Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Ad Hoc Networks Security Instructor: Carlos Pomalaza-Ráez Fall 2003 University of Oulu, Finland.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Ad Hoc Networks Security Instructor: Carlos Pomalaza-Ráez Fall 2003 University of Oulu, Finland."— Presentation transcript:

1 1 Ad Hoc Networks Security Instructor: Carlos Pomalaza-Ráez Fall 2003 University of Oulu, Finland

2 2 Introduction to Cryptography The idea is to protect data by transforming into a representation from which is hard to recover. This provide us with:  Confidentiality – only the sender and the receiver should know the message content  Authentication – sender and receiver can confirm the identity of each other  Integrity – sender and receiver can detect any alteration of the message  Non-repudiation – sender can not deny having created the message  Freshness – message is recent and not a replay Unless a message is properly protected unfriendly “agents” can capture or see it as it moves across the network and,  Insert messages into the connection  Impersonate – fake (spoof) source address  Hijack – take over connection a replacing the sender or receiver  Denial of service – by, for example, overloading the resources

3 3 Private (Symmetric) – Key systems In these systems the message M is encrypted using a key e which is known only to the sender and the receiver. To encrypt the message compute X = E(M, e), E being the encryption function. To decrypt X compute M = D(X, d), where d is the decryption key corresponding to e. There is usually a simple relationship between e and d. A widely known secret-key system is DES (Data Encryption Standard) M encryption algorithm decryption algorithm e – encryption key d – decryption key M = D(X, d) Alice X = E(M, e) Bob Unfriendly agent Eve

4 4 Public (Asymmetric)– Key systems In these systems the message M is encrypted using a key e which is public. To encrypt the message compute X = E(M, e), E being the encryption function. To decrypt X compute M = D(X, d), where d is the decryption key corresponding to e. Knowing e doesn’t help anyone to discover the decryption key d. M encryption algorithm decryption algorithm e – public encryption key d – private decryption key M = D(X, d) Alice X = E(M, e) Bob Unfriendly agent Eve

5 5 RSA – A Public-key Crypto-System RSA stands for its inventors Ron Rivest, Adi Shamir, and Len Ademan. We assume here that message is broken into parts of the right size, e.g. 1024 bits. Choosing Keys  Choose two large prime numbers p, q (e.g., 512 bits each)  Compute n = pq, z = (p-1)(q-1) = Ф(n)  Choose e, (e<n), such that it has no common factors with z, e.g. gcd(e,Ф(n)) = 1 (gcd stands for greatest common divisor)  Choose d such that ed-1 is exactly divisible by z (in other words, ed mod Ф(n) = 1)  Public key is (n,e)  Private key is (n,d) R.L. Rivest, A. Shamir, L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Comm. of ACM, 21 (2), pp. 120-126, Feb. 1978.

6 6 RSA: Encryption - Decryption

7 7 Hash Algorithms A basic tool for cryptography is a secure hash algorithm. Given a variable length message x, a secure hash algorithm computes a function h(x) which has a fixed and often smaller number of bits. It is usually not possible to recover x from its hash function. Desirable properties of a secure hash function are:  A hash function h(x) is one-way if given y it is hard to find x such that h(x) = y  A hash function h(x) is weakly collision-free if given a message x 1 it is hard to find another message x 2 such that h(x 1 ) = h(x 2 )  A hash function h(x) is strong collision-free if it is hard to find any pair of messages x 1, x 2 such that h(x 1 ) = h(x 2 ) An important property of secure hash functions, like any hash function, is that they should uniformly cover their range. That is, for a uniform distribution of the inputs, the output probabilities from the hash function should be uniform.

8 8 Authentication via Digital Signatures Method I:  Bob encrypts entire message with his private key; this is Bob’s digital signature  Bob send both the message and his digital signature Similar to handwritten signatures Dear Alice, Bob Bob’s private key Ready for Transmission  Alice decrypts Bob’s message using Bob’s public key  If decrypted message matches the message, Alice knows that the signed message could only have come from Bob  Signing the entire document/message is computationally expensive Original Text Text encrypted with Bob’s private key

9 9 Authentication via Digital Signatures Method II:  Compute a hash on the document/message  The hash, also called a message digest, is much smaller than the document, resembles a CRC (Cyclic Redundancy Check)  Use private key to encrypt only the message digest  Encrypted digest is commonly called a digital signature  Computationally inexpensive  Send both the document and the digitally signed message digest At receiver  Hash the document → MD A and decrypt the digital signature → MD B  If MD A = MD B then receiver knows that:  the identity of sender correctly matches the advertiser of the public key (authentication)  that the document hasn’t been tampered with (data integrity)

