donggang liu and peng ning department of computer science nc state university

CSC 774 Adv. Net. Security 1

Computer Science

Efficient Distribution of Key Chain Commitments for Broadcast Authentication in

Distributed Sensor Networks

Donggang Liu and Peng Ning

Department of Computer Science

NC State University

CSC 774 Adv. Net. Security 2Computer Science

Background

• Sensor Networks– One or a few more powerful base stations and a pot

entially large number of sensor nodes• Inexpensive

• Limited resources (computational power, memory space, energy, etc.)

– When security is a concern, it is necessary for the sensors to authenticate messages received from base stations.


Time

K1 K2 Kn-2Key Disclosure

TESLA

• A variation of TESLA– Based on symmetric cryptography

– Provide broadcast source authentication by delayed disclosure of authentication keys

– Authentication of messages depends on the authenticity of the key chain commits K0.

Ki=F(Ki+1), F: pseudo random function

…

Authentication Keys

K4FK3

FK2FK1

FK0F Kn= RF

commitment


Distribution of Key Chain Commits

• TESLA– Digital signatures: Too expensive for sensors– Use the current keys to authenticate the

commitment of the next key chain.• Attractive targets for attackers.• Loss of commitment distribution messages loss of the

next key chain bootstrap again.

Old key chain New key chain

New commit K0’ Old key Kn


Distribution of Key Chain Commits (Cont’d)

TESLA– Unicast-based secure communication with the base

station.– Do not scale to large networks


Techniques

• Multi-level TESLA– Predetermination and broadcast instead of unicast.– Use high-level key chain to authenticate commitments of

low-level key chains.– Tolerate communication failures and malicious attacks.

• Five Schemes– Each later scheme improves over the previous one by

addressing its limitations.– The final scheme

• Low overhead• Tolerate message losses• Scalable to large networks• Resistant to replay attacks and DOS attacks.


Scheme I: Predetermined Key Chain Commitment• Predetermine the TESLA parameters along w

ith the master key distribution– commitment– start time– other parameters

• Shortcomings– Long key chain or large time interval?– Difficulties in setting up start time


Scheme II: Naïve Two-Level Key Chains

• Two-level key chains– One high-level key chain and multiple low-level

key chains– High-level key chain

• Authenticate commitments of low-level key chains

• Done through broadcast of Commit Distribution Messages (CDM)

– Low-level key chains• Authenticate actual data messages


Scheme II (Cont’d)

Ki-1 Ki

...Ki-1,1 Ki-1,2 Ki-1,m Ki,1 Ki,2 Ki,m Ki+1,1 Ki+1,2...Ki-2,m

F0 F0F0

F1 F1 F1 F1 F1 F1 F1

......

Time

Ki-1,0 Ki,0 Ki+1,0

F1F1 F1

CDMi=i|Ki+1,0|H(Ki+2 ,0)|MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1

• The two-levels of key chains

CDMi-1=i|Ki,0|H(Ki+1, 0)|MACK’i-1(i|Ki, 0|H(Ki+1, 0 ))|K i-2


Scheme II (Cont’d)

Ii,1 Ii,2 Ii,m Ii+1,1 Ii+1,2 Ii+1,m... ...

...

...

Ii Ii+1

Ki+1,0 Ki+2,0

Ki-1,m-d+1...

...

Ki-1,m-d+2 Ki,m-d Ki,m-d+1 Ki,m-d+2 Ki+1,m-d

TimeDisclosure oflow-level keys

Disclosure ofhigh-level keys

Distribution oflow-level

commitments

Ki-1 Ki

• Key disclosure schedule


Scheme II (cont’d)

• Limitations– Loss of CDM message during high-level interval Ii

• unable to authenticate during Ii+1

– Loss of the last several low-level keys

• unable to authenticate the corresponding messages.

Ki-1 Ki

...Ki-1,1 Ki-1,2 Ki-1,m Ki,1 Ki,2 Ki,m Ki+1,1 Ki+1,2...Ki-2,m

F0 F0F0

F1 F1 F1 F1 F1 F1 F1

......

