Dual-homomorphic message authentication code scheme for network coding-enabled wireless sensor networks
Network coding has shown a considerable improvement in terms of capacity and robustness compared to the traditional store-and-forward transmission paradigm. However, since the intermediate nodes in network coding-enabled networks have the ability to change the packets en route, network coding-enabled networks are vulnerable to pollution attacks where a small number of polluted messages can corrupt bunches of legitimate messages. Recently, research effort has been put on schemes for protecting the transmitted messages against data pollution attacks. However, most of them cannot resist tag pollution attacks. This paper presents a new homomorphic MAC-based scheme, called Dual-Homomorphic MAC (Dual-HMAC), for network coding-enabled wireless sensor networks. The proposed scheme makes use of two types of tags (i.e., MACs and D-MACs) to provide resistance against data pollution attacks and, partially, against tag pollution attacks. Furthermore, our proposed scheme presents low communication overhead and low computational complexity compared to other existing schemes.
Analysis of a Homomorphic MAC-based scheme against tag pollution in RLNC-enabled wireless networks
Network Coding-enabled wireless networks are vulnerable to data pollution attacks where adversary nodes inject into the network polluted (i.e. corrupted) packets that prevent the destination nodes from decoding correctly. Even a small proportion of pollution can quickly propagate into other packets via re-coding at the intermediate nodes, and lead to resource waste. Therefore, during the past few years, several solutions have been proposed to provide resistance against data pollution attacks. One of the most well-known solutions is Homomorphic Message Authentication Code (HMAC). However, HMAC is susceptible to a new type of pollution attack, called tag pollution attacks, in which a malicious node randomly modifies MAC tags appended at the end of the transmitted packets. To address this issue, we have recently proposed an HMAC-based scheme making use of two types of MAC tags to provide resistance against both data pollution attacks and tag pollution attacks. In this paper, we steer our focus on improving the resistance of our proposed scheme against tag pollution attacks by decreasing the number of MACs. Finally, we analyze the impact of the total number of MACs on the bandwidth overhead of the proposed scheme.
Security schemes against pollution attacks in network coding over wireless networks
PhD in Telecommunications. Abstract in Portuguese not available. The topic of this thesis is how to achieve efficient security against pollution attacks by exploiting the structure of network coding. There has recently been growing interest in using network coding techniques to increase the robustness and throughput of data networks, and reduce the delay in wireless networks, where a network coding-based scheme takes advantage of the additive nature of wireless signals by allowing two nodes to transmit simultaneously to the relay node. However, Network Coding (NC)-enabled wireless networks are susceptible to a severe security threat, known as data pollution attack, where a malicious node injects into the network polluted (i.e., corrupted) packets that prevent the destination nodes from decoding correctly. Due to recoding at the intermediate nodes, according to the core principle of NC, the polluted packets propagate quickly into other packets and corrupt bunches of legitimate packets, leading to network resource waste. Hence, a lot of research effort has been devoted to schemes against data pollution attacks. Homomorphic Message Authentication Code (MAC)-based schemes are a promising solution against data pollution attacks. However, most of them are susceptible to a new type of pollution attack, called tag pollution attack, where an adversary node randomly modifies tags appended to the end of the transmitted packets. Therefore, in this thesis, we first propose a homomorphic message authentication code-based scheme, providing resistance against data pollution attacks and tag pollution attacks in XOR NC-enabled wireless networks. Moreover, we propose four homomorphic message authentication code-based schemes which provide resistance against data and tag pollution attacks in Random Linear Network Coding (RLNC). Our results show that our proposed schemes are more efficient compared to other competitive tag pollution immune schemes in terms of complexity, communication overhead and key storage overhead.
Security threats in network coding-enabled mobile small cells
The recent explosive growth of mobile data traffic, the continuously growing demand for higher data rates, and the steadily increasing pressure for higher mobility have led to the fifth-generation mobile networks. To this end, network-coding (NC)-enabled mobile small cells are considered as a promising 5G technology to cover the urban landscape by being set up on-demand at any place, and at any time on any device. In particular, this emerging paradigm has the potential to provide significant benefits to mobile networks as it can decrease packet transmission in wireless multicast, provide network capacity improvement, and achieve robustness to packet losses with low energy consumption. However, despite these significant advantages, NC-enabled mobile small cells are vulnerable to various types of attacks due to the inherent vulnerabilities of NC. Therefore, in this paper, we provide a categorization of potential security attacks in NC-enabled mobile small cells. Particularly, our focus is on the identification and categorization of the main potential security attacks on a scenario architecture of the ongoing EU funded H2020-MSCA project “SECRET” being focused on secure network coding-enabled mobile small cells.
