Beruflich Dokumente
Kultur Dokumente
Introduction Issues Design Goals Classifications TCP Over Ad Hoc Wireless Networks Other Transport Layer Protocols
Security in Ad Hoc Wireless Networks Network Security Requirements Issues and challenges in security Network security attacks Key Management Secure Routing 1
Introduction
The objectives of a transport layer protocol include setting up of:
End-to-end connection End-to-end delivery of data packets Flow control Congestion control
These traditional wired transport layer protocols are not suitable for ad hoc wireless networks.
2
Issues
Issues while designing a transport layer protocol for ad hoc wireless networks:
Induced traffic refers to the traffic at any given link due to the relay traffic through neighboring links. Induced throughput unfairness refers to the throughput unfairness at the transport layer due to the throughput/delay unfairness existing at the lower layers such as the network and MAC layers. Separation of congestion control, reliability, and flow control could improve the performance of the transport layer. Power and bandwidth constraints affects the performance of a transport layer protocol. Misinterpretation of congestion occurs in ad hoc wireless networks. Completely decoupled transport layer needs to adapt to the changing network environment. Dynamic topology affects the performance of a transport layer.
3
Design Goal
The protocol should maximize the throughput per connection. It should provide throughout fairness across contending flows. It should minimize connection setup and connection maintenance overheads. The protocol should have mechanisms for congestion control and flow control in the network. It should be able to provide both reliable and unreliable connections. The protocol should be able to adapt to the dynamics of the network. One of the important resources must be used efficiently. The protocol should be aware of resource constraints. The protocol should make use of information from the lower layer. It should have a well-defined cross-layer interaction framework. 4 The protocol should maintain end-to-end semantics.
Split Approach
Split-TCP
Disadvantages It requires modifications to TCP protocol. The end-to-end connection handling of traditional TCP is violated. The failure of proxy nodes can lead to throughput degradation.
12
15
16
17
Security Threats
Four types of security threats:
Interception refers to the situation that an unauthorized party has gained access to a service or data. Interruption refers to the situation in which services or data become unavailable, unusable, or destroyed. Modifications involve unauthorized changing of data or tampering with a service. Fabrication refers to the situation in which additional data or activity are generated that would normally not exist.
18
Other Attacks
Multi-layer attacks could occur in any layer of the network protocol stack. Denial of service: An adversary attempts to prevent authorized users from accessing the service. Jamming: Transmitting signals on the frequency of senders and receivers to hinder the communication. SYN flooding: An adversary send a large number of SYN packets to a victim node. Distributed DoS attack: Several adversaries attack a service at the same time. Impersonation: An adversary pretends to be other node. Device tampering: Mobile devices get damaged or stolen easily.
20
Active Attacks
Blackhole attack
Byzantine attack Information disclosure Resource consumption attack
Routing attacks
Key Management
Cryptography is one of the most common and reliable means to ensure security. The purpose of cryptography is to take a message or a file, called the plaintext (P), and encrypt it into the ciphertext (C) in such a way that only authorized people know how to convert it back to the plaintext. The secrecy depends on parameters to the algorithms called keys. The four main goals of cryptography are confidentiality, integrity, authentication, and non-repudiation. Usually, the encryption method E is made public, but let the encryption as a whole be parameterized by means of a key k (same for decryption). Three types of intruders:
Passive intruder only listens to messages. Active intruder can alter messages. Active intruder can insert messages.
22
Cryptography
Cryptography
There are two major kinds of cryptographic algorithms:
Symmetric (secret-key) system: Use a single key to (1) encrypt the plaintext and (2) decrypt the ciphertext. Requires that sender and receiver share the secret key. Asymmetric (public-key) system: Use different keys for encryption and decryption, of which one is private, and the other public.
Hashing system: Only encrypt data and produce a fixedlength digest. There is no decryption; only comparison is possible.
