Dynamic Message Puzzle as Pre-Authentication Scheme in Wireless Sensor Networks

Denial of Service (DoS) is a type of attack that has a huge impact on a computer system. This can deplete and shorten the lifetime of wireless sensor networks (WSNs). Signature-based DoS is a kind of DoS attack that exploits the high computation of a public key cryptography based authentication. The adversaries have the opportunity to send a large number of a fake signature to the WSNs. Message Specific Puzzle (MSP) was developed to defend against this type of attack. This scheme utilizes a hash function as an irreversible method to create a puzzle and produce a session key. Furthermore, this has low complexity in the sender and receiver for construction and verification process. However, the sender-side delay occurred. The higher the security expected for the system leads to the more time is needed for the user to send messages. The number of hash iteration in the puzzle construction cannot be controlled. This paper proposes the Dynamic Message Puzzle scheme that uses the power of first quartile (Q1power1) and the exponential of second quartile (Q2exp) threshold functions. These limit the maximum number of hash iterations for each puzzle construction. Consequently, this mechanism can decrease sender-side delay by at least 60%. Besides avoiding zero solution and has a high value of mean absolute deviation, this scheme also increases the adversaries’ complexity in attacking the system. The proposed scheme transmits index implicitly. This obscures the portion of each parameter in the transmitted packet

A Survey on Comparisons of Cryptographic Algorithms Using Certain Parameters in WSN

The Wireless Sensor Networks (WSNs) have spread its roots in almost every application. Owing to their scattered nature of sensor nodes, they are more prone to attacks. There are certain applications e.g. military, where sensor data’s confidentiality requirement during transmission is essential. Cryptography has a vital role for achieving security in WSNs.WSN has resource constraints like memory size, processing speed and energy consumption which bounds the applicability of existing cryptographic algorithms for WSN. Any good security algorithms has higher energy consumption by the nodes, so it’s a need to choose most energy-efficient cryptographic encryption algorithms for WSNs. This paper surveys different asymmetric algorithms such as RSA, Diffie-Hellman, DSA, ECC, hybrid and DNA cryptography. These algorithms are compared based on their key size, strength, weakness, attacks and possible countermeasures in the form of table

SEAD: source encrypted authentic data for wireless sensor networks

One of the critical issues in WSNs is providing security for the secret data in military applications. It is necessary to ensure data integrity and authentication for the source data and secure end-to-end path for data transmission. Mobile sinks are suitable for data collection and localization. Mobile sinks and sensor nodes communicate with each other using their public identity, which is prone to security attacks like sink replication and node replication attack. In this work, we have proposed Source Encrypted Authentic Data algorithm (SEAD) that hides the location of mobile sink from malicious nodes. The sensed data is encrypted utilizing symmetric encryption---Advanced Encryption Standards (AES) and tracks the location of the mobile sink. When data encounters a malicious node in a path, then data transmission path is diverted through a secure path. SEAD uses public encryption---Elliptic Curve Cryptography (ECC) to verify the authenticity of the data. Simulation results show that the proposed algorithm ensures data integrity and node authenticity against malicious nodes. Double encryption in the proposed algorithm produces better results in comparison with the existing algorithms

PAuthKey: A Pervasive Authentication Protocol and Key Establishment Scheme for Wireless Sensor Networks in Distributed IoT Applications

Wireless sensor Networks (WSNs) deployed in distributed Internet of Things (IoT) applications should be integrated into the Internet. According to the distributed architecture, sensor nodes measure data, process, exchange information, and perform collaboratively with other sensor nodes and end-users, which can be internal or external to the network. In order to maintain the trustworthy connectivity and the accessibility of distributed IoT, it is important to establish secure links for end-to-end communication with a strong pervasive authentication mechanism. However, due to the resource constraints and heterogeneous characteristics of the devices, traditional authentication and key management schemes are not effective for such applications. This paper proposes a pervasive lightweight authentication and keying mechanism for WSNs in distributed IoT applications, in which the sensor nodes can establish secured links with peer sensor nodes and end-users. The established authentication scheme PAuthKey is based on implicit certificates and it provides application level end-to-end security. A comprehensive description for the scenario based behavior of the protocol is presented. With the performance evaluation and the security analysis, it is justified that the proposed scheme is viable to deploy in the resource constrained WSNs

