RBWA: An Efficient RandomBit Windowbased Authentication Protocol

1
RBWA An Efficient Random-Bit Window-based
Authentication Protocol

• Fan Zhao
• zhaofa_at_cs.ucdavis.edu
• April 2, 2003

2
Agenda

• Motivation
• Overview
• Protocol Design
• Anti-replay Window Scheme
• Security Analysis
• Simulation Results
• Conclusions

3
PDA
Local Server
AP
Home Agent
Access Router
Laptop
LAN
Internet
Server
DSLAM
Desktop
AAA Server
Laptop
DSL Modem
PDA
Hub/Switch
AP
Laptop
Desktop
4
Motivations

• Visitor Network
• LANs that are most often deployed in public
  places and enable the public network access on an
  ad-hoc basis.
• Foreign Network
• A network other than home work which the mobile
  node belongs to.
• ISPs deploying visitor network and Foreign
  Network services desires user authentication
  before granting the right to access Internet and
  hereafter charges users accordingly.

5
Motivations

• Authentication
• Successful verification of credentials provided
  by users is required.
• A list of filter rules based on the device
  identifier (IP/MAC address, etc) of authenticated
  hosts is implemented in Access Router.
• IETF PANA working group is working on such kind
  of protocol, which we call initial user
  authentication.
• Vulnerability? On shared media, the attackers
  have no technical difficulty to eavesdrop and
  then spoof the authenticated device identifier
  (IP/MAC address etc.), thus stealing the
  bandwidth.
• Per data packet authentication can counter that
  attack.

6
Motivations

• Accounting
• Flat rate accounting
• Usage-based accounting is preferred.
• Source authentication on per-packet basis is
  critical to guarantee the correctness of
  accounting. Otherwise, arguments will be caused
  between ISPs and customers and no third party can
  make a judgment.

7
Motivations

• IPSec
• AH (Authentication Header)

AH HDR
IP HDR
TCP/UDP HDR
Payload
Transport Mode
Authenticated
8
Motivations

• IPSec
• ESP (Encapsulating Security Payload)

Transport Mode
Encrypted
Authenticated
9
Motivations

• Is AH sufficient?
• AH header is at least 24 bytes 192 bits A big
  overhead especially in bandwidth-scarce
  environment, such as wireless.
• HMAC-MD5-96/HMAC-SHA-96 A big burden on the
  power of light-weighted computing devices, such
  as PDA.
• Proactive method We have to do it for each
  packet even if there is no attack, which is the
  most frequent situation.
• All of these will greatly deteriorate the
  end-to-end performance.

10
Motivations
Transport Mode
AH HDR
IP HDR
Transport Mode
Apparent redundancy shown when combined with
End-to-End protection. How can we improve the
performance?
11
Motivation

• Tradeoff between the overhead and performance
• It may be unwise to use some strong cryptographic
  algorithms to protect every data packet when no
  attackers are really around.
• ISPs may tolerant up to X bandwidth loss rather
  than wasting more resource to resist every single
  unauthorized packet.
• But, when the degree of attacks passes certain
  threshold, it will be detected and, maybe under
  that special situation, a stronger security
  mechanism can then be used to eliminate the
  unauthorized traffic.

12
Goals

• Secure An attacker should be able to gain the
  access to the network only with a very low
  probability.
• Efficient The protocol must be efficient in term
  of overhead, bandwidth and CPU cycles.
• Robust The protocol must effectively resist the
  attacks and the unexpected situations in IP
  network, such as severe packet reordering and
  packet loss.
• Detectable If the attacker tries to steal too
  much bandwidth, the protocol will be able to
  detect it.

13
Overview of RBWA

• Terminologies
• Client A network device used by a user to access
  the network through Access Router, denoted by C.
• Access Router A router that is present in the
  same subnet as Client controls the network access
  based on its policy and credentials associated
  with each packet from Client, denoted by AR.

14
Overview of RBWA

• IP layer protocol
• ACKless Sequence number is used to achieve the
  synchronization between C and AR. The sequence
  number field is separated into seg and
  intra-seg two parts. Thus, within one segment,
  the number of sequence numbers, which we call
  segment size, is 2intra-seg.
• C and AR share a session key, KAB and
  Random/Pseudo-Random Number Generator, F.

Sequence Number
15
Overview of RBWA

• C and AR share a session key, KAB and
  Random/Pseudo-Random Number Generator, F.
• For each segment, a identical random-bit stream
  will be calculated by F(KAB, seg) at both C and
  AR. Then F(KAB, seg) is separated into
  2intra-seg random-bit blocks.
• Each random-bit block and the corresponding
  sequence number is attached to the packet sent
  for the purpose of authentication.

16
Overview of RBWA

• The 16-bit identifier field in IP header can be
  used to store the random-bit block and sequence
  number.

