
5 Comparisons to other multicast authentication techniques

5.4 Comparisons

5.4.4 Node compromise and failure

Reliance on other nodes for authentication also reduces an approach's tolerance to node compromise or failure. TESLA and one MAC per receiver have perfect tolerance to node compromises or failures. An attacker controlling a compromised node can only spoof message values that would be sent from that node. A node failure would not prevent any other messages from being authenticated other than ones transmitted by the failed node.

Validity voting (Section 4) can only tolerate a fixed number of compromised nodes, specified at design time. An attacker might use a compromised node to assist in a message forgery attempt by casting a positive vote for that message. When the design tolerates compromise of w votes out of z total votes, the per-packet assurance is determined by the z - w usable votes (see equation (3) in Section 4). If an attacker is able to compromise more than w voting nodes in the system, they might be able to cause message forgeries to succeed more often than the failure requirements defined for the system allow.

Baseline validity voting as described in Section 4 does not account for permanent node failures. Tolerance to failed nodes needs to be added. Section 8 describes how to tolerate failed nodes, using methods like group membership.

Master-slave authentication's tolerance to node compromise relies primarily on the master node remaining uncompromised. The master node is a single point of failure. If an attacker compromises the master node, the attacker has complete control over the network and can transmit any value it wishes. However, if the master node remains uncompromised, the approach retains perfect tolerance to compromise of any slave node. A compromised slave node can only spoof messages that would be sent from that node.

Permanent node failures have a more severe impact on master-slave authentication. In the event the master node fails, no authentication is possible. If a slave node fails, it will not release the MAC tags necessary for other nodes in the network to validate previous message rounds. To resolve this, a master node might periodically broadcast the current set of nodes it believes to be operating correctly. Thus, receivers can recompute the master's hash value over the tags released by correctly operating nodes.
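The membership-broadcast fix described above can be made concrete with a small model. The following Python is an added example written for this page, not code from the thesis; the tag construction (a 32-bit truncated HMAC per slave per round), the master's hash (SHA-256 over the tags of the slaves it believes are operating), the node names and the keys are all constructed assumptions. It shows the failure mode first: a receiver holding a stale membership view cannot recompute the master's hash once a failed slave stops releasing its tag. Applying the master's broadcast set of operating nodes lets the receiver recompute the hash over only the tags that were actually released.

```python
import hashlib
import hmac

# Constructed toy parameters (not from the thesis): one key per slave shared
# with the master, and a 32-bit truncated HMAC tag released per slave per round.
TAG_BYTES = 4
NODE_KEYS = {
    "slave1": b"constructed-key-1",
    "slave2": b"constructed-key-2",
    "slave3": b"constructed-key-3",
}


def node_tag(node: str, round_id: int, message: bytes) -> bytes:
    """Truncated HMAC tag a slave releases for a message round (assumed construction)."""
    data = round_id.to_bytes(4, "big") + message
    return hmac.new(NODE_KEYS[node], data, hashlib.sha256).digest()[:TAG_BYTES]


def release_tags(round_id: int, message: bytes, failed: set) -> dict:
    """Tags actually seen on the bus: a permanently failed slave releases nothing."""
    return {n: node_tag(n, round_id, message) for n in NODE_KEYS if n not in failed}


def master_hash(round_id: int, tags: dict, operating: set) -> bytes:
    """Hash the master broadcasts over the tags of the slaves it believes are operating.
    Iterating in sorted node order keeps the computation deterministic for receivers."""
    h = hashlib.sha256(round_id.to_bytes(4, "big"))
    for n in sorted(operating):
        h.update(n.encode() + tags[n])
    return h.digest()


def receiver_verify(round_id: int, master_digest: bytes, tags: dict, membership: set):
    """Receiver recomputes the master's hash using its own membership view.
    Returns None when a member's tag was never released (the round cannot be
    validated), otherwise whether the recomputation matches the master's digest."""
    if any(n not in tags for n in membership):
        return None
    return hmac.compare_digest(master_hash(round_id, tags, membership), master_digest)


def demo():
    """Walk through one healthy round and one round after slave2 has failed."""
    msg = b"valve=open"  # constructed sample message value
    everyone = set(NODE_KEYS)

    # Round 1: all slaves operating, receiver's membership view is current.
    tags1 = release_tags(1, msg, failed=set())
    digest1 = master_hash(1, tags1, everyone)
    healthy = receiver_verify(1, digest1, tags1, everyone)

    # Round 2: slave2 has failed permanently and releases no tag.
    tags2 = release_tags(2, msg, failed={"slave2"})
    # The master periodically broadcasts the set of nodes it believes are operating;
    # it hashes only over those nodes' tags.
    operating = everyone - {"slave2"}
    digest2 = master_hash(2, tags2, operating)
    # A receiver still holding the old membership set is stuck: slave2's tag is missing.
    stale_view = receiver_verify(2, digest2, tags2, everyone)
    # A receiver that applied the master's membership broadcast validates the round.
    updated_view = receiver_verify(2, digest2, tags2, operating)
    # A receiver whose membership set disagrees with the master's (here dropping a
    # node that is in fact operating) recomputes a different hash and rejects.
    wrong_view = receiver_verify(2, digest2, tags2, operating - {"slave1"})
    return healthy, stale_view, updated_view, wrong_view


if __name__ == "__main__":
    print(demo())
```

The None result for the stale receiver is the problem the paragraph describes: without a membership update, a single failed slave blocks validation of every later round for receivers still expecting its tag. The membership broadcast itself must of course be authenticated by the master, since the master remaining trustworthy is the premise of the whole scheme.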

5.5 Discussion

Table 5.2 summarizes the results of this chapter, discussing characteristics of each technique and types of embedded networks they best apply to.

Our analysis shows that the most bandwidth efficient approach depends primarily on the number of receivers, and is influenced to a lesser extent by per-packet assurance levels in networks where no trusted master is available. For example, one MAC per receiver and validity voting are the most bandwidth efficient approaches for networks characterized by few receivers and

weak per-packet assurance levels. TESLA and validity voting using many votes are the most bandwidth efficient approaches for very large numbers of receivers or strong per-packet assurance levels. A master-slave approach is also very bandwidth efficient, assuming a trusted master node is available. We also show that despite some approaches being more sensitive to transient packet losses, all approaches recover automatically within one to three message rounds. Lastly, we find that approaches with no inter-node dependencies for authentication, such as one MAC per receiver and TESLA, are most robust to node compromises or failures.


Table 5.2. Summary of authentication technique characteristics

One MAC per receiver

• Best applied to embedded control networks characterized by very few receivers and weak per-packet assurance levels.

• Perfect tolerance to transient packet losses.

• Nodes resume authentication immediately after transient network failures cease.

• Perfect tolerance to node compromise or failure.

Validity voting

• Best for systems with few receivers; can provide strong per-packet assurance by increasing votes. Enables authentication to more receivers or stronger per-packet assurances than one MAC per receiver using the same number of bits. If using many votes, validity voting is competitive with TESLA for scalability even to strong per-packet assurance levels.

• Increasing voting also makes this approach more sensitive to packet losses.

• Authentication resumes within one message round after transient network faults cease.

• Only tolerates a fixed number of compromised nodes. Node failures might require network reconfiguration.

TESLA

• Best for systems characterized by many receivers and very strong per-packet assurance levels.

• Has higher per-packet authentication overhead than one MAC per receiver and validity voting when applied to few receivers and weak per-packet assurance levels.

• Time-delayed key release slightly decreases loss tolerance due to inter-packet dependencies.

• Authentication can resume within one message round.

• Perfect tolerance to node compromise or failure.

Master-slave

• Requires a trusted master node.

• Scales well to any number of receivers (so long as none are silent receivers). Also scales well with respect to per-packet assurance levels.

• Very sensitive to packet losses, because all nodes participate in verifying each message round.

• Recovers from transient packet losses within three message rounds.

• Master node is a single point of failure. Perfect tolerance to node compromise so long as only slave nodes are compromised. Failed slave nodes require reconfiguration out of the system by the master node.
