ebook img

DTIC ADA435468: Quantifying Effect of Network Latency and Clock Drift on Time-Driven Key Sequencing PDF

9 Pages·0.12 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview DTIC ADA435468: Quantifying Effect of Network Latency and Clock Drift on Time-Driven Key Sequencing

Quantifying Effect of Network Latency and Clock Drift on Time-driven Key Sequencing GeoffreyG.Xie CynthiaIrvine TimLevin ∗ † † DepartmentofComputerScience NavalPostgraduateSchool,Monterey,CA93943 xie,irvine,levin @cs.nps.navy.mil { } Abstract from a root key or preloaded into each device. This rel- atively low cost method of session key establishment has Time-drivenKeySequencing(TKS)isakeymanagement beenusedinspecializeddistributedsystemswheresessions techniquethatsynchronizesthesessionkeyusedbyasetof aresparseandeachsessionspansashorttimeperiodcom- communicating principals based on time of day. This rel- prisingasmallnumberofmessageexchanges. Typically,in atively low cost method of session key synchronization has these systems some communicating devices, such as low- been used in specialized distributed systems with low-end endsmartcards, havetoolittleprocessingcapacitytosup- communicatingdeviceswheresessionsaresparseandeach portatime-durablecrypto-algorithmwhichfeaturesastatic sessionspansashorttimeperiodcomprisingasmallnum- key for all sessions spanning the entire system lifetime. berofmessages. Norcanthesedevicesaffordanelaboratekeymanagement In this paper, we describe how TKS may be useful in schemeinwhichanewsessionkeyisregularlydistributed severalscenariosinvolvinghighspeedcomputernetworks. tothedevicesthroughopencommunicationchannels. This Moreimportantly,wepresentaperformancemodelofTKS isbecausethekeytransfersmustbeencryptedandtheasso- andconductadetailedanalysistodeterminetheimpactof ciatedtaskswouldimposeasignificantamountofprocess- clock drift and network latency on the required key refresh ingoverheadateachdevice. rate.Wegivetheexactconditionsfordeterminingtherange Comparedtomostotherkeysynchronizationtechniques, ofadequatekeyrefreshrates,anddemonstratethatthede- TKS has a clear advantage for incurring little processing rived conditions are sufficient to ensure that data are both overhead. TKS also has several limitations. First, it re- protected and deliverable. Interestingly, these conditions quires some form of system wide clock synchronization to may be used to obtain a key refresh rate that can tolerate bound the maximum clock drift within a tolerable range. amaximumamountofclockdriftafterotherparametersin Additional overhead may be incurred in other parts of the thesystemarefixed. systemtoaddressthesecurityconcernsassociatedwithdy- namicallygeneratingorpreloadingasequenceofkeys.For- tunately,mostofthisoverheadoccursveryinfrequentlyon the order of days or months. Second, a system may use 1.Introduction TKS to synchronize encryption keys only if each piece of data being encrypted has a lifespan that is shorter than the Time-driven Key Sequencing (TKS) is a key manage- maximumlifetime1ofthekeyusedfortheencryption. ment technique that synchronizes the session key used by AwidelyusedTKSapplicationistheSecureIDauthenti- asetofcommunicatingdevicesbasedontimeofday. The cationdeviceproducedbyRSASecurity,Inc.Thesedevices sequence of session keys is either dynamically generated areusedtoenhancethesecurityofremotedial-upaccesses to corporate servers. Most of them are essentially low-end supportedinpartbyDARPAundertheNextGenerationInternetPro- ∗ gram(AO#417)andbyagrantfromNSF(ANI-0114014). supportedinpartbyDARPAQuorumProgramandtheDefenseInfor- 1Themaximumlifetimeofakeyequalstheminimumamountoftime † mationSystemsAgency. ittakestocompromisethekeyusingbrute-force. Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 2. REPORT TYPE 3. DATES COVERED 2002 N/A - 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Quantifying Effect of Network Latency and Clock Drift on Time-Driven 5b. GRANT NUMBER Key Sequencing 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION Department of Computer Science Naval Postgraduate School Monterey, REPORT NUMBER CA 93943 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release, distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE UU 8 unclassified unclassified unclassified Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 smartcardswithkeypadandasmalldisplayarea. EachSe- whichTKSmaybefavorable. Asystemmodelispresented cureIDcardispreloadedwithuser-specificrootkeysthatit in Section 3 to provide a high-level context for TKS. The shareswiththetargetserver. Wheninitiatingadial-inses- performancemeasuresusedinthispaperareintroducedtoo. sion,acarduserfirstentersauser-specificpincodeintothe InSection4,acanonicalTKSimplementationisdescribed, cardandretrievesaone-timepasscode,whichisafunction along with intuitions for the negative effects of clock drift of the user’s root key and the current value of the card’s andnetworklatency. Section5followswithaformalanal- local clock. The function is implemented by a proprietary ysis of TKS and two theorems that permit us to bound the hashalgorithm. Theuserthenprovidesthispasscodeasan rekeyingfrequencybaseduponnetworklatency,clockdrift, additionalauthenticatortotheserveralongwiththepin. To andkeydurability. InSection6,amethodforchoosingthe verify the passcode the server first derives its own version optimal rekeying frequency based on system requirements ofthepasscodefromthecurrentvalueofitsownclockand ispresented. RelatedworkisdiscussedinSection7. therootkeythatithasstoredforthatuser. Theserverthen comparesthetwocodesandgrantsthedial-insessiononly 2.PotentialTKSUsageScenarios iftheymatch. AlthoughTKS-basedsecurityapplicationslikeSecureID In this section, two potential scenarios in which time- arewidelydeployed, performancestudiesofthesesystems driven key sequencing may prove advantageous are de- are very limited. The few articles that we are able to find scribed. The first requires a high speed packet authenti- in the literature focus exclusively on the potential security cation service to counter Denial of Service (DoS) attacks, risksofRSASecureIDbasedsystems[8,9]. Littleanalysis while the second requires message confidentiality for data hasbeendonetoquantifytheadverseeffectsofclockdrift thathasashortlifespan. andnetworklatencyontheperformanceofsystemsimple- We define “cryptographic mechanism” to include spe- mentingTKS.Thesesystemsassumethetimescaleofclock cificselectionsforallvariableparameters,including,where driftandnetworklatencyisseveralmagnitudesmallerthan applicable, the transformation algorithm (including the therekeyingintervalandisthusnegligible. Becauseofthis number of internal “rounds” or permutations), blocksize, assumption, the key refresh rate is often set in an ad hoc and the length of the key. The security or “cryptographic fashionandmaynotbeoptimal. strength”ofsuchamechanismcanbetakentobeameasure Themaincontributionofthispaperisasetofexactcon- of its resistance to attack, and may be a function of some ditions for determining the range of adequate key refresh or all of these parameters. Similarly, the specific parame- rates based on clock drift and network latency parameters. ters of a cryptographic mechanism will determine its level We prove that the derived conditions are sufficient for the of resource use, or overhead. Processor utilization is the correspondingTKSsystemtoensurethatdataarebothpro- most critical overhead. In general the stronger is a crypto- tected and deliverable. Interestingly, these conditions may graphicmechanism,themoreprocessingoverheaditincurs. beusedtoobtainakeyrefreshratethatcantolerateamax- For example, the performance of the Advanced Encryp- imum amount of clock drift after other parameters in the tionStandard(AES)algorithm(Rijndael)[4],isfunctionally system are fixed. The result also indicates that in general dependent on the size of the key used. Both setup and en- TKScantoleratelargeclockdrift,ontheorderofminutes. cryptiontakelongerasthekeylengthincreases. WealsodescribehowTKSmaybeusefulinseveralsce- Scenario 1. The Internet routing protocols such as nariosinvolvinghighspeedcomputernetworks. TKSmay IS-IS, OSPF and BGP frequently flood the network with prove advantageous for some applications even though the linkstateorpathupdatepacketstokeeproutingtablessyn- processingcapacityofindividualcomponentsappearsnotto chronizedanduptodate. Ineachoftheseupdatecycles,a bealimitationforimplementingtime-durablecryptographic router must process a large number of control packets sent