Notation
Description
KA, B
K A K A
Cryptography Functions
Cryptography functions
Secret key (symmetric cryptography, e.g., DES) Public key (asymmetric cryptography, e.g., RSA) Hashing (one-way function - message digest, e.g., MD5)Security services
Security services
Privacy (Secrecy): preventing unauthorized release of information Authentication: verifying identity of the remote participant Integrity: making sure message has not been altered
Security Cryptography algorithms Secret key (e.g., DES) Public key (e.g., RSA) Message digest (e.g., MD5) Privacy Security services Authentication Message integrity 25
Symmetric Cryptosystems
Substitute Cipher: each letter or group of letter is replaced by another letter or group of letters
Caesar cipher: rotate the letter (a D, b E, c F, z C). Example: attack DWWDFN Monoalphabetic substitution Each letter replaced by different letter Plaintext: ABCDEFGHIJKLMNOPQRSTUVWXYZ Ciphertext: QWERTYUIOPASDFGHJKLZXCVBNM Disadvantage: It does not smooth out frequencies in the cipher text. Polyalphabatic cipher use multiple cipher alphabets.
26
Secret-Key Cryptography
Transposition cipher: reorder the letters, but don't disguise them.
Select a key MEGABUCK 74512836 plea se tr ansfe ron ehundred afnsedtoelnhesurndpaeerr Plain text cipher text
27
Transposition Ciphers
A transposition cipher.
28
One-Time Pads
The use of a one-time pad for encryption and the possibility of getting any possible plaintext from the ciphertext by the use of some other pad.
29
Data Data Encryption Standard (DES) was developed by IBM and adopted as a US national standard in 1977.
The encryption function maps a 64-bit plaintext input into a 64-bit encrypted output using a 56-bit master key. The DES algorithm is difficult to break using analytical methods ((the rationale behind the design has never been clearly explained). Using a bruteforce attack will do the job because the key length is 56 bits. In June 1997, it was successfully cracked. Only used for the protection of low-value information.
Triple-DES: apply DES three times with another two different keys. Give strength against brute-force attacks. Advanced Encryption Standard (AES).
In 1997, the US NIST (National Institute of Standards and Technology) issued an invitation for Advanced Encryption Standard (AES). NIST announced the approval of the Federal Information Processing Standard (FIPS) for the Advanced Encryption Standard, FIPS-197. This standard specifies Rijndael algorithm (blocks of 128 bits) as a FIPSapproved symmetric encryption algorithm that may be used by U.S. Government organizations (and others) to protect sensitive information. The algorithm has been designed to be fast enough so that it can even be 30 implemented on smart cards.
31
Triple DES
(a) Triple encryption using DES. (b) Decryption.
32
33
Cryptanalysis
Some common symmetric-key cryptographic algorithms.
34
Public-Key Cryptography
Asymmetric (Public-key) cryptography uses an encryption algorithm E and a decryption algorithm D such that deriving D is effectively impossible even with a complete description of E. You can encrypt without knowing how to decrypt. Requirements:
D (E(P)) = P It is extremely difficult to deduce the decryption key from the encryption key. E cannot be broken by a plaintext attack.
36
Group P into blocks such that C=Pe (mod n) and P=Cd(mod n) where 0 <= P < n
37
Public-Key Cryptography
Example:
p=13 q=17 n = 13 x 17 = 221 z = (13 1) x (17 1) = 192. let d=5 (prime to z) e x d = 1 mod 192 = 1, 193, 385, ... 385 is divisible by d e = 385/5 = 77
Example:
p=3 q=11 n = 3 x 11 = 33 z = (3 1) x (11 1) = 20. let d=7 (prime to z) 7 x e mod 20 = 1 e=3 C = P3 (mod 33), P = C7 (mod 33)
38
RSA
An example of the RSA algorithm.
39
Hashing system
Hashing System
Oneway function: Given some output mout of ES , it is (analytically or) computationally infeasible to find min Weak collision resistance: Given an input m and its associated output h = H(m) it is computationally infeasible to find an m such that H(m) = H(m). Strong collision resistance: given only H, it is computationally infeasible to find any two different inputs m and m such that H(m) = H(m).
Digital Signatures
Digital signatures make it possible to sign email messages and other digital documents in such a way that they cannot be repudiated by the sender later. Steps to use digital signatures:
The sender runs the document through a one-way hashing algorithm The sender applies his private key to the hash to get D(hash). This is called the signature block. The receiver computes the hash of the document using MD5 or SHA and then applies the senders public key to the signature block to get E(D(hash)). Compare hash and E(D(hash)).
