Professional Documents
Culture Documents
Light-Weight Cryptography - How Light Is Light?: Virgil D. Gligor
Light-Weight Cryptography - How Light Is Light?: Virgil D. Gligor
Light-Weight Cryptography - How Light Is Light?: Virgil D. Gligor
Virgil D. Gligor
gligor@umd.edu
Electrical and Computer Engineering Department
University of Maryland
College Park, Maryland 20742
Motivation
Examples
authenticated encryption (1 pass, 1 crypto primitive)
probabilistic key distribution
+ source authentication
key/node revocation
VDG 5-5-2005 2
What is it ?
Cryptography
primitives (e.g., algorithms, ciphers)
schemes (e.g., modes of encryption, authentication)
protocols (e.g., key distribution, authentication)
tailored to (extremely) constrained environments.
Constraints ?
power and energy consumption
size and complexity (e.g., storage, gate count, I/O pin count)
communication bandwidth
Examples
networks of PDAs; large arrays of sensors
VDG 5-5-2005 3
What it is not ?
Not Weak Cryptography
not the “weakest link”
and
Not Intended to Replace Traditional Cryptography
focus limited by operational constraints
but …
Not Intended for All-Powerful Adversaries
they do not exist … so why over-design ?
VDG 5-5-2005 4
Motivation
Economics
growing market for Ubicomp applications
VDG 5-5-2005 5
Example Area: Sensor Devices
Wide range but limited processing capabilities: > 10 x
Atmel Atmega 128L -> … MC68328 “DragonBall” … -> MIPS R4000
(8 bit, 4 Mhz, 4KB SRAM) (32 bit, 16 MHz) (64 bit, 80 MHz)
VDG 5-5-2005 6
Implications for Cryptography ?
Restricted cryptographic primitives
- SK block ciphers and hash functions: 100 - 10,000 x speed of PK systems
. .
. . XOR
x5
.
IND-CPA
K
... FK ...
Encryption Mode
z1 z2 z3 z4 z5
E1 op
. E2 op
. .. E3 op
E4 op
. E5 op
Receiver y= y1 y2 y3 y4 y5
Initialization
E1 op
. E2 op
. .. E3 op
E4 op
. E5 op
K FK FK FK FK FK
z1 z2 z3 z4 z5
Receiver
Initialization
IND-CPA
E1 op
. E2 op Encryption Mode
. . E3 op
. E4 op
. E5 op
Receiver
Initialization
x= x1 x2 x3 x4 x5 tag
VDG 5-5-2005 10
… Under What Conditions ?
3. V. Gligor and B. Lindsay: use CBC with MDC = any redundancy code
4. US Dept. of Commerce, NBS Proposed Standard: Use CBC with MDC = XOR
VDG 5-5-2005 12
How Dangerous (ctnd.)?
5. MIT Kerberos v.4: use PCBC with MDC = constant appended to last block
- proposed at 1987 - 1989
- broken by J. Kohl at CRYPTO ‘89
6. MIT Kerberos v.5 - confounder (i.e., unpredictable block) prepended to message data
- CRC-32 is computed over the counfounded data and inserted into message
before encryption
- proposed in 1991 Kerberos v.5 specs. (used within US DoD ?)
- broken by S. Stubblebine and V. Gligor (IEEE Security and Privacy 1992)
7. V. Gligor and P. Donescu: use iaPCBC with MDC = unpredictable constant appended
as the last block of message (not the XOR version)
- proposed at the 1999 Security Protocols Workshop, Cambridge, UK.
- actually the proposal had MDC = XOR
- broken by the “twofish gang” (D, Whiting, D. Wagner, N. Ferguson, J.Kelsey); and by C. Jutla
VDG 5-5-2005 13
Example 2: Key (Pre)distribution
Probabilistic key sharing
key pre-distribution
generation of a large pool of P keys
random drawing of k keys out of P w/o replacement
loading of the key ring into each sensor
shared-key discovery
upon initialization every node discovers its neighbors
with which it shares keys
path-key establishment (- - -)
assigns a path-key to neighbors w/o shared key
multiple disjoint paths exist between two nodes
B example (A,B)
A Consequences
node-to-node authentication ?
key revocation ? scope ?
node-capture detection ?
resilience to node capture ?
network extension
VDG 5-5-2005 node capture 14
Example 2: Consequences
Source Authentication => all nodes are trusted
Ki,j = hash (kij || IDi || IDj), where IDi > IDj, is “unique”
Node-Capture Detection
redundant sensor coverage; data cross-correlation ?
