Leap-frog packet linking and diverse key distributions for improved integrity in network broadcasts

2005 IEEE Symposium on Security and Privacy (S&P'05) Pub Date : 2005-05-08 DOI:10.1109/SP.2005.11

M. Goodrich

{"title":"Leap-frog packet linking and diverse key distributions for improved integrity in network broadcasts","authors":"M. Goodrich","doi":"10.1109/SP.2005.11","DOIUrl":null,"url":null,"abstract":"We present two new approaches to improving the integrity of network broadcasts and multicasts with low storage and computation overhead. The first approach is a leapfrog linking protocol for securing the integrity of packets as they traverse a network during a broadcast, such as in the setup phase for link-state routing. This technique allows each router to gain confidence about the integrity of a packet before passing it on to the next router; hence, allows many integrity violations to be stopped immediately in their tracks. The second approach is a novel key predistribution scheme that we use in conjunction with a small number of hashed message authentication codes (HMAC), which allows end-to-end integrity checking as well as improved hop-by-hop integrity checking. Our schemes are suited to environments, such as in ad hoc and overlay networks, where routers can share only a small number of symmetric keys. Moreover, our protocols do not use encryption (which, of course, can be added as an optional security enhancement). Instead, security is based strictly on the use of one-way hash functions; hence, our algorithms are considerably faster than those based on traditional public-key signature schemes. This improvement in speed comes with only modest reductions in the security for broadcasting, as our schemes can tolerate small numbers of malicious routers, provided they do not form significant cooperating coalitions.","PeriodicalId":6366,"journal":{"name":"2005 IEEE Symposium on Security and Privacy (S&P'05)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2005-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"20","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2005 IEEE Symposium on Security and Privacy (S&P'05)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2005.11","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 20

Abstract

We present two new approaches to improving the integrity of network broadcasts and multicasts with low storage and computation overhead. The first approach is a leapfrog linking protocol for securing the integrity of packets as they traverse a network during a broadcast, such as in the setup phase for link-state routing. This technique allows each router to gain confidence about the integrity of a packet before passing it on to the next router; hence, allows many integrity violations to be stopped immediately in their tracks. The second approach is a novel key predistribution scheme that we use in conjunction with a small number of hashed message authentication codes (HMAC), which allows end-to-end integrity checking as well as improved hop-by-hop integrity checking. Our schemes are suited to environments, such as in ad hoc and overlay networks, where routers can share only a small number of symmetric keys. Moreover, our protocols do not use encryption (which, of course, can be added as an optional security enhancement). Instead, security is based strictly on the use of one-way hash functions; hence, our algorithms are considerably faster than those based on traditional public-key signature schemes. This improvement in speed comes with only modest reductions in the security for broadcasting, as our schemes can tolerate small numbers of malicious routers, provided they do not form significant cooperating coalitions.

查看原文本刊更多论文

跨越式数据包链接和不同的密钥分布，以提高网络广播的完整性

我们提出了两种新的方法来提高网络广播和组播的完整性，同时降低存储和计算开销。第一种方法是跳跃式链接协议，用于在广播期间(例如在链路状态路由的设置阶段)遍历网络时保护数据包的完整性。该技术允许每个路由器在将数据包传递给下一个路由器之前获得对数据包完整性的信心;因此，允许许多完整性违规立即停止在他们的轨道。第二种方法是一种新的密钥预分发方案，我们将其与少量哈希消息身份验证码(HMAC)结合使用，它允许端到端完整性检查以及改进的逐跳完整性检查。我们的方案适合于环境，例如在ad hoc和覆盖网络中，路由器只能共享少量对称密钥。此外，我们的协议不使用加密(当然，可以作为可选的安全增强添加加密)。相反，安全性严格基于单向散列函数的使用;因此，我们的算法比基于传统公钥签名方案的算法要快得多。速度的提高只带来了广播安全性的适度降低，因为我们的方案可以容忍少量恶意路由器，只要它们不形成重要的合作联盟。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2005 IEEE Symposium on Security and Privacy (S&P'05)

自引率

0.00%

发文量