RBWA: An Efficient RandomBit Windowbased Authentication Protocol - PowerPoint PPT Presentation

1 / 49
About This Presentation
Title:

RBWA: An Efficient RandomBit Windowbased Authentication Protocol

Description:

32 bit source IP address. ver. length. 32 bits. 16-bit identifier. time to. live. head. len ... Unpredictability of the next random-bits block from the one sent before ... – PowerPoint PPT presentation

Number of Views:34
Avg rating:3.0/5.0
Slides: 50
Provided by: fanz1
Category:

less

Transcript and Presenter's Notes

Title: RBWA: An Efficient RandomBit Windowbased Authentication Protocol


1
RBWA An Efficient Random-Bit Window-based
Authentication Protocol
  • Fan Zhao
  • zhaofa_at_cs.ucdavis.edu
  • April 2, 2003

2
Agenda
  • Motivation
  • Overview
  • Protocol Design
  • Anti-replay Window Scheme
  • Security Analysis
  • Simulation Results
  • Conclusions

3
PDA
Local Server
AP
Home Agent
Access Router
Laptop
LAN
Internet
Server
DSLAM
Desktop
AAA Server
Laptop
DSL Modem
PDA
Hub/Switch
AP
Laptop
Desktop
4
Motivations
  • Visitor Network
  • LANs that are most often deployed in public
    places and enable the public network access on an
    ad-hoc basis.
  • Foreign Network
  • A network other than home work which the mobile
    node belongs to.
  • ISPs deploying visitor network and Foreign
    Network services desires user authentication
    before granting the right to access Internet and
    hereafter charges users accordingly.

5
Motivations
  • Authentication
  • Successful verification of credentials provided
    by users is required.
  • A list of filter rules based on the device
    identifier (IP/MAC address, etc) of authenticated
    hosts is implemented in Access Router.
  • IETF PANA working group is working on such kind
    of protocol, which we call initial user
    authentication.
  • Vulnerability? On shared media, the attackers
    have no technical difficulty to eavesdrop and
    then spoof the authenticated device identifier
    (IP/MAC address etc.), thus stealing the
    bandwidth.
  • Per data packet authentication can counter that
    attack.

6
Motivations
  • Accounting
  • Flat rate accounting
  • Usage-based accounting is preferred.
  • Source authentication on per-packet basis is
    critical to guarantee the correctness of
    accounting. Otherwise, arguments will be caused
    between ISPs and customers and no third party can
    make a judgment.

7
Motivations
  • IPSec
  • AH (Authentication Header)

AH HDR
IP HDR
TCP/UDP HDR
Payload
Transport Mode
Authenticated
8
Motivations
  • IPSec
  • ESP (Encapsulating Security Payload)

Transport Mode
Encrypted
Authenticated
9
Motivations
  • Is AH sufficient?
  • AH header is at least 24 bytes 192 bits A big
    overhead especially in bandwidth-scarce
    environment, such as wireless.
  • HMAC-MD5-96/HMAC-SHA-96 A big burden on the
    power of light-weighted computing devices, such
    as PDA.
  • Proactive method We have to do it for each
    packet even if there is no attack, which is the
    most frequent situation.
  • All of these will greatly deteriorate the
    end-to-end performance.

10
Motivations
Transport Mode
AH HDR
IP HDR
Transport Mode
Apparent redundancy shown when combined with
End-to-End protection. How can we improve the
performance?
11
Motivation
  • Tradeoff between the overhead and performance
  • It may be unwise to use some strong cryptographic
    algorithms to protect every data packet when no
    attackers are really around.
  • ISPs may tolerant up to X bandwidth loss rather
    than wasting more resource to resist every single
    unauthorized packet.
  • But, when the degree of attacks passes certain
    threshold, it will be detected and, maybe under
    that special situation, a stronger security
    mechanism can then be used to eliminate the
    unauthorized traffic.

