Presentation is loading. Please wait.

Presentation is loading. Please wait.

Version Number Authentication and Local Key Agreement Levente Buttyán Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology.

Published byMyron Clarke Modified over 8 years ago

Similar presentations

Presentation on theme: "Version Number Authentication and Local Key Agreement Levente Buttyán Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology."— Presentation transcript:

1 Version Number Authentication and Local Key Agreement Levente Buttyán Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology and Economics this is joint work with Amit Dvir, Tamás Holczer, and László Dóra work supported by the WSAN4CIP Project (www.wsan4cip.eu) (funded by the European Comission within FP7) - to be on the safe side - w w w. c r y s y s. h u

2 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 2 Contents  DIO message (broadcast) authentication –prevents misbehaving (compromised) nodes to become DODAG roots by sending out a DIO message for DODAG update with an increased Version Number  Local key exchange –allows each node to establish a set of pairwise keys (shared with each of its local neighbor) and a cluster key (shared with all neighbors)

3 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 3 Motivations for DIO message authentication  lack of physical protection + unattended operation  nodes may be accessed physically and get compromised  by sending a well crafted DIO message, a compromised node can easily become the root of the DODAG and divert all traffic towards itself  as each node rebroadcasts DIO messages, a single crafted DIO message can generate a lot of traffic and increase overall energy consumption  pairwise keys shared between neighboring nodes as envisioned in the ROLL security framework does not solve the problem

4 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 4 Design considerations  requirements –broadcast authentication only the real DODAG root should be able to generate valid DIO messages, and all nodes should be able to authenticate them –efficiency use symmetric key cryptography as much as possible  trade-off –authenticate only the Version Number this ensures that (re)construction of the DODAG can only be initiated by the real DODAG root  approach –use a hash chain for authenticating the Version Number, and … –symmetric or asymmetric key message authentication for authenticating the root of the hash chain (and the static part of the DIO message)

5 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 5 Protocol overview  the DODAG root generates a random number r, and computes a hash chain h(r), h(h(r)) = h 2 (r), …, h n (r)  the DODAG root distributes the root h n (r) of the hash chain to all nodes in the network by –including h n (r) in a DIO message –authenticating h n (r) and the static fields of the DIO message, such that all other nodes can be sure that h n (r) originates from the DODAG root digital signature verifiable with the public key of the DODAG root MAC computed with a globally shared key K that can be assumed to be non-compromised at the time of distributing and authenticating h n (r)  when the DODAG root sends out a DIO message with a new Version Number, it also releases the next hash chain value –note that the next hash chain value h i-1 (r) cannot be computed from the last released value h i (r) due to the one-way property of the hash function h  each node verifies that the new hash chain value hashes into the last received one, and stores the new value as the latest received hash chain value  when the DODAG root runs out of hash chain values it generates a new chain and distributes its root as described before

6 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 6 The Broadcast Authentication option 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type=10 | Option Length |C| H |Resvd | Security Alg | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | : Authentication Data : | + | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ C – Continues bit if set then authentication data continues in the next option H – Type of data in the Authentication Data field 0: not a hash value (i.e., signature or MAC) 1: hash chain root 2: current hash chain value defines the algorithm that should be used to interpret the Auth Data field (hash fn, MAC fn, digital sig scheme)

7 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 7 Examples  Broadcast Authentication options carrying a hash chain root and a digital signature on the hash chain root and the static fields of the DIO message:  Broadcast Authentication option carrying the latest hash chain value: +--+---+-+--+-+-------+ |10| 34|0|1 |0| 0x01 | +--+---+-+--+-+-------+ |Hash Chain Root Value| +---------------------+ +--+---+-+--+-+-------+ |10|255|1|0 |0| 0xC0 | +--+---+-+--+-+-------+ | IProt part 1 | +---------------------+ +--+---+-+--+-+-------+ |10|136|0|0 |0| 0xC0 | +--+---+-+--+-+-------+ | IProt part 2 | +---------------------+ +--+---+-+--+-+----------+ |10| 34|0|2 |0| 0x01 | +--+---+-+--+-+----------+ |Current Hash Chain Value| +------------------------+

8 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 8 Motivation for pairwise key establishment  the RPL security framework envisions the use of cryptographic mechanisms on the links between neighboring nodes, but …  it does not specify a key exchange method to set up the necessary keys

9 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 9 The LEAP protocol  main assumptions: –any node will not be compromised within time T after its deployment –any node can discover its neighbors and set up keys with them within time T kex < T typically, T kex is a few seconds, so these assumptions make sense in practice  protocol phases: –key pre-distribution phase –neighbor discovery phase –link key establishment phase –key erasure phase

10 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 10 The LEAP protocol  key pre-distribution phase –before deployment, each node is loaded with a master key K –each node u derives a node key K u as K u = f(K, u), where f is a one- way function  neighbor discovery phase –when a node deployed, it tries to discover its neighbors by broadcasting a “HELLO” message u  *: u –each neighbor v replies with v  u: v, MAC(K v, u|v) –u can compute f(K, v) = K v, and verify the authenticity of the reply

