Tutorial: Wireless Multicast Security

Tutorial:Tutorial: Wireless Multicast SecurityWireless Multicast Security

Yan Sun

University of Rhode Island

May 15, 2006

Tutorial: Secure Wireless Multicast

Yan Sun

OutlineOutlinePart 1:

– Introduction on Secure Wireless Multicast Unicast vs. Multicast Security requirements for Multicast Challenges in Wireless Networks

Part 2:– Multicast Key Management

Generic Schemes Network-aware Key Management Application-aware Key Management New Security Concerns

– Multicast Authentication

Part 3: More on wireless multicast

Part 1. IntroductionPart 1. Introduction

Unicast vs. Multicast

Security requirements for Multicast– Key Management

– Multicast Authentication

Challenges in Wireless Networks


Yan Sun

Basic ConceptsBasic Concepts

Unicast: one-to-one

Multicast: one-to-many

Broadcast: one-to-all

WirelessMulticastSecurity


Yan Sun

UnicastUnicast

Point-to-point communication (Unicast) has been the dominant form of computer communication since the beginning of networking.

Distributing content, such as a popular movie, to a large audience over individual point-to-point connections is not efficient.– congestion

– wasting network resources

– Delay

Point-to-point communication faces scalability problem.


Yan Sun

MulticastMulticast

Orange circles represent endpoints, and green circles represent routing points.

Multicast

Multiple Unicast

Multicast is an essential mechanism to achieve scalable information distribution.


Yan Sun In unicast, there is a one-to-one association between network address and network endpoint: each destination address uniquely identifies a single receiver endpoint.

In multicast, there is a one-to-many association between network addresses and network endpoints: each destination address identifies a set of receiver endpoints, to which all information is replicated.


Yan Sun

Multicast ApplicationsMulticast Applications

Digital video and audio multicast over Internet, such as movie-on-demand and video conferences.

Widespread software distribution, such as anti-virus scanner update and security patch delivery.

Disseminating real-time financial market information to a large audience with various devices, including PDAs, cell phones, computers etc.

Transportation control where road traffic pattern or air traffic control information is distributed to many stations.

Multi-player games involving thousands of users simultaneously interacting in a virtual game world.


Yan Sun

Good News to Both SidesGood News to Both Sides

Advantage: Multicast can efficient distribute information to thousands or even millions of users.

However, multicast also creates opportunities for malicious packets to reach thousands or millions of users.

Challenge: how to maintain security with dynamic group membership



Yan Sun

Security in Group CommunicationsSecurity in Group Communications

Confidentiality: non-group members cannot read the data

Integrity: data cannot be modified or deleted in any unauthorized way

Authentication: claimed sender is the actual sender

Access Control: only authorized parties can access the group communications

Non-repudiation: The sender cannot deny sending the message

No denial-of-service


Yan Sun

Access Control and ConfidentialityAccess Control and Confidentiality

Among all those requirements, access control is the first line of defense.

Basic approach:– Service provider encrypt the content using a key

– This key is shared among all legitimated group members, but not known by non-group members.

Encryption

Key Management– Dynamic groups: users joining and leaving

– How to generate and update the group key

Access ControlData confidentiality


Yan Sun

Key ManagementKey Management

Security requirements– Group key secrecy - non-group members cannot

obtain any group key.

– Backward secrecy - the join user cannot decrypt the content that was sent before his join.

– Forward secrecy - the departure/revoked user cannot decrypt the content that is sent after his deletion from the group.

Performance requirements– Low communication, computation and storage

overhead

– Scalability for large dynamic groups

– Reliable distribution of key update messages


Yan Sun

AuthenticationAuthentication

Asymmetric: Digital Signature– The sender sign the communication data using his

private key.

– The receiver verify the communication data using the sender’s public key.

– Inefficient due to high computation overhead

Symmetric: Message Authentication Code (MAC)– The sender and the receiver share a secret key,

and compute a message authentication code (MAC) of all communicated data.

– When a message with a correct MAC arrives, the receiver is assured that the sender generated that message.

– Efficient, but not secure in Multicast.