10 10 Digital Signature - Signed message digest Bob sends digitally signed message Original Long Message Fixed-size message digest Encrypted message digest Bob’s private key Send to Alice Alice verifies signature and integrity of digitally signed message Many to one hash function Fixed-size message digest Original Long Message Many to one hash function Encrypted message digest Bob’s public key Fixed-size message digest Compare

11 11 Non-Repudiation via Digital Signatures Fixed-size message digest Original Long Message Many to one hash function Encrypted message digest Bob’s public key Fixed-size message digest Compare MD A MD B  Digital Signatures provide authentication, integrity, and non-repudiation  At receiver, if MD A = MD B then receiver knows that:  Only the sender’s private key could have created this signature (Non-repudiation & Authentication)  Sender can’t deny sending message

12 12 One-Way Hash Chains Construction  Pick random r N and a public one-way function F  r i = F(r i+1 )  Secret value: r N  Public value: r 0 F r8r8 r5r5 r6r6 r7r7 FFF r4r4 Properties  Use in reverse order of construction, i.e. r 1, r 2,…, r N  It is not feasible to derive r i from r j (j<i)  Good for authenticating r i knowing r j (j<i), e.g. verify if r j = F i-j (r i )  Robust to missing values

13 13 Message Authentication Codes (MAC)  It is a code – MAC(K,M)  Calculated by some function MAC that requires little computation  Inputs are the message M to be sent and K, the symmetric key known only by the two parties  The code is appended to each packet, i.e. {M, MAC(K,M)} Bob Alice Compute C = MAC(K,M) { M | C } It’s Alice not Alice YesNo Compute C’ = MAC(K,M) C = C’ Alice and Bob know in advance K and the MAC function

14 14 Unicast Source Authentication Bob Dave Carol Alice K a-b {M|MAC(K a-b, M)} K a-b K a-c K a-d M is duplicated and sent separately to each intended receiver with it a different MAC High overhead and consumes network resources Internet {M|MAC(K a-c, M)} {M|MAC(K a-d, M)}

15 15 Multicast Source Authentication Internet Bob Dave Carol Alice KaKa {M|MAC(K a, M)} KaKa KaKa KaKa K a is known to all receivers. Any receiver can forge a packet Low overhead and less network resources when compared with unicast method

16 16 TESLA Timed Efficient Stream Loss-Tolerant Authentication  Uses symmetric key cryptography  Asymmetric key cryptography via time  Based on initial loose time synchronization  MAC is attached to each packet  Delayed-disclosure of keys MAC( K i,M) M time t i-1 titi t i+1 F(K i ) Authentic Commitment K i is disclosed 1- Verify K i 2- Verify MAC 3- M is authentic A. Perrig, R. Canetti, J.D. Tygar, D. Song, “Efficient authentication and signing of multicast streams over lossy channels,” IEEE Symposium on Security and Privacy, May 2000.

17 17 TESLA – Sender Setup Alice time interval i -1interval iinterval i +1interval N K i+1 KiKi K i-1 KNKN  Use F' to derive the key to compute MAC K‘ i = F’(K i ) K’ i+1 K’ i K’ i-1 K’ N F’  Break time in intervals of same duration  Determine key chain length N, picks the last key K N randomly  Using a One Way Pseudo Random Function F compute K i = F(K i+1 ), assign one key to each interval Key generation

18 18 TESLA – Authentication K i+1 KiKi K i-1 K’ i+1 K’ i K’ i-1 F’ M i-1, K i-2 MAC(K’ i-1, D i-1 ) D i-1 M i, K i-1 MAC(K’ i, D i ) DiDi M i+1, K i MAC(K’ i+1, D i+1 ) D i+1 P i-1 PiPi P i+1 authenticatedauthenticated after reception of P i+1 not yet authenticated  When the receiver gets packet P i, it can not verify the MAC since it does not yet know K i from which it can compute K’ i  Packet P i+1 discloses K i and allows the receiver to:  verify that K i is correct, e.g., F(K i ) = K i-1  compute K’ i and check the authenticity of packet P i by verifying the MAC of P i

19 19 TESLA – Dynamic Packet Rates DjDj K’iK’i D j+1 K’ i+2 ii +5i +4i +3i +2i +1 D j+3 K’ i+3 D j+4 K’ i+3 D j+4 K’ i+5 M j+4 K i+1 M j+3 K i-1 M j+2 K i-1 MjMj K i-4 M j+1 K i-2 TΔTΔ d=4  The MAC key and the disclosed key depend of the time interval  The authentication key of P j is K i which is disclosed by packets sent in interval (i + d )  In this example packet P j+4 discloses key K i+1 which allows the receiver to compute K i and to authenticate packet P j PjPj P j+2 P j+1 P j+3 P j+4