Caching-based Multicast Message Authentication in Time-critical Industrial Control Systems

Attacks against industrial control systems (ICSs) often exploit the insufficiency of authentication mechanisms. Verifying whether the received messages are intact and issued by legitimate sources can prevent malicious data/command injection by illegitimate or compromised devices. However, the key challenge is to introduce message authentication for various ICS communication models, including multicast or broadcast, with a messaging rate that can be as high as thousands of messages per second, within very stringent latency constraints. For example, certain commands for protection in smart grids must be delivered within 2 milliseconds, ruling out public-key cryptography. This paper proposes two lightweight message authentication schemes, named CMA and its multicast variant CMMA, that perform precomputation and caching to authenticate future messages. With minimal precomputation and communication overhead, C(M)MA eliminates all cryptographic operations for the source after the message is given, and all expensive cryptographic operations for the destinations after the message is received. C(M)MA considers the urgency profile (or likelihood) of a set of future messages for even faster verification of the most time-critical (or likely) messages. We demonstrate the feasibility of C(M)MA in an ICS setting based on a substation automation system in smart grids.Comment: For viewing INFOCOM proceedings in IEEE Xplore see https://ieeexplore.ieee.org/abstract/document/979676

An Architecture for Biometric Electronic Identification Document System Based on Blockchain †

This paper proposes an architecture for biometric electronic identification document (e-ID) system based on Blockchain for citizens identity verification in transactions corresponding to the notary, registration, tax declaration and payment, basic health services and registration of economic activities, among others. To validate the user authentication, a biometric e-ID system is used to avoid spoofing and related attacks. Also, to validate the document a digital certificate is used with the corresponding public and private key for each citizen by using a user’s PIN. The proposed transaction validation process was implemented on a Blockchain system in order to record and verify the transactions made by all citizens registered in the electoral census, which guarantees security, integrity, scalability, traceability, and no-ambiguity. Additionally, a Blockchain network architecture is presented in a distributed and decentralized way including all the nodes of the network, database and government entities such as national register and notary offices. The results of the application of a new consensus algorithm to our Blockchain network are also presented showing mining time, memory and CPU usage when the number of transactions scales up

AUTENTIKASI JARINGAN SENSOR NIRKABEL UNTUK MENGHADAPI SERANGAN DoS BERBASIS PKC

Komunikasi broadcast pada jaringan sensor nirkabel (JSN) sangat efisien dan berdampak besar pada seluruh node sensor. Alasan tersebut mendasari pemanfaatan node sensor terutama pada proses diseminasi data, kode, pemeliharaan, menjalankan perintah atau query maupun sinkronisasi. Kondisi ini diikuti dengan rawannya keamanan yang dapat mengganggu ketersediaan komunikasi pada JSN. Oleh karena itu dibutuhkan proses autentikasi pengguna untuk memastikan apakah pengguna valid. Pemanfaatan digital signature untuk autentikasi memiliki keamanan yang tinggi akan tetapi harus diimbangi dengan komputasi yang tinggi. Kekurangan ini dimanfaatkan peretas untuk mengirimkan signature palsu dalam jumlah besar sehingga node sensor akan sibuk memverifikasi dan proses ini dikenal dengan serangan Denial of Service (DoS) berbasis Public Key Cryptography (PKC). Berbagai metode filter dikembangkan untuk mengatasi masalah ini. Mekanisme ini memiliki komputasi rendah dan bersifat mendampingi proses verifikasi signature bukan menggantinya. Skema puzzle merupakan salah satu filter dengan komputasi rendah namun dapat diandalkan dalam mengatasi serangan DoS berbasis PKC akan tetapi memiliki kelemahan pada delay yang tinggi dalam mencari solusi puzzle pada sisi pengirim. Berkembangnya berbagai aplikasi pendukung yang akan mengakses node sensor secara langsung meningkatkan keragaman dan skalabilitas pada JSN. Sedangkan node sensor memiliki keterbatasan dalam sumber daya terutama pada ruang penyimpanan dan kemampuan komputasi. Oleh karena itu, penelitian ini mengajukan skema puzzle dinamis pada JSN menggunakan Multiuser-Dynamic Cipher Puzzle (M-DCP) yang dilengkapi dengan TinySet. Skema ini bertujuan untuk mengurangi waktu pemrosesan dan dapat dimanfaatkan oleh banyak pengguna atau pengirim dengan kebutuhan ruang penyimpanan pada JSN yang rendah. M-DCP memanfaatkan fungsi ambang untuk membatasi jumlah iterasi hash. Hasil percobaan menunjukkan bahwa fungsi ambang eksponensial dapat menurunkan delay pada sisi pengirim hingga 94% dengan peluang ditemukannya solusi hingga 1-(1.738x10-13). Sedangkan pemanfaatan TinySet yang telah diregularisasi bisa menghemat ruang penyimpanan hingga 77% dibandingkan dengan Counting Bloom Filter (CBF). Pemanfaatan skema ini berdampak pada meningkatnya komputasi pada proses verifikasi. Peningkatan ini bernilai hingga 36% dibandingkan dengan Bloom Filter based Authentication (BAS) atau pada implementasinya membutuhkan waktu tidak lebih dari 0.5 detik. Performansi yang didapatkan diimbangi dengan meningkatnya keamanan terutama pada autentikasi, confidentiality dan ketahanan terhadap serangan DoS berbasis PKC. Hal ini dibuktikan dengan peningkatan kompleksitas serangan menggunakan brute force hingga 1.86x10137 trial yang didapatkan dari proses autentikasi menggunakan Elliptic Curve Digital Signature Algorithm (ECDSA), proses enkripsi menggunakan Rivest Cipher 5 (RC5) dan proses pembuatan puzzle menggunakan DCP. Kata kunci: autentikasi, DoS, jaringan sensor nirkabel, multiuser, skema puzzl