32 bits
type of service
head. len
ver
length
fragment offset
16-bit identifier
flgs
upper layer
time to live
Internet checksum
32 bit source IP address
17
Description
AR will authenticate each incoming packet based
on the sequence number and random-bit block. If
the random-bit block matches the corresponding
one AR has, AR assumes it is from the valid user.
KAB

• KAB

packet
S, RB,
18
Description

• An IPSec-alike anti-replay window is maintained
  at AR to prevent the replay attack.
• SSN means starting sequence number in the window.

SSN
W(window size)
Sequence

28
27
26

14
13

12
Random bit block

110
101
110

111
100

001
19
Description

• Case 1 s lt SSN
• In this case, Bob cannot determine whether it has
  received this packet before. Bob assumes that
  this packet is already received. So it just
  discards the packet.

W(window size)

000
101
110

111
010
100

s
SSN
20
Description

• Case 2 SSN lt s lt (SSN W)
• If Bob has already received this sequence number
  correctly, so Bob discards this packet.
• Otherwise, Bob checks the incoming random-bit
  block. If mismatch, Bob will discard the message.
  Otherwise, Bob accepts this message and marks
  that sequence number as received.

W(window size)

000
101
110

111
010
100

SSN
s
21
Description

• Case 3 (SSN W) lt s
• Given the segment size and s, we can get the seg
  and intra-seg. Assume the intra-seg is i, if
  match, AR determines that it has not received
  this packet before it slides the window so that
  s becomes the new right edge of the window.
  Otherwise, AR discards the packet silently.

22
Anti-replay window schemes

• Packet reordering
• route path changing
• A computer can switch from wireless channel to
  wired one if it has multiple interfaces. The
  different propagation delays can cause the
  reordering.
• Node mobility
• Move from one location to another
• Handover
• Move from one foreign network to another
• Packet reordering and dropping can dramatically
  deteriorate the end-to-end performance.

23
IPSec anti-replay sliding window

• Problem
• When packet reordering happens, a large sequence
  number will force the anti-replay window shift,
  potentially causing the late packet with the
  small sequence number dropped.
• Also with RBWA, the attacker can shift the
  window if he can guess the random-bit block
  correctly.

24
IPSec anti-replay sliding window
Window
13
7
Not received packet
25
Different sliding window schemes

• Increase the IPSec window size and drop the
  packet sequence number larger than the right edge
• Pros
• May catch more reordering packets
• Without frequent copy and paste operations
• Cons
• Memory inefficient
• How large is enough to catch all the reordered
  packets?
• When a lot of packets were dropped before
  reaching AR, the following packets will be
  dropped too.

26
Different sliding window schemes

• IPSec window with adaptive changed window size
• Pros
• Memory efficient
• Cons
• Frequent copy and paste operations
• If attacker successfully guesses the random-bit,
  a large sliding window may have to be allocated.

27
Different sliding window schemes

• IPSec window with controlled-shift
• C.-T. Huang, Mohamed G. Gouda, An Anti-Replay
  Window Protocol with Controlled Shift, Proc.
  ICCCN, 2001
• When the incoming sequence number, s, is more
  than W positions to the right of the window, do
  we sacrifice or deliver this new coming message?

W
d
W


6
5
4

s
SSN
28
Controlled-shift

• First, Bob estimates the current True message
  ratio in IP
• Count the of T(true) in the current window
  of T
• Divide of T by window size the current true
  message ratio
• Second, Bob multiplies the current true message
  ratio by the in d
• This is the estimated of True messages Bob will
  lose in d
• Third, E_M estimated of True messages Bob
  will lose in d
• S_M of consecutively sacrificed messages.
• Max threshold value.
• If of consecutively sacrificed messages is
  larger than Max value, Then Bob determines that
  the chance of the arrival of the earlier message
  is small and shift the window to the right.
• If ((E_M gt S_M 1) and ( S_M 1 lt Max))
• then discard message and do not slide the
  window
• S_M 1
• else
• Deliver the message and slide the window such
  that SSN s W S_M 0

29
Double window scheme

• Gouda, M. G., C.-T. Huang, E. Li, Anti-Replay
  Window Protocols for Secure IP, Proceedings of
  ICCCN 2000.
• Split the Window W into two windows (W1 and W2)
  of half the size of W
• The sequence numbers between W1 and W2 have to be
  kept as unreceived.
• The behaviors of W1 and W2 are same as IPSec
  sliding window.

30
Different Window Schemes

• IPSec anti-replay window can be formalized as an
  array of small windows (called sub-window), where
  each sub-window contains only one sequence number
  that is either received or not received and the
  two adjacent sub-windows contain the consecutive
  sequence numbers.

31
Receiving Window

• Every sub-window only contains one received
  sequence number.
• Assume the max of sub-window in Receiving
  window, W, is 4.