41
Digital Signatures
(b)
Digital Signatures
The most popular hashing functions used are:
MD5 (Message Digest) which produces a 16-byte result. SHA (Secure Hash Algorithm) which produces a 20-byte result.
The public key is usually published. To avoid altering, message senders can attach a certificate to the message, which contains:
The users name The public key Digitally singed by a trusted third party
43
Hash Functions
Secure Hash Algorithm (SHA),
which produces a 256-bit message digest. This provides protection of the integrity of encrypted files as well as public key files. SHA was developed by the NIST in the United States, who announced the approval of FIPS 180-2, Secure Hash Standard, containing the specifications for the Secure Hash Algorithm SHA-256.
MD5
MD5 (Message Digest 5) is an algorithm that is used to verify data integrity through the creation of a 128-bit message digest from data input which may be a message of any length. MD5, which was developed by Professor Ronald L. Rivest of MIT, is intended for use with digital signature applications, which require that large files must be compressed by a secure method before being encrypted with a secret key, under a public key cryptosystem. MD5 is currently a standard, Internet Engineering Task Force (IETF) Request for Comments (RFC) 1321.
44
Certificates
A possible certificate and its signed hash.
45
X.509
X.509 is the ITU-T (International Telecommunications Union-T) standard for Digital Certificates. The basic fields of an X.509 certificate.
46
Public-Key Infrastructures
A Public Key Infrastructure (PKI) integrates software, hardware, encryption technologies and services for managing the cryptographic infrastructure and users' public keys.
47
48
IPsec (2)
Firewalls
Rest of the Internet Firewall Local site
A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.
50
Firewalls
A firewall consisting of two packet filters and an application gateway.
51
802.11 Security
Packet encryption using WEP.
53
Authentication Protocols
Authentication Based on a Shared Secret Key Establishing a Shared Key: Diffie-Hellman Authentication Using a Key Distribution Center Authentication Using Kerberos Authentication Using Public-Key Cryptography
54
56
Authentication (1)
Authentication based on a shared secret key. Two-way authentication using a challenge-response protocol.
57
Authentication (2)
Authentication based on a shared secret key, but using three instead of five messages. A shortened two-way authentication protocol
58
59
Authentication (3)
The reflection attack.
60
61
62
Solution: Pass KB,KDC ( KA,B ) to Alice and let Alice send it to Bob. The message KB,KDC ( KA,B ) is known as a ticket.
63
64
65
66
67
68
69
70
71
72
Cryptography Practice
Compare RSA to DES:
Encrypting message using RSA is much slower than DES RSA is most used for exchange only shared keys
Pretty Good Privacy (PGP) is a popular program used to encrypt and decrypt e-mail over the Internet.
It can also be used to send an encrypted digital signature that lets the receiver verify the sender's identity and know that the message was not changed en route. Available both as freeware and in a low-cost commercial version, PGP is the most widely used privacy-ensuring program by individuals and is also used by many corporations. Developed by Philip R. Zimmermann in 1991, PGP has become a de facto standard for e-mail security. PGP can also be used to encrypt files being stored so that they are unreadable by other users or intruders. .
73
Cryptography Example
Pretty Good Privacy (PGP) is a popular program used to encrypt and decrypt e-mail over the Internet. Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet. HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a Web protocol developed by Netscape and built into its browser that encrypts and decrypts user page requests as well as the pages that are returned by the Web 74 server.
75
76
77
SSL (2)
A simplified version of the SSL connection establishment subprotocol.
78
SSL (3)
79
80
Threshold Cryptography
Public key infrastructure (PKI) enables the easy distribution of keys and is a scalable method. Each node has a public/private key pair, and a certifying authority (CA) can be bind the keys to the particular node. A scheme based on threshold cryptography by which n servers exist out of which any (t + 1) servers can jointly perform any arbitration or authorization successfully, but t server cannot perform the same. So up to t compromised severs can be tolerated.
83
84
Covert Channels
Pictures appear the same but information is hidden in the image. It is called steganography. Picture on right has text of 5 Shakespeare plays
encrypted, inserted into low order bits of color values
Zebras