20 20 Attacks to Ad-Hoc Networks Passive  Only eavesdrop  Threats against privacy/anonymity Active  Injects packets and eavesdrops  Characterized based on the number of controlled nodes in the network Routing disruption attacks  Causes legitimate data packets to be routed dysfunctionally (e.g., routing loop, black hole, gray hole, detour, partition) Resource consumption attacks  Consumes valuable network resources or node resources (e.g., injecting data packets, injecting control packets)

21 21 ARIADNE: A Secure On-Demand Routing Protocol for Ad Hoc Networks  Withstands node compromise  Relies on highly efficient symmetric cryptography  Does not require trusted hardware or powerful processors Authenticate routing messages using one of:  Shared secrets between each pair of nodes  Avoids need for synchronization  Shared secrets between communicating nodes combined with broadcast authentication  Requires loose time synchronization  Digital signatures Y-C Hu, A. Perrig, D. B. Jonson, “Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks,” 8th ACM International Conference on Mobile Computing and Networking, MobiCom 2002, pp. 12-23.

22 22 ARIADNE: Key Setup  Shared secret keys  Key distribution center  Bootstrapping from a Public Key Infrastructure (PKI)  Pre-loading at initialization  Initial TESLA keys  Embed at initialization  Assume PKI and embed Certifications Authority’s public key at each node  Digital signatures  A mechanism distribute one authentic public key for each node Each node also has an authentic element from the Route Discovery chain of every node initiating Route Discoveries

23 23 ARIADNE: Route Discovery  Takes after DSR  Assume sender and receiver share secret (non-TESLA) keys for message authentication  Target authenticates ROUTE REQUESTS  Sender includes a MAC computed with end-to-end key  Target verifies authenticity and freshness of request using shared key  Data authentication using TESLA keys  Each hop authenticates new information in the REQUEST  Target buffers REPLY until intermediate nodes release TESLA keys o TESLA security condition is verified at the target o Target includes a MAC in the REPLY to certify the condition was met  Attacker can remove a node from node list in a REQUEST, but  One-way hash functions verify that no hop was omitted (per-hop hashing)

24 24 ARIADNE: Route Discovery  Assume all nodes know an authentic key of the TESLA one-way key chain of every other node  Securing ROUTE REQUEST  Target can authenticate the sender (using their additional shared key)  Initiator can authenticate each path entry in the ROUTE REPLY  No intermediate node can remove any other node in the REQUEST or REPLY  ROUTE REQUEST packet contains eight fields:  ROUTE REQUEST: label  initiator: address of the sender  target: address of the recipient  id: unique identifier  time interval: TESLA time interval of the pessimistic arrival time  hash chain: sequence of MAC hashes  node list: sequence of nodes on the path  MAC list: MACs of the message using TESLA keys

25 25 ARIADNE: Route Discovery  Upon receiving ROUTE REQUEST, a node: 1.Processes the request only if it is new 2.Processes the request only if the time interval is valid (not too far in the future, but not for an already disclosed TESLA key) 3.Modifies the request and rebroadcasts it – Appends its address to the node list, replaces the hash chain with H[A, hash chain], appends MAC of entire REQUEST to MAC list using K Ai where i is the index for the time interval specified in the REQUEST  When the target receives the route request: 1.Checks the validity of the REQUEST (determining that the keys from the time interval have not been disclosed yet and that hash chain is correct) 2.Returns ROUTE REPLY containing eight fields – ROUTE REPLY, target, initiator, time interval, node list, MAC list – target MAC: MAC computed over above fields with key shared between target and initiator – key list: disclosable MAC keys of nodes along the path

26 26 ARIADNE: Route Discovery  Node forwarding ROUTE REPLY  Waits until it can disclose TESLA key from specified interval o Appends that key to the key list o This waiting does delay the return of the ROUTE REPLY but does not consume extra computational power  When initiator receives ROUTE REPLY 1.Verifies each key in the key list is valid 2.Verifies that the target MAC is valid 3.Verifies that each MAC in the MAC list is valid using the TESLA keys The ROUTE MAINTENACE mechanism has similar features, e.g.,  Based on DSR  Node forwarding a packet to the next hop returns a ROUTE ERROR to the original sender  Prevent unauthorized nodes from sending errors, e.g. sender we authenticates errors

Download ppt "1 Ad Hoc Networks Security Instructor: Carlos Pomalaza-Ráez Fall 2003 University of Oulu, Finland."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.

1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 6. Security in Mobile Ad-Hoc Networks.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 6. Security in Mobile Ad-Hoc Networks.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
A Survey of Secure Wireless Ad Hoc Routing

A Survey of Secure Wireless Ad Hoc Routing
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
Timed Efficient Stream Loss-Tolerant Authentication. (RFC 4082) Habib Moukalled 1/29/08.

Timed Efficient Stream Loss-Tolerant Authentication. (RFC 4082) Habib Moukalled 1/29/08.
SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.

SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.
Cryptography April 20, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.

Similar presentations

Ads by Google