
Forward Secure Delay-Tolerant Networking

Signe Rüsch, Dominik Schürmann, Rüdiger Kapitza, Lars Wolf

October 20, 2017


Motivation FSE Forward Secure DTNs Evaluation Conclusion

Motivation

Delay-Tolerant Networks

  • Communication for different kinds of environments
  • Use store-carry-forward approach
  • Bundle Protocol (BP):
      • End-to-end message-oriented overlay
  • Bundle Security Protocol (BSP):
      • Defines bundle types for end-to-end and hop-to-hop security
      • Offers confidentiality, integrity, authenticity

Rüsch, Schürmann, Kapitza, Wolf | Forward Secure DTN | 2


Forward Secrecy

  • DTN communication vulnerable to attack:
      • Eavesdropping adversary records encrypted bundles
      • When key is leaked, then she can decrypt them
  • Leakage highly probable due to exploits, design flaws, ...
  • FS provides protection of past communication up to certain time
  • Difficult to achieve in asynchronous communication (Unger et al., 2015)


  • Naïve countermeasure:
      • Encrypt each message with different ephemeral key
      • No common key for bundles
  • But: complex key management, e.g. highly available infrastructure
  • DTN includes highly mobile nodes, ad-hoc connections, ...
  • Proposed solution: use Puncturable Encryption (FSE) Scheme
      • M. D. Green and I. Miers, “Forward Secure Asynchronous Messaging from Puncturable Encryption”, 2015


Puncturable Encryption

Approach

  • Asymmetric encryption scheme
  • Messages are encrypted with a tag and a time interval value
  • Update private key:
      • Revoke decryption capabilities for certain messages
      • Based on tag or time value
      • No new key exchange required


Puncturing

  • On receiving ciphertext CT with tag t
  • Decryption key $SK_{i-1} = [sk_0, \ldots, sk_{i-1}]$
  • Puncture $SK_{i-1}$ on tag t
  • Decryption key $SK_i = [sk_0, \ldots, sk_{i-1}, sk_i]$

  • Decryption not possible, already punctured with tag t

[Figure: tag axis ("Tags") with the punctured tag t marked]


Puncturable Encryption

Key Forwarding

  • Key lifetime is divided into time intervals
  • Deriving new private key for a new interval
  • Deleting interval key: remove decryption capabilities for this interval
  • Buffer period: store keys for certain duration for late arrivals

[Figure: key intervals along a time axis]


  • Decryption time and key storage cost (Green & Miers, 2015):
      • Grows with puncturing during interval
      • Linearly in number of messages received within time period
  • Key forwarding: performed at start of each interval to “reset” the private key
  • Duration of interval optimal with one message per interval


Forward Secure DTNs

Bundle Security Protocol

  • No changes to bundle types
  • Integrate FSE scheme as alternative cipher suite

Tags

  • Every bundle should be unique in tag
  • Decrypted only once by receiver, then punctured → Highest level of forward secrecy
  • Hash of node’s EID, timestamp, timestamp sequence number


Parameters

  • n: time interval length
  • d: number of time intervals
      • $2^{31}$ intervals supported by library (Green & Miers, 2015)
      • After this, new keys have to be exchanged
  • N: number of interval keys kept for buffer period
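
The key-state rules from the slides above (one tag per bundle, puncture after the single decryption, interval keys deleted once the buffer period has passed), as an added example that is not from the presentation or from libforwardsec. It is a bookkeeping model with no cryptography; the SHA-256 tag encoding, the EID `dtn://lander`, the class and function names, the sample values n = 124 s and N = 3, and the reading of N as the number of held interval keys including the current one are assumptions.

```python
import hashlib
DECRYPTED = "decrypted"
PUNCTURED = "rejected: tag already punctured"
KEY_DELETED = "rejected: interval key deleted"
FUTURE = "rejected: interval not reached yet"

def bundle_tag(eid, timestamp, seqno):
    # SHA-256 and the "|" separator are assumptions; the slide only says "hash".
    return hashlib.sha256(f"{eid}|{timestamp}|{seqno}".encode()).hexdigest()

class ReceiverKeyState:
    """Bookkeeping model only: tracks what the key could still decrypt, no crypto."""
    def __init__(self, n, N):
        self.n = n                    # interval length in seconds
        self.N = N                    # interval keys held, current one included (assumption)
        self.current = 0              # index of the current interval
        self.punctured = {0: set()}   # held interval key -> tags punctured on it

    def advance_to(self, now):
        # Key forwarding: derive each new interval key, delete the expired one.
        while self.current < now // self.n:
            self.current += 1
            self.punctured[self.current] = set()
            self.punctured.pop(self.current - self.N, None)

    def receive(self, eid, timestamp, seqno, now):
        self.advance_to(now)
        interval = timestamp // self.n
        if interval > self.current:
            return FUTURE
        if interval not in self.punctured:
            return KEY_DELETED
        tag = bundle_tag(eid, timestamp, seqno)
        if tag in self.punctured[interval]:
            return PUNCTURED
        self.punctured[interval].add(tag)   # decrypt once, then puncture on the tag
        return DECRYPTED

def run_constructed_trace():
    # Constructed arrivals; n = 124 s and N = 3 are sample parameters.
    rx = ReceiverKeyState(n=124, N=3)
    return [
        rx.receive("dtn://lander", 10, 0, now=134),   # normal delivery
        rx.receive("dtn://lander", 10, 0, now=140),   # replayed copy of the same bundle
        rx.receive("dtn://lander", 20, 0, now=173),   # arrives 153 s after creation
        rx.receive("dtn://lander", 30, 0, now=400),   # held back past the buffer period
    ]

print(run_constructed_trace())
```

The last arrival is the case that matters for forward secrecy: a bundle recorded and withheld until its interval key is gone can no longer be decrypted, even by the legitimate receiver.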


Microbenchmarks: Key Generation

Evaluation

  • IBR-DTN: www.ibr.cs.tu-bs.de/projects/ibr-dtn
  • Dell OptiPlex 7010 Desktop-PC
  • Intel Core i7-2770 CPU @ 4(8) x 3.4 GHz
  • 16 GB RAM
  • Ubuntu 14.04 LTS

[Figure: bar chart, key generation time in ms for RSA and FSE, "library call" vs. "full"; bar labels 102.9, 104.7, 89.3, 91.1]


Microbenchmarks: Cryptographic Operations

  • Puncturing included in decryption (18.6 ms)

[Figure: bar chart, time in ms for Encrypt and Decrypt, RSA vs. FSE; bar labels 1.2, 4.4, 18.4, 62.7]


Microbenchmarks: Latency

[Figure (a) Latency introduced by FSE: dtnping latency in ms for None, RSA and FSE; bar labels 3.1, 12.7, 142.7]

[Figure (b) Latency during interval progression: latency over the number of consecutive bundles (1 to 7) for FSE, RSA and None]


FSE Parameters

Scenarios

  • Choice of parameters for FSE scheme in DTNs:
      • InterPlanetary network (Apollonio et al., 2013)
      • Rural village (Grasic & Lindgren, 2014)
      • Vehicular network (Doering et al., 2010)
  • Chosen for varying delays and traffic loads
  • Interval duration n: typically mean transmission time
  • Buffer period: N = ⌈Max/Mean⌉ + 1


InterPlanetary Network

  • Streaming scenario
  • Moon lander sends bundles to Earth via multiple hops
  • 5 kB bundles every 10 s
  • Fully known contact plan of nodes
  • Transmission time: mean ∼ 124 s, max ∼ 153 s
  • (Apollonio et al., 2013)


  • Interval length n = 124 s
  • N = ⌈153/124⌉ + 1 = 3
  • ∼ 5–11 bundles/interval → decryption time ∼ 170–250 ms/bundle
  • (Apollonio et al., 2013)


Rural Village

  • Communication services to remote village
  • Provided via data mule helicopter
  • Direct connection to DTN
  • Facebook, messaging
  • 13 end-user nodes
  • (Grasic & Lindgren, 2014)


  • 115 bundles/day → 9 bundles/day/device
  • Transmission time: mean ∼ 1 day, max ∼ 2 days
  • Parameters:
      • n = 1 day
      • N = ⌈2/1⌉ + 1 = 3
  • Decryption time ∼ 225 ms → acceptable performance
  • (Grasic & Lindgren, 2014)


Vehicular Networks

  • Public transportation system
  • 54 bus stops, 28 vehicles
  • Vehicle positions, traffic information: ∼ 2 bundles/s
  • Routing algorithm RUTS: fixed network with high traffic
  • Transmission time: mean ∼ 13 min, max ∼ 98 min
  • (Doering et al., 2010)


  • Parameters:
      • n = 13 min
      • N = ⌈98/13⌉ + 1 = 9
      • 1560 bundles/interval
      • Decryption time ∼ 21.6 s
  • Alternative parameters:
      • n = 1 min
      • N = 99
      • 120 bundles/interval
      • Decryption time ∼ 1.8 s
  • Trade-off: performance vs. memory usage → impractical!
  • (Doering et al., 2010)


Conclusion

Forward Secure Delay-Tolerant Networking

  • DTN communication previously not forward secure
  • Integrate FSE scheme by Green and Miers into IBR-DTN
  • Ensures forward secrecy of bundles using puncturing
  • Acceptable performance overhead, but high latency
  • Remedy with suitable parameters, analyze scenario requirements


Questions?

References

  • P. Apollonio, C. Caini, and V. Fiore. “From the Far Side of the Moon: Delay/Disruption-Tolerant Networking Communications via Lunar”. In: China Communications 10.10 (Oct. 2013), pp. 12–25. issn: 1673-5447.
  • R. Canetti, S. Halevi, and J. Katz. “A Forward-Secure Public-Key Encryption Scheme”. In: Advances in Cryptology — EUROCRYPT 2003. Proceedings. Ed. by Eli Biham. Berlin, Heidelberg: Springer, 2003, pp. 255–271. isbn: 978-3-540-39200-2.
  • M. Doering, T. Pögel, and L. Wolf. “DTN Routing in Urban Public Transport Systems”. In: Proceedings of the 5th ACM Workshop on Challenged Networks. CHANTS ’10. Chicago, Illinois, USA: ACM, 2010, pp. 55–62. isbn: 978-1-4503-0139-8.
  • S. Grasic and A. Lindgren. “Revisiting a Remote Village Scenario and its DTN Routing Objective”. In: Computer Communications 48 (2014), pp. 133–140. issn: 0140-3664.
  • M. D. Green and I. Miers. “Forward Secure Asynchronous Messaging from Puncturable Encryption”. In: 2015 IEEE Symposium on Security and Privacy. May 2015, pp. 305–320.
  • F. Günther et al. “0-RTT Key Exchange with Full Forward Secrecy”. In: Advances in Cryptology - EUROCRYPT 2017. Proceedings, Part III. Ed. by Jean-Sébastien Coron and Jesper Buus Nielsen. Cham: Springer, 2017, pp. 519–548. isbn: 978-3-319-56617-7.
  • I. Miers. Libforwardsec. Forward Secure Encryption for Asynchronous Messaging. 2015. url: https://github.com/imichaelmiers/libforwardsec.
  • R. Ostrovsky, A. Sahai, and B. Waters. “Attribute-Based Encryption with Non-Monotonic Access Structures”. In: ACM CCS ’07. 2007, pp. 195–203.
  • E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. https://tools.ietf.org/html/draft-ietf-tls-tls13-18. Mar. 2016.
  • S. Schildt et al. “IBR-DTN: A Lightweight, Modular and Highly Portable Bundle Protocol Implementation”. In: Electronic Communications of the EASST 37 (Jan. 2011), pp. 1–11.
  • N. Unger et al. “SoK: Secure Messaging”. In: IEEE Symposium on Security and Privacy. May 2015, pp. 232–249.


Backup Slides


Puncturable Encryption

Algorithms of FSE Scheme

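  • $\mathsf{KeyGen}(1^d, k) \rightarrow (PK, SK_0)$
  • $\mathsf{Encrypt}(PK, M, t_1, \ldots, t_k) \rightarrow$ ciphertext $CT$
  • $\mathsf{Decrypt}(PK, SK_i, CT, t_1, \ldots, t_k) \rightarrow \{M\} \cup \{\bot\}$
  • $\mathsf{Puncture}(PK, SK_{i-1}, t) \rightarrow SK_i$
  • $\mathsf{NextInterval}(SK_n)$
  • No signing or signature verification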


Utilized Schemes

  • FSE scheme combines two schemes:
      • PKE scheme with forward secrecy by Canetti, Halevi, and Katz
      • Non-Monotonic Attribute Based Encryption by Ostrovsky, Sahai, and Waters
  • Private keys of both schemes cryptographically bound to each other


Synchronous Communication

  • Online and interacting partners:
      • Use authenticated key exchange protocol (Diffie-Hellman)
      • Create new ephemeral keys for every connection
      • Used by OTR, TextSecure, ...
  • Other naïve approach for asynchronous communication (Signal):
      • Key server for ephemeral pre-keys


Performance (Green & Miers, 2015)

  • Assume one message per interval for best performance
  • Only encrypt symmetric key (AES256) → max. message size 32 B
  • Puncture: 15.6 ms (initial), 9.8 ms (subsequent)
  • Key forwarding: 50 ms
  • Decryption: 13.8 ms
  • Encryption: 5.49 ms
  • Private key size: 14 kB – 890 kB, normally < 50 kB


Puncturing & Key Forwarding

  • Puncture: 18.6 ms
  • Key forwarding: 15.5 ms


Microbenchmarks: Key Generation

[Figure (a) Key Generation: time in ms for RSA and FSE, "library call" vs. "full"; bar labels 102.9, 104.7, 89.3, 91.1]

[Figure (b) Start-up time of SecurityKeyManager: RSA and FSE, without and with pre-keys; bar labels 105, 0.2, 106, 35.1]


FS-DTN

Buffer Period

  • Assume bundles are delayed or dropped by attacker
  • Corresponding decryption key is deleted after buffer period has passed → Forward secrecy is still provided


Related Work

  • “0-RTT Key Exchange with Full Forward Secrecy” (Günther et al., 2017):
      • Reduce number of messages necessary for TLS key exchange
      • Uses puncturable encryption to provide forward secrecy to first RTT message
