Title: RBWA: An Efficient RandomBit Windowbased Authentication Protocol
1RBWA An Efficient Random-Bit Window-based
Authentication Protocol
- Fan Zhao
- zhaofa_at_cs.ucdavis.edu
- April 2, 2003
2Agenda
- Motivation
- Overview
- Protocol Design
- Anti-replay Window Scheme
- Security Analysis
- Simulation Results
- Conclusions
3PDA
Local Server
AP
Home Agent
Access Router
Laptop
LAN
Internet
Server
DSLAM
Desktop
AAA Server
Laptop
DSL Modem
PDA
Hub/Switch
AP
Laptop
Desktop
4Motivations
- Visitor Network
- LANs that are most often deployed in public
places and enable the public network access on an
ad-hoc basis. - Foreign Network
- A network other than home work which the mobile
node belongs to. - ISPs deploying visitor network and Foreign
Network services desires user authentication
before granting the right to access Internet and
hereafter charges users accordingly.
5Motivations
- Authentication
- Successful verification of credentials provided
by users is required. - A list of filter rules based on the device
identifier (IP/MAC address, etc) of authenticated
hosts is implemented in Access Router. - IETF PANA working group is working on such kind
of protocol, which we call initial user
authentication. - Vulnerability? On shared media, the attackers
have no technical difficulty to eavesdrop and
then spoof the authenticated device identifier
(IP/MAC address etc.), thus stealing the
bandwidth. - Per data packet authentication can counter that
attack.
6Motivations
- Accounting
- Flat rate accounting
- Usage-based accounting is preferred.
- Source authentication on per-packet basis is
critical to guarantee the correctness of
accounting. Otherwise, arguments will be caused
between ISPs and customers and no third party can
make a judgment.
7Motivations
- IPSec
- AH (Authentication Header)
AH HDR
IP HDR
TCP/UDP HDR
Payload
Transport Mode
Authenticated
8Motivations
- IPSec
- ESP (Encapsulating Security Payload)
Transport Mode
Encrypted
Authenticated
9Motivations
- Is AH sufficient?
- AH header is at least 24 bytes 192 bits A big
overhead especially in bandwidth-scarce
environment, such as wireless. - HMAC-MD5-96/HMAC-SHA-96 A big burden on the
power of light-weighted computing devices, such
as PDA. - Proactive method We have to do it for each
packet even if there is no attack, which is the
most frequent situation. - All of these will greatly deteriorate the
end-to-end performance.
10Motivations
Transport Mode
AH HDR
IP HDR
Transport Mode
Apparent redundancy shown when combined with
End-to-End protection. How can we improve the
performance?
11Motivation
- Tradeoff between the overhead and performance
- It may be unwise to use some strong cryptographic
algorithms to protect every data packet when no
attackers are really around. - ISPs may tolerant up to X bandwidth loss rather
than wasting more resource to resist every single
unauthorized packet. - But, when the degree of attacks passes certain
threshold, it will be detected and, maybe under
that special situation, a stronger security
mechanism can then be used to eliminate the
unauthorized traffic.
12Goals
- Secure An attacker should be able to gain the
access to the network only with a very low
probability. - Efficient The protocol must be efficient in term
of overhead, bandwidth and CPU cycles. - Robust The protocol must effectively resist the
attacks and the unexpected situations in IP
network, such as severe packet reordering and
packet loss. - Detectable If the attacker tries to steal too
much bandwidth, the protocol will be able to
detect it.
13Overview of RBWA
- Terminologies
- Client A network device used by a user to access
the network through Access Router, denoted by C. - Access Router A router that is present in the
same subnet as Client controls the network access
based on its policy and credentials associated
with each packet from Client, denoted by AR.
14Overview of RBWA
- IP layer protocol
- ACKless Sequence number is used to achieve the
synchronization between C and AR. The sequence
number field is separated into seg and
intra-seg two parts. Thus, within one segment,
the number of sequence numbers, which we call
segment size, is 2intra-seg. - C and AR share a session key, KAB and
Random/Pseudo-Random Number Generator, F.
Sequence Number
15Overview of RBWA
- C and AR share a session key, KAB and
Random/Pseudo-Random Number Generator, F. - For each segment, a identical random-bit stream
will be calculated by F(KAB, seg) at both C and
AR. Then F(KAB, seg) is separated into
2intra-seg random-bit blocks. - Each random-bit block and the corresponding
sequence number is attached to the packet sent
for the purpose of authentication.
16Overview of RBWA
- The 16-bit identifier field in IP header can be
used to store the random-bit block and sequence
number.