Silently drop packet 3
3
4
5
7
8
5
7
Replayed packet 7
9
10
32

• Claim1 Assume W is the number of sub-windows in
  the IPSec anti-replay window, sequence number i
  will be dropped due to packet reordering if and
  only if there is at least one sequence number, j,
  received before, where j gt i W.
• Claim2 Assume W is the number of sub-windows in
  the receiving window, sequence number i will be
  dropped due to packet reordering if and only if
  there are at least W different sequence numbers,
  j, received before, where j gt i.
• Claim3 Assume receiving window and IPSec sliding
  window have the same number of sub-windows, if
  sequence number i is dropped due to packet
  reordering by the receiving window, it will be
  dropped by the IPSec anti-replay window too.

33
Range Window

• If the receiving sub-windows containing the
  consecutive sequence numbers can be merged into
  one sub-window denoted by minseq, maxseq, the
  Receiving Window will become what we call Range
  Window.
• Similar with TCP SACK option.

95
34
Hybrid (Receiving/Range) Window

• Combined with IPSec sliding window
• Less memory cost when no much reordering
• Description
• 1) At the beginning, the anti-replay window is
  organized as IPSec sliding window.
• 2) When the incoming sequence number, s, is not
  larger than the right edge of IPSec sliding
  window, it will be processed the same as it is in
  IPSec window.
• 3) When s is larger than the right edge of
  IPSec sliding window, a new receiving sub-window
  will be generated to record s. The sub-windows of
  the receiving window are sorted in the ascending
  order of the sequence number.
• 4) When the number of receiving sub-windows is
  larger than the predefined threshold, IPSec
  sliding window will be shifted until its right
  edge reaches the lowest sequence number of
  receiving window, which is in the first receiving
  sub-window and it will be freed after that.

35
Security Analysis

• Random/Pseudorandom Bit Generator
• Replay attacks
• Denial-of-Service attacks
• Spoofing
• Malicious dropping
• Eavesdropping

36
Random/Pseudo-Random Bit Generator

• The outputs of a good RNG must be unpredicted
  without the knowledge of seeds.
• The outputs of a good RNG should be significantly
  different when the input is different.
• Any b-bit portion of a m-bit random bit stream
  should have 1/(2b) probability to be guessed
  correctly given that m-bit random bit stream has
  1/(2m) probability to be guessed correctly.

37
Random/Pseudo-Random Bit Generator

• NIST Statistical Test reports the following
  flawless RNGs
• ANSI X9.17 Synchronization required in RBWA.
• G-DES, G-SHA, BBS, MS, LCG, QCG2
• Threat model
• Exhaustively search the session key
• Heuristic trying
• Cryptanalytic attack

38
Security Analysis

• Replay attacks resisted by anti-replay window
  scheme.
• Denial-of-Service attacks
• Flooding at AR
• Forcing the anti-replay window shift
• Spoofing
• Low probability to guess the random bit block
  correctly
• Easily detected

39
Security Analysis

• Malicious Dropping
• Statistically detecting the packet loss through
  observing the sequence number.
• Eavesdropping
• Unpredictability of the next random-bits block
  from the one sent before
• Reusing a random-bit block will cause the
  mismatch
• The protection of integrity and privacy of data
  payload is left as the responsibility and choice
  of the user by end-to-end security.
• Man-in-Middle attack
• Prevented by end-to-end protection
• It is much harder to comprise the intermediate
  router.

40
Simulations

• The number of sub-windows of each scheme is 32
  and the maximum number of receiving/range
  sub-windows is defined as 16 in hybrid
  receiving/range window scheme.
• Random Packet Reordering (RPR)
• The whole packet stream is separated into blocks.
• The packets within each block arrive randomly
  while the blocks as a whole are in order.
• This pattern can be formalized as B, S where B
  is the number of blocks and S is the size of
  block.
• In order to simplify this pattern, we assume that
  each block has the same size here.

41
Random Packet Reordering (RPR)
42
Exponential Distribution Based Packet Reordering
(EPR)

• The propagation time for each packet arriving is
  based on Exponential distribution, F(t)1-e-?t.
• It is denoted as N, ?, where N is the number of
  packets involveded and ? is the expected
  propagation time.
• The packets are assumed to be sent by the
  constant interval. We generate the propagation
  time for each sequence number, and then sort the
  sequence numbers in the ascending order of total
  time. After that we feed the sorted sequence of
  sequence numbers into our simulation program.

43
Exponential Distribution Based Packet Reordering
(EPR)
0
0
0
2
1
2
4
2
1
6
3
4
8
4
3
44
Exponential Distribution Based Packet Reordering
(EPR)
45
Burst Packer Reordering (BPR)

• Blocks can arrive out of order while packets
  within each block can be random or in order.
• It is formalized as B, S, where B is the number
  of blocks reordered and S is the size of block.
• In our experiment, we assume that each block size
  is the same and within each block, the packets
  arrive in the random order.

46
Burst Packer Reordering (BPR)
47
Conclusion

• Statistically control the network access
• Much less overhead introduced
• It fulfills the requirement of being secure,
  efficient, robust and detectable.

48
Thank you!
49
Questions?