12
Goals
  • Secure An attacker should be able to gain the
    access to the network only with a very low
    probability.
  • Efficient The protocol must be efficient in term
    of overhead, bandwidth and CPU cycles.
  • Robust The protocol must effectively resist the
    attacks and the unexpected situations in IP
    network, such as severe packet reordering and
    packet loss.
  • Detectable If the attacker tries to steal too
    much bandwidth, the protocol will be able to
    detect it.

13
Overview of RBWA
  • Terminologies
  • Client A network device used by a user to access
    the network through Access Router, denoted by C.
  • Access Router A router that is present in the
    same subnet as Client controls the network access
    based on its policy and credentials associated
    with each packet from Client, denoted by AR.

14
Overview of RBWA
  • IP layer protocol
  • ACKless Sequence number is used to achieve the
    synchronization between C and AR. The sequence
    number field is separated into seg and
    intra-seg two parts. Thus, within one segment,
    the number of sequence numbers, which we call
    segment size, is 2intra-seg.
  • C and AR share a session key, KAB and
    Random/Pseudo-Random Number Generator, F.

Sequence Number
15
Overview of RBWA
  • C and AR share a session key, KAB and
    Random/Pseudo-Random Number Generator, F.
  • For each segment, a identical random-bit stream
    will be calculated by F(KAB, seg) at both C and
    AR. Then F(KAB, seg) is separated into
    2intra-seg random-bit blocks.
  • Each random-bit block and the corresponding
    sequence number is attached to the packet sent
    for the purpose of authentication.

16
Overview of RBWA
  • The 16-bit identifier field in IP header can be
    used to store the random-bit block and sequence
    number.

32 bits
type of service
head. len
ver
length
fragment offset
16-bit identifier
flgs
upper layer
time to live
Internet checksum
32 bit source IP address
17
Description
AR will authenticate each incoming packet based
on the sequence number and random-bit block. If
the random-bit block matches the corresponding
one AR has, AR assumes it is from the valid user.
KAB
  • KAB

packet
S, RB,
18
Description
  • An IPSec-alike anti-replay window is maintained
    at AR to prevent the replay attack.
  • SSN means starting sequence number in the window.

SSN
W(window size)
Sequence

28
27
26

14
13

12
Random bit block

110
101
110

111
100

001
19
Description
  • Case 1 s lt SSN
  • In this case, Bob cannot determine whether it has
    received this packet before. Bob assumes that
    this packet is already received. So it just
    discards the packet.

W(window size)

000
101
110

111
010
100

s
SSN
20
Description
  • Case 2 SSN lt s lt (SSN W)
  • If Bob has already received this sequence number
    correctly, so Bob discards this packet.
  • Otherwise, Bob checks the incoming random-bit
    block. If mismatch, Bob will discard the message.
    Otherwise, Bob accepts this message and marks
    that sequence number as received.

W(window size)

000
101
110

111
010
100

SSN
s
21
Description
  • Case 3 (SSN W) lt s
  • Given the segment size and s, we can get the seg
    and intra-seg. Assume the intra-seg is i, if
    match, AR determines that it has not received
    this packet before it slides the window so that
    s becomes the new right edge of the window.
    Otherwise, AR discards the packet silently.

22
Anti-replay window schemes
  • Packet reordering
  • route path changing
  • A computer can switch from wireless channel to
    wired one if it has multiple interfaces. The
    different propagation delays can cause the
    reordering.
  • Node mobility
  • Move from one location to another
  • Handover
  • Move from one foreign network to another
  • Packet reordering and dropping can dramatically
    deteriorate the end-to-end performance.

23
IPSec anti-replay sliding window
  • Problem
  • When packet reordering happens, a large sequence
    number will force the anti-replay window shift,
    potentially causing the late packet with the
    small sequence number dropped.
  • Also with RBWA, the attacker can shift the
    window if he can guess the random-bit block
    correctly.