32 bits
type of service
head. len
ver
length
fragment offset
16-bit identifier
flgs
upper layer
time to live
Internet checksum
32 bit source IP address
17Description
AR will authenticate each incoming packet based
on the sequence number and random-bit block. If
the random-bit block matches the corresponding
one AR has, AR assumes it is from the valid user.
KAB
packet
S, RB,
18Description
- An IPSec-alike anti-replay window is maintained
at AR to prevent the replay attack. - SSN means starting sequence number in the window.
SSN
W(window size)
Sequence
28
27
26
14
13
12
Random bit block
110
101
110
111
100
001
19Description
- Case 1 s lt SSN
- In this case, Bob cannot determine whether it has
received this packet before. Bob assumes that
this packet is already received. So it just
discards the packet.
W(window size)
000
101
110
111
010
100
s
SSN
20Description
- Case 2 SSN lt s lt (SSN W)
- If Bob has already received this sequence number
correctly, so Bob discards this packet. - Otherwise, Bob checks the incoming random-bit
block. If mismatch, Bob will discard the message.
Otherwise, Bob accepts this message and marks
that sequence number as received.
W(window size)
000
101
110
111
010
100
SSN
s
21Description
- Case 3 (SSN W) lt s
- Given the segment size and s, we can get the seg
and intra-seg. Assume the intra-seg is i, if
match, AR determines that it has not received
this packet before it slides the window so that
s becomes the new right edge of the window.
Otherwise, AR discards the packet silently.
22Anti-replay window schemes
- Packet reordering
- route path changing
- A computer can switch from wireless channel to
wired one if it has multiple interfaces. The
different propagation delays can cause the
reordering. - Node mobility
- Move from one location to another
- Handover
- Move from one foreign network to another
- Packet reordering and dropping can dramatically
deteriorate the end-to-end performance.
23IPSec anti-replay sliding window
- Problem
- When packet reordering happens, a large sequence
number will force the anti-replay window shift,
potentially causing the late packet with the
small sequence number dropped. - Also with RBWA, the attacker can shift the
window if he can guess the random-bit block
correctly.
24IPSec anti-replay sliding window
Window
13
7
Not received packet
25Different sliding window schemes
- Increase the IPSec window size and drop the
packet sequence number larger than the right edge - Pros
- May catch more reordering packets
- Without frequent copy and paste operations
- Cons
- Memory inefficient
- How large is enough to catch all the reordered
packets? - When a lot of packets were dropped before
reaching AR, the following packets will be
dropped too.
26Different sliding window schemes
- IPSec window with adaptive changed window size
- Pros
- Memory efficient
- Cons
- Frequent copy and paste operations
- If attacker successfully guesses the random-bit,
a large sliding window may have to be allocated.
27Different sliding window schemes
- IPSec window with controlled-shift
- C.-T. Huang, Mohamed G. Gouda, An Anti-Replay
Window Protocol with Controlled Shift, Proc.
ICCCN, 2001 - When the incoming sequence number, s, is more
than W positions to the right of the window, do
we sacrifice or deliver this new coming message?
W
d
W
6
5
4
s
SSN
28Controlled-shift
- First, Bob estimates the current True message
ratio in IP - Count the of T(true) in the current window
of T - Divide of T by window size the current true
message ratio - Second, Bob multiplies the current true message
ratio by the in d - This is the estimated of True messages Bob will
lose in d - Third, E_M estimated of True messages Bob
will lose in d - S_M of consecutively sacrificed messages.
- Max threshold value.
- If of consecutively sacrificed messages is
larger than Max value, Then Bob determines that
the chance of the arrival of the earlier message
is small and shift the window to the right. - If ((E_M gt S_M 1) and ( S_M 1 lt Max))
- then discard message and do not slide the
window - S_M 1
- else
- Deliver the message and slide the window such
that SSN s W S_M 0
29Double window scheme
- Gouda, M. G., C.-T. Huang, E. Li, Anti-Replay
Window Protocols for Secure IP, Proceedings of
ICCCN 2000. - Split the Window W into two windows (W1 and W2)
of half the size of W - The sequence numbers between W1 and W2 have to be
kept as unreceived. - The behaviors of W1 and W2 are same as IPSec
sliding window.
30Different Window Schemes
- IPSec anti-replay window can be formalized as an
array of small windows (called sub-window), where
each sub-window contains only one sequence number
that is either received or not received and the
two adjacent sub-windows contain the consecutive
sequence numbers.
31Receiving Window
- Every sub-window only contains one received
sequence number. - Assume the max of sub-window in Receiving
window, W, is 4.