algorithms. In these scenarios, it may be desirable to have by numerous other routers. Worse, these packets typically a high rate of rekeying that is on the order of minutes and arriveinbunches,creating“packetstorms”thatcouldover- thus approaches the time scale of clock error and network loadthereceivingrouters. Theproblemwillbeexacerbated latency. Thatiswheredeterminingasaferekeyingratebe- whenvariousproposalsforachievingsubsecondroutecon- comesaveryimportantconcern. vergencesareimplemented[1,2]. The remainder of this paper is organized as follows. In AnadversarywillexplorethisproblemandlaunchDoS Section 2 we describe a couple of networking scenarios in attacksagainsttheseprotocolsrathereasilyasfollows. The 2 adversary identifies those routers already busy processing usedneedsonlytobesufficientlystrongtoprotecttheinfor- control packets and then aggravates their predicament by mation for these relatively small intervals. Again, security sendingalargenumberoffakedorduplicatedcontrolpack- related processing overhead may be reduced by using the ets to them. Such attacks will delay routing table conver- right, not necessarily the strongest, cryptographic mecha- genceanddisruptnetworkservices. nism. In both scenarios, it may be beneficial to use a high An effective measure to counter these DoS attacks is rekeying frequency. But because of non-negligible clock deploying to each router interface a packet filter to form driftandnetworklatencyinrealsystems,thereisanupper a first-line defense. Malicious packets are dropped early bound on the maximum rekeying frequency. On the other andrapidlybeforetheyenterthemoreprocessing-intensive hand,theminimumrekeyingfrequencyisdirectlyrelatedto stages. Themaindesignobjectiveforthefilteris“minimal the maximum key lifetime. The remainder of the paper is processing overhead”, as long as security is not compro- dedicatedtothesetopics. mised. Although the existing security extensions of the Internetroutingprotocolscandetectmaliciouspackets,they 3.ASystemModelofTKS do not meet the requirement of minimum processing over- head. Their main objective is “adequate security”. TKS, on the other hand, provides an ideal basis for developing While TKS is applicable to different types of network thepacketfilter. Byincreasingtherekeyingfrequency, the communication protocols, for ease of presentation we as- system may use a “weak-per-key” but lightweight crypto- sumeapacket-based(e.g.,IP)network. Thefollowingdefi- graphic mechanism like keyed-MD5 to achieve the same nitionsapplystotheSystemModelusedtodiscussTKSin filtering accuracy (i.e., 100% drop rate of malicious pack- thispaper. ets) as a strong but costly mechanism based on public key System.Asetofcommunicatingnodes,oneormoreof cryptography. • which comprise a logical (viz, potentially distributed) We have developed such a filter as part of our effort to key distribution center (KDC). Nodes wish to com- buildalink-layerhighspeedpacketauthenticationprotocol municate securely through the shared use of a cryp- [10].RunningaspartoftheNetBSDkernelonanantiquated tographickeytable. Thenodescanbeofvarioustypes Pentium200MhzPCbox,thefilterwasstillabletoachieve ranging from powerful workstations and gateways to afilteringrateof75Mbps. lighter-weight appliances. Therefore, the TKS pro- Scenario 2. Thisscenariocentersuponconfidential- cessingrequirementatthenodeshouldbeminimized. ity. Use of rapidly changing keys would be useful in situ- Onemayalsointerpretanodeasalogicalentitysuch ations where time-critical data are distributed in encrypted asauseraccountorevenanapplicationactivatedona form toa group ofsubscribing customers. Asan example, physicalmachine. consider time-critical analyses of highly volatile financial Maximum Key Lifetime, T. Each cryptographic key markets. Here subscribers are provided with timely multi- • usedintheSystemissubjecttovariousattacksassoon mediaanalysestosupportinformedinvestmentdecisionsin asthefirstpacketsecuredwiththekeyentersthepublic afast-pacedmarket. Theanalysesareofconsiderablevalue network. Theamountoftimethatthekeycanremain forafewhours,butareavailabletothepublicafterafixed concealedwhileunderattackisdefinedtobethemax- periodandprovidenoaddedvaluetosubscribersthereafter. imumlifetimeofthekey. Subscribersreceivecontinuousupdatesandanalyses. They