24
IPSec anti-replay sliding window
Window
13
7
Not received packet
25
Different sliding window schemes
  • Increase the IPSec window size and drop the
    packet sequence number larger than the right edge
  • Pros
  • May catch more reordering packets
  • Without frequent copy and paste operations
  • Cons
  • Memory inefficient
  • How large is enough to catch all the reordered
    packets?
  • When a lot of packets were dropped before
    reaching AR, the following packets will be
    dropped too.

26
Different sliding window schemes
  • IPSec window with adaptive changed window size
  • Pros
  • Memory efficient
  • Cons
  • Frequent copy and paste operations
  • If attacker successfully guesses the random-bit,
    a large sliding window may have to be allocated.

27
Different sliding window schemes
  • IPSec window with controlled-shift
  • C.-T. Huang, Mohamed G. Gouda, An Anti-Replay
    Window Protocol with Controlled Shift, Proc.
    ICCCN, 2001
  • When the incoming sequence number, s, is more
    than W positions to the right of the window, do
    we sacrifice or deliver this new coming message?

W
d
W


6
5
4

s
SSN
28
Controlled-shift
  • First, Bob estimates the current True message
    ratio in IP
  • Count the of T(true) in the current window
    of T
  • Divide of T by window size the current true
    message ratio
  • Second, Bob multiplies the current true message
    ratio by the in d
  • This is the estimated of True messages Bob will
    lose in d
  • Third, E_M estimated of True messages Bob
    will lose in d
  • S_M of consecutively sacrificed messages.
  • Max threshold value.
  • If of consecutively sacrificed messages is
    larger than Max value, Then Bob determines that
    the chance of the arrival of the earlier message
    is small and shift the window to the right.
  • If ((E_M gt S_M 1) and ( S_M 1 lt Max))
  • then discard message and do not slide the
    window
  • S_M 1
  • else
  • Deliver the message and slide the window such
    that SSN s W S_M 0

29
Double window scheme
  • Gouda, M. G., C.-T. Huang, E. Li, Anti-Replay
    Window Protocols for Secure IP, Proceedings of
    ICCCN 2000.
  • Split the Window W into two windows (W1 and W2)
    of half the size of W
  • The sequence numbers between W1 and W2 have to be
    kept as unreceived.
  • The behaviors of W1 and W2 are same as IPSec
    sliding window.

30
Different Window Schemes
  • IPSec anti-replay window can be formalized as an
    array of small windows (called sub-window), where
    each sub-window contains only one sequence number
    that is either received or not received and the
    two adjacent sub-windows contain the consecutive
    sequence numbers.

31
Receiving Window
  • Every sub-window only contains one received
    sequence number.
  • Assume the max of sub-window in Receiving
    window, W, is 4.

Silently drop packet 3
3
4
5
7
8
5
7
Replayed packet 7
9
10
32
  • Claim1 Assume W is the number of sub-windows in
    the IPSec anti-replay window, sequence number i
    will be dropped due to packet reordering if and
    only if there is at least one sequence number, j,
    received before, where j gt i W.
  • Claim2 Assume W is the number of sub-windows in
    the receiving window, sequence number i will be
    dropped due to packet reordering if and only if
    there are at least W different sequence numbers,
    j, received before, where j gt i.
  • Claim3 Assume receiving window and IPSec sliding
    window have the same number of sub-windows, if
    sequence number i is dropped due to packet
    reordering by the receiving window, it will be
    dropped by the IPSec anti-replay window too.

33
Range Window
  • If the receiving sub-windows containing the
    consecutive sequence numbers can be merged into
    one sub-window denoted by minseq, maxseq, the
    Receiving Window will become what we call Range
    Window.
  • Similar with TCP SACK option.

95
34
Hybrid (Receiving/Range) Window
  • Combined with IPSec sliding window
  • Less memory cost when no much reordering
  • Description
  • 1) At the beginning, the anti-replay window is
    organized as IPSec sliding window.
  • 2) When the incoming sequence number, s, is not
    larger than the right edge of IPSec sliding
    window, it will be processed the same as it is in
    IPSec window.
  • 3) When s is larger than the right edge of
    IPSec sliding window, a new receiving sub-window
    will be generated to record s. The sub-windows of
    the receiving window are sorted in the ascending
    order of the sequence number.
  • 4) When the number of receiving sub-windows is
    larger than the predefined threshold, IPSec
    sliding window will be shifted until its right
    edge reaches the lowest sequence number of
    receiving window, which is in the first receiving
    sub-window and it will be freed after that.