Yan Sun

Multicast AuthenticationMulticast Authentication

Design Goals:– Using symmetric authentication methods

– Ensure security


Yan Sun

Re-visit Security RequirementsRe-visit Security Requirements

Confidentiality: non-group members cannot read the data

Integrity: data cannot be modified or deleted in any unauthorized way

Authentication: claimed sender is the actual sender

Access Control: only authorized parties can access the group communications

Non-repudiation: The sender cannot deny sending the message

No denial-of-service


D1


Yan Sun

Wireless MulticastWireless Multicast

Many future multicast services will take place in the wireless domain.

Challenges:

Communication aspects:– Resource limitation: bandwidth, power, etc.

– Diverse devices

– Packet loss due to transmission errors

– Mobility

Security aspects– Ease of snooping on wireless transmissions

– DoS attacks: Jamming, Fake collisions



Yan Sun

Wireless Wireless Multicast Multicast

Unique Feature:

Broadcast nature of wireless media

D2


Yan Sun

History of Wireless TechnologiesHistory of Wireless Technologies

Marconi’s wireless telegraphy (Patented in 1896 in the UK.)

American inventor Reginald Fessenden completed the first true radio broadcast in 1906

AM radio, the first real wireless industrial, in 1920s. FM radio in 1930s.

First wireless phone system appears in US in 1970s.

First commercial GSM network began offering service in 1991.

Late 90s, Wireless LAN and Bluetooth. 802.11 standard was finalized in 1997.

……


Yan Sun

Design ConsiderationsDesign Considerations

Communication aspects:– Resource limitation: bandwidth, power, etc.

– Diverse devices

– Packet loss due to transmission errors

– Mobility

Security aspects– Ease of snooping on wireless transmissions

– DoS attacks: Jamming, Fake collisions

A potential powerful tool– Broadcast nature of wireless media


Part 2(a). Group Key Management Part 2(a). Group Key Management

Generic Key Management Schemes Network-aware Key Management Application-aware Key Management New Security Concerns


Yan Sun

Key ManagementKey Management

Centralized schemes: relying on a trusted Key Distribution Center (KDC)

Contributory schemes: generating/updating keys in a distributed manner.

Generic KM

Network-aware KM

Application-aware KM

Other security concerns


Yan Sun

Centralized Key Management Centralized Key Management


Yan Sun

Simplest Centralized Key ManagementSimplest Centralized Key Management

KsSession

Key (SK)

u000 u001 u110 u111Users u010 u011 u100 u101

K000 K001 K010 K011 K100 K101 K110 K111User

private keys

Ownership of the keys:KDC: knows all keysA User: the session key and its own private key

Data Distribution:Communication data is encrypted by the session key


Yan Sun

Key Update for User joinKey Update for User join

KsSession

Key (SK)

u000 u001 u110 u111Users u010 u011 u100 u101

K000 K001 K010 K011 K100 K101 K110 K111User

private keys

When a user joins the service, The current group members receive rekeying messages

olds

news KK }{

The joining user receives through a secure unicast channel during registration.

newsK


Yan Sun

Key Update for User DepartureKey Update for User Departure

KsSession

Key (SK)

u000 u001 u110 u111Users u010 u011 u100 u101

K000 K001 K010 K011 K100 K101 K110 K111User

private keys

)O(~ size message Rekeying N

110010001000

111

}{ ...,. , }{ ,}{, }{

service theleaves user

KKKKKKKK

unews

news

news

news


Yan Sun

Tree-based Key ManagementTree-based Key Management

An important class of centralized key management protocols employ logical tree structures to maintain keying materials

Tree-based KM protocols are considered to be scalable in terms of communication, computation and storage overhead


Yan Sun

Tree-based Centralized Key ManagementTree-based Centralized Key Management

KsSession

Key (SK)

u000 u001 u110 u111Users u010 u011 u100 u101

K000 K001 K010 K011 K100 K101 K110 K111User

private keys

K00 K01 K10 K11

K0 K1

Key Encrypted

Keys(KEKs)

Keys: session key; users’ private key; key encrypted keys

Ownership of the keys:A user: the keys on the branch from itself to the root


Yan Sun

Operation for User JoinOperation for User Join

KsSession

Key (SK)

u000 u001 u110Users u010 u011 u100 u101

K000 K001 K010 K011 K100 K101 K110User

private keys

K00 K01 K10 K11

K0 K1

Key Encrypted

Keys(KEKs)

u111

K111

Key server • generates new versions of Ks, K1 and K11, • encrypted them using old versions• send encrypted keys to all current users.