11 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 11 The LEAP protocol  link key establishment phase –u computes the link key K uv = f(K v, u) –v computes the same key –no messages are exchanged –note: u does not authenticate itself to v, but … only a node that knows K can compute K uv a compromised node that tries to impersonate u cannot know K (see below)  key erasure phase –time T after its deployment, each node deletes K and all keys it computed in the neighbor discovery phase

12 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 12 Integration into the RPL protocol  LEAP protocol messages: u  * (local broadcast message): u v  u (response message): v, MAC(K v, u|v)  no explicit HELLO message is needed, any locally broadcasted RPL message from u can serve as the LEAP HELLO message  LEAP response message can be piggy-backed as an option on a RPL message: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type=11 | Option Length | Comp Algo | MAC Function | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | : Response MAC : | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | : Compressed Address : | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

13 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 13 Integration options  S1:u  * DAO Multicast v  u DAO Unicast Ack  S2: u  * DAO Multicast v  u DAO Multicast Ack  S3: u  * DAO Multicast v  u DAO Multicast  S4: u  * DIO Multicast v  u DIO Unicast  S5: u  * DIS Multicast v  u DIO Unicast  S6: u  * DIS Multicast or DIO Multicast v  u DIO Multicast  S7: u  * New RPL Base Message v  u New RPL Base Message

14 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 14 Selection criteria RPLM: The scheme should not introduce a new RPL message type. RPLF: The scheme should not change RPL functionality. EFFI: The scheme should be efficient (low communication and computation overhead). STP: The local key agreement must be completed before the safe time period expires. BN: The scheme must work when the network boots and when a new node joins the DODAG. NEI: The scheme must find all of a node's neighbors. MAND: The scheme should prefer mandatory RPL message types (i.e., DIO, DIS). RELY: The scheme should not rely on DODAG or DODAGID.

15 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 15 Setting up a cluster key  protocol: –node u generates a random key –for each neighbor, node u encrypts this random key with the pairwise key shared with that neighbor –node u sends the encrypted random key to each of its neighbors  LEAP cluster key option: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type=12 | Option Length | Key Length | ENC Function | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | : Encrypted Cluster Key : | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

16 To be on the safe side. Laboratory of Cryptography and System Security Adat- és Rendszerbiztonság Laboratórium A biztonság kedvéért. www.crysys.hu 16 Status of implementation  we implemented the RPL protocol on two platforms –Linux 2.6.36, user space –TinyOS 2.x  we implemented the security extensions on Linux using the OpenSSL library  the TinyOS implementation will use the TinyECC library  our implementations will be used in the demos of the WSAN4CIP project –monitoring power grid lines and substations (Linux + WiFi) –monitoring a drinking water pipeline (TinyOS + TDMA based MAC)  results of our experiments can be expected in the second half of 2011

Download ppt "Version Number Authentication and Local Key Agreement Levente Buttyán Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology."

Similar presentations

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
A Survey of Secure Wireless Ad Hoc Routing

A Survey of Secure Wireless Ad Hoc Routing
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7. Wireless Sensor Network Security.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7. Wireless Sensor Network Security.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Lightweight Key Establishment and Management Protocol (KEMP) in Dynamic Sensor Networks draft-qiu-6lowpan-secure-router-01 Ying QIU, Jianying ZHOU, Feng.

Lightweight Key Establishment and Management Protocol (KEMP) in Dynamic Sensor Networks draft-qiu-6lowpan-secure-router-01 Ying QIU, Jianying ZHOU, Feng.
Nov.6, 2002 Secure Routing Protocol for Ad Hoc Networks Li Xiaoqi.

Nov.6, 2002 Secure Routing Protocol for Ad Hoc Networks Li Xiaoqi.
ITIS 6010/8010 Wireless Network Security Dr. Weichao Wang.

ITIS 6010/8010 Wireless Network Security Dr. Weichao Wang.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.

Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
Centre for Wireless Communications University of Oulu, Finland

Centre for Wireless Communications University of Oulu, Finland
INSENS: Intrusion-Tolerant Routing For Wireless Sensor Networks By: Jing Deng, Richard Han, Shivakant Mishra Presented by: Daryl Lonnon.

INSENS: Intrusion-Tolerant Routing For Wireless Sensor Networks By: Jing Deng, Richard Han, Shivakant Mishra Presented by: Daryl Lonnon.
Sencun Zhu Sanjeev Setia Sushil Jajodia Presented by: Harel Carmit

Sencun Zhu Sanjeev Setia Sushil Jajodia Presented by: Harel Carmit
Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.

Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.
Security & Efficiency in Ad- Hoc Routing Protocol with emphasis on Distance Vector and Link State. Ayo Fakolujo Wichita State University.

Security & Efficiency in Ad- Hoc Routing Protocol with emphasis on Distance Vector and Link State. Ayo Fakolujo Wichita State University.
SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.

SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.

Similar presentations

Ads by Google