Giuseppe Bianchi Lecture 6.1: Extras: Merkle Trees.

Slides:



Advertisements
Similar presentations
1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.
Advertisements

1 The Pollution Attack in P2P Live Video Streaming: Measurement Results and Defenses Prithula Dhungel Xiaojun Hei Keith W. Ross Nitesh Saxena Polytechnic.
RIPPLE Authentication for Network Coding Yaping Li, The Chinese University of Hong Kong Hongyi Yao, Tsinghua University Minghua Chen, The Chinese University.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 4.2 BiBa.
A Survey of Key Management for Secure Group Communications Celia Li.
Advanced Security Constructions and Key Management Class 16.
DoS Attacks on Sensor Networks Hossein Nikoonia Department of Computer Engineering Sharif University of Technology
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
Secure Vehicular Communications Speaker: Xiaodong Lin University of Waterloo
TinySec: A Link Layer Security Architecture for Wireless Sensor Networks C. Karlof, N. Sastry, D. Wagner SPINS: Security Protocol for Sensor Networks A.
Mohamed Hefeeda 1 School of Computing Science Simon Fraser University, Canada Analysis of Multimedia Authentication Schemes Mohamed Hefeeda (Joint work.
Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.
Security Issues In Sensor Networks By Priya Palanivelu.
Research Trends in MANETs at CIIT, Islamabad Mohammad Mahboob Yasin, PhD COMSATS Institute of Information Technology.
Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks Yih-Chun Hu (Carnegie Mellon University) Adrian Perrig (Carnegie Mellon University)
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
Timed Efficient Stream Loss-Tolerant Authentication. (RFC 4082) Habib Moukalled 1/29/08.
INSENS: Intrusion-Tolerant Routing For Wireless Sensor Networks By: Jing Deng, Richard Han, Shivakant Mishra Presented by: Daryl Lonnon.
1 Ad Hoc Networks Security Instructor: Carlos Pomalaza-Ráez Fall 2003 University of Oulu, Finland.
KIANOOSH MOKHTARIAN SCHOOL OF COMPUTING SCIENCE SIMON FRASER UNIVERSITY 3/24/2008 Secure Multimedia Streaming.
Sencun Zhu Sanjeev Setia Sushil Jajodia Presented by: Harel Carmit
Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.
Authenticating streamed data in the presence of random packet loss March 17th, Philippe Golle, Stanford University.
Multicast Security May 10, 2004 Sam Irvine Andy Nguyen.
SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.
SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.
A Lightweight Hop-by-Hop Authentication Protocol For Ad- Hoc Networks Speaker: Hsien-Pang Tsai Teacher: Kai-Wei Ke Date:2005/01/20.
ITIS 6010/8010: Wireless Network Security Weichao Wang.
Multicast Security CS239 Advanced Network Security April 16 th, 2003 Yuken Goto.
1 Timed Efficient Stream Loss-tolerant Authentication.
The Shared Channel Model for DoS Carl A. Gunter With Sanjeev Khanna, Kaijun Tan, and Santosh Venkatesh.
Computer Science CSC 774 Adv. Net. SecurityDr. Peng Ning1 CSC 774 Advanced Network Security Topic 4. Broadcast Authentication.
Security Introduction Class February Overview  Security Properties  Security Primitives  Sample Protocols.
Security Considerations for Wireless Sensor Networks Prabal Dutta (614) Security Considerations for Wireless Sensor Networks.
Mitigating DoS Attacks against Broadcast Authentication in Wireless Sensor Networks Peng Ning, An Liu North Carolina State University and Wenliang Du Syracuse.
GZ06 : Mobile and Adaptive Systems A Secure On-Demand Routing Protocol for Ad Hoc Networks Allan HUNT Wandao PUNYAPORN Yong CHENG Tingting OUYANG.
Chapter 21 Public-Key Cryptography and Message Authentication.
Internet-security.ppt-1 ( ) 2000 © Maximilian Riegel Maximilian Riegel Kommunikationsnetz Franken e.V. Internet Security Putting together the.
Authors: Yih-Chun Hu, Adrian Perrig, David B. Johnson
Security on Sensor Networks Presented by Min-gyu Cho SPINS: Security Protocol for Sensor Networks TinySec: Security for TinyOS SPINS: Security Protocol.
Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme
Computer Science CSC 774 Adv. Net. Security1 Presenter: Tong Zhou 11/21/2015 Practical Broadcast Authentication in Sensor Networks.
Group-based Source Authentication in VANETs You Lu, Biao Zhou, Fei Jia, Mario Gerla UCLA {youlu, zhb, feijia,
Multi-user Broadcast Authentication in Wireless Sensor Networks Kui Ren, Wenjing Lou, Yanchao Zhang SECON2007 Manar Mahmoud Abou elwafa.
1 CMPT 471 Networking II Authentication and Encryption © Janice Regan,
Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks Donggang Liu and Peng Ning Department of Computer.
Shambhu Upadhyaya 1 Ad Hoc Networks – Network Access Control Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 20)
Efficient and Secure Source Authentication for Multicast 報告者 : 李宗穎 Proceedings of the Internet Society Network and Distributed System Security Symposium.
Security for Broadcast Network
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1 Security for Broadcast Network Most slides are from the lecture notes of prof. Adrian Perrig.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Authenticating streamed data in the presence of random packet loss February 8 th, 2001 Philippe Golle Nagendra Modadugu Stanford University.
Round-Efficient Broadcast Authentication Protocols for Fixed Topology Classes Haowen Chan, Adrian Perrig Carnegie Mellon University 1.
@Yuan Xue 285: Network Security CS 285 Network Security Digital Signature Yuan Xue Fall 2012.
Packet Leashes: Defense Against Wormhole Attacks
The TESLA Broadcast Authentication Protocol CS 218 Fall 2017
Ariadne A Secure On-Demand Routing Protocol for Ad Hoc Networks
SPINS: Security Protocols for Sensor Networks
BROADCAST AUTHENTICATION
Data Integrity: Applications of Cryptographic Hash Functions
SPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor Networks
Outline A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar. SPINS: Security protocols for sensor networks. In Proceedings of MOBICOM, 2001 Sensor.
Comparison of Digital Signature with TESLA
TESLA Based Frame Authentication
Presentation transcript:

Giuseppe Bianchi Lecture 6.1: Extras: Merkle Trees

Giuseppe Bianchi Frequent practical problem: how to sign a chunked msg  Peer-to-peer delivery  Message divided into independent chunks  Frequently received out of order, and from distinct peers  Signature verification: needs to wait until COMPLETE message reconstruction  But what about fake injected chunks?  Per-chunk signatures: too expensive and too much overhead  Can we find a better solution? VERY LONG MESSAGE SIGNATURE CHUNK 1CHUNK 2 CHUNK 3CHUNK 4 CHUNK N …

Giuseppe Bianchi Merkle’s idea: Hash tree ABCDEFGH H(A)H(B)H(C)H(D)H(E)H(F)H(G)H(H) H[H(A),H(B)]H[H(C),H(D)]H[H(E),H(F)]H[H(G),H(H)] H{H[H(A),H(B)],H[H(C),H(D)]}H{H[H(E),H(F)],H[H(G),H(H)]} ROOT = H( H{H[H(A),H(B)],H[H(C),H(D)]}, H{H[H(E),H(F)],H[H(G),H(H)]} ) Digitally signed

Giuseppe Bianchi Single chunk verification: use “siblings” ABCDEFGH H(A)H(B)C1=H(C)S1 = H(D)H(E)H(F)H(G)H(H) S2 = H[H(A),H(B)] C2=H[C1,S1]H[H(E),H(F)]H[H(G),H(H)] C3 = H{S2,C2}S3 =H{H[H(E),H(F)],H[H(G),H(H)]} ROOT = H[C3, S3] Log(N) siblings needed

Giuseppe Bianchi Applications (limited list)  Chunk validation (see example)  One-time signatures  Node authentication  Signature spreading  ….

Giuseppe Bianchi Lecture 6.2: Extras: Source Authentication: TESLA

Giuseppe Bianchi Issue: source authentication in multicast/broadcast MESSAGE, HMAC(K,MESSAGE) NODE A Secret K NODE B Secret K MESSAGE, HMAC(K,MESSAGE) NODE A Secret K NODE B Secret K NODE C Secret K Spoofing possible!! Unicast: one sender only, hence one possible message source. But what about multicast? More than one possible source!

Giuseppe Bianchi The problem and the “solution”  The problem:  Symmetric authentication does NOT provide source authenticity in group communication  The solution:  Digital signature, obviously…  … but consider:  High overhead  Computational/time requirements for signing and (especially) verifying! »Little more than 150 RSA-2048 decryptions/sec over fully dedicated Intel core GHz with Vista 32 bit… »Compare with symmetric auth, 3-5 ORDERS OF MAGNITUDE FASTER!

Giuseppe Bianchi A possible alternative  Amortize signature cost over MULTIPLE packets  Transmit P1…Pn  At the end transmit signed H(P1…Pn)  One signature every n packets  Killing problem:  What about lost packets???  What about fake injected packets  one is enough to vanish all effort  DoS

Giuseppe Bianchi TESLA  Use a symmetric authentication mechanism in an “asymmetric” manner  Asymmetry = time!  TESLA = Timed Efficient Stream Loss- Tolerant Authentication  A. Perrig, R. Canetti, J. D. Tygar, D. Song (2000)  RFC 4082  Proposed in the frame of MSEC (Multicast IPsec)

Giuseppe Bianchi The (basic) idea  Assumption: time synchronization (loose)  Core idea: delayed disclosure of key! Time epoch N Time epoch N+x Sender: generates key K known only to himself Transmits MSG, HMAC(K,MSG) Receiver: Buffers MSG and waits Sender: now broadcasts key K Receiver: Verifies that MSG was authentic! …………

Giuseppe Bianchi Key chains (to cope with losses)  Usual idea: use keys in reverse other from their (chain) generation  Result: receiver needs only to read one key to authenticate all past msg – hence tolerating losses Kn = random Kn-1 = H(Kn) K0 = H(K1)

Giuseppe Bianchi Technical details  Not presented for reasons of time shortage   Key chain: differs from key used in auth  Synchro protocols  Hash chain efficient computation and maintenance, o(log^2 N)  Refer to RFC or papers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.