Yan Sun

Operation for User DepartureOperation for User Departure

KsSession

Key (SK)

u000 u001 u110 u111Users u010 u011 u100 u101

K000 K001 K010 K011 K100 K101 K110 K111User

private keys

K00 K01 K10 K11

K0 K1

Key Encrypted

Keys(KEKs)

))(logO(2~ size message Rekeying 2 N

service theleaves user 111u 11011 }{ KK new

101 }{ KK new newnew KK 111 }{

0}{ KK news

newnews KK 1}{

D3


Yan Sun

Security Security

Security Goal: only authorized parties can access group comm.

Security Assumption:– No insiders are compromised. – Attackers cannot obtain other users’

private keys.– Attackers (who are non-group members)

cannot break the encryption.


Yan Sun

Variations of Tree-based SchemesVariations of Tree-based Schemes

VersaKey Framework improves the user joining operation.– new keys can be calculated through a one-way function

without sending rekeying messages.

– Key structure

{key ID, version number, revision number, key content}

One-way Function Tree (OFT)– the keys on the key tree are generated through one-way

functions, rather than arbitrarily determined by the KDC.

– This approach reduces the rekeying overhead from O(2 log(n)) to O(log(n)).

ELK– Instead of using one-way functions, ELK uses pseudo-

random functions to build and manipulate the keys. It also introduces hints, a small piece of information that improves reliability of rekeying.


Yan Sun Clustering– members are organized into a hierarchical

clustering structure. The cluster leaders are selected from group members and perform partial key management.


Yan Sun

Contributory Key ManagementContributory Key Management

In many scenarios, it is not preferred to rely on a centralized key server. – group members do not explicitly trust a single

entity;

– there are no servers or group members who have sufficient resources to maintain, generate and distribute keying information.

Contributory Key Management– Every group member participates key

establishment

– The group key contains contributions from all group members.

– The members’ personal keys are not disclosed to any other entities.


Yan Sun

Two-Party Diffie-HellmannTwo-Party Diffie-Hellmann

– Alice and Bob select a large prime number p and a primitive root α (mod p). Both p and α can be made public.

– Alice choose a secrete : x with 1 x p-2Bob choose a secrete: y with 1 x p-2

– Alice send αx (mod p) to BobBob send αy (mod p) to Alice

– Alice Calculates K = ( αy )x (mod p)– Bob Calculates K = ( αx )y (mod p)

Alice Bobαx (mod p)

αy (mod p)

K = αyx (mod p) K = αyx (mod p)

x y


Yan Sun

Group Diffie-HellmannGroup Diffie-Hellmann

Ingemarsson et al. first introduced a conference key distribution system based on a ring topology.

Steiner et al. extended the two-party Diffie-Hellman (DH) protocol and proposed group Diffie-Hellman protocols GDH.1/2/3

Logical tree structure is also used in the contributory setting by Kim et al in TGDH, and by Dondeti et al in DISEC.


Yan Sun

Tree-based Contributory SchemeTree-based Contributory Scheme


Yan Sun

Network-aware Key ManagementNetwork-aware Key Management

Wireless Multicast

In the future, many group communications will take place in the wireless domain.

Wireless scenario poses additional challenges on the key management,

High error rate Limited bandwidth

Rekeying messages need to be delivered reliably and in a timely manner.

Communication-efficient key management schemes are motivated.

Generic KM

Network-aware KM




Yan Sun

Re-Visit Tree-based ApproachRe-Visit Tree-based Approach

KsSession

Key (SK)

u000 u001 u110 u111Users u010 u011 u100 u101

K000 K001 K010 K011 K100 K101 K110 K111User

private keys

K00 K01 K10 K11

K0 K1

))O(log(~ size message Rekeying N

service theleaves user 111u

11011 }{ KK new

101 }{ KK new newnew KK 111 }{

0}{ KK news

newnews KK 1}{

Key Encrypted

Keys(KEKs)


Yan Sun

Topology-aware Key Management Topology-aware Key Management

Observation– Most rekeying messages are only

useful for a subset of users. Ideas

– To match the key tree with the network topology,

– To localize the transmission of rekeying messages.