Silently drop packet 3
3
4
5
7
8
5
7
Replayed packet 7
9
10
32- Claim1 Assume W is the number of sub-windows in
the IPSec anti-replay window, sequence number i
will be dropped due to packet reordering if and
only if there is at least one sequence number, j,
received before, where j gt i W. - Claim2 Assume W is the number of sub-windows in
the receiving window, sequence number i will be
dropped due to packet reordering if and only if
there are at least W different sequence numbers,
j, received before, where j gt i. - Claim3 Assume receiving window and IPSec sliding
window have the same number of sub-windows, if
sequence number i is dropped due to packet
reordering by the receiving window, it will be
dropped by the IPSec anti-replay window too.
33Range Window
- If the receiving sub-windows containing the
consecutive sequence numbers can be merged into
one sub-window denoted by minseq, maxseq, the
Receiving Window will become what we call Range
Window. - Similar with TCP SACK option.
95
34Hybrid (Receiving/Range) Window
- Combined with IPSec sliding window
- Less memory cost when no much reordering
- Description
- 1) At the beginning, the anti-replay window is
organized as IPSec sliding window. - 2) When the incoming sequence number, s, is not
larger than the right edge of IPSec sliding
window, it will be processed the same as it is in
IPSec window. - 3) When s is larger than the right edge of
IPSec sliding window, a new receiving sub-window
will be generated to record s. The sub-windows of
the receiving window are sorted in the ascending
order of the sequence number. - 4) When the number of receiving sub-windows is
larger than the predefined threshold, IPSec
sliding window will be shifted until its right
edge reaches the lowest sequence number of
receiving window, which is in the first receiving
sub-window and it will be freed after that.
35Security Analysis
- Random/Pseudorandom Bit Generator
- Replay attacks
- Denial-of-Service attacks
- Spoofing
- Malicious dropping
- Eavesdropping
36Random/Pseudo-Random Bit Generator
- The outputs of a good RNG must be unpredicted
without the knowledge of seeds. - The outputs of a good RNG should be significantly
different when the input is different. - Any b-bit portion of a m-bit random bit stream
should have 1/(2b) probability to be guessed
correctly given that m-bit random bit stream has
1/(2m) probability to be guessed correctly.
37Random/Pseudo-Random Bit Generator
- NIST Statistical Test reports the following
flawless RNGs - ANSI X9.17 Synchronization required in RBWA.
- G-DES, G-SHA, BBS, MS, LCG, QCG2
- Threat model
- Exhaustively search the session key
- Heuristic trying
- Cryptanalytic attack
38Security Analysis
- Replay attacks resisted by anti-replay window
scheme. - Denial-of-Service attacks
- Flooding at AR
- Forcing the anti-replay window shift
- Spoofing
- Low probability to guess the random bit block
correctly - Easily detected
39Security Analysis
- Malicious Dropping
- Statistically detecting the packet loss through
observing the sequence number. - Eavesdropping
- Unpredictability of the next random-bits block
from the one sent before - Reusing a random-bit block will cause the
mismatch - The protection of integrity and privacy of data
payload is left as the responsibility and choice
of the user by end-to-end security. - Man-in-Middle attack
- Prevented by end-to-end protection
- It is much harder to comprise the intermediate
router.
40Simulations
- The number of sub-windows of each scheme is 32
and the maximum number of receiving/range
sub-windows is defined as 16 in hybrid
receiving/range window scheme. - Random Packet Reordering (RPR)
- The whole packet stream is separated into blocks.
- The packets within each block arrive randomly
while the blocks as a whole are in order. - This pattern can be formalized as B, S where B
is the number of blocks and S is the size of
block. - In order to simplify this pattern, we assume that
each block has the same size here.
41Random Packet Reordering (RPR)
42Exponential Distribution Based Packet Reordering
(EPR)
- The propagation time for each packet arriving is
based on Exponential distribution, F(t)1-e-?t. - It is denoted as N, ?, where N is the number of
packets involveded and ? is the expected
propagation time. - The packets are assumed to be sent by the
constant interval. We generate the propagation
time for each sequence number, and then sort the
sequence numbers in the ascending order of total
time. After that we feed the sorted sequence of
sequence numbers into our simulation program.
43Exponential Distribution Based Packet Reordering
(EPR)
0
0
0
2
1
2
4
2
1
6
3
4
8
4
3
44Exponential Distribution Based Packet Reordering
(EPR)
45Burst Packer Reordering (BPR)
- Blocks can arrive out of order while packets
within each block can be random or in order. - It is formalized as B, S, where B is the number
of blocks reordered and S is the size of block. - In our experiment, we assume that each block size
is the same and within each block, the packets
arrive in the random order.
46Burst Packer Reordering (BPR)
47Conclusion
- Statistically control the network access
- Much less overhead introduced
- It fulfills the requirement of being secure,
efficient, robust and detectable.
48Thank you!
49Questions?