In this section, we present the notation used in this chapter. We also give an overview of the TASS and PTASS protocols, which are resistant to the delayed authentication compromise attack [18].
3.2.1 Notation
We summarize the notation used in this chapter in Table 3.1.

Table 3.1. – Notation used in this chapter

Symbol            Definition
$t$               Number of time intervals
$c$               Maximum number of different commands that the base station can send
$m$               Maximum number of commands that the base station can send in a time interval
$k_{priv,j}$      Private key of the time interval $j$
$s^j_{k,l}$       Command signature used in time interval $j$, with $1 \le k \le m$ and $1 \le l \le c$
$z^j_{k,l}$       Checksum node used in time interval $j$, with $1 \le k \le m$ and $1 \le l \le c$
$F$               Hash function
3.2.2 Background
The protocols that we are going to introduce rely on Merkle Trees (also called Hash Trees) and Merkle-Winternitz Signatures.
Merkle-Tree
A Merkle Tree is a tree-based data structure generally used for authentication purposes. We use binary trees, but our schemes can easily be adapted to trees of any arity. The value of each inner node of the tree is the output of a hash function applied to the concatenation of the values of its children. For a leaf $v$ of the Merkle Tree, the co-path of $v$ is the set of siblings of the vertices lying on the path from $v$ up to the root; given $v$ and its co-path, anyone can recompute the root and compare it with an authenticated copy. We use a cryptographic hash function such as SHA-1 for our purposes [141]; since practical collisions for SHA-1 are now known, a new deployment should use SHA-256 or another collision-resistant hash in its place.
Merkle-Winternitz Signatures
Merkle-Winternitz signatures [78] rely on one-way functions to build a Directed Acyclic Graph that encodes a signature. The scheme is efficient when used to sign low-entropy messages. An edge between two nodes $v_1 \to v_2$ represents an application of the one-way function, that is $v_2 = F(v_1)$, where $F$ denotes the one-way function. If a node has multiple incoming edges, its value is the hash of the concatenation of the values of all its predecessors. Figure 3.1 shows an example of a Merkle-Winternitz signature graph. The signer selects a private key $k_{priv}$ and uses a Pseudo Random Function (PRF) to derive $s_m$ and $z_1$. It then applies the one-way function repeatedly to obtain the remaining values: $s_{i-1} = F(s_i)$ down to $s_1$, and $z_{i+1} = F(z_i)$ up to $z_m$. Finally, the public key $k_{pub}$ is computed by hashing $s_1$ and $z_m$, that is $k_{pub} = F(s_1 \,\|\, z_m)$, and is distributed to the receivers in an authenticated way. The left chain is called the signature chain, while the right one is the checksum chain and is used to prevent forgeries. In our scenario, each node of the signature chain represents a command, or message, that the sender may sign. To sign command $i$, with $1 \le i \le m$, the signer sends the values $s_i$ and $z_i$ as the signature. To verify it, the receiver computes $F\big(F^{\,i-1}(s_i) \,\|\, F^{\,m-i}(z_i)\big)$ and compares the result with the signer's public key $k_{pub}$: if they match, the signature is valid. Since the indices of the checksum chain run in the direction opposite to those of the signature chain, from a valid pair $(s_i, z_i)$ an adversary can compute $s_{i'}$ only for $i' < i$ and $z_{i'}$ only for $i' > i$; forging a signature on any other command therefore requires inverting at least one application of the one-way function.
The Merkle-Winternitz scheme is a secure one-time signature, but it does not scale well to signing a large number of bits. Note, however, that more than two chains can be used, each encoding some of the bits of the signature. For example, an 8-bit number can be encoded with four chains of length 4, two bits per chain. Furthermore, the length of the checksum chain can be reduced as explained by Merkle [78]. As an example, to sign 128 different commands, instead of two chains (signature and checksum) of 128 values each, one needs only one signature chain with 16 values, one signature chain with 8 values, and one checksum chain with 22 values. This mechanism also reduces the number of hash function evaluations required to authenticate a message.
[Figure 3.1: signature graph with nodes $k_{priv}$ and $k_{pub}$, the signature chain $s_m \to s_{m-1} \to \ldots \to s_2 \to s_1$ and the checksum chain $z_1 \to z_2 \to \ldots \to z_{m-1} \to z_m$]
Figure 3.1. – Merkle Winternitz signature scheme to sign m bits
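As an added example (this is not code from [18], [78] or this chapter), the following Python implements the two-chain scheme of Figure 3.1. SHA-256 stands in for the one-way function $F$ and HMAC-SHA-256 for the PRF; both choices, and the function names, are assumptions. Besides signing and verifying, `forge_from` computes exactly what an adversary holding one valid pair $(s_i, z_i)$ can derive for another command without inverting $F$, and `mw_verify` rejects every such attempt.

```python
import hashlib
import hmac
import os


def F(data: bytes) -> bytes:
    """The one-way function; every edge v1 -> v2 of the signature graph is v2 = F(v1) (SHA-256 assumed)."""
    return hashlib.sha256(data).digest()


def hash_iter(x: bytes, n: int) -> bytes:
    """F applied n times."""
    for _ in range(n):
        x = F(x)
    return x


def mw_keygen(m: int, k_priv: bytes = None):
    """Build the two chains of Figure 3.1 for m commands; returns (k_priv, k_pub, s, z), 1-indexed lists."""
    k_priv = k_priv or os.urandom(32)
    s, z = [None] * (m + 1), [None] * (m + 1)
    s[m] = hmac.new(k_priv, b"signature", "sha256").digest()   # PRF(k_priv) -> s_m  (HMAC assumed as PRF)
    z[1] = hmac.new(k_priv, b"checksum", "sha256").digest()    # PRF(k_priv) -> z_1
    for i in range(m - 1, 0, -1):
        s[i] = F(s[i + 1])          # signature chain runs s_m -> s_{m-1} -> ... -> s_1
    for i in range(2, m + 1):
        z[i] = F(z[i - 1])          # checksum chain runs z_1 -> z_2 -> ... -> z_m (opposite direction)
    k_pub = F(s[1] + z[m])          # k_pub = F(s_1 || z_m), distributed authentically to receivers
    return k_priv, k_pub, s, z


def mw_sign(s, z, i: int):
    """The signature on command i is the pair (s_i, z_i); this is a one-time scheme, sign once per key."""
    return (i, s[i], z[i])


def mw_verify(k_pub: bytes, m: int, sig) -> bool:
    """i-1 hashes bring s_i back to s_1 and m-i hashes bring z_i to z_m; then compare with k_pub."""
    i, s_i, z_i = sig
    if not 1 <= i <= m:
        return False
    return F(hash_iter(s_i, i - 1) + hash_iter(z_i, m - i)) == k_pub


def forge_from(sig, m: int, target: int):
    """Best effort of an attacker holding a valid (s_i, z_i) who wants a signature on `target`.
    target < i: s_target = F^{i-target}(s_i) is computable, z_target would need inverting F, so z_i is reused.
    target > i: z_target = F^{target-i}(z_i) is computable, s_target would need inverting F, so s_i is reused."""
    i, s_i, z_i = sig
    if target < i:
        return (target, hash_iter(s_i, i - target), z_i)
    return (target, s_i, hash_iter(z_i, target - i))
```

Because the checksum index decreases exactly when the signature index decreases, either direction of forgery leaves one chain at the wrong depth, and the recomputed public key no longer matches.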
Totally Accountable Signature Scheme (TASS)
To be resilient against Delayed Authentication Compromise (DAC) attacks, the authors of [18] propose the TASS algorithm. The main idea of TASS is to bind the authentication key both to the time interval and to the message content, so that the adversary cannot tell which key value it would have to use to forge packets. In the setup phase the base station performs a number of operations and builds a Directed Acyclic Graph (DAG) made of a Merkle Tree [78] and a set of hash chains. First, the base station randomly selects $t$ private values $k_{priv,1}, \ldots, k_{priv,t}$, one per time interval. From the private value $k_{priv,i}$ of time interval $i$, it uses a Pseudo Random Function (PRF) to generate the $m$ values $s^i_{1,c}, \ldots, s^i_{m,c}$ and the $m$ values $z^i_{1,1}, \ldots, z^i_{m,1}$. Starting from these values the base station generates $2m$ hash chains: each signature chain runs $s^i_{k,c} \to s^i_{k,c-1} \to \ldots \to s^i_{k,1}$, each checksum chain runs in the opposite direction $z^i_{k,1} \to \ldots \to z^i_{k,c}$, and one further application of $F$ yields the leading node, so that each chain contains $c + 1$ items with the leading node as its last element. The authentication key $k_i$ of the time interval is the hash of the $2m$ leading nodes:
$k_i \leftarrow F\big(F(s^i_{1,1}) \,\|\, \ldots \,\|\, F(s^i_{m,1}) \,\|\, F(z^i_{1,c}) \,\|\, \ldots \,\|\, F(z^i_{m,c})\big).$
Then, the base station randomly selects $t$ checksum values $z_1, \ldots, z_t$. The $2t$ values $k_1, \ldots, k_t$ and $z_1, \ldots, z_t$ are the leaves of the Merkle Tree. After building the tree, the base station signs the root and sends it to the receivers.
At the start of each time interval $i$, the base station broadcasts the co-path of $k_i$ (see Figure 3.2). It can then send at most $m$ authenticated messages during that interval. To send a command, the base station transmits a tuple of three values: the index of the command it wants to send, one node selected among the $s^i_{j,l}$ and one node selected among the $z^i_{j,l}$, with $1 \le j \le m$ and $1 \le l \le c$. Here $j$ indicates that this is the $j$-th message of the interval and $l$ identifies the command being sent; the $j$-th signature chain and the $j$-th checksum chain are thereby consumed. At the end of the time interval, the base station sends the leading nodes of the chains that were not used. A sensor that receives a message $\langle j, s^i_{j,l}, z^i_{j,l} \rangle$ stores it in a buffer until the time interval expires and the base station has transmitted the leading nodes of the unused chains. At that point it authenticates the buffered messages as follows:
• It rebuilds the hash chains up to the leading node of each chain, that is
$F(s^i_{1,1}), \ldots, F(s^i_{m,1}), F(z^i_{1,c}), \ldots, F(z^i_{m,c})$: for a chain consumed by a buffered message $\langle j, s^i_{j,l}, z^i_{j,l} \rangle$ it hashes the received node the remaining number of times ($F^{\,l}(s^i_{j,l})$ and $F^{\,c-l+1}(z^i_{j,l})$), while for the unused chains it takes the leading nodes released by the base station.
• Knowing all these nodes, it computes $k_i = F\big(F(s^i_{1,1}) \,\|\, \ldots \,\|\, F(s^i_{m,1}) \,\|\, F(z^i_{1,c}) \,\|\, \ldots \,\|\, F(z^i_{m,c})\big)$.
• It authenticates $k_i$ by using its co-path up to the root. If the computed root matches the one verified at the beginning of the session, then all the buffered messages are correct and therefore authenticated.
Figure 3.2 illustrates the DAG created by TASS in the setup phase for four time intervals. This DAG consists of a Merkle tree with $2t = 8$ leaves and, for each time interval, a set of $2m$ hash chains whose leading nodes determine the authentication key of that interval.
[Figure 3.2: for time interval 1, the private key $k_{priv,1}$ seeds the signature chains $s^1_{1,c} \to \ldots \to s^1_{1,1}$, $s^1_{2,c} \to \ldots \to s^1_{2,1}$, …, $s^1_{m,c} \to \ldots \to s^1_{m,1}$ and the checksum chains $z^1_{1,1} \to \ldots \to z^1_{1,c}$, …, $z^1_{m,1} \to \ldots \to z^1_{m,c}$; their leading nodes give $k_1$, and the leaves $k_1, z_1, \ldots, k_4, z_4$ are hashed up to Root]
Figure 3.2. – TASS Directed Acyclic Graph (t = 4)
PTASS
In the TASS scheme, the receiver can authenticate a message only after receiving the leading nodes of the unused chains at the end of the time interval. To overcome this limitation, the authors of [18] propose PTASS. The main goal of PTASS is to allow immediate authentication of messages by assigning them different priority levels. When the base station transmits low priority messages, their authentication can be delayed until the end of the time interval, as in TASS. High priority messages, instead, must be authenticated immediately. To provide immediate authentication, the base station extends the DAG used by TASS with one more layer: a new Merkle tree is inserted between the leading nodes of the hash chains and the authentication keys $k_i$, $1 \le i \le t$ ($t$ is the number of time intervals). Clearly, building the PTASS DAG costs considerably more than building the TASS DAG. When transmitting a message, the behaviour of the base station depends on the priority of the message. For a low priority message nothing changes with respect to TASS. For a high priority message, the base station sends two nodes of the Merkle-Winternitz hash chains (one from the signature chain and one from the checksum chain) together with the hash values of the co-path that the receiver needs to immediately authenticate the key of that time interval. Note that the transmission and verification cost added by PTASS is not negligible.
In the following section, we discuss the limitations of the state of the art and the attacks against it.