RIPPLE: Authentication for Network Coding
Yaping Li, The Chinese University of Hong Kong; Hongyi Yao, Tsinghua University; Minghua Chen, The Chinese University of Hong Kong; Sidharth Jaggi, The Chinese University of Hong Kong; Alon Rosen, Herzliya Interdisciplinary Center, Israel
Network Coding
Network coding:
- Maximizes network throughput
- Distributed solutions with low complexity
- Robust to packet loss and network failure
- Practical benefits
What if some nodes are malicious?
Pollution Attacks
(figure: source S and nodes A, B, M, D, E, F) Snowball effect
Taxonomy of Existing Solutions
- Axes: end-to-end vs. in-network; public-key based vs. symmetric-key based ([Yu09, Agrawal09])
- Limitations: only c-collusion resistant; vulnerable to a new tag pollution attack
New Tag Pollution Attacks
(figure: source S and nodes A, B, M, D, E, F) Snowball effect
Goal: immediate detection
Threat Model
Attackers can:
- Observe, inject, modify, delay, and drop packets
- Launch tag pollution attacks
- Collude arbitrarily
Attacker limitations:
- Polynomial-time bounded
- No access to the randomness used by the source
Homomorphic MAC
- Message Authentication Code (MAC): keyed hash function (symmetric key)
- Homomorphic MAC: create a new tag from old ones without the key
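The homomorphic property on this slide, as an added example (this is not the authors' construction, only a toy that has the property): packets are vectors over a prime field and the tag is the inner product of the packet with a secret key vector, so a node can combine tags with the same coefficients it uses to combine packets, without the key, and a verifier holding the key still catches a modified symbol. The field size, packets and coefficients are constructed values. Caveat: with the key reused across more than n packets an observer can solve the linear system for the key, which is one reason a delayed-disclosure scheme such as the one on the later slides pairs each key with a short disclosure interval.

```python
"""Toy linear homomorphic MAC over GF(P). Added example, not RIPPLE's MAC."""
import secrets

P = 2**31 - 1  # field size; a constructed choice, any prime works


def keygen(n):
    """Secret key: n random field elements, one per packet symbol."""
    return [secrets.randbelow(P) for _ in range(n)]


def mac(key, packet):
    """Tag = <key, packet> mod P. Only the key holder can compute this."""
    if len(key) != len(packet):
        raise ValueError("key and packet must have the same length")
    return sum(k * m for k, m in zip(key, packet)) % P


def combine(packets, tags, coeffs):
    """Network-coding step at an intermediate node; no key needed.

    The same linear combination is applied to the packets and to their
    tags, so the result still verifies under the source's key.
    """
    n = len(packets[0])
    new_packet = [sum(c * pkt[i] for c, pkt in zip(coeffs, packets)) % P
                  for i in range(n)]
    new_tag = sum(c * t for c, t in zip(coeffs, tags)) % P
    return new_packet, new_tag


def verify(key, packet, tag):
    """Recompute the tag; a polluted packet fails except with probability ~1/P."""
    return mac(key, packet) == tag


def demo():
    """Source tags two packets, a node combines them, a verifier checks the
    honest combination and a polluted copy. Returns (honest_ok, polluted_ok)."""
    key = keygen(3)
    pkts = [[1, 2, 3], [4, 5, 6]]                   # constructed packets
    tags = [mac(key, p) for p in pkts]
    coded, coded_tag = combine(pkts, tags, [2, 3])  # node's own coefficients
    polluted = coded[:]
    polluted[0] = (polluted[0] + 1) % P             # one symbol altered in transit
    return verify(key, coded, coded_tag), verify(key, polluted, coded_tag)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Run it directly to see the honest combination accepted and the polluted one rejected; `combine` is the only step an intermediate node performs, and it never touches `key`.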
RIPPLE, Illustrated
- When to disclose a key?
- How to authenticate a key?
- How to prevent tag pollution attacks?
(figure: source S and nodes A, B, C, D placed at Level 1, Level 2, Level 3)
Level: length of the longest path to the source
Our Homomorphic MAC
Provably resistant to tag pollution and arbitrary collusion
Tag Pollution Attack Resistant
(figure: source S and nodes A, B, M, D, E, F)
Immediate detection achieved!
When to Disclose a Key?
- Time
- One-way key chains
- Use time to create asymmetry (TESLA, [PERRIG02])
How to Authenticate a Key?
Source:
- Create a one-way key chain per level
- Difficult to compute ... from ... [key symbols missing from the transcript]
- Use in reverse order of generation
- Sign ..., denote ... [symbols missing from the transcript]
Nodes:
- Authenticate: given ..., ... is valid if ... is authentic and ... [symbols missing from the transcript]
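The two slides above (delayed disclosure via time, and key authentication via a one-way chain used in reverse order of generation) as an added example, not the authors' code: one TESLA-style chain for a single level, a receiver that buffers tagged packets until the key for their interval is disclosed, then hashes the disclosed key back to the last key it trusts before verifying the buffered tags. Assumptions: the anchor K_0 is taken as already signed by the source (the signing step is not shown), a plain HMAC stands in for the scheme's homomorphic MAC, and the seed and packets are constructed values.

```python
"""One-way key chain with delayed key disclosure (TESLA-style). Added example.

Generation:   K_n = seed, K_{i-1} = H(K_i), so K_0 = H^n(seed)
Use:          keys are used in reverse order of generation: K_1, K_2, ...
Authenticity: given an authentic K_i, a later K_j (j > i) is authentic
              iff H^(j-i)(K_j) == K_i
"""
import hashlib
import hmac


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [K_0, K_1, ..., K_n] with K_n = seed and K_{i-1} = H(K_i)."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    chain.reverse()
    return chain


def authenticate_key(trusted_key: bytes, trusted_idx: int,
                     candidate: bytes, candidate_idx: int) -> bool:
    """Hash the candidate back to the most recent trusted key."""
    if candidate_idx <= trusted_idx:
        return False                      # stale or replayed disclosure
    x = candidate
    for _ in range(candidate_idx - trusted_idx):
        x = h(x)
    return hmac.compare_digest(x, trusted_key)


def tag(key: bytes, packet: bytes) -> bytes:
    """HMAC stands in for the homomorphic MAC of the scheme (assumption)."""
    return hmac.new(key, packet, "sha256").digest()


class Node:
    """Receiver: buffers tagged packets until their interval key is disclosed,
    authenticates the key against the chain, then verifies the tags."""

    def __init__(self, anchor: bytes):
        self.trusted_key, self.trusted_idx = anchor, 0   # K_0 assumed signed by source
        self.pending = {}                                # idx -> [(packet, tag)]
        self.accepted = []

    def receive(self, idx: int, packet: bytes, t: bytes) -> None:
        if idx <= self.trusted_idx:
            return          # key already public: anyone could have made this tag
        self.pending.setdefault(idx, []).append((packet, t))

    def disclose(self, idx: int, key: bytes) -> bool:
        if not authenticate_key(self.trusted_key, self.trusted_idx, key, idx):
            return False
        for packet, t in self.pending.pop(idx, []):
            if hmac.compare_digest(tag(key, packet), t):
                self.accepted.append(packet)
        self.trusted_key, self.trusted_idx = key, idx
        return True


def demo():
    """Returns (valid_key_accepted, fake_key_accepted, accepted_packets)."""
    seed = b"constructed seed, not a real key"
    chain = make_chain(seed, 4)
    node = Node(anchor=chain[0])
    node.receive(1, b"pkt-a", tag(chain[1], b"pkt-a"))   # genuine tag
    node.receive(1, b"pkt-b", b"\x00" * 32)              # forged tag
    ok_key = node.disclose(1, chain[1])                  # hashes to the anchor
    bad_key = node.disclose(2, b"\x00" * 32)             # does not hash to K_1
    return ok_key, bad_key, node.accepted
```

The asymmetry comes from time alone: while K_i is undisclosed only the source can tag with it, and once it is disclosed the node refuses new packets for that interval, so a forger who learns K_i from the disclosure gains nothing. One chain per level, as the slide describes, is the same structure instantiated once per level.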
Performance Analysis
Settings:
- A network of 10k nodes, maximum 16 levels
- Packet size 1024 bytes
- Generation size 32 packets
- Number of parents per node: 6
- GNU/Linux with 2.33 GHz Intel Core 2 Duo processors
Results table (column headings only; values not in the transcript): Number of tags/level | Security | Computational overhead (ns): MAC, Verify and Combine | Packet overhead: Tag size (bytes)
Conclusion
RIPPLE: authentication scheme for NC
- Has low complexity
- Tolerates arbitrary collusion
- Resists tag pollution attacks