Goal:– To reduce the communication overhead– To improve reliability of key distribution


Yan Sun

Cellular Network TopologyCellular Network Topology


Yan Sun

Topology-Matching Key TreeTopology-Matching Key Tree

Step1: user-subtrees

Step2: BS-subtrees

Step3: SH-subtree


Yan Sun

Handoff Scheme for TMKMHandoff Scheme for TMKM

In mobile environment, the user will handoff to different BSs while maintaining his subscription to the group.

Handoffs cause users’ relocation on the TMKM tree.

A simple solutions: – when a user moves from cell i to cell j, he can

be treated as if he leaves the service from cell i, and join the service again to cell j.

Handoff can be done efficiently – Do not update keys immediately after handoffs.– Allow users to have more than one set of valid

keys– When a user leaves the service, update all his

keys.


Yan Sun

Two Effects of TMKMTwo Effects of TMKM

Marching Key tree to Network Topology

Localizing transmission of rekeying messages – reducing the comm. cost of sending one rekeying message.

Handoff – may need to update more than one set of keys when a user leaves


Yan Sun

Performance MeasurementPerformance Measurement

SH

BS BS BS BS

wireline-message-size :

the amount of the rekeying messages multicast to the BSs;

wireless-message-size :

the amount of the rekeying messages broadcast by BSs.(broadcast nature)


Yan Sun

1 2 3 4 5 6 7 8 90

2

4

6x 10

7

wir

ele

ss c

ost

multiple SH, R=4 mile, Vmax

=50 mile/hr, 1/ = 20 minute

1 2 3 4 5 6 7 8 90

2

4

6x 10

6w

ire

line

cost

1 2 3 4 5 6 7 8 90.2

0.3

0.4

0.5

the number of SH

per

form

anc

e ra

tio

TIKMTMKM

TIKMTMKM

= TMKM/TIKM

PerformancePerformance


Yan Sun

ScalabilityScalability

Scalability: when the number of SH (N) increases

Reliability is also improved.

NMp NMp)-(1-1

messages) rekeying all receivenot doesuser oneleast at Pr(


Yan Sun

Application-aware Key ManagementApplication-aware Key Management

Generic KM

Network-aware KM



Applications: many multimedia group communications contains multiple data streams. For example, – a multicast program containing several related

services. Users can subscribe one or multiple services.

– In military applications, access privilege depends on the rank.

How to management keys when group members have different levels of access privilege?


Yan Sun

Example 1Example 1

Basic Comm. Advanced Comm.

Top Secret Comm.

Lowest Access Level

Moderate Access Level Highest Access Level

Data Group (DG): users that receive the same single multicast data stream

Service Group (SG): users that have the same access privilege


Yan Sun How many multicast sessions?

How to encrypt the multicast content?

How to manage keys?

Ks

Session Key (SK)

u000 u001 u110 u111Users u010 u011 u100 u101

K000 K001 K010 K011 K100 K101 K110 K111

User private keys

K00 K01 K10 K11

K0 K1


Yan Sun

Another Application ExampleAnother Application Example

Data Group (DG): Channel 1, channel 2 and channel 3

Service Group (SG): users who subscribe channel-- {1}, {2}, {3}, {1,2}, {1,3}, {2, 3}, {1,2,3}


Yan Sun

A Simple SolutionA Simple Solution

DK3

DK2

DK1

A separate tree is constructed for each DG

},,{ have some

};,{ have users some };{ have users some

secrete. pencrypt to toused is

comm. advancedencrypt toused is

comm. basicencrypt toused is

321

211

3

2

1

DDD

DDD

D

D

D

KKK

KKK

K

K

K


Yan Sun

A Better SolutionA Better Solution

Construct Key tree/graph based on SGs

SK }100{SK }110{

SK }111{

STEP 2. For each SG, construct a SG-subtree

STEP 1. For each DG, generate an data group key

DK3DK2

DK1

DK2DK3

DK1STEP 3. Connect the root of SG-subtrees and the data group keys

SK }100{SK }110{

SK }111{


Yan Sun

Key Update AlgorithmKey Update Algorithm

DK1DK2

DK3

SK }100{SK }110{

SK }111{

secrecy

forward

ensure to

keys update

secrecy

backward ensure

tokeys update1D 3D2D

}111{S}110{S}100{S


Yan Sun

Advantages of Key GraphAdvantages of Key Graph

Reduce storage overhead

Reduce communication overhead

Improve scalability

2

1

managementkey group-multi of overhead Storage

managementkey based- treeof overhead Storagelim0

M

N


Yan Sun

Other Security ConcernsOther Security Concerns

Key Management:

Protect multicast content from unauthorized access

Meanwhile, key management can disclose the information about dynamic group membership.

