|
Recent
Publications
- PIKE: Peer
Intermediaries for Key Establishment in Sensor Networks PS, PDF, BIB. With Haowen Chan. Appears at IEEE Infocom 2005.
- FIT: Fast
Internet Traceback PS, PDF, BIB.
With Avi Yaar and Dawn
Song. Appears at IEEE
Infocom 2005.
- SPV: Secure Path
Vector Routing for Securing BGP PS, PDF, BIB.
With Yih-Chun Hu and Marvin
Sirbu. Appears in ACM SIGCOMM 2004.
- Key Infection:
Smart Trust for Smart Dust PS,
PDF, BIB. With Ross Anderson and Haowen Chan. Appears in IEEE International Conference on
Network Protocols (ICNP 2004).
- SIFF: A Stateless
Internet Flow Filter to Mitigate DDoS Flooding Attacks PS, PDF, BIB. With Avi Yaar and Dawn Song. Appears in 2004 IEEE
Symposium on Security and Privacy.
- SWATT:
SoftWare-based ATTestation for Embedded Devices PS, PDF,
BIB. With Arvind Seshadri, Leendert van Doorn, and
Pradeep
Khosla. Appears in 2004 IEEE
Symposium on Security and Privacy.
- Using SWATT for
Verifying Embedded Systems in Cars PS,
PDF, BIB. With Arvind Seshadri, Leendert van Doorn, and
Pradeep
Khosla. Appears in Embedded
Security in Cars Workshop (ESCAR 2004).
- The Sybil Attack
in Sensor Networks: Analysis and Defenses PS,
PDF, BIB. With James Newsome, Elaine
Shi, and Dawn Song.
Appears in Third International
Symposium on Information Processing in Sensor Networks (IPSN 2004).
- Distillation
Codes and Applications to DoS Resistant Multicast Authentication PS, PDF, BIB. With Chris Karlof, Naveen Sastry, Yaping
Li, and Doug Tygar.
Appears in Network
and Distributed System Security Symposium (NDSS 2004).
- Taming IP Packet
Flooding Attacks PS, PDF, BIB. With Daniel Adkins, Karthik Lakshminarayanan,
and Ion Stoica.
Appears in Workshop on
Hot Topics in Networks (HotNets-II).
- ACE: An Emergent
Algorithm for Highly Uniform Cluster Formation PDF, BIB.
With Haowen Chan.
Appears in First European Workshop on
Wireless Sensor Networks (EWSN 2004).
- SIA: Secure
Information Aggregation in Sensor Networks PDF,
BIB. With Bartosz Przydatek and Dawn Song. Appears in ACM SenSys 2003.
- Security and
Privacy in Sensor Networks PDF, BIB. With Haowen Chan. Appears in IEEE Computer Magazine,
October 2003.
- Opportunistic Use
of Content Addressable Storage for Distributed File Systems PDF, BIB.
With Niraj Tolia,
Michael Kozuch, Mahadev
Satyanarayanan, Brad Karp, and Thomas Bressoud.
Appears in the 2003
Usenix Annual Technical Conference.
- Random Key
Predistribution Schemes for Sensor Networks PS, PDF,
BIB. With Haowen Chan and Dawn Song. Appears in IEEE Symposium on
Security and Privacy 2003.
- Pi: A Path
Identification Mechanism to Defend against DDoS Attacks PS, PDF, BIB. With Avi Yaar and Dawn Song. Appears in IEEE Symposium on
Security and Privacy 2003.
- Efficient
Security Mechanisms for Routing Protocols PS, PDF, PS.GZ, BIB. With Yih-Chun Hu and Dave Johnson. Appears in the
proceedings of the Tenth Annual
Network and Distributed System Security Symposium (NDSS 2003).
- Rushing Attacks
and Defense in Wireless Ad Hoc Network Routing Protocols PS, PDF, PS.GZ, BIB. With Yih-Chun Hu and Dave Johnson. In ACM Workshop on
Wireless Security (WiSe 2003).
- Packet Leashes: A
Defense against Wormhole Attacks in Wireless Networks PS, PDF, PS.GZ, BIB. With Yih-Chun Hu and Dave Johnson. In IEEE Infocom 2003.
Network
security projects
Secure
Ad Hoc Network Routing
Ad hoc networks are
on the brink of wide-spread deployment. Research in ad hoc routing
protocols has made great progress, however, the majority of this
research assumed a trusted environment. Many real-world applications
lack a trustworthy environment, and they require secure ad hoc routing
protocols to prevent an adversary from performing denial-of-service
(DoS) attacks on the routing infrastructure. Together with Dave Johnson and Yih-Chun Hu, we designed
several secure ad hoc network routing protocols.
- A Survey of
Secure Wireless Ad Hoc Routing PDF.
Appears in IEEE Security
and Privacy special issue on Making Wireless Work, 2(3):28-39,
IEEE, May/June 2004.
- (SuperSEAD
journal paper) SEAD: Secure Efficient Distance Vector Routing for
Mobile Wireless Ad Hoc Networks PDF, BIB. Appears in Ad Hoc Networks Journal,
1(2003), pages 175-192.
- Ariadne: A Secure
On-Demand Routing Protocol for Ad Hoc Networks PS, PDF, PS.GZ, BIB. Appears in Mobicom 2002.
- Efficient
Security Mechanisms for Routing Protocols PS, PDF, PS.GZ, BIB. Appears in the
proceedings of the Tenth Annual
Network and Distributed System Security Symposium (NDSS 2003).
