Version Number Authentication and Local Key Agreement Levente Buttyán Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology.

Slides:



Advertisements
Similar presentations
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Advertisements

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
A Survey of Secure Wireless Ad Hoc Routing
Digital Signatures and Hash Functions. Digital Signatures.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7. Wireless Sensor Network Security.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Lightweight Key Establishment and Management Protocol (KEMP) in Dynamic Sensor Networks draft-qiu-6lowpan-secure-router-01 Ying QIU, Jianying ZHOU, Feng.
Nov.6, 2002 Secure Routing Protocol for Ad Hoc Networks Li Xiaoqi.
ITIS 6010/8010 Wireless Network Security Dr. Weichao Wang.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
Centre for Wireless Communications University of Oulu, Finland
INSENS: Intrusion-Tolerant Routing For Wireless Sensor Networks By: Jing Deng, Richard Han, Shivakant Mishra Presented by: Daryl Lonnon.
Sencun Zhu Sanjeev Setia Sushil Jajodia Presented by: Harel Carmit
Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.
Security & Efficiency in Ad- Hoc Routing Protocol with emphasis on Distance Vector and Link State. Ayo Fakolujo Wichita State University.
SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.
SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.
Establishing Pairwise Keys in Distributed Sensor Networks Donggang Liu, Peng Ning Jason Buckingham CSCI 7143: Secure Sensor Networks October 12, 2004.
A Lightweight Hop-by-Hop Authentication Protocol For Ad- Hoc Networks Speaker: Hsien-Pang Tsai Teacher: Kai-Wei Ke Date:2005/01/20.
LEAP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks By: Sencun Zhu, Sanjeev Setia, and Sushil Jajodia Presented By: Daryl Lonnon.
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.
Security Considerations for Wireless Sensor Networks Prabal Dutta (614) Security Considerations for Wireless Sensor Networks.
Mitigating DoS Attacks against Broadcast Authentication in Wireless Sensor Networks Peng Ning, An Liu North Carolina State University and Wenliang Du Syracuse.
KAIS T A lightweight secure protocol for wireless sensor networks 윤주범 ELSEVIER Mar
Guomin Yang et al. IEEE Transactions on Wireless Communication Vol. 6 No. 9 September
1 A Location-ID Sensitive Key Establishment Scheme in Static Wireless Sensor Networks Proceedings of the international conference on mobile technology,applications,and.
Aggregation in Sensor Networks
GZ06 : Mobile and Adaptive Systems A Secure On-Demand Routing Protocol for Ad Hoc Networks Allan HUNT Wandao PUNYAPORN Yong CHENG Tingting OUYANG.
Security for the Optimized Link- State Routing Protocol for Wireless Ad Hoc Networks Stephen Asherson Computer Science MSc Student DNA Lab 1.
The Cryptographic Sensor FTO Libor Dostálek, Václav Novák.
Practices in Security Bruhadeshwar Bezawada. Key Management Set of techniques and procedures supporting the establishment and maintenance of keying relationships.
.Sense A Secure Framework for Sensor Network Data Acquisition, Monitoring and Command Screenshots We present.Sense, an end-to-end security framework for.
Providing Transparent Security Services to Sensor Networks Hamed Soroush, Mastooreh Salajegheh and Tassos Dimitriou IEEE ICC 2007 Reporter :呂天龍 1.
Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols ► Acts as denial of service by disrupting the flow of data between a source and.
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
A Two-Layer Key Establishment Scheme for Wireless Sensor Networks Yun Zhou, Student Member, IEEE, Yuguang Fang, Senior Member, IEEE IEEE TRANSACTIONS ON.
TinySec : Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof :: Naveen Sastry :: David Wagner Presented by Anil Karamchandani 10/01/2007.
Computer Science CSC 774 Adv. Net. Security1 Presenter: Tong Zhou 11/21/2015 Practical Broadcast Authentication in Sensor Networks.
Paper Review: On communication Security in Wireless Ad-Hoc Sensor Networks By Toni Farley.
Computer Science 1 TinySeRSync: Secure and Resilient Time Synchronization in Wireless Sensor Networks Speaker: Sangwon Hyun Acknowledgement: Slides were.
Key management for wireless sensor networks Sources: ACM Transactions on Sensor Networks, 2(4), pp , Sources: Computer Communications, 30(9),
SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
Tufts Wireless Laboratory School Of Engineering Tufts University Paper Review “An Energy Efficient Multipath Routing Protocol for Wireless Sensor Networks”,
Shambhu Upadhyaya 1 Sensor Networks – Hop- by-Hop Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 22)
Project: Simulated Encrypted File System (SEFS) Omar Chowdhury Fall 2015CS526: Information Security1.
1 An Interleaved Hop-by-Hop Authentication Scheme for Filtering of Injected False Data in Sensor Networks Sencun Zhu, Sanjeev Setia, Sushil Jajodia, Peng.
A Key Management Scheme for Distributed Sensor Networks Laurent Eschaenauer and Virgil D. Gligor.
Efficient Pairwise Key Establishment Scheme Based on Random Pre-Distribution Keys in Wireless Sensor Networks Source: Lecture Notes in Computer Science,
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Security Review Q&A Session May 1. Outline  Class 1 Security Overview  Class 2 Security Introduction  Class 3 Advanced Security Constructions  Class.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Draft-dvir-roll-security-authentication-01 and draft-dvir-roll-security-key-agreement Amit Dvir Laboratory of Cryptography and System Security (CrySyS)
Security of the Internet of Things: perspectives and challenges
A Secure Routing Protocol with Intrusion Detection for Clustering Wireless Sensor Networks International Forum on Information Technology and Applications.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Apr 1, 2003Mårten Trolin1 Previous lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
Message Authentication Code
e-Health Platform End 2 End encryption
Understand Networking Services
SPINS: Security Protocols for Sensor Networks
Path key establishment using multiple secured paths in wireless sensor networks CoNEXT’05 Guanfeng Li  University of Pittsburgh, Pittsburgh, PA Hui Ling.
The Secure Sockets Layer (SSL) Protocol
SPINS: Security Protocols for Sensor Networks
Chapter -7 CRYPTOGRAPHIC HASH FUNCTIONS
Presentation transcript:

Version Number Authentication and Local Key Agreement Levente Buttyán Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology and Economics this is joint work with Amit Dvir, Tamás Holczer, and László Dóra work supported by the WSAN4CIP Project ( (funded by the European Comission within FP7) - to be on the safe side - w w w. c r y s y s. h u

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. 2 Contents  DIO message (broadcast) authentication –prevents misbehaving (compromised) nodes to become DODAG roots by sending out a DIO message for DODAG update with an increased Version Number  Local key exchange –allows each node to establish a set of pairwise keys (shared with each of its local neighbor) and a cluster key (shared with all neighbors)

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. 3 Motivations for DIO message authentication  lack of physical protection + unattended operation  nodes may be accessed physically and get compromised  by sending a well crafted DIO message, a compromised node can easily become the root of the DODAG and divert all traffic towards itself  as each node rebroadcasts DIO messages, a single crafted DIO message can generate a lot of traffic and increase overall energy consumption  pairwise keys shared between neighboring nodes as envisioned in the ROLL security framework does not solve the problem

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. 4 Design considerations  requirements –broadcast authentication only the real DODAG root should be able to generate valid DIO messages, and all nodes should be able to authenticate them –efficiency use symmetric key cryptography as much as possible  trade-off –authenticate only the Version Number this ensures that (re)construction of the DODAG can only be initiated by the real DODAG root  approach –use a hash chain for authenticating the Version Number, and … –symmetric or asymmetric key message authentication for authenticating the root of the hash chain (and the static part of the DIO message)

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. 5 Protocol overview  the DODAG root generates a random number r, and computes a hash chain h(r), h(h(r)) = h 2 (r), …, h n (r)  the DODAG root distributes the root h n (r) of the hash chain to all nodes in the network by –including h n (r) in a DIO message –authenticating h n (r) and the static fields of the DIO message, such that all other nodes can be sure that h n (r) originates from the DODAG root digital signature verifiable with the public key of the DODAG root MAC computed with a globally shared key K that can be assumed to be non-compromised at the time of distributing and authenticating h n (r)  when the DODAG root sends out a DIO message with a new Version Number, it also releases the next hash chain value –note that the next hash chain value h i-1 (r) cannot be computed from the last released value h i (r) due to the one-way property of the hash function h  each node verifies that the new hash chain value hashes into the last received one, and stores the new value as the latest received hash chain value  when the DODAG root runs out of hash chain values it generates a new chain and distributes its root as described before