-- Number of users in a multicast group

-- Number of joining and departure users in a certain time interval.

Generic KM

Network-aware KM




Yan Sun

Is this a security problem?Is this a security problem?

Group communication content and Group dynamic information (GDI) are two different types of information.

In commercial applications, GDI helps the competitors to analyze the audience behavior and develop efficient competition strategies.

In some other applications, GDI may represent network deployment information.


Yan Sun

Application Example 1Application Example 1

GDI has commercial value in future multicast services.

Because of efficient key management, a user can have flexibility to subscribe to an arbitrary set of programs, and changes his subscription at any time. The user will pay for what exactly he/she gets.

Viewers’ statistics, i.e. GDI, has commercial value.

Service provider A knows its own GDI, but does not wants to reveal GDI to its competitor service provider B.

GDI should also be protected against insiders.


Yan Sun

Application Example 2Application Example 2

GDI may represent sensitive information

The base station sends many broadcast messages to sensors.

GDI represents the number of sensors deployed in an area.

Broadcast content contains mostly control messages.

Malicious users should not be able to acquire GDI from compromised sensors.


Yan Sun

Group Dynamic InformationGroup Dynamic Information

Group Dynamic Information (GDI)

– N(t): the number of users in the group at time t

– J(t0, t1) : the number of users who join the group in time interval [t0, t1].

– L(t0, t1) : the number of users who leave the group in time interval [t0, t1].

D4


Yan Sun

Attack 1 Attack 1

[A1] Obtain J(t0, t1) and L(t0, t1) from the format of rekeying messages.

Ks

K

u000 u001 u110 u111...

K000K001 K010

K011K100 K101 K110 K111

K00K01 K10 K11

K0 K1

Session

Key (SK)

Key Encrypted

Keys(KEKs)

Users private

keys

}{ 1111newold KK

}{ 11newold KK

}{ newold KK

}{ news

new KK

u111 join

u111 leave

}{ 11110newKK

}{ 110newKK

}{ news

new KK

}{ 111newnew KK

}{0newKK }{1

newnew KK


Yan Sun

Assumptions:– N(t) do not vary much in a short time period

– The joining users are always put on the shortest branch of the key tree.

– The key tree is full loaded and has the fixed degree d.

– A user’s departure behavior is independent of others.

– The leaving users are uniformly distributed on the key tree.

Notations:– The attacker has W observations: {m1, m2, … mw}

Maximum Likelihood estimator

Attack 2Attack 2

})(|},...,,Pr{{maxarg)( 21 ntNmmmtN Wn

ML

[A2] Estimate N(t) directly from the size of the rekeying messages.


Yan Sun

It is an effective attack!It is an effective attack!

(a)(b)(c) simulated multicast groups; (d) a real MBone audio session.


Yan Sun

Attack 3Attack 3

Key IDs are send in clear text

{Kx}Ky

[ y, version_num(Ky), revision-number(Ky),

{x, version_num(Kx), revision_num(Kx), Kx }Ky ]

Key ID can tell the structure of the key tree

The frequency of a key ID appears can tell the number of users under this node.


Yan Sun

Key ID-based Reveals Group SizeKey ID-based Reveals Group Size

P(K00) = P(K01) P(K10) = P(K11)


Yan Sun

Key ID-based Reveals Group SizeKey ID-based Reveals Group Size

P(K00) = P(K01) P(K10) = P(K11)

P(K1) = 1 - ( 1 - P(K11)) ( 1 - P(K00))

>P(K00)


Yan Sun

ComparisonComparison

A1 – format of rekeying messages

A2 – size of the rekeying messages

A3 – ID of the keys

D5


Yan Sun

Vulnerability of Popular SchemesVulnerability of Popular Schemes

Centralized Key Management Schemes Straight- forward?

