Download A Communications Security Architecture and Cryptographic

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
Document related concepts

Network science wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Computer security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
Who’s watching your network
A Communications Security Architecture and
Cryptographic Mechanisms for Distributed
Sensor Networks
DARPA SensIT Workshop
October 8, 1999
David Carman, Dr. Brian Matt,
David Balenson, and Peter Kruus
NAI Labs, The Security Research Division
Network Associates, Inc.
Sponsored by the
DARPA/ITO Sensor Information Technology (SensIT) Program
Through Air Force Research Laboratory (AFRL) Contract No. F30602-99-C-0185
Dr. Sri Kumar, DARPA, Program Manager
Scott Shyne, AFRL, COTR
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Presentation Outline
• Research Status
–
–
–
–
Goals and Objectives
Hard Problems
Related Work
New Ideas
• Support for Demonstration
–
–
–
–
Sensor Node Architecture
User Platform Architecture
Project Timeline
Demo 1 Security Software
SensIT-100799-2
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Goal and Objectives
• Goal
– Develop a communications security architecture incorporating
cryptographic security mechanisms that efficiently support the
provision of required integrity, authentication, and
confidentiality security services within distributed networks of
resource-limited sensors
• Objectives
– Identify practical cryptographic mechanisms and protocols that
can be selectively employed by resource-limited sensor nodes
– Design a communications security architecture suitable for
use by distributed networks of resource-limited sensor nodes
– Implement a prototype system and simulation that can be
used to demonstrate efficient and practical communications
security for distributed networks of resource-limited sensor in
a variety of environments and scenarios
SensIT-100799-3
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Hard Problems
• Resource-Limitations
– power budget, processing budget, continuous operation
• Range of Security Services Across Different Layers
– confidentiality, integrity, authentication (with varying
granularity), anti-replay, non-repudiation, anonymity, denial-ofservice, authorization
•
•
•
•
Minimal Preconfiguration
Intermittent Group Connectivity
Key Management for Multi-hop Routing
Keying and authenticating unattended sensors
SensIT-100799-4
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Related Work
• Wireless Security Research
– DARPA GloMo Program
– Bluetooth Technology
– Charon
• Smart Card Security Research
SensIT-100799-5
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
DARPA GloMo Program
• GloMo provides mobile users access to a range of
information services (e.g., email, www, video/voice
conferencing, whiteboard).
www.darpa.mil/ato/programs/glomo/index.htm
• GloMo network characteristics:
– Sporadic network connectivity.
– Wireless spread spectrum.
– Self-organizing, multi-hop,
heterogeneous networks.
– Security technologies and
techniques applied at the
application, networking, and
wireless link/node layers.
* Courtesy DARPA ATO GloMo Program website.
SensIT-100799-6
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
GloMo - Applicability to SensIT
• GloMo security research does
– allocate security services to various layers
– offer a scalable group key management scheme
– examine implementing crypto in mPs vs. ASICs vs. FPGAs
• GloMo security research does not provide solutions for
–
–
–
–
intermittent group connectivity
multi-hop routing
security with limited preconfiguration
continuous, unattended operation
SensIT-100799-7
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Bluetooth Technology
• Specification for wireless data/voice communication
– www.bluetooth.com
• Low-cost, short-range radio link facilitating protected ad
hoc connections for mobile communications
• Frequency-hopped transceiver with data rate of 1Mb/s
• Applicability to SensIT
– Does provide security solutions for link-level privacy (encryption)
and entity authentication using a challenge-response scheme
– Does not provide
•
•
•
•
protection for other network layers
intermittent group connectivity
multi-hop routing
unattended operation
SensIT-100799-8
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Charon
• Armando Fox and Steven Gribble - UC Berkeley
– www.cs.berkeley.edu/~gribble/cs294-7_wireless/Charon.html
• Kerberos-based protocol for indirect authentication and
secure communications with PDA-class mobile devices
• Uses a Kerberos-style trusted server to provide
confidentiality and authentication between end-entities
• Applicability to SensIT
– Does provide a solution to interactively authenticate
management nodes
– Does not provide
•
•
•
•
protection for other network layers
intermittent group connectivity
multi-hop routing
unattended operation
SensIT-100799-9
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Smart Card Characteristics
• Smart cards contain small (~25mm2) micro-controllers that
provide portable, relatively secure, low cost computing power and
data storage.
• Smart card characteristics:
– Main power provided by card readers (may
have battery-backed memory)
– Typically 8-bit CPUs with math / crypto coprocessor, low memory
– Limitations include small size / gate count
and card interface
– Physical vulnerabilities include fault analysis
and power analysis
•
Smart cards security applications include:
* Courtesy of cmpnet.com ©1997
– access control, secure peer-to-peer
communications, e-commerce, secure storage
SensIT-100799-10
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Smart Card Security - Applicability to SensIT
• Applicability to SensIT
– Provide some security solutions for resource-limited platforms
• math, crypto co-processors
• non-volatile data and key storage (EEPROM, FLASH, BBRAM)
• research in new protocols / algorithms for resource limited point-to
-point authentication, encryption, etc.