mayjoinandleavethesubscriberpoolperiodically,forex- Key-Table. Anorderedsetofsessionkeys. Thesame • amplemonthly,thuswearenotconcernedwithrapidrekey- table must be available at each node of the system. ing in order to include or exclude particular subscribers or ThesekeysKeytabledistributioncanbeaccomplished formersubscribersrespectively.Weare,howeverconcerned by several means. One method is to transmit “seed” withattackerswhowishtoaccessthevaluablesensitivein- keys (e.g., see [3]) which are used by the nodes as formationforfree. Becauseattackerswillbeableuseboth part of an algorithm for local generation of the com- known ciphertext and known plaintext, it is necessary to plete key table. Another means is to distribute the changethekeyswhilesubscribersareactivelyusingtheser- literalkeysthatmakeupthekeytable. Literalkeys,to vice. Yet,thefactthattheinformationisnolongersensitive theextentthattheyaregenerated“randomly,”willex- after a few hours means that the cryptographic mechanism hibit more inter-key independence, as algorithmically 3 generated keys will be related to each other, however Thesecondperformancemeasureisaboutdatadelivery. remotely,viathealgorithm. ItdescribestheefficacyoftheTKSsystemindeliveringuse- fuldatawhiletryingtomeetthesecurityrequirement. The For the purposes of this paper, the key-table has an specificmetricweuseiscalledmaximumtolerablenetwork infinitesize; thisisunderstoodasreflectinganimple- latency,denotedbyDandaperformancetargetthatcanbe mentationmechanismwhichreplenishesallnodeswith setapriori. ATKSsystemissaidtosupportmaximumtol- additionalsequenceofkeysbeforetheexpirationofthe erablenetworklatencyofDsecondsifanodeinthesystem lastkeyinthecurrentsequence,thusinfinitelyextend- will never drop a valid packet — one that comes from an- ingthelengthofthetable. othernodeinthesystemandisnottemperedwithintransit —unlessthepacketisdelayedmorethanDsecondsbythe Time-driven Key Sequencing, TKS. In a system uti- • network. A formal data deliverability condition is defined lizing shared logical key tables, TKS is a method for inLemma1ofSection5. synchronizingthetransitionbetweenkeyswithoututi- lizingexplicitnode-to-nodehandshaking. 4.ImplementingTKSwith DynamicKeyWindows 3.1.Threatmodel Inthissection, thegeneralbehaviorofaTKSsystemis The threat model assumed in this paper is one of inse- described using a reference implementation in which each curecommunicationchannelsbetweenSystemnodes,such node stores active session keys in special variables named thatcryptographicallyprotecteddatapacketsmightbeinter- dynamickeywindows. Theimplementationisreferredtoas cepted and then subjected to attacks on the key space. We TKS-DW. We hope the ensuing discussions will also pro- donotconsiderwithattacksaimedatdirectlycompromising vide some intuitive explanations for the adverse effects of theunderlyinghardwareand/orsoftwareofanode. Weas- clockdriftandnetworklatency. sumethattheprefetchedkeys(ortheirseeds,inthecaseof InTKS-DW,eachnodemaintainstwodynamickeywin- algorithmically-generated keys) are stored and distributed dows. The first is the Send-Key Window, which is of size securely. 1. The node uses the session key in this window to cryp- tographically transform outgoing packets. A special term 3.2.Performancemeasures (s)isdesignatedforthetimewhenakeyisfirstputintothe send-keywindow.Thedurationofakeystayinginthesend- Weareprimarilyconcernedwithtwoperformancemea- key window is fixed and is called the Key Window Period, sures. The first one is a Boolean indicator of security. W. An obvious constraint needed on W is that it be less Specifically, the described System is said to be secure if than or equal to the cryptographic lifetime of one key. At keys are not used beyond their maximum lifetime at any theendofthecurrentkeywindowperiod,aSend-KeyWin- node,pertheTKSprotocol,eveninthecontextofaninse- dowTransitionoccursandanewkeyisputintothesend-key cure communication channel. A formal definition is given window. inDefinition1ofSection5. WewillmotivatetheneedforaReceive-KeyWindowand Ifakeyisusedbeyonditsmaximumlifetime,thesystem then give its precise definition. The effect of clock drift is maybevulnerableto abrute-forceattackasfollows.Anin- considered first and for