ARC Special Research Centre for Ultra-Broadband Information Networks

Dept. of Electrical & Electronic Engineering, University of Melbourne

Sprint, 2007-11-28

Improving Security with Network Diversity

Ph.D. Confirmation

Tao Ye

Supervisors: Dr. Darryl Veitch, Dr. Jean Bolot, Prof. Rod Tucker

Motivation

• Data confidentiality in network always a problem
  • Many security components inadequate
  • RSA backdoor
  • Rivest: A math error in chip can lead to easy crypto break-in
• Diverse networks are available
  • Data capable cellular networks
  • WiFi Hotspots
  • Wired Internet, multi-home
• Heterogeneity: bandwidth, security features
• Improving Security using Network Diversity

Divide information across diverse, heterogeneous links (physical or logical) to increase confidentiality, on top of the availability or strength of underlying encryption techniques.

Why not…

• Solve the problem with strong end-to-end encryption
• Known and unknown security component failures
  • Known – upgrade problems: WEP
  • Unknown – new weakness discovered all the time, good cipher might fail in the future!
• Strong encryption can be too expensive
  • Small devices
  • PKI too expensive to deploy
• Might not be available

Goal

Design and implement an overlay system to increase communication confidentiality

• Bandwidth aware but focused on security
• Low computation cost
• Set in today’s Internet environment

Outline

• Motivation and goals
• Related Work
• Multichannel Encryption Overlay
• Towards Provable Security

Related Work

Multipath Secure Transmission in MANET

• Mobile Ad hoc NETwork has frequent topology change, reliability must be coupled with security
• Use redundancy to provide reliability
• Preprocess message into n pieces, send on m node-disjoint paths, only need t (<= n) pieces to recover
• Examples:
  • SPREAD ([Lou04]) uses Shamir’s (t,n) Secret Sharing Scheme: bandwidth inefficient – n*(message size)
  • SMT ([Papadimitratos03]) uses Rabin Information Dispersal: O(n^2)
• Security guarantee: Secret Sharing best, <t cannot recover

Related Work (cont.)

Relevance of MANET

• Set in today’s Internet environment
• Reliability handled by a different layer, redundancy not a focus
• Want more efficient (space and time) algorithms
• Want better security guarantee

Related Work (cont.)

All-or-Nothing Transforms (AON)

• Rivest: Transformation of blocks
  • Computationally infeasible to reverse one block without all blocks
  • Reversible and efficiently computable
  • Package transform to be used with block cipher
• Secure Bulk Transfer [Byers04]
  • Sparse parity checking code spc2 has AON property
  • Running time O(dn), d > 10, n ~ file size
• Still want more efficient algorithm
• Not for real time or streaming applications

Related Work (cont.)

Selective Encryption in Multimedia

• Degrade MPEG2 streams: pay-per-view
• For example, encrypt I-Frames, perhaps also I-Blocks
• Transmit encrypted data and unencrypted data together
• Nice application of using special data structure
• Not a high security criterion

Outline

• Motivation and goals
• Related Work
• Multichannel Encryption Overlay (MEO)
• Towards Provable Security

Multichannel Encryption Overlay

• E0 is an encryption in a very general sense.

• Packet based, bits removed at random positions

• Can easily be extended to multiple channels

MEO Security

• Corruption by information removal
• Information rate reduction
• In order to crack the MEO, must either
  • Crack Channel 1, O1 → S, or
  • Crack channel 2, O2 → T, recombine correctly, then crack S’ → S
• Assume adversary has access to all channels

MEO Properties

Definitions:

• λi, pi, ri: packet arrival rate, fixed packet size, data rate on Channel i
• Use Channel 0 for source S’
• b: bits removed from S’ per packet to form O1

Traffic rate

• Rate on Channel 1 slows by a little: r1 = r0 – bλ0
• 8p2/b packets from S’ → a packet for Channel 2
• λ2 = bλ0/(8p2): low rate on channel 2
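The split, recombination and rate formulas above, as an added Python example that is not from the original slides. The slides do not say how the receiver learns the removal positions; deriving them from a shared seed, the function names and the sample packets are assumptions made for illustration.

```python
import random

def to_bits(data: bytes) -> str:
    return "".join(f"{byte:08b}" for byte in data)

def from_bits(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def removal_positions(rng: random.Random, nbits: int, b: int) -> list:
    # Assumption: both ends derive positions from a shared seed. `random` only
    # keeps the demo deterministic; it is not a cryptographic generator.
    return sorted(rng.sample(range(nbits), b))

def meo_send(packets, b, p2, seed):
    """Split source packets S' into Channel 1 payloads (O1) and Channel 2 packets."""
    if (len(packets) * b) % (8 * p2):
        raise ValueError("removed bits must fill whole Channel 2 packets")
    rng, ch1, pool = random.Random(seed), [], ""
    for pkt in packets:
        bits = to_bits(pkt)
        pos = set(removal_positions(rng, len(bits), b))
        pool += "".join(bits[i] for i in sorted(pos))
        ch1.append("".join(c for i, c in enumerate(bits) if i not in pos))
    # Each p2-byte Channel 2 packet carries the bits removed from 8*p2/b packets.
    return ch1, [from_bits(pool[i:i + 8 * p2]) for i in range(0, len(pool), 8 * p2)]

def meo_receive(ch1, ch2, b, seed):
    """Reinsert the Channel 2 bits into each O1 payload to rebuild S'."""
    rng, pool, out = random.Random(seed), "".join(map(to_bits, ch2)), []
    for k, o1 in enumerate(ch1):
        bits = list(o1)
        # Ascending order: each insert restores the prefix before the next one.
        for j, i in enumerate(removal_positions(rng, len(o1) + b, b)):
            bits.insert(i, pool[k * b + j])
        out.append(from_bits("".join(bits)))
    return out

def meo_rates(lam0, p0, b, p2):
    """Return (r1 in bit/s, lambda2 in packet/s); packet sizes are in bytes."""
    r0 = 8 * p0 * lam0
    return r0 - b * lam0, b * lam0 / (8 * p2)

# Constructed sample: eight 240-byte packets, b = 3 bits removed, p2 = 3 bytes.
SAMPLE = [bytes((17 * k + j) % 256 for j in range(240)) for k in range(8)]

if __name__ == "__main__":
    ch1, ch2 = meo_send(SAMPLE, b=3, p2=3, seed=2007)
    assert meo_receive(ch1, ch2, b=3, seed=2007) == SAMPLE
    print(len(ch1[0]), len(ch2), meo_rates(100, 240, 3, 3))
```

With these sample values, eight source packets fill exactly one Channel 2 packet, which is the 8p2/b ratio from the slide.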

MEO Preliminary Security Analysis

• Assume exhaustive search attacks to crack Channel 1
  • For n packets, total combinations are:
  • 1 bit removed, 240B packet -> 3,820
  • 3 bits removed, 240B packet -> 9,422,443,520
• Cracking encrypted Channel 2
  • Assume can be broken by cipher text only attacks
  • Number of packets needed to crack is an r.v. N
  • Using stationarity, define cracking time T = N/λ
  • Average cracking time on channel 2:
  • Assume ,
• Average cracking time of MEO:
• Gain factor
  • 1 bit, 1500B packet size, takes 12890 times longer to crack!!

WEP Example

Simulation on cracking corrupted WEP

• Illustrate the corruption property of the MEO in example
• WEP is known to be weak, software cracking tool available
• Generate 200 keys to be recovered
• Generate one encrypted stream of ‘packets’ corresponding to each key
• Normal stream vs. MEO corrupted stream
• Feed through Aircrack, set timeout to (1min,10min), (2min, 20min)
• Observe keys recovered vs. packets used

WEP Example (cont.)

• CDF of N
• Insensitive to timeout
• MEO corrupted streams are not cracked, for b=1, 2!
• Example demonstrates potential of MEO
• Does not prove general case

Outline

• Motivation and goals
• Related Work
• Multichannel Encryption Overlay
• Towards Provable Security

Weaknesses of MEO

• Lack provable security
  • Not sure if corruption on Channel 1 is sufficient
• E0 is an existing network element
  • Might not be suitable for corruption
• We should include E0 as a part of design
  • Leads to richer design space
  • But reduces modularity benefits

Towards Provable Security

• Information theoretic approach
  • Perfect secrecy
  • Zero Mutual information between transmitted code X and message M
  • Wyner’s Wiretap channel
  • Different from computation complexity approach of cryptography
• Use compression as encryption
  • An old idea, Roger Bacon in the 13th century
  • Surprisingly difficult to break

Wiretap Channel

Wyner’s Wiretap channel framework

• Use source coding and channel coding, exploit channel errors, to guarantee that an eavesdropper cannot decode message.
• Legitimate receiver can decode message without error

Wiretap Channel

Wiretap channel definitions

• U, X, Y, Z are random variables
• A sequence of n input symbols is X^n

Objectives

Secrecy Capacity

• If U → X → (Y, Z) is a Markov chain
• If both main and wiretapper’s channels are additive Gaussian, or I(X;Y) and I(X;Z) individually max by the same p(x)

MEO Modeled in Wiretap Channel

• Main channel:
  • Both Channel 1 and Channel 2 in MEO
  • Initially noiseless
• Wiretapper’s Channel:
  • Corruption process
  • X = S’, Z = O1
• Now we view corruption as channel error by design
• Eavesdropper’s uncertainty H(S|O1) to evaluate coding
• Select coding scheme to force corrupted O1 to be unbreakable

Compression as Encryption

• Rivest et al.: Huffman can be difficult to break if codebook is unknown
• Shannon-Fano-Elias can be made exponentially difficult to break
• Recall: not sure if corruption is sufficient
• Compression
  • Compress to entropy
  • No redundancy, removed cannot recover
  • Many algorithms are O(n)
• How do we formally study it?

Compression and Deletion Channel

Connecting deletion with bit removal

• Erasure channel
  • Every bit with an erasure probability e, where 1110001 -> 11?0?01
• Deletion channel
  • Every bit with a deletion probability p, 1110001 -> 11001
• Bit removal is close to deletion but not the same
  • Bit removal removes fixed number of bits per packet
  • Deletion does not guarantee that, but has nice i.i.d. properties
• Tie them together:
  • Compression as coding, deletion channel as wiretapper’s channel
  • Can we achieve I(U;Z)/n → 0?

Huffman Code

• Widely used due to good compression property
• Kraft’s inequality of prefix codes
  • Integer codewords lengths {li}
  • For any uniquely decodable code C over binary alphabet {0,1}, I is the total number of codewords
• Does deletion shorten the length of codes?
  • If so, C not uniquely decodable
  • How much does this increase eavesdropper’s uncertainty?
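One way to explore the question above, as an added Python example that is not from the original slides: encode a message with a small prefix code, delete a bit, and enumerate every message an eavesdropper would have to consider. The codebook, the sample message and the assumption that the eavesdropper knows both the codebook and the number of deleted bits are constructed for illustration.

```python
# Constructed prefix code (a Huffman code for probabilities 1/2, 1/4, 1/8, 1/8).
CODE = {"a": "0", "b": "10", "c": "110", "d": "111"}
DECODE = {word: sym for sym, word in CODE.items()}

def kraft_sum(code=CODE) -> float:
    """Sum of 2^(-l_i) over the codeword lengths; at most 1 for a prefix code."""
    return sum(2.0 ** -len(word) for word in code.values())

def encode(msg: str) -> str:
    return "".join(CODE[sym] for sym in msg)

def decode(bits: str):
    """Return the message, or None if bits do not end on a codeword boundary."""
    out, cur = [], ""
    for bit in bits:
        cur += bit
        if cur in DECODE:
            out.append(DECODE[cur])
            cur = ""
    return "".join(out) if cur == "" else None

def delete_bits(bits: str, positions) -> str:
    """Model the deletion: the listed bit positions vanish without a marker."""
    drop = set(positions)
    return "".join(c for i, c in enumerate(bits) if i not in drop)

def candidates(received: str, n_deleted: int) -> set:
    """Every message consistent with `received` once n_deleted bits are reinserted."""
    streams = {received}
    for _ in range(n_deleted):
        streams = {s[:i] + bit + s[i:]
                   for s in streams for i in range(len(s) + 1) for bit in "01"}
    return {msg for msg in map(decode, streams) if msg is not None}

if __name__ == "__main__":
    sent = encode("abacabad")                # constructed sample message
    received = delete_bits(sent, [5])        # one bit lost on the wiretapper's side
    print(decode(received), len(candidates(received, 1)))
```

The shortened stream still parses as a valid but different message, and the size of the candidate set gives a rough count of what the eavesdropper cannot rule out.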

A System View

• Composability of a security system
  • Usually assume adversary controls network
  • Design end system components
  • Network channels play an active role?
• Massey93:
  • A cascade of ciphers is at least as difficult to break as the first one
  • A cascade of additive binary stream ciphers, known to contain at least one computationally secure cipher, is computationally secure
• Do properties exist for ciphers in parallel?

Conclusion

• Consider using multiple links to improve security
• Introduced MEO system
• Problem is lack of provable security
• Propose to use the wiretap channel model
  • Prove we can use wiretap channel to model MEO
  • Incorporate channel error as part of design
  • Use uncertainty to guide encoding/encryption design
• Compression as encryption
• Security System

Thanks!!

Applications

• Secure download
• Security enhancement