A2 effective?

A1 Effective?

Key Graph [1] No Yes Yes Wallner [2] No Yes Yes Tree-based VersaKey [3][4] No Yes Yes One-way function tree [5] No Yes No Improve Key Revocation [6] No Yes No ELK[7] No Yes --

Tree Based

Trappe: Embedding [8] No Yes Yes Security lock [9] Yes -- --

No No No Flat

Flat VersaKey [3][4] Not resist to collusion attacks

Iolus [10] No Local Local No No No

Local security agents

Cluster [11] GDI is transparent to cluster leaders, who compose about ¼ of total users. No No No Others Subset differences Extremely inefficient when T>>N


Yan Sun

Anti-attack techniquesAnti-attack techniques

Batch Rekeying – remove GDI in time domain

update keys periodically– Reducing the communication overhead

– Resistant to attack [A1], but not resistant to attack [A2] and [A3]

Phantom Users – remove GDI in message domain

Phantom users as well as their join and departure behavior, are created by the KDC.– Generate the artificial GDI

– The observed rekey process only reveals artificial GDI.


Yan Sun

Anti-attack techniquesAnti-attack techniques

Real GDI Artificial GDI Rekeying Process


Yan Sun

Real GDI and Artificial GDIReal GDI and Artificial GDI

N0

L0

L0


Yan Sun

Communication OverheadCommunication Overhead

Communication overhead– L0 : the total number of real and phantom join/departure users.

– N0 : the total number of real the phantom users.


Yan Sun

SecuritySecurity

Leakage of GDI:– Mutual information between the real GDI and artificial GDI.


Yan Sun

OptimizationOptimization

Choose L0 and N0 such that the leakage of GDI is minimize given the communication overhead constraint.


Yan Sun

TradeoffTradeoff


Yan Sun

GDI in Distributed EnvironmentsGDI in Distributed Environments

In many distributed key management schemes, group members must know GDI to perform

admission control key chain/ring/tree generation. group key establishment

The inside/outside attackers can also obtain GDI from the size of messages containing key materials.

General Suggestion: Contributory Schemes are not suitable for applications with confidential GDI.

Part 2(b). Multicast AuthenticationPart 2(b). Multicast Authentication

Review Digital Signature and MAC

Security problem of using MAC in Multicast

TESLA


Yan Sun

Public Key and Privacy KeyPublic Key and Privacy Key

Bob

(Bob's public key) (Bob's private key)

Bob has been given two keys. One of Bob's keys is called a Public Key, the other is called a Private Key.

Bob's Co-workers:

Pat Doug Susan

Anyone can get Bob's Public Key, but Bob keeps his Private Key to himself

Digital Signature

MAC

TESLA


Yan Sun

Signature GenerationSignature Generation

Step 1:

Step 2:


Yan Sun

Step 3:


Yan Sun

Signature VerificationSignature Verification


Yan Sun

Message Authentication CodeMessage Authentication Code

MAC is an authentication tag derived by applying an authentication scheme, together with a secret key, to a message.

Unlike digital signatures, MACs are computed and verified with the same key.

Hash function-based MACs (often called HMACs) use a key or keys in conjunction with a hash function to produce a checksum that is appended to the message

Digital Signature

MAC

TESLA


Yan Sun

Authentication in UnicastAuthentication in Unicast

In unicast,– Alice is going to send many packets to Bob. Bob

wants to make sure that these packets are really from Alice.

– Alice and Bob first establish a shared key K.

– For each packet, Alice generates a MAC using key K. Alice send the packet together with the MAC.

– Bob verifies

The received MAC is generated based on the received packet.

The MAC is generated using key K.– Since Alice is the only one (besides Bob) who has

the key K, the packet must be from Alice and has not been modified by others.