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. 6 The Broadcast Authentication option | Type=10 | Option Length |C| H |Resvd | Security Alg | | + | : Authentication Data : | + | C – Continues bit if set then authentication data continues in the next option H – Type of data in the Authentication Data field 0: not a hash value (i.e., signature or MAC) 1: hash chain root 2: current hash chain value defines the algorithm that should be used to interpret the Auth Data field (hash fn, MAC fn, digital sig scheme)

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. 7 Examples  Broadcast Authentication options carrying a hash chain root and a digital signature on the hash chain root and the static fields of the DIO message:  Broadcast Authentication option carrying the latest hash chain value: |10| 34|0|1 |0| 0x01 | |Hash Chain Root Value| |10|255|1|0 |0| 0xC0 | | IProt part 1 | |10|136|0|0 |0| 0xC0 | | IProt part 2 | |10| 34|0|2 |0| 0x01 | |Current Hash Chain Value|

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. 8 Motivation for pairwise key establishment  the RPL security framework envisions the use of cryptographic mechanisms on the links between neighboring nodes, but …  it does not specify a key exchange method to set up the necessary keys

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. 9 The LEAP protocol  main assumptions: –any node will not be compromised within time T after its deployment –any node can discover its neighbors and set up keys with them within time T kex < T typically, T kex is a few seconds, so these assumptions make sense in practice  protocol phases: –key pre-distribution phase –neighbor discovery phase –link key establishment phase –key erasure phase

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért The LEAP protocol  key pre-distribution phase –before deployment, each node is loaded with a master key K –each node u derives a node key K u as K u = f(K, u), where f is a one- way function  neighbor discovery phase –when a node deployed, it tries to discover its neighbors by broadcasting a “HELLO” message u  *: u –each neighbor v replies with v  u: v, MAC(K v, u|v) –u can compute f(K, v) = K v, and verify the authenticity of the reply

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért The LEAP protocol  link key establishment phase –u computes the link key K uv = f(K v, u) –v computes the same key –no messages are exchanged –note: u does not authenticate itself to v, but … only a node that knows K can compute K uv a compromised node that tries to impersonate u cannot know K (see below)  key erasure phase –time T after its deployment, each node deletes K and all keys it computed in the neighbor discovery phase

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért Integration into the RPL protocol  LEAP protocol messages: u  * (local broadcast message): u v  u (response message): v, MAC(K v, u|v)  no explicit HELLO message is needed, any locally broadcasted RPL message from u can serve as the LEAP HELLO message  LEAP response message can be piggy-backed as an option on a RPL message: | Type=11 | Option Length | Comp Algo | MAC Function | | : Response MAC : | | : Compressed Address : |

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért Integration options  S1:u  * DAO Multicast v  u DAO Unicast Ack  S2: u  * DAO Multicast v  u DAO Multicast Ack  S3: u  * DAO Multicast v  u DAO Multicast  S4: u  * DIO Multicast v  u DIO Unicast  S5: u  * DIS Multicast v  u DIO Unicast  S6: u  * DIS Multicast or DIO Multicast v  u DIO Multicast  S7: u  * New RPL Base Message v  u New RPL Base Message

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért Selection criteria RPLM: The scheme should not introduce a new RPL message type. RPLF: The scheme should not change RPL functionality. EFFI: The scheme should be efficient (low communication and computation overhead). STP: The local key agreement must be completed before the safe time period expires. BN: The scheme must work when the network boots and when a new node joins the DODAG. NEI: The scheme must find all of a node's neighbors. MAND: The scheme should prefer mandatory RPL message types (i.e., DIO, DIS). RELY: The scheme should not rely on DODAG or DODAGID.

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért Setting up a cluster key  protocol: –node u generates a random key –for each neighbor, node u encrypts this random key with the pairwise key shared with that neighbor –node u sends the encrypted random key to each of its neighbors  LEAP cluster key option: | Type=12 | Option Length | Key Length | ENC Function | | : Encrypted Cluster Key : |

To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért Status of implementation  we implemented the RPL protocol on two platforms –Linux , user space –TinyOS 2.x  we implemented the security extensions on Linux using the OpenSSL library  the TinyOS implementation will use the TinyECC library  our implementations will be used in the demos of the WSAN4CIP project –monitoring power grid lines and substations (Linux + WiFi) –monitoring a drinking water pipeline (TinyOS + TDMA based MAC)  results of our experiments can be expected in the second half of 2011

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.