)C1=H(C)S1 = H(D)H(E)H(F)H(G)H(H) S2 = H[H(A),H(B)] C2=H[C1,S1]H[H(E),H(F)]H[H(G),H(H)] C3 = H{S2,C2}S3 =H{H[H(E),H(F)],H[H(G),H(H)]} ROOT = H[C3, S3] Log(N) siblings needed

5 Giuseppe Bianchi Applications (limited list)  Chunk validation (see example)  One-time signatures  Node authentication  Signature spreading  ….

6 Giuseppe Bianchi Lecture 6.2: Extras: Source Authentication: TESLA

7 Giuseppe Bianchi Issue: source authentication in multicast/broadcast MESSAGE, HMAC(K,MESSAGE) NODE A Secret K NODE B Secret K MESSAGE, HMAC(K,MESSAGE) NODE A Secret K NODE B Secret K NODE C Secret K Spoofing possible!! Unicast: one sender only, hence one possible message source. But what about multicast? More than one possible source!

8 Giuseppe Bianchi The problem and the “solution”  The problem:  Symmetric authentication does NOT provide source authenticity in group communication  The solution:  Digital signature, obviously…  … but consider:  High overhead  Computational/time requirements for signing and (especially) verifying! »Little more than 150 RSA-2048 decryptions/sec over fully dedicated Intel core 2 1.83 GHz with Vista 32 bit… »Compare with symmetric auth, 3-5 ORDERS OF MAGNITUDE FASTER!

9 Giuseppe Bianchi A possible alternative  Amortize signature cost over MULTIPLE packets  Transmit P1…Pn  At the end transmit signed H(P1…Pn)  One signature every n packets  Killing problem:  What about lost packets???  What about fake injected packets  one is enough to vanish all effort  DoS

10 Giuseppe Bianchi TESLA  Use a symmetric authentication mechanism in an “asymmetric” manner  Asymmetry = time!  TESLA = Timed Efficient Stream Loss- Tolerant Authentication  A. Perrig, R. Canetti, J. D. Tygar, D. Song (2000)  RFC 4082  Proposed in the frame of MSEC (Multicast IPsec)

11 Giuseppe Bianchi The (basic) idea  Assumption: time synchronization (loose)  Core idea: delayed disclosure of key! Time epoch N Time epoch N+x Sender: generates key K known only to himself Transmits MSG, HMAC(K,MSG) Receiver: Buffers MSG and waits Sender: now broadcasts key K Receiver: Verifies that MSG was authentic! …………

12 Giuseppe Bianchi Key chains (to cope with losses)  Usual idea: use keys in reverse other from their (chain) generation  Result: receiver needs only to read one key to authenticate all past msg – hence tolerating losses Kn = random Kn-1 = H(Kn) K0 = H(K1)

13 Giuseppe Bianchi Technical details  Not presented for reasons of time shortage   Key chain: differs from key used in auth  Synchro protocols  Hash chain efficient computation and maintenance, o(log^2 N)  Refer to RFC or papers

Download ppt "Giuseppe Bianchi Lecture 6.1: Extras: Merkle Trees."

Similar presentations

1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.

1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.
1 The Pollution Attack in P2P Live Video Streaming: Measurement Results and Defenses Prithula Dhungel Xiaojun Hei Keith W. Ross Nitesh Saxena Polytechnic.

1 The Pollution Attack in P2P Live Video Streaming: Measurement Results and Defenses Prithula Dhungel Xiaojun Hei Keith W. Ross Nitesh Saxena Polytechnic.
RIPPLE Authentication for Network Coding Yaping Li, The Chinese University of Hong Kong Hongyi Yao, Tsinghua University Minghua Chen, The Chinese University.

RIPPLE Authentication for Network Coding Yaping Li, The Chinese University of Hong Kong Hongyi Yao, Tsinghua University Minghua Chen, The Chinese University.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 4.2 BiBa.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 4.2 BiBa.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
Advanced Security Constructions and Key Management Class 16.

Advanced Security Constructions and Key Management Class 16.
DoS Attacks on Sensor Networks Hossein Nikoonia Department of Computer Engineering Sharif University of Technology

DoS Attacks on Sensor Networks Hossein Nikoonia Department of Computer Engineering Sharif University of Technology
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU 20082065 Myunghan Yoo.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
2015-6-1 1 Secure Vehicular Communications Speaker: Xiaodong Lin University of Waterloo

Secure Vehicular Communications Speaker: Xiaodong Lin University of Waterloo
TinySec: A Link Layer Security Architecture for Wireless Sensor Networks C. Karlof, N. Sastry, D. Wagner SPINS: Security Protocol for Sensor Networks A.

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks C. Karlof, N. Sastry, D. Wagner SPINS: Security Protocol for Sensor Networks A.
Mohamed Hefeeda 1 School of Computing Science Simon Fraser University, Canada Analysis of Multimedia Authentication Schemes Mohamed Hefeeda (Joint work.

Mohamed Hefeeda 1 School of Computing Science Simon Fraser University, Canada Analysis of Multimedia Authentication Schemes Mohamed Hefeeda (Joint work.
Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.

Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.
Security Issues In Sensor Networks By Priya Palanivelu.

Security Issues In Sensor Networks By Priya Palanivelu.
Research Trends in MANETs at CIIT, Islamabad Mohammad Mahboob Yasin, PhD COMSATS Institute of Information Technology.

Research Trends in MANETs at CIIT, Islamabad Mohammad Mahboob Yasin, PhD COMSATS Institute of Information Technology.
Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks Yih-Chun Hu (Carnegie Mellon University) Adrian Perrig (Carnegie Mellon University)

Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks Yih-Chun Hu (Carnegie Mellon University) Adrian Perrig (Carnegie Mellon University)
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.

Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
Timed Efficient Stream Loss-Tolerant Authentication. (RFC 4082) Habib Moukalled 1/29/08.

Timed Efficient Stream Loss-Tolerant Authentication. (RFC 4082) Habib Moukalled 1/29/08.
INSENS: Intrusion-Tolerant Routing For Wireless Sensor Networks By: Jing Deng, Richard Han, Shivakant Mishra Presented by: Daryl Lonnon.

INSENS: Intrusion-Tolerant Routing For Wireless Sensor Networks By: Jing Deng, Richard Han, Shivakant Mishra Presented by: Daryl Lonnon.
1 Ad Hoc Networks Security Instructor: Carlos Pomalaza-Ráez Fall 2003 University of Oulu, Finland.

1 Ad Hoc Networks Security Instructor: Carlos Pomalaza-Ráez Fall 2003 University of Oulu, Finland.

Similar presentations

Ads by Google