Yan Sun

Authentication in UnicastAuthentication in Unicast

Alice

Bob

K

K

M, MAC(K,M)


Yan Sun

Authentication for MulticastAuthentication for Multicast

Alice

Bob

K

KEve

K

M, MAC(K,M) M, MAC(K,M)

M', MAC(K,M')

Append MAC, computed using a shared key, to Append MAC, computed using a shared key, to each packet. each packet.

any receiver that has the shared key can any receiver that has the shared key can impersonate the senderimpersonate the sender


Yan Sun

TESLA OverviewTESLA Overview

Use “symmetric cryptography”, using MAC

Delay disclosure of keys by the sender

Sender

- attach to each packet, MAC computed using a key ‘k’ known only to itself.

Receiver

- buffers packet without being able to authenticate

- a short while later, sender discloses ‘k’ and the receiver is able to authenticate the packet.

- packets that are received too late are discarded.

Comments A single MAC per packet suffices to produce “source

authentication” Both sender and receivers are time synchronized.

Digital Signature

MAC

TESLA


Yan Sun

TESLA DetailsTESLA Details

One-way key chain– Each sender chooses random initial key KN,

generates one-way key chain as

KN-1 = H (KN); KN-2 = H (KN-1), ….

Schedule for disclosing keys– Sender pre-determines the schedule

– For example, disclose Ki at Ti = T0 + i t

Receiver can determine which key is disclosed– Based on loose time synchronization()

– Sender picks Ki which will not be disclosed until + 2 time passes and add MAC using Ki

– Receiver discard the packet if security condition fails


Yan Sun

TESLA Security ConditionTESLA Security Condition

The receiver will reject a packet whose MAC is generated using Ki if security condition fails.

TESLA security condition

– Ki used to authenticate a packet cannot have been disclosed yet

– For example, if arrival time is tr and earliest time to disclose Ki is t0 + i t, then tr t0 + i t - implies Ki is not disclosed yet

– t is small may discard some packetst is large long delay for authenticationt does not affect security


Yan Sun

ExampleExample

tTime 4 Time 5 Time 6 Time 7

P2

K5

P1Receiververify MAC

K4 K5 K6 K7K3FF FF


Yan Sun

Robustness Against Packet LossRobustness Against Packet Loss

tTime 4 Time 5 Time 6 Time 7

P5

K5

P3P2P1

Verify MACs

P4

K4

K4 K5 K6 K7K3FF FF

Receivers derive K4 from K5

Part 3. More on Wireless MulticastPart 3. More on Wireless Multicast

More on Wireless Multicast,

More on Research,and a Future Research Direction


Yan Sun

Research OpportunitiesResearch Opportunities

Wireless

Unicast

Multicast

Security

Application


Yan Sun

Wireless Multicast with TDWireless Multicast with TD

Using adaptive antenna array can provide Transmit diversity.

Transmit Diversity (TD) is well known for improving performance in point-to-point communication between two wireless devices

A question initiated a research topic:

Can adaptive antenna array improves the performance of wireless multicast?


Yan Sun

Performance of Multicast Performance of Multicast BeamformingBeamforming

N , BER M , BER


Yan Sun

Wireless Multicast with TDWireless Multicast with TD

Transmit Diversity (TD) – Close loop method: Beamforming,

– Open loop method: Space time coding

For unicast communication– When perfect channel information is available at

the transmitter, beamforming is better.

– When channel information is not available/accurate, STC is better.

More questions– How can transmit antenna array help wireless

multicast?

– Comparison among Transmit Diversity (TD) techniques.


Yan Sun

Space-time coding vs. BeamformingSpace-time coding vs. Beamforming

Decoding BER vs. Transmission SNR

M=2N=2,4,6,8,12,20


Yan Sun

ResultsResults

Beamforming can improve performance of wireless multicast.

Two TD techniques: Beamforming and Space-time-coding– When the group size exceed a certain

threshold, using STC. Otherwise, using beamforming

What can be done– Jointly apply both TD technqiues

– Joining design beamforming and STC.


Yan Sun

Profound ImpactProfound Impact

The physically layer TD techniques will pose important influence on multicast routing in ad hoc networks.

How will this affects security?


Yan Sun

A Future Research DirectionA Future Research Direction

How does the physical layer techniques influent upper layer protocols?

Adaptive antenna array new requirement for MAC and Routing

Collaborative communication …..

Security is always a concern

Antenna array hurting or helping?

in terms of security

Tutorial: Wireless Multicast Security

Documents

Transcript of Tutorial: Wireless Multicast Security