ARC Special Research Centre for Ultra-Broadband Information Networks
Dept. of Electrical & Electronic Engineering
University of Melbourne
Sprint
2007-11-28
Improving Security with Network Diversity
Ph.D. Confirmation
Tao Ye
Supervisors: Dr. Darryl Veitch, Dr. Jean Bolot, Prof. Rod Tucker
Motivation
Improving Security using Network Diversity
• Data confidentiality in network always a problem
  • Many security components inadequate
  • RSA backdoor
  • Rivest: A math error in chip can lead to easy crypto break-in
• Diverse networks are available
  • Data capable cellular networks
  • WiFi Hotspots
  • Wired Internet, multi-home
• Heterogeneity: bandwidth, security features
Divide information across diverse, heterogeneous links (physical or logical) to increase confidentiality, on top of the availability or strength of underlying encryption techniques.
Why not…
• Solve the problem with strong end-to-end encryption
• Known and unknown security component failures
  • Known – upgrade problems: WEP
  • Unknown – new weakness discovered all the time, good cipher might fail in the future!
• Strong encryption can be too expensive
  • Small devices
  • PKI too expensive to deploy
• Might not be available
Goal
• Design and implement an overlay system to increase communication confidentiality
  • Bandwidth aware but focused on security
  • Low computation cost
  • Set in today’s Internet environment
Outline
• Motivation and goals
• Related Work
• Multichannel Encryption Overlay
• Towards Provable Security
Related Work
• Multipath Secure Transmission in MANET
  • Mobile Ad hoc NETwork has frequent topology change, reliability must be coupled with security
  • Use redundancy to provide reliability
  • Preprocess message into n pieces, send on m node-disjoint paths, only need t (<= n) pieces to recover
• Examples:
  • SPREAD ([Lou04]) uses Shamir’s (t,n) Secret Sharing Scheme: bandwidth inefficient – n*(message size)
  • SMT ([Papadimitratos03]) uses Rabin Information Dispersal: O(n^2)
• Security guarantee: Secret Sharing best, <t cannot recover
Related Work (cont.)
• Relevance of MANET
  • Set in today’s Internet environment
  • Reliability handled by a different layer, redundancy not a focus
  • Want more efficient (space and time) algorithms
  • Want better security guarantee
Related Work (cont.)
• All-or-Nothing Transforms (AON)
  • Rivest: Transformation of blocks
  • Computationally infeasible to reverse one block without all blocks
  • Reversible and efficiently computable
  • Package transform to be used with block cipher
• Secure Bulk Transfer [Byers04]
  • Sparse parity checking code spc2 has AON property
  • Running time O(dn), d > 10, n ~ file size
• Still want more efficient algorithm
• Not for real time or streaming applications
Related Work (cont.)
• Selective Encryption in Multimedia
  • Degrade MPEG2 streams: pay-per-view
  • For example, encrypt I-Frames, perhaps also I-Blocks
  • Transmit encrypted data and unencrypted data together
  • Nice application of using special data structure
  • Not a high security criterion
Outline
• Motivation and goals
• Related Work
• Multichannel Encryption Overlay (MEO)
• Towards Provable Security
Multichannel Encryption Overlay
• E0 is an encryption in a very general sense.
• Packet based, bits removed at random positions
• Can easily be extended to multiple channels
MEO Security
• Corruption by information removal
• Information rate reduction
• In order to crack the MEO, must either
  • Crack Channel 1, O1 → S, or
  • Crack channel 2, O2 → T, recombine correctly, then crack S’ → S
• Assume adversary has access to all channels
MEO Properties
• Definitions:
  • λi, pi, ri: packet arrival rate, fixed packet size, data rate on Channel i
  • Use Channel 0 for source S’
  • b: bits removed from S’ per packet to form O1
• Traffic rate
  • Rate on Channel 1 slows by a little: r1 = r0 – bλ0
  • 8p2/b packets from S’ → a packet for Channel 2
  • λ2 = bλ0 / 8p2: low rate on channel 2
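The split and the traffic-rate relations on this slide, as an added Python sketch that is not from the original deck: it removes b bits per packet to form O1, rebuilds the packet, and evaluates r1 and λ2. It assumes packet sizes in bytes and that Channel 2 carries each removed bit together with its position (the slide's λ2 counts only the b bits); all function names are hypothetical and the encryption of Channel 2 is not modelled.

```python
import random

def to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits: list) -> bytes:
    return bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[k:k + 8]))
        for k in range(0, len(bits), 8)
    )

def split_packet(packet: bytes, b: int, rng: random.Random):
    """Remove b bits at random positions. Returns (O1 bits, Channel 2 record)."""
    bits = to_bits(packet)
    positions = sorted(rng.sample(range(len(bits)), b))
    record = [(p, bits[p]) for p in positions]   # assumed Channel 2 payload
    drop = set(positions)
    o1 = [bit for i, bit in enumerate(bits) if i not in drop]
    return o1, record

def recombine(o1: list, record: list) -> bytes:
    """Re-insert the removed bits; ascending order restores original indices."""
    bits = list(o1)
    for pos, bit in sorted(record):
        bits.insert(pos, bit)
    return from_bits(bits)

def meo_rates(lambda0: float, p0: int, b: int, p2: int):
    """Slide formulas with packet sizes in bytes: returns (r0, r1, lambda2)."""
    r0 = 8 * p0 * lambda0              # bits/s offered by S'
    r1 = r0 - b * lambda0              # r1 = r0 - b*lambda0
    lambda2 = b * lambda0 / (8 * p2)   # lambda2 = b*lambda0 / 8*p2
    return r0, r1, lambda2

if __name__ == "__main__":
    rng = random.Random(2007)          # fixed seed so the demo is repeatable
    packet = bytes(range(240))         # constructed 240-byte sample packet
    o1, record = split_packet(packet, 3, rng)
    print(len(o1), record, recombine(o1, record) == packet)
    print(meo_rates(lambda0=100, p0=240, b=3, p2=240))
```

A deployed sender would draw positions from a CSPRNG such as `random.SystemRandom()`, which exposes the same `sample` method.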
MEO Preliminary Security Analysis
• Assume exhaustive search attacks to crack Channel 1
  • For n packets, total combinations are:
  • 1 bit removed, 240B packet -> 3,820
  • 3 bits removed, 240B packet -> 9,422,443,520
• Cracking encrypted Channel 2
  • Assume can be broken by cipher text only attacks
  • Number of packets needed to crack is an r.v. N
  • Using stationarity, define cracking time T = N/λ
  • Average cracking time on channel 2:
  • Assume ,
• Average cracking time of MEO:
• Gain factor
  • 1 bit, 1500B packet size, takes 12890 times longer to crack!!
WEP Example
• Simulation on cracking corrupted WEP
  • Illustrate the corruption property of the MEO in example
  • WEP is known to be weak, software cracking tool available
• Generate 200 keys to be recovered
• Generate one encrypted stream of ‘packets’ corresponding to each key
  • Normal stream vs. MEO corrupted stream
• Feed through Aircrack
  • set timeout to (1min,10min), (2min, 20min)
• Observe keys recovered vs. packets used
WEP Example (cont.)
• CDF of N
• Insensitive to timeout
• MEO corrupted streams are not cracked, for b=1, 2!
• Example demonstrates potential of MEO
• Does not prove general case
Outline
• Motivation and goals
• Related Work
• Multichannel Encryption Overlay
• Towards Provable Security
Weaknesses of MEO
• Lack provable security
  • Not sure if corruption on Channel 1 is sufficient
• E0 is an existing network element
  • Might not be suitable for corruption
• We should include E0 as a part of design
  • Leads to richer design space
  • But reduces modularity benefits
Towards Provable Security
• Information theoretic approach
  • Perfect secrecy
  • Zero Mutual information between transmitted code X and message M
  • Wyner’s Wiretap channel
  • Different from computation complexity approach of cryptography
• Use compression as encryption
  • An old idea, Roger Bacon in the 13th century
  • Surprisingly difficult to break
Wiretap Channel
• Wyner’s Wiretap channel framework
  • Use source coding and channel coding, exploit channel errors, to guarantee that an eavesdropper cannot decode message.
  • Legitimate receiver can decode message without error
Wiretap Channel
• Wiretap channel definitions
  • U, X, Y, Z are random variables
  • A sequence of n input symbols is X^n
• Objectives
• Secrecy Capacity
  • If U → X → (Y, Z) is a Markov chain
  • If both main and wiretapper’s channels are additive Gaussian, or I(X;Y) and I(X;Z) individually max by the same p(x)
MEO Modeled in Wiretap Channel
• Main channel:
  • Both Channel 1 and Channel 2 in MEO
  • Initially noiseless
• Wiretapper’s Channel:
  • Corruption process X = S’, Z = O1
• Now we view corruption as channel error by design
• Eavesdropper’s uncertainty H(S|O1) to evaluate coding
• Select coding scheme to force corrupted O1 to be unbreakable
Compression as Encryption
• Rivest et al.: Huffman can be difficult to break if codebook is unknown
• Shannon-Fano-Elias can be made exponentially difficult to break
• Recall: not sure if corruption is sufficient
• Compression
  • Compress to entropy
  • No redundancy, removed cannot recover
  • Many algorithms are O(n)
• How do we formally study it?
Compression and Deletion Channel
• Connecting deletion with bit removal
• Erasure channel
  • Every bit with an erasure probability e, where 1110001 -> 11?0?01
• Deletion channel
  • Every bit with a deletion probability p, 1110001 -> 11001
• Bit removal is close to deletion but not the same
  • Bit removal removes fixed number of bits per packet
  • Deletion does not guarantee that, but has nice i.i.d. properties
• Tie them together:
  • Compression as coding, deletion channel as wiretapper’s channel
  • Can we achieve I(U;Z)/n → 0?
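An added example, not from the original slides, that goes one step beyond them by counting how many 7-bit originals an eavesdropper must consider for the slide's erasure output 11?0?01 versus its deletion output 11001. It assumes the eavesdropper knows the original length, which fixed per-packet bit removal guarantees; the function names are hypothetical.

```python
from itertools import product
from math import comb

def is_subsequence(short: str, full: str) -> bool:
    """True if `short` can be obtained from `full` by deleting characters."""
    it = iter(full)
    return all(ch in it for ch in short)

def erasure_candidates(observed: str) -> list:
    """All originals consistent with an erasure output ('?' marks an erased bit)."""
    slots = [i for i, ch in enumerate(observed) if ch == "?"]
    out = []
    for fill in product("01", repeat=len(slots)):
        s = list(observed)
        for i, bit in zip(slots, fill):
            s[i] = bit
        out.append("".join(s))
    return out

def deletion_candidates(observed: str, n: int) -> list:
    """All length-n originals that contain `observed` as a subsequence."""
    return ["".join(c) for c in product("01", repeat=n)
            if is_subsequence(observed, "".join(c))]

def supersequence_count(m: int, n: int) -> int:
    """Closed form for binary strings: sum over i = 0..n-m of C(n, i).
    The count depends only on the two lengths, not on the observed bits."""
    return sum(comb(n, i) for i in range(n - m + 1))

if __name__ == "__main__":
    original = "1110001"                      # the slide's example string
    era = erasure_candidates("11?0?01")       # positions of the loss are visible
    dele = deletion_candidates("11001", 7)    # positions of the loss are hidden
    print(len(era), original in era)          # 4 True
    print(len(dele), original in dele)        # 29 True
    print(supersequence_count(5, 7))          # 29
```

The brute-force enumeration is exponential in n and is only meant for short strings; the closed form gives the count for realistic packet lengths.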
Huffman Code
• Widely used due to good compression property
• Kraft’s inequality of prefix codes
  • Integer codeword lengths {li}
  • For any uniquely decodable code C over binary alphabet {0,1},
  • I is the total number of codewords
• Does deletion shorten the length of codes?
  • If so, C not uniquely decodable
  • How much does this increase eavesdropper’s uncertainty?
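An added example (not from the original slides) of the question this slide raises: it builds a Huffman code for a constructed sample string, checks that the Kraft sum of 2^-l over its codewords equals 1, and shows that deleting a single bit from the encoded stream changes what a decoder holding the codebook recovers. The function names and the sample text are assumptions.

```python
import heapq
from collections import Counter
from fractions import Fraction

def huffman_code(text: str) -> dict:
    """Return {symbol: codeword}; ties are broken by a counter, so it is deterministic."""
    heap = [(n, i, {sym: ""}) for i, (sym, n) in enumerate(sorted(Counter(text).items()))]
    heapq.heapify(heap)
    tie = len(heap)
    while len(heap) > 1:
        n0, _, c0 = heapq.heappop(heap)
        n1, _, c1 = heapq.heappop(heap)
        merged = {s: "0" + w for s, w in c0.items()}
        merged.update({s: "1" + w for s, w in c1.items()})
        heapq.heappush(heap, (n0 + n1, tie, merged))
        tie += 1
    return heap[0][2]

def kraft_sum(code: dict) -> Fraction:
    """Exact sum of 2^-l over all codeword lengths l."""
    return sum(Fraction(1, 2 ** len(w)) for w in code.values())

def encode(text: str, code: dict) -> str:
    return "".join(code[ch] for ch in text)

def decode(bits: str, code: dict):
    """Greedy prefix decoding. Returns (decoded text, undecoded tail bits)."""
    inverse = {w: s for s, w in code.items()}
    out, cur = [], ""
    for bit in bits:
        cur += bit
        if cur in inverse:
            out.append(inverse[cur])
            cur = ""
    return "".join(out), cur

if __name__ == "__main__":
    text = "network diversity improves confidentiality"   # constructed sample
    code = huffman_code(text)
    bits = encode(text, code)
    print(kraft_sum(code), decode(bits, code) == (text, ""))
    damaged = bits[:10] + bits[11:]          # one bit deleted, position unknown to reader
    print(decode(damaged, code))             # decoding desynchronises after the deletion
```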
A System View
• Composability of a security system
  • Usually assume adversary controls network
  • Design end system components
  • Network channels play an active role?
• Massey93:
  • A cascade of ciphers is at least as difficult to break as the first one
  • A cascade of additive binary stream ciphers, known to contain at least one computationally secure cipher, is computationally secure
• Do properties exist for ciphers in parallel?
Conclusion
• Consider using multiple links to improve security
  • Introduced MEO system
  • Problem is lack of provable security
• Propose to use the wiretap channel model
  • Prove we can use wiretap channel to model MEO
  • Incorporate channel error as part of design
  • Use uncertainty to guide encoding/encryption design
• Compression as encryption
• Security System
Thanks!!
Applications
• Secure download
• Security enhancement