the moment network latency is as- truderwhointerceptspacketsfromthemessagestreamofa sumedtobenegligible. trustednodecanusecryptanalysistechniquesorasearchof In a perfect network where the local clocks of all of thekeyspacetodiscoverthekey,andthenhijackthemes- the nodes are exactly synchronized, all nodes would make sagestream.Thereceivernodewillnotbeabletodetectthis send-keywindowtransitionsatpreciselythesametime. All intrusionjustbyinspectingthemessagessincetheintruder senders and receivers would see the same key in their re- isabletomodifyallpacketfields(includinganytimestamp spectivesend-keywindows. orsequencenumber)afterlearningthekey.Becauseofsuch Perfectclocksynchronizationdoesnotexistinrealnet- attacks,itisalsonotadvisabletosynchronizesessionkeys works. If a receiver’s clock is slow with respect to that of withalimitedmaximumlifetimebyaddingakeyindexfield asender,thenacurrentkeyofthesenderwillappeartobe topackets. eitheracurrentkeyorafuturekeytothereceiver.Similarly, 4 acurrentkeyofasenderwillbeeitherapreviouskeyorthe currentkeyofareceiverwitharelativelyfastclock. What Key table Key table Key table Key table is of interest to note is that between any particular sender- ... Send receiverpair, akeywilleitherbeaprevious/currentkeyor key window ... ... ... acurrent/nextkeyatthereceiver,notboth. Thismeansthat, ki-2 foraparticularsender-receiverpair,akeywillbeactivefor ki-1 ki-1 ki-1 ki-1 a duration equal to a variable number, n, of Key Window ki ki ki ki Periods,i.e.,nW. Receive ki+1 ki+1 ki+1 ki+1 Becausetheclockofagivenreceivermaybeslowwith key window ... ... ki+2 kki+2 ... i+3 respecttosomesendersandfastwithrespecttoothers,the ... receiver must maintain a receive-key window that encom- Time (a) (b) (c) passes both previous, current, and future send-keys. Thus s-W s s+W s+2W s+3W the Receive-Key Window defines a set of one or more keys that a node uses to cryptographically transform (e.g., vali- date)incomingpackets.Thewindowalsohasafiniteperiod Figure 1. Key windows of a node at different ofW.Inotherwords,onekeyinthewindowisreplacedev- timeintervals eryW time. Thereceive-keywindowhasthefollowinggenericposi- (b)andk isthepreviouskey. Thenodethenslidesthekey tions: i windows one more row at time s+2W. At this point the xprevioussend-keys node has entered window interval (c) and ki is no longer • inthereceive-keywindow. Observethatwithperfectclock 1currentsend-key synchronization,akeystaysinreceive-keywindowfortwo • consecutive window periods after becoming the send key ynextsend-keys • andsubjecttoattack. Inthatcase,thekeylifetimemustbe We wish to minimize the number of keys that must be in- greaterthan2W toensuresecurity. specteduponreceiptofapacket.Inwhatfollows,thesizeof Supposetheclockdriftofeachnodeisboundedwithre- thereceive-keywindowisassumedtobe3(i.e.,x=y =1). specttoastandardtimesourcebyavaluee. Themaximum This assumption places limitations on the allowed clock clocktimethattwonodescandriftapartwithrespecttoeach drift,whichwillbeexplainedbelow. otheris2e.Thusthereceive-keywindowperiodmustbeex- As a key window period expires, a Receive-Window tendedby2etoensuredatadeliveryintheworst-case,which Transitiontakesplaceandthereceive-keywindow“slides” occursfora(fastsender,slowreceiver)pair. Consequently, downthekeytableinthefollowingmanner.Thekeyineach thelowerboundonkeylifetimemustbeincreasedfrom2W positionofthereceivekeywindowisreplacedbyits“next” to2W +2e. neighbor, such that in the subsequent receive-key window, Whataretheconsequencesofnetworklatency?Thetime (1)thecurrentkeyhasbecomethenewestpreviouskey,(2) that it takes a packet p to get from source to destination is the oldest next key has become the current key, (3) a new called the network latency of p and is denoted d(p). This key has entered the table (as the newest next key) and (4) means that the key window period W must be at least as theoldestpreviouskeyhasleftthetable. large as d(p) to have a chance to not drop p mistakenly. Figure1illustrateshowkeywindowsmovewithtimeat When also taking into consideration a maximum of clock a node. s denotes the time when k , the key at the ith row drift2ebetweenthesenderandreceiver,W mustbeatleast i of the table, becomes the current sending key. Recall that D+2e to not drop packets whose