IDLP: an efficient intrusion detection and location-aware prevention mechanism for network coding-enabled mobile small cells
Mobile small cell technology is considered as a 5G enabling technology for delivering ubiquitous 5G services in a cost-effective and energy efficient manner. Moreover, Network Coding (NC) technology can be foreseen as a promising solution for the wireless network of mobile small cells to increase its throughput and improve its performance. However, NC-enabled mobile small cells are vulnerable to pollution attacks due to the inherent vulnerabilities of NC. Although there are several works on pollution attack detection, the attackers may continue to pollute packets in the next transmission of coded packets of the same generation from the source node to the destination nodes. Therefore, in this paper, we present an intrusion detection and location-aware prevention (IDLP) mechanism which not only detects the polluted packets and drops them but also identifies the attacker's exact location so as to block them and prevent packet pollution in the next transmissions. In the proposed IDLP mechanism, the detection and locating schemes are based on a null space-based homomorphic MAC scheme. However, the proposed IDLP mechanism is efficient because, in its initial phase (i.e., Phase 1), it does not need to be applied to all mobile devices in order to protect the NC-enabled mobile small cells from the depletion of their resources. The proposed efficient IDLP mechanism has been implemented in Kodo, and its performance has been evaluated and compared with our previous IDPS scheme proposed in [1], in terms of computational complexity, communicational overhead, and successful decoding probability as well.
A novel intrusion detection and prevention scheme for network coding-enabled mobile small cells
Network coding (NC)-enabled mobile small cells are observed as a promising technology for fifth-generation (5G) networks that can cover the urban landscape by being set up on demand at any place and at any time on any device. Nevertheless, despite the significant benefits that this technology brings to the 5G of mobile networks, major security issues arise due to the fact that NC-enabled mobile small cells are susceptible to pollution attacks, a severe security threat exploiting the inherent vulnerabilities of NC. Therefore, intrusion detection and prevention mechanisms to detect and mitigate pollution attacks are of utmost importance so that NC-enabled mobile small cells can reach their full potential. Thus, in this article, we propose for the first time, to the best of our knowledge, a novel intrusion detection and prevention scheme (IDPS) for NC-enabled mobile small cells. The proposed scheme is based on a null space-based homomorphic message authentication code (MAC) scheme that allows detection of pollution attacks and takes proper risk mitigation actions when an intrusive incident is detected. The proposed scheme has been implemented in Kodo and its performance has been evaluated in terms of computational overhead.
An efficient null space-based Homomorphic MAC scheme against tag pollution attacks in RLNC
This letter proposes an efficient null space-based homomorphic message authentication code scheme providing resistance against tag pollution attacks in random linear network coding, where these attacks constitute a severe security threat. In contrast to data pollution attacks, where an adversary injects into the network corrupted packets, in tag pollution attacks the adversary corrupts (i.e. pollutes) tags appended to the end of the coded packets to prevent the destination nodes from decoding correctly. Our results show that the proposed scheme is more efficient compared to other competitive tag pollution immune schemes in terms of computational complexity.
Key management for secure network coding-enabled mobile small cells
The continuous growth in wireless devices connected to the Internet and the increasing demand for higher data rates put ever-increasing pressure on the 4G cellular network. The EU funded H2020-MSCA project “SECRET” investigates a scenario architecture to cover the urban landscape for the upcoming 5G cellular network. The studied scenario architecture combines multi-hop device-to-device (D2D) communication with network coding-enabled mobile small cells. In this scenario architecture, mobile nodes benefit from high transmission speeds, low latency and increased energy efficiency, while the cellular network benefits from a reduced workload of its base stations. However, this scenario architecture faces various security and privacy challenges. These challenges can be addressed using cryptographic techniques and protocols, assuming that a key management scheme is able to provide mobile nodes with secret keys in a secure manner. Unfortunately, existing key management schemes are unable to cover all security and privacy challenges of the studied scenario architecture. Certificateless key management schemes seem promising, although many proposed schemes of this category of key management schemes require a secure channel or lack key update and key revocation procedures. We therefore suggest further research in key management schemes which include secret key sharing among mobile nodes, key revocation, key update and mobile node authentication to fit with our scenario architecture.