Improved Internet Security Protocols Using Cryptographic One-Way Hash Chains

In this dissertation, new approaches that utilize the one-way cryptographic hash functions in designing improved network security protocols are investigated. The proposed approaches are designed to be scalable and easy to implement in modern technology. The first contribution explores session cookies with emphasis on the threat of session hijacking attacks resulting from session cookie theft or sniffing. In the proposed scheme, these cookies are replaced by easily computed authentication credentials using Lamport\u27s well-known one-time passwords. The basic idea in this scheme revolves around utilizing sparse caching units, where authentication credentials pertaining to cookies are stored and fetched once needed, thereby, mitigating computational overhead generally associated with one-way hash constructions. The second and third proposed schemes rely on dividing the one-way hash construction into a hierarchical two-tier construction. Each tier component is responsible for some aspect of authentication generated by using two different hash functions. By utilizing different cryptographic hash functions arranged in two tiers, the hierarchical two-tier protocol (our second contribution) gives significant performance improvement over previously proposed solutions for securing Internet cookies. Through indexing authentication credentials by their position within the hash chain in a multi-dimensional chain, the third contribution achieves improved performance. In the fourth proposed scheme, an attempt is made to apply the one-way hash construction to achieve user and broadcast authentication in wireless sensor networks. Due to known energy and memory constraints, the one-way hash scheme is modified to mitigate computational overhead so it can be easily applied in this particular setting. The fifth scheme tries to reap the benefits of the sparse cache-supported scheme and the hierarchical scheme. The resulting hybrid approach achieves efficient performance at the lowest cost of caching possible. In the sixth proposal, an authentication scheme tailored for the multi-server single sign-on (SSO) environment is presented. The scheme utilizes the one-way hash construction in a Merkle Hash Tree and a hash calendar to avoid impersonation and session hijacking attacks. The scheme also explores the optimal configuration of the one-way hash chain in this particular environment. All the proposed protocols are validated by extensive experimental analyses. These analyses are obtained by running simulations depicting the many scenarios envisioned. Additionally, these simulations are supported by relevant analytical models derived by mathematical formulas taking into consideration the environment under investigation

Unconditionally Secure Authentication and Integrity Protection for the Galileo Open Service Signal

The operational GNSSs do not offer authentication and integrity protection for the Open Service (OS) signal/message. But it is urgently needed, since several attacks can threat the OS user. By this reason the Galileo GNSS is working on this issue. This thesis contributes at the problem by adopting an approach as generic as possible, which outlines a theoretical bound on the key size. Therefore, the focus is providing data and signal unconditionally secure authentication and integrity pro