network latency can be W is the Key Window Period. In time interval (a), k is aslargeasD. i thecurrentsendingkeyanditisinthereceivekeywindow along with k and k . At the end of the interval, i.e., exactly2s+iW−1,thenoid+e1slidesthekeywindowsdownone 5.ExactconditionsforusingTKS rowofthetable.Thenodehasnowenteredwindowinterval In the last section, we presented intuition that there are 2Foreaseofpresentation,weassumethatthenodeuseskiasthesend- ingkeyats+W andswitchestoki+1at(s+W)+. exact limits on the key window period W (and thus the 5 rekeyingfrequency)withrespecttothemaximumkeylife- TheproofofTheorem1isstraightforwardbasedonthe time, clock drift, and network latency. In this section, we intuition given in the end of previous section. (See [11].) formally establish that these limits are sufficient to ensure Combining the results of Definition 1 and Theorem 1, it is that data is both protected and deliverable under TKS-DW clear that a TKS-DW system is secure if it meets the con- with the receive-key window size set to three keys.3 The dition specified by equation (3). Thus, we have derived a securityobjectiveofTKS-DWisformallydefinedbelow. conditionforTKS-DWtoensuresecurity. Next, we turn attention to the adverse effect of network Definition1 Assumethatthemaximumlifetimeofeachkey latencyonpacketdelivery. Thenetworklatencyofapacket is T seconds measured by standard time. The protocol is is measured as the difference between the standard time not vulnerable to brute-force attacks if it never uses a key when the packet leaves the sending node and the standard beyondthemaximumkeylifetime;thatis,theprotocolisnot timewhenthepacketarrivesatthereceivingnode. Givena vulnerableifthefollowingholdsforanykeykthatituses, specificmaximumtolerablenetworklatencytargetD,The- orem2establishestheimportanceofchoosingW basedon t (k) t (k) T, (1) l f Dtoensurethatdataaredeliverable. − ≤ where t (k) is the standard time when the first packet se- Lemma1 ConsideranarbitrarypacketpsecuredbyaTKS f cured with k enters the public network, and t (k) the last sender. Let k be the key that secures the packet. a(p) l standardtimethatkisinareceive-keywindowatanynode. denotes the standard time when the packet arrives to the receiving node, and tp(k) the last standard time that k is l Equation (1) tells us that the protocol is secure when inthereceive-keywindowofthereceivingnodeofp. Ifthe the keys are used within the time bounds of their defined packethasnotbeentemperedwith,and lifetimes, given standardized (i.e., perfectly synchronized) tp(k) 3W a(p) tp(k), (5) clocksatallnodes. However, inreality, theclocksatlocal l − ≤ ≤ l nodesmaydeviatefromstandardtime. Theorem1presents thenthepacketwillbeacceptedbythereceivingnode. anconditionunderwhichwecanguaranteethattheprotocol Theorem2(ConditionforDataDeliverability) issecureusinglocal,non-standard,clocks. IfW meetsthefollowingdatadeliverabilitycondition Assumption1 Eachnodehasalocalclock. Amechanism W D+2e, (6) ≥ isinplacetosynchronizetheseclockswiththestandardtime then for any packet p whose network latency (denoted by sothatatanytimetheabsolutedifferencebetweenanylocal d(p))doesnotexceedD, clockandthestandardtimeisupperboundedbyeseconds. That is, at any standard time t and for any node n in the tp(k) 3W a(p) tp(k). (7) l − ≤ ≤ l TKSsystem, Lemma1followsdirectlyfromtheprotocolspecification c (t) t e, (2) | n − |≤ of TKS-DW and the fact that (tp(k) 3W, tp(k)] is the l − ≤ l wherecndenotesthelocalclockofn,andcn(t)thereading receive-key period of k at the receiving node. The proof onthatclockatstandardtimet. of Theorem is straightforward based on the intuition given in the end of previous section. (See [11].) Combining the Theorem1(ConditionforSecurity) results of Lemma 1 and Theorem 2, it is clear that if the ConsideraTKS-DWsystem. Let W be the key window condition specified by (6) holds, then a valid packet, i.e., period. AssumethatthemaximumlifetimeofeachkeyisT one that is secured by a TKS sender and is not tempered seconds. Ifthefollowingsecurityconditionholds withintransit,willbeacceptedbythereceiveraslongasits network latency does not exceed D. Thus, we have deter- T W e, (3) mined a condition on TKS-DW to ensure deliverability of ≤ 2 − data. thenforeverykeykusedbythesystem, 6.PracticalUsesoftheConditions t (k) t (k) T. (4) l f − ≤ We see several practical uses of the theoretical results 3Theresultscanbeextendedtoarbitrarilylargereceive-keywindow sizes. presentedintheprevioussection.Theyaredescribedbelow. 