Time

Ki-1,0 Ki,0 Ki+1,0

F1F1 F1


Scheme III: Fault Tolerant Two-Level Key Chains• Tolerate CDM message loss:

– Periodically broadcast CDM messages

– Assume • Probability that a receiver lose a CDM message: pf

• Broadcast frequency: F,

• Duration of a high-level interval: 0

– Reduce loss rate to

– Increase overhead by F0 times

• Tolerate normal message loss: – Connect the low-level key chains and the high-level key

chain

p fF 0


Scheme III (Cont’d)

Ki-1 Ki

...Ki-1,1 Ki-1,2 Ki-1,m Ki,1 Ki,2 Ki,m Ki+1,1...Ki-2,m

F01 F01 F01

F1 F1 F1 F1 F1 F1 F1

......

Time

Ki-1,0 Ki,0 Ki+1,0

F1F1 F1

CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1


DOS attacks

• CDM messages are more attractive to attackers• DOS attacks against CDM messages

– Selective jamming– Smart attacks: only change certain fields in CDM

messages • A receiver cannot discard the messages until it gets the

corresponding disclosed key

CDMi=i|Ki+1,0|H(Ki+2 ,0) |MACK’i(i|Ki+1 ,0|H(Ki+2 ,0 ))|K i-1

Low-level Key Chain Commitment for Ii+1

Image ofLow-level Key Chain Commitment for Ii+1

Disclosed High-level Key for Ii-1

MAC


Scheme IV: (Final) Two-Level Key Chains

• Randomize CDM distribution to mitigate selective jamming attacks– We assume there are other methods to deal with

constant jamming.

• Random selection strategy to mitigate smart DOS attacks– Single buffer random selection– Multiple buffer random selection


Scheme IV (Cont’d)

• Single buffer random selection– Assume each sensor has one buffer for CDM– Initial verification to discard forged CDMi

• Authenticate disclosed high-level key.• Authenticate Ki+1,0 if CDMi-1 is authenticated.

– For the k-th copy of CDMi that passes the initial verification

• Save it in the buffer with probability 1/k.• All such copies have equal probability to be saved.

– The probability that a sensor has an authentic CDM

• P(CDMi) = 1 p, where

p# forged copies

# total copies


Scheme IV (Cont’d)

• Multiple buffer random selection– Assume each sensor has m buffers for CDM– Initial verification to discard forged CDMi

• Same as before.

– For the k-th copy of a CDMi that passes the initial verification

• k m save it in one available buffer.• k > m save it in a randomly selected buffer with

probability m/k; • All such copies have equal probability to be saved.

– The probability that the sensor has an authentic CDM

• P(CDMi) = 1 pm, where

p# forged copies

# total copies


Scheme V: Multi-Level Key Chains

• m levels of key chains, arranged from level 0 to level m-1 from top down.– Keys in level m-1 are used for authenticating data– Each higher-level key chain is used to authenticate

the commitments for its immediately lower-level key chains.

– Every two adjacent levels work in the same way as in Scheme IV.


Simulation Study

• Network model– Emulate broadcast channel over IP multicast

– One base station

– One attacker

– Multiple sensor nodes

– Sensors are one-hop neighbors of the base station and the attacker

• Parameters– Channel loss rate

– Percentage of forged CDM packets

– Buffer size at sensors (data packets and CDM packets)


Simulation Study (Cont’d)

• Metrics– %authenticated data packets at a sensor node

(#authenticated data packets/received data packets)– Average data authentication delay (the average

time between the receipt and the authentication of a data packet).


Experimental Results

• Buffer allocation schemes

1 CDM buffers

1 CDM buffers

95% forged CDM


Experimental Results (Cont’d)

• %authenticated data packets

95% forgedCDM

39 CDM buffers3 data buffers


Experimental Results (Cont’d)

• Average data packet authentication delay39 CDM buffers3 data buffers


Conclusion

• Developed a multi-level key chain scheme to efficiently distribute commitments for TESLA– Low overhead

– Tolerance of message loss

– Scalable to large networks

– Resistant to replay attacks and DOS attacks

• Future work– Reduction of the long delay after complete loss of CDM

– Broadcast authentication involving multiple base stations

– Adaptive approach to dealing with the DOS attacks


Thank You!

donggang liu and peng ning department of computer science nc state university

Documents