35
Security Analysis
  • Random/Pseudorandom Bit Generator
  • Replay attacks
  • Denial-of-Service attacks
  • Spoofing
  • Malicious dropping
  • Eavesdropping

36
Random/Pseudo-Random Bit Generator
  • The outputs of a good RNG must be unpredicted
    without the knowledge of seeds.
  • The outputs of a good RNG should be significantly
    different when the input is different.
  • Any b-bit portion of a m-bit random bit stream
    should have 1/(2b) probability to be guessed
    correctly given that m-bit random bit stream has
    1/(2m) probability to be guessed correctly.

37
Random/Pseudo-Random Bit Generator
  • NIST Statistical Test reports the following
    flawless RNGs
  • ANSI X9.17 Synchronization required in RBWA.
  • G-DES, G-SHA, BBS, MS, LCG, QCG2
  • Threat model
  • Exhaustively search the session key
  • Heuristic trying
  • Cryptanalytic attack

38
Security Analysis
  • Replay attacks resisted by anti-replay window
    scheme.
  • Denial-of-Service attacks
  • Flooding at AR
  • Forcing the anti-replay window shift
  • Spoofing
  • Low probability to guess the random bit block
    correctly
  • Easily detected

39
Security Analysis
  • Malicious Dropping
  • Statistically detecting the packet loss through
    observing the sequence number.
  • Eavesdropping
  • Unpredictability of the next random-bits block
    from the one sent before
  • Reusing a random-bit block will cause the
    mismatch
  • The protection of integrity and privacy of data
    payload is left as the responsibility and choice
    of the user by end-to-end security.
  • Man-in-Middle attack
  • Prevented by end-to-end protection
  • It is much harder to comprise the intermediate
    router.

40
Simulations
  • The number of sub-windows of each scheme is 32
    and the maximum number of receiving/range
    sub-windows is defined as 16 in hybrid
    receiving/range window scheme.
  • Random Packet Reordering (RPR)
  • The whole packet stream is separated into blocks.
  • The packets within each block arrive randomly
    while the blocks as a whole are in order.
  • This pattern can be formalized as B, S where B
    is the number of blocks and S is the size of
    block.
  • In order to simplify this pattern, we assume that
    each block has the same size here.

41
Random Packet Reordering (RPR)
42
Exponential Distribution Based Packet Reordering
(EPR)
  • The propagation time for each packet arriving is
    based on Exponential distribution, F(t)1-e-?t.
  • It is denoted as N, ?, where N is the number of
    packets involveded and ? is the expected
    propagation time.
  • The packets are assumed to be sent by the
    constant interval. We generate the propagation
    time for each sequence number, and then sort the
    sequence numbers in the ascending order of total
    time. After that we feed the sorted sequence of
    sequence numbers into our simulation program.

43
Exponential Distribution Based Packet Reordering
(EPR)
0
0
0
2
1
2
4
2
1
6
3
4
8
4
3
44
Exponential Distribution Based Packet Reordering
(EPR)
45
Burst Packer Reordering (BPR)
  • Blocks can arrive out of order while packets
    within each block can be random or in order.
  • It is formalized as B, S, where B is the number
    of blocks reordered and S is the size of block.
  • In our experiment, we assume that each block size
    is the same and within each block, the packets
    arrive in the random order.

46
Burst Packer Reordering (BPR)
47
Conclusion
  • Statistically control the network access
  • Much less overhead introduced
  • It fulfills the requirement of being secure,
    efficient, robust and detectable.

48
Thank you!
49
Questions?
Write a Comment
User Comments (0)
About PowerShow.com