6 e estimate for current cryptograhic systems. If clock drift is the principal concern, one should choose a key window T/2 e = T/2 - W period that is close to (1800+30) = 610 seconds so that a 3 maximumclockdriftof (1800−2×30) =290secondscanbe 6 D) / 6 e = (W - D) / 2 tolerated. 2 T - 6.2.DeterminingD ande ( D T/2 W -D/2 (T + D) / 3 When selecting a value for the maximum network la- tencytoleranceD oneshouldconsiderhowtheapplication reactstopacketdelays. Forexample, itwouldbeoktoset D to a very small value (i.e., subsecond) if the system is Figure2.RelationshipbetweeneandW to just carry live voice traffic. Overly delayed packets are uselesstothistypeofapplications. SimilarlyfortypicalIn- 6.1. Choosing W to maximize tolerance of ternetWebapplications,thevalueofD canbeintherange clockdrift ofseconds. It would be prudent to make a conservative estimate on Assume that the key lifetime T and the maximum net- maximumclockdrifte. Severalexistingtimesynchroniza- work latency tolerance D have already been determined tion protocols can bound the clock drift within a second. based on system needs. Next we will discuss the relation- GlobalPositioningSystem(GPS)satellitebasedclocksmay shipbetweenthekeywindowperiodW andthemaximum reduceefurthertotheorderof1-2microseconds. However, tolerableclockdrift e. Wewillshowthatthereexistsa W theseperformancenumbersareachievedinnormaloperat- value that maximizes allowable e. That is, given T and D ing situations. The time synchronization protocols or GPS one can choose a particular key window period to maxi- satellites may malfunction or be under attack. Therefore, mize the system’s clock drift tolerance. Although a time it is important to select an e value that is sufficiently large synchronizationprotocolsuchastheInternetNetworkTime toaccountforextraclockerrorscausedbyunusualsystem Protocol(NTP)canbeusedtoreduceetotensofmillisec- conditions. onds,itisstilldesirabletomaximizethesystem’sclockdrift OuranalysissuggeststhatthesecurityofaTKSsystem tolerance because the NTP could be under attack itself or will not be compromised by an overestimated e or an im- malfunction, in which case e would be much higher than properlysetDvalue. Thisisbecausethesecuritycondition normal. is independent of D and a larger e value causes keys to From the security and deliverability conditions of The- be refreshed more frequently. On the other hand, the data orem 1 and 2, the following upper bound on e can also be delivery performance of the system may be significantly established impacted by these values. Other factors such as rekeying W D T overheadneedtobeconsideredtooindeterminingtheright e min − , W (8) ≤ { 2 2 − } Dandevaluesforasystem. (Seesectionsbelow.) NowwehavearangeofetochoosefrombasedonW.Ifthe 6.3.ChoosingW basedonD,e,andT valueofW issettooclosetoT/2orD,thenfromequation (8)eisrequiredtobeverysmall,whichmaybeinfeasible. After T, D and e are determined, a range of W values TheW valuethatmaximizesecanbederivedbasedon may be feasible. Based on the security and deliverability equation (8) as follows. Figure2 shows the e-W relation- conditions, specifically equations (3) and (6), the window ship embedded in equation (8). There is a feasible region, periodW canbeselectedfromthefollowingrange the shaded triangle of the figure, of (e,W) combinations thatmeetbothsecurityanddeliverabilityconditions.Within T T +D T 2D D+2e W e (9) thatregion,whenW = ,eismaximizedat − . ≤ ≤ 2 − 3 6 As an example, let D = 30 seconds, which is much For example, let D = 20 seconds, e = 20 seconds, and largerthanthenormalnetworklatencyintheInternet. Fur- T = 1800seconds. ThenW canbeanyvaluebetween60 thermore, let T = 1800 seconds, which is a conservative and880seconds. 7 The value of W determines how often a new key is severalsub-flows.However,eachoftheseflowsrequiresad- needed. Whenthereisarangeofvaluestoselectfrom, W ditionalset-upoverhead4[6]. Forusagescenariosdescribed shouldbeaslargeaspossible. Themainadvantageofthis herein, TKS would be ideal for replacing IKE or other ex- approachisthatitminimizestheoverheadofkeygeneration pensivekeyexchangealgorithms(viz,insteadofusingIKE and/or distribution. The trade-off is that large W requires tochangekeysforsub-flowsofalongsession). long-lasting keys and possibly more processing overhead associatedwiththetransform. 