grand challenge problem
Centralized Revocation (=/=> node-to-node authentication)
A controller node broadcasts signed list of k key identifiers to be revoked
disables all connectivity of the compromised node
affects other nodes on a small part of their key ring
All-trusted-node assumption for Source Authentication =>
Node-Capture Detection + Revocation
Resilience (w/o node shielding)
Capture of a key ring affects few links (k * no. links/P)
VDG 5-5-2005 15
Example 2: Improvement
q-composite key extension of Basic Scheme [CPS03]
MOTIVATION
Improve Resilience to Node Capture
fraction of compromised communication; network size
multipath key reinforcement
Node-to-Node (not Source) Authentication
nodes need not trust each other
IDEA
decrease pool size P s.t. ≥ q keys are shared between any two nodes
K
i,j = hash (k ij || k ij ||…|| k ij) is “unique”
1 2 q
VDG 5-5-2005 16
Example 2: Other Schemes
q-composite key + multipath key
0.45 0.9
q=2
0.4 q=3 q=2 0.8
0.35 0.7
q=2 mp
0.3 0.6
0.25 0.5
basic
basic
0.2 0.4
0.15 0.3
0.1 0.2
basic +mp
0.05 0.1
IDEA
For every possible node (ID), pick k random neighbors (IDs)
Generate k pair-wise shared keys
Scatter nodes and discover neighbors; multi-hop extension
Distributed revocation via threshold voting scheme.
vote authentication (e.g., session, source, replication detection, count integrity)
policy (e.g., session start/end times, revocation quotas)
Replication detection: limit d for every node, integrity of neighbor counts
VDG 5-5-2005 18
Multiple Key Spaces - Motivation
aijxiyj ,
f (x,y) =i,j=0 with property f(x,y) = f(y,x).
• for each sensor i, pre-distribute polynomial share f(i,y) in (t+1)logq space;
• sensors i and j compute shared key kij = f(i,j);
- sensor i evaluates f(i,y) at point j, and sensor j evaluates f(j,y) at point i;
• unconditionally secure but resiliency limited to a threshold of t captured nodes
• limited scalability for SN
- storage cost per node is exponential in group size
- computation intensive for |q| = 64 bits in 8-bit processors
(e.g., ATMEL Atmega 128) even for relatively small t
- 27 - 64 multiplication operations per two 64-bit integers
- 16 multiplication operations for one 64 bit and one16 bit integer
Generalization: t=0 => Basic Scheme; |F|=1 => Single Key-Space for Group Keying [Blundo’91]
VDG 5-5-2005 20
Other Primitives
Hash Functions (one-way, collision-resistant)
Hash trees R
H13 H14
H1 H2 H3 H4 H5 H6 H7 H8
V1 V3 V4 V5 V6 V7
V2 V8 Vi = (q(xi),xi)
Policy:
1. Local neighbors of a revocation target make the revocation decision
- threshold-based decision [CPS03]
• t votes to revoke (t > node degree, d) => delete keys shared with target
14
5 10
8
11 1
9
7 13
12 6
VDG 5-5-2005 22
Distributed Revocation
Advantages Disadvantages
Faster than centralized Need for Vote (not just
scheme node-tonode message)
Authenticity
Only inexpensive
neighborhood comm. More complex (e.g.,
required adversary may be a protocol
participant)
No single point of failure
Revocation Policy
Agreements
VDG 5-5-2005 23
Adversary Goals
VDG 5-5-2005 24
Node Revocation by an Adversary
Neighborhood Target
3 4
2
14
5 10
8
11 1
9
7 13
12 6
VDG 5-5-2005 25
Distributed Revocation - Protocol Properties
A. Correctness
1. Complete Revocation
If a compromised node is detected by t or more uncompromised neighbors,
then the node is revoked from the entire network permanently
2. Sound Revocation
If a node is revoked from the network, then at least t nodes must have agreed on its
revocation
3. Bounded-Time Revocation Completion
Revocation decision and execution occur within a bounded time from the sending of the
first revocation vote
4. Unitary Revocation
Revocations of nodes are unitary (all-or-nothing, everywhere-or-nowhere) in the network
A. Adversary Model
1. Universal Communication Presence
B. Protocol Assumptions
1. Network is quiescent during deployment of new nodes
Distributed Revocation
Needs node-to-node authentication? distributed consensus? revocation control ?
Needs Policies: when do we really want to revoke the keys of a node ?
VDG 5-5-2005 29