– Does not offer solutions for group keying
• Smart card client/server security model not applicable to group
security - does not provide routing security
• Smart card systems do not provide security with limited
preconfiguration
SensIT-100799-11
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
New Ideas
• Multi-Layer Protection
– Varying Authentication Granularity by Security Layer
– Varying Confidentiality Keying Granularity by Security Layer
• Confidential Query/Tasking with Minimal
Preconfiguration
• Anonymous Addressing with Minimal Preconfiguration
• Location-Dependent Cryptography
– Security for geo-routing
• Rippled Key Cryptography
SensIT-100799-12
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Multi-Layer Protection
• Provide confidentiality and authentication with varying
levels of granularity at different network layers
• Provides progressively stronger key binding with
minimal use of public key cryptography
Confidentiality
Application Layer
Ephemeral
Ad hoc Key
Ad hoc Key
Network Layer
Link Layer
Mission Key
Device Key
Authentication
Public/Private
Keypair
Ad hoc Key
Mission Key
Device Key
SensIT-100799-13
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Sensor Network Key Management (for Demo?)
Super Node
- Distributes Mission Key
- Signs Mobile Code
Kdevice
Kmission1
Kadhoc
Kmission2
SensIT-100799-14
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Confidential Query/Tasking with
Minimal Preconfiguration
Kquery = OWF(Attribute, KMission, Nonce)
Attribute Type = ID or Capability or Location
Sensor
Nodes
EKquery(Query or Task Message), Nonce,
Attribute Type
Management
Node
SensIT-100799-15
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Anonymous Addressing with
Minimal Preconfiguration
Does Nonce2 = OWF(Attribute(s), KMission, Nonce1) ?
Attribute Type = ID, Capability, and/or Location, etc.
Sensor
Nodes
EKquery(Query or Task Message), Nonce1,
Nonce2, Attribute Type
Management
Node
SensIT-100799-16
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Location-Dependent Cryptography
Kadhoc = OWF(Location attributes, KMission, Nonce)
Sensor
Nodes
Continuing research is
addressing how best to express
complex closed polygons and
multiple areas
SensIT-100799-17
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Rippled Key Cryptography
• Intelligent Key Sharing Between Groups
– eliminates inefficiencies of translation (decryption/re-encryption)
– defines scheme for wrapping of session keys, application keys,
mission keys, and attribute keys
logical keying relationships
SensIT-100799-18
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Near-Term Project Tasks (Task 1 only)
• Architecture and Mechanisms Study and Specification
– Study sensor environment, communications, security
requirements and constraints
– Develop an appropriate communications security architecture
comprised of selected cryptographic mechanisms
• Deliverables:
– Requirements and Constraints REPORT; Month 06
– Draft Design and Specification REPORT; Month 18
– Final Design and Specification REPORT; Month 28
SensIT-100799-19
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Support for SensIT Demonstration
•
•
•
•
•
Sensor Node Architecture
User Platform Architecture
Sensor Network Key Management
Project Timeline
Demo 1 Security Software
SensIT-100799-20
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Sensor Node Strawman Architecture
= security functionality
HI
DC
T/S
DM
DM
DM
Mobile
Code
DM
IP
S/P
Functional
DB
Security
Manager
Data Acq.
Data Acq. API
Tamper Sensor
Sensor HW
Message Handling
Data Req.
Mgr.
handles internal msg. traffic
Func.
Mgr.
Network Routing
handles external msg. traffic
GPS
Comm API
Comm H/W
Time,
Loc
Initialization
- Network address
- Functionality
- Security parameters
SensIT-100799-21
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
User Platform Strawman Architecture
GUI
Display
= security functionality
Security
Mgmt.
Mobile
Code
Device
Status
DM
DB Language
query generator
DM
DM
Time
Series
Detection/
Classification
DM
High
Level
DM
DM
Message Handling
Network Routing
Security
Manager
Communications Link
Nodes
SensIT-100799-22
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
GPS
Time,
Loc
Initialization
- Security parameters
Who’s watching your network
Project Timeline
Draft
Design &
Specification
REPORT
Requirements
& Constraints
REPORT
Jun
1999
Apr Jun
2000 2000
Dec
1999
1
2
3
4
5
6
7
8
9
Dec
2000
10 11 12 13 14 15 16 17 18 19 20 21
Preliminary
SOFTWARE
for Demo 1
Final
Design &
Specification
REPORT
Apr Jun
2001 2001
Dec
2001
Final
Report
Jun
2002
22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
Preliminary
SOFTWARE
for Demo 2
Demo
Prototype
Toolkit
SOFTWARE
SensIT-100799-23
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Who’s watching your network
Demo 1 Security Software
• Demo 1 Approach:
– Embed (hide) security functionality beneath Network API
– Low-risk, very little integration (only with Sensor.com?)
• Link Layer Security Software
– Embedded beneath the WINS Network API on all nodes
– Provides confidentiality, integrity, coarse authentication, and
anti-replay
• Network/Mission Layer Security Software
– Embedded beneath the WINS Network API on all nodes
– Provides confidentiality, integrity, mission group authentication
SensIT-100799-24
http://www.nai.com/nai_labs/asp_set/crypto/crypt_senseit.asp
Related documents
C# and ASP.net - East Tennessee State University
C# and ASP.net - East Tennessee State University
Amanda Lopatin B`nai Amoona
Amanda Lopatin B`nai Amoona
Traditional Judaism
Traditional Judaism
Gan/Kass Phys 416 LAB 4
Gan/Kass Phys 416 LAB 4
Durkin Phys 416 LAB 4
Durkin Phys 416 LAB 4
Gan/Kass Phys 416 LAB 4
Gan/Kass Phys 416 LAB 4
Gan/Kass Phys 3700 LAB 4
Gan/Kass Phys 3700 LAB 4
Cen 312 Web Programming - Department of Information
Cen 312 Web Programming - Department of Information
Gan/Kass Phys 416 LAB 4
Gan/Kass Phys 416 LAB 4