Authentication Protocols for Low

Nov 27, 2013

Michael Fong

supervised by Dr. Wensheng Zhang

ComS 554

Authentication Protocols for Low Power Device

Wireless Sensors

Telos-b mote (http://inst.eecs.berkeley.edu/~cs194-5/sp08/lab1/)

Current WSN application

- Environmental applications
  - forest fire detection
  - flood detection
  - tracking movement of birds
  - pollution level
- Monitoring freeway traffic
- Military (surveillance) application
  - battlefield surveillance
  - NBC attack detection and reconnaissance
- Smart Home systems for sensing temperature, light, moisture, and motion

Resource Scarcity

|                 | Sensor Mote (Telosb)                           | RFID Tag (EPC Gen 2 Chip)                        |
|-----------------|------------------------------------------------|--------------------------------------------------|
| Processor Speed | 8 MHz MSP430 RISC CPU from Texas Instruments   | Microcontroller or a few thousand logic gates    |
| Memory          | 10k + 48k                                      | No RAM                                           |
| Storage Space   | 1024K flash storage                            | 160k EEPROM                                      |
| Power Supply    | Battery Power                                  | No (Passive Tags); Limited (Active Tags)         |

Privacy Issues Arise

- Exposure to Physical Attacks
- Managed Remotely
- Unreliable Transfer, Conflict, Latency
  - Packet-based Communication
- Subject to surreptitious scanning
  - No Authentication
  - Data is not encrypted

Risks: Data Confidentiality

[Figure: Alice, Bob and an eavesdropper (aka Eve). Messages M = “Hi, I’m Alice!” and M = “I am Bob!”; Eve's actions are labelled Intercept and Decode.]

- Secured Communication
  - A sensor network should not leak information to unauthorized parties.
  - <Remedy> Encrypting messages helps to strengthen security.

Risks: Privacy

- Data Privacy
  - Leaking personal information.
- Personal (Preference) Privacy
  - Tracking personal activities
  - Knowing who just did what.
  - Consumer purchase habits
- Location Privacy
  - With a few malicious sensors in various locations, a person’s location may be tracked or be open to unauthorized disclosure.

[Figure labels: radio; "took 100 ms; Alice must be 33 m away"; Alice]

Risks: Authentication

[Figure: Alice, Bob and Mallory. Mallory intercepts M = “Hi, I am Alice!” and M = “Hi, I am Bob!” and resends them. Alice thinks Mallory was Bob. Bob thinks Mallory was Alice.]

- Identity Spoofing (Replay Attack)
  - Mallory reuses the communication from previous sessions to perform a successful authentication between a tag and a reader.
  - The attacker does not necessarily need to know the secret in the message.
  - <Remedy> A signature is used to verify the sender’s identity (in Public Key Infrastructure).

Risks: Data Integrity

[Figure: Alice, Bob and Mallory. Mallory intercepts M = “Hi, I am Alice!” and M = “Hi, I am Bob!”, modifies them, and resends M = “Yo, I am the Evil Alice!” and M = “Yo, I am the Evil Bob!”.]

- Man in the middle
  - Mallory could even modify the message content sent to either party.
  - <Remedy> A hash checksum (MD5, SHA1) is used to check the integrity of data.

Risks: Data Availability

- Denial-of-service
  - Frequency jamming

[Figure: Alice, Bob and an Attacker; the message M = “Hi, I’m Alice!” is shown three times.]

Security Goals

- Goal for this project:
  - An authentication scheme without leaking user identity, like security entry systems
  - Spoofing user identity should be difficult
  - Protection from replay attack.
- Things not considered:
  - No eavesdropping allowed, ensure a secured communication
  - Resistance to DoS attack

[Figure labels: Availability, Confidentiality, Integrity]

Preliminary

User is preloaded with

$A_1(x, y) = a_3 xy + a_2 x + a_1 y + a_0$
$A_2(x, y) = \hat{a}_3 xy + \hat{a}_2 x + \hat{a}_1 y + \hat{a}_0$

Reader is preloaded with

$B_1(x) = b_1 x + b_0$
$B_2(x) = \hat{b}_1 x + \hat{b}_0$
$B_3(x) = b_2 x^2 + b_1 x + b_0$

, such that

$A_1(x, y) B_1(x) + A_2(x, y) B_2(x) + B_3(x) = 0$

Proposed Protocol

Goal: authenticate the user (sensor) at a security door (sensor)

User:
- Preloaded with secret identity parameter i, A1(x), A2(x)

Reader (at the door):
- Knows secret functions B1(x), B2(x), B3(x)

Exchange:
1. Reader: generate a 16-bit random value r0 and send <r0>.
2. User: generate a 16-bit random r1, compute hash h = H(r0 | r1), compute A1(h, i), A2(h, i), and send <r1, A1(h, i), A2(h, i)>.
3. Reader: compute hash h = H(r0 | r1) and compute B1(h), B2(h), B3(h).
4. User is authenticated if A1(h, i)*B1(h) + A2(h, i)*B2(h) + B3(h) = 0.
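
The exchange on this slide, run end to end in Python as an added example (not code from the original slides or project). Assumptions not stated on the slides: arithmetic modulo the prime 2^61 - 1, SHA-1 as H, the coefficient construction in the hypothetical `keygen()`, and the constructed identity value; all function names are illustrative.

```python
import hashlib
import secrets

P = 2**61 - 1  # assumed prime modulus; the slides do not name the arithmetic domain

def H(r0, r1):
    """h = H(r0 | r1): SHA-1 over the two 16-bit nonces, reduced mod P."""
    data = r0.to_bytes(2, "big") + r1.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % P

def keygen():
    """Assumed construction: coefficients with A1*B1 + A2*B2 + B3 = 0 for all x, y."""
    a3, a2, a1, a0, ah2, ah0, b1, b0, k = (secrets.randbelow(P - 1) + 1 for _ in range(9))
    ah3, ah1 = k * b1 % P, k * b0 % P            # y-part of A2 is k * B1(x)
    kinv = pow(k, -1, P)
    bh1, bh0 = -a3 * kinv % P, -a1 * kinv % P    # B2(x) is -(y-part of A1) / k
    c2 = -(a2 * b1 + ah2 * bh1) % P              # B3 cancels the x-only terms
    c1 = -(a2 * b0 + a0 * b1 + ah2 * bh0 + ah0 * bh1) % P
    c0 = -(a0 * b0 + ah0 * bh0) % P
    user = ((a3, a2, a1, a0), (ah3, ah2, ah1, ah0))
    reader = ((b1, b0), (bh1, bh0), (c2, c1, c0))
    return user, reader

def A(c, x, y):  # c3*xy + c2*x + c1*y + c0
    return (c[0] * x * y + c[1] * x + c[2] * y + c[3]) % P

def B(c, x):     # Horner evaluation, highest-degree coefficient first
    acc = 0
    for coeff in c:
        acc = (acc * x + coeff) % P
    return acc

def user_respond(user, i, r0, r1=None):
    r1 = secrets.randbelow(1 << 16) if r1 is None else r1
    h = H(r0, r1)
    return r1, A(user[0], h, i), A(user[1], h, i)   # i itself is never sent

def reader_verify(reader, r0, response):
    r1, a1v, a2v = response
    h = H(r0, r1)
    b1v, b2v, b3v = (B(c, h) for c in reader)
    return (a1v * b1v + a2v * b2v + b3v) % P == 0

def demo(i=0x2A17):  # constructed identity value
    user, reader = keygen()
    r0 = secrets.randbelow(1 << 16)
    resp = user_respond(user, i, r0)
    # the same response checked against its own challenge, then against a later one
    return reader_verify(reader, r0, resp), reader_verify(reader, r0 ^ 1, resp)
```

`demo()` returns one verdict for the fresh response and one for the same response presented under a different challenge r0; the second is rejected because h changes with r0.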

Security Analysis

- Strong Authentication
  - Proves the identity of a user without revealing it.
  - The user stays anonymous at all times, since the identity parameter i is never exposed.
- Immunity against Replay Attack
  - A challenge-response authentication protocol is used, with temporary nonces for each session, i.e. r0 and r1.
- Resistance to User Impersonation Attack
  - Authentication depends on the coefficients of the secret functions at each party.
  - The attacker needs to compute valid coefficients {a1, a2, a3}, {ˆa1, ˆa2, ˆa3}, which are preloaded onto the user and stay secret in transmission.


Reader Compromise Attack

- If a Reader β is compromised (the results of B1(x), B2(x), and B3(x) are known), then the attacker could impersonate some valid tags by finding A1(x,y), A2(x,y) such that

  A1(x,y)*B1(x) + A2(x,y)*B2(x) + B3(x) = 0

- Countermeasure:
  - The reader can preload the functions and obfuscate their output with an elliptic curve point, converting the numeric output into another elliptic curve point: {α * B1, α * B2, α * B3}


Thus, the authentication process:

$(\alpha B_1) A_1 + (\alpha B_2) A_2 + (\alpha B_3) = \alpha ((A_1 B_1) + (A_2 B_2) + (B_3)) = \alpha \cdot 0 = (0, 0)$

Reference: http://en.wikipedia.org/wiki/Elliptic_curve

Experiment Result

Authentication: Basic < 200 ms; ECC 7000 ms
SHA1: 6 ms


Conclusion & Future Work

- Vulnerable to DoS attack
  - Misuse of anonymity
    - An attacker compromises the tag and launches a DoS attack.
    - Need to smartly identify who the user was.
- Ensured data communication, no eavesdropping allowed.
- Protect the secret function with a more sophisticated method. EC computation is too expensive and impractical on RFID devices.