An efficient MAC-based scheme against pollution attacks in XOR network coding-enabled WBANs for remote patient monitoring systems
Wireless Body Area Networks (WBANs) play a pivotal role in remote patient monitoring, which is one of the main applications of m-Health. However, WBANs comprise a subset of Wireless Sensor Networks (WSNs), and thus, they inherit the limitations of WSNs in terms of communication bandwidth, reliability and power consumption that should be addressed so that WBANs can reach their full potential. Towards this direction, XOR Network Coding (NC) is a promising solution for WBANs. Nevertheless, XOR NC is vulnerable to pollution attacks, where adversaries (i.e., compromised intermediate nodes) inject into the network corrupted packets that prevent the destination nodes from decoding correctly. This results not only in network resource waste but also in energy waste at the intermediate nodes. In this sense, pollution attacks comprise a serious threat against WBANs (i.e., resource-constrained wireless networks), that should be addressed so that WBANs can reap the benefits of XOR NC.
Therefore, in this paper, we propose an efficient Message Authentication Code (MAC)-based scheme providing resistance against pollution attacks in XOR NC-enabled WBANs for remote patient monitoring systems. Our proposed scheme makes use of a number of MACs which are appended to the end of each native packet. Our results show that the proposed MAC-based scheme is more efficient compared to other competitive schemes for securing XOR NC against pollution attacks in resource-constrained wireless networks, in terms of communication bandwidth and computational complexity.
Efficient Authentication, Node Clone Detection, and Secure Data Aggregation for Sensor Networks
Sensor networks are innovative wireless networks consisting of a large number of low-cost, resource-constrained sensor nodes that collect, process, and transmit data in a distributed and collaborative way. There are numerous applications for wireless sensor networks, and security is vital for many of them. However, sensor nodes suffer from many constraints, including low computation capability, small memory, limited energy resources, susceptibility to physical capture, and the lack of infrastructure, all of which impose formidable security challenges and call for innovative approaches. In this thesis, we present our research results on three important aspects of securing sensor networks: lightweight entity authentication, distributed node clone detection, and secure data aggregation.
As the technical core of our lightweight authentication proposals, a special type of circulant matrix named circulant-P2 matrix is introduced. We prove the linear independence of matrix vectors, present efficient algorithms on matrix operations, and explore other important properties. By combining circulant-P2 matrix with the learning parity with noise problem, we develop two one-way authentication protocols: the innovative LCMQ protocol, which is provably secure against all probabilistic polynomial-time attacks and provides remarkable performance on almost all metrics except one mild requirement for the verifier's computational capacity, and the HB protocol, which utilizes the conventional HB-like authentication structure to preserve the bit-operation only computation requirement for both participants and consumes less key storage than previous HB-like protocols without sacrificing other performance. Moreover, two enhancement mechanisms are provided to protect the HB-like protocols from known attacks and to improve performance. For both protocols, practical parameters for different security levels are recommended. In addition, we build a framework to extend enhanced HB-like protocols to mutual authentication in a communication-efficient fashion.
Node clone attack, that is, the attempt by adversaries to add one or more nodes to the network by cloning captured nodes, poses a severe threat to wireless sensor networks. To cope with it, we propose two distributed detection protocols with different tradeoffs on network conditions and performance. The first one is based on a distributed hash table, by which a fully decentralized, key-based caching and checking system is constructed to deterministically catch cloned nodes in general sensor networks. The protocol performance of efficient storage consumption and high security level is theoretically deduced through a probability model, and the resulting equations, with necessary adjustments for real application, are supported by the simulations. The other is the randomly directed exploration protocol, which presents notable communication performance and minimal storage consumption by an elegant probabilistic directed forwarding technique along with random initial direction and border determination. The extensive experimental results uphold the protocol design and show its efficiency on communication overhead and satisfactory detection probability.
Data aggregation is an inherent requirement for many sensor network applications, but designing secure mechanisms for data aggregation is very challenging because the aggregation nature that requires intermediate nodes to process and change messages, and the security objective to prevent malicious manipulation, conflict with each other to a great extent. To fulfill different challenges of secure data aggregation, we present two types of approaches. The first is to provide cryptographic integrity mechanisms for general data aggregation. Based on recent developments of homomorphic primitives, we propose three integrity schemes: a concrete homomorphic MAC construction, homomorphic hash plus aggregate MAC, and homomorphic hash with identity-based aggregate signature, which provide different tradeoffs on security assumption, communication payload, and computation cost. The other is a substantial data aggregation scheme that is suitable for a specific and popular class of aggregation applications, embedded with built-in security techniques that effectively defeat outside and inside attacks. Its foundation is a new data structure, the secure Bloom filter, which combines HMAC with a Bloom filter. The secure Bloom filter is naturally compatible with aggregation and has reliable security properties. We systematically analyze the scheme's performance and run extensive simulations on different network scenarios for evaluation. The simulation results demonstrate that the scheme presents good performance on security, communication cost, and balance.