8.ConcludingRemarks 6.4.Choosingtherightcryptographicmechanism There is a limit to how much efficiency can be gained from more frequent rekeying. At some point, the per-key Forwell-designedcryptographicsystems,theperpacket overhead of changing keys can overtake the resource ad- transform overhead typically increases with the maximum vantageofusingmoreefficientcryptographicmechanisms. key lifetime (T). To reduce the overhead, it is desirable to Furtherworkisneededtoquantifythecharacteristicsofthis use a cryptographic mechanism whose maximum key life- effect. time is just right for the task at hand. After D and e are determinedforthesystem,alowerboundonW canbeob- References tained based on the deliverability condition, i.e., equation (6). OnceW isset,alowerboundonT canbedetermined [1] C.Alaettinoglu,V.Jacobson,andH.Yu. Towardsmillisec- from the security condition, i.e., equation (3). Finally, an ond igp convergence. Internet Draft draft-alaettinoglu-isis- appropriatecryptographicalgorithmmaybeselectedbased convergence-00.txt,Nov.2000. onthislowerboundonkeylifetime. [2] A.BasuandJ.G.Riecke. Stabilityissuesinospfrouting. In For example, consider designing the packet filter de- ProceedingsofACMSIGCOMM2001,pages225–236,San scribed in the usage scenario 1. let D = 20 seconds and Diego,CA,Aug.2001. e =10seconds. Fromequation(6),thelowerboundonW [3] B.Briscoe. MARKS:Zerosideeffectmulticastkeymanage- is(20+2 10)=40seconds. Let’sassumethatW canbe mentusingarbitrarilyrevealedkeysequences. Presentedat × 46thIETFmeeting,Dec.1999. settoaminimumof120secondsduetokeygenerationand [4] J.DaemenandV.Rijmen. Availablefrom distributionoverheadandotherconcerns. Thenfromequa- csrc.nist.gov/encryption/aes/round2/AESAlgs/Rijndael/Rijndael.pdf, tion(3),T hasalowerboundof(2 100+2 10)=220 × × June1998. NISTAESProposal. seconds. This lower bound of T can be used to select a [5] D.HarkinsandD.Carrel. Theinterenetkeyexchange(IKE). (transform,key-length)pairwithjusttherightstrength. RFC2409,Nov.1998. [6] A. Kara. Protecting privacy in remote-patient monitoring. IEEEComputer,pages24–27,May2001. 7.RelatedWork [7] S.KentandR.Atkinson.SecurityarchitecturefortheInternet Protocol. RFC2401,Nov.1998. SeveralsecurityrisksofaparticularRSASecureIDim- [8] MudgeandKingpin.InitialcryptanalysisoftheRSASecurID plementation and recommended fixes are reported in [9]. algorithm. On-lineWhitePaper,Jan.2001. Availablefrom Alloftheproblemsseemtohavesomethingtodowithhow www.atstake.com/research/reports/initialsecuridanalysis.pdf. [9] [email protected]. Weakness in Se- the SecureID system is engineered and operated, not the curID. On-line White Paper. Available from TKSconceptitself. AcryptanalysisoftheRSASecureID’s www.tux.org/pub/security/secnet/papers/secureid.pdf. supposedlyproprietaryhashalgorithmispresentedin[8]. [10] G.G.Xie,C.Irvine,andC.Colwell. LLPA:Aprotocolfor The IPSec protocol [7] provides a framework for man- highspeedpacketauthentication.TechnicalReportNPS-CS- aging encryption and authentication, and their associated 99-003,DepartmentofComputerScience,NavalPostgradu- policies, at the network (IP) level. The default automated ateSchool,Feb.1999. key management protocol for IPSec is referred to as In- [11] G. G. Xie, C. Irvine, and T. Levin. Conditions for ternet Key Exchange (IKE) [5]. Key exchange is based time-drivenkeysequencing. TechnicalReport NPS-CS-00- 001, Department of Computer Science, Naval Postgraduate on the use of the Diffie Hellman algorithm, which is rel- School, Aug. 2000. Revised, July 2001. Available from atively computationally intensive. By default, the lifetime www.cs.nps.navy.mil/people/faculty/xie/papers. ofaIPSecsessionkeymustatleastaslongastheduration of the target session. One may avoid using a long dura- 4The idea of key prefetching for long duration flows is briefly men- tion key by partitioning the traffic of a long session into tionedforIPSec.However,nodetailsforitsrealizationaregiven. 8

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.