- SEAD: Secure
Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks PS, PDF, PS.GZ, BIB. In Fourth IEEE Workshop on Mobile
Computing Systems and Applications (WMCSA '02), June 2002.
- Rushing Attacks
and Defense in Wireless Ad Hoc Network Routing Protocols PS, PDF, PS.GZ, BIB. With Yih-Chun Hu and Dave Johnson. In ACM Workshop on
Wireless Security (WiSe 2003).
- Packet Leashes: A
Defense against Wormhole Attacks in Wireless Networks PS, PDF, PS.GZ, BIB. In IEEE Infocom 2003.
Security
for Sensor Networks
As sensor networks
edge closer towards wide-spread deployment, security issues become a
central concern. So far, much research has focused on making sensor
networks feasible and useful, and has not concentrated on security. We
are working on several projects to secure sensor networks.
We present a suite
of security building blocks optimized for resource-constrained
environments and wireless communication. SPINS has two secure building
blocks: SNEP and mTESLA. SNEP provides the following important baseline
security primitives: Data confidentiality, two-party data
authentication, and data freshness. A particularly hard problem is to
provide efficient broadcast authentication, which is an important
mechanism for sensor networks. mTESLA is a new protocol which provides
authenticated broadcast for severely resource-constrained environments.
We implemented the above protocols, and show that they are practical
even on minimal hardware: the performance of the protocol suite easily
matches the data rate of our network. Additionally, we demonstrate that
the suite can be used for building higher level protocols.
- SPINS: Security
Protocols for Sensor Networks PS, PDF, BIB, with Robert Szewczyk, Victor Wen, David Culler, and Doug Tygar, in Wireless Networks
Journal (WINE), September 2002.
- SPINS: Security
Protocols for Sensor Networks PS,
PDF, PPT, PS.GZ, HTML, BIB, with Robert Szewczyk, Victor Wen, David Culler, and Doug Tygar, in
Proceedings of Seventh Annual International Conference on Mobile
Computing and Networks MOBICOM
2001, July 2001.
Authentication
and signature of broadcast streams
Assuring
authenticity or non-repudiation of broadcast information is an
important research challenge. Current solutions are largely
impractical, due to their high communication and/or computation
overhead. We propose three protocols: TESLA and BiBa provide source
authentication, and EMSS offers non-repudiation (signature).
TESLA
One of the main
challenges of securing multicast communication is source
authentication, or enabling receivers of multicast data to verify that
the received data originated with the claimed source and was not
modified en-route. The problem becomes more complex in common settings
where other receivers of the data are not trusted, and where lost
packets are not retransmitted.
Check out our TESLA project page.
- The TESLA
Broadcast Authentication ProtocolPS, PDF, PS.GZ, HTML, BIB, with
Ran Canetti, Dawn Song,
and Doug Tygar, in RSA Cryptobytes,
Summer 2002.
- Efficient and
Secure Source Authentication for MulticastPS, PDF, PS.GZ, HTML, BIB, with Ran Canetti, Dawn Song, and Doug Tygar, in
Proceedings of Network and Distributed System Security Symposium NDSS 2001, February 2001.
- Efficient
Authentication and Signing of Multicast Streams over Lossy Channels PS, PDF, PS.GZ, HTML, BIB, with Ran Canetti, Dawn Song, and Doug Tygar, in Proc. of
IEEE Security and Privacy Symposium S&P2000,
May 2000.
- TESLA: Multicast
Source Authentication Transform Introduction draft-ietf-msec-tesla-intro-03.txt,
with Ran Canetti, Bob Briscoe, Dawn Song, and Doug Tygar, proposed
IETF draft.
- TESLA: Multicast
Source Authentication Transform Specification draft-ietf-msec-tesla-spec-00.txt,
Adrian Perrig, Ran Canetti, and Bram Whillock, proposed IETF draft.
- Bram Whillock
implemented the TESLA specification. The code
is available here, use it at your own risk.
BiBa
The BiBa broadcast
authentication protocol is based on the BiBa one-time signature. The
BiBa one-time signature is a new signature construction that uses
one-way functions without trapdoors. BiBa features a low verification
overhead and a relatively small signature size. In comparison to other
one-time signature schemes, BiBa has smaller signatures and is at least
twice as fast to verify (which probably makes it one of the fastest
signature schemes to date for verification).
- The BiBa One-Time
Signature and Broadcast Authentication Protocol PS, PDF,
PS.GZ, HTML, BIB, in Proceedings of the ACM
Conference on Computer and Communications Security CCS 2001, November
2001.
EMSS
EMSS is an efficient
protocol to sign data streams. The main idea is to ammortize an
expensive digital signature operation over a large number of data
packets. For more information, please see:
- Efficient
Authentication and Signing of Multicast Streams over Lossy Channels PS, PDF, and PS.GZ, BIB, with Ran Canetti, Dawn Song, and Doug Tygar, in Proc. of
IEEE Security and Privacy Symposium S&P2000,
May 2000.
Key
distribution and agreement of dynamic groups
Confidentiality is
the main purpose of secure group communication. The general approach is
to establish a secret group key shared by all members to encrypt all
confidential communication. Dealing with dynamic membership is a
challenging problem since secure group communication requires forward
and backward secrecy. Forward secrecy guarantees that a passive
adversary who knows a contiguous subset of old group keys cannot
discover subsequent group keys. Similarly, backward secrecy guarantees
that a passive adversary who knows a contiguous subset group keys
cannot discover preceding group keys.
In my research I
distinguish two common group settings:
- Large groups
(over 100 receivers) with a small number of senders. In general, the
group is managed centrally, and has a small number of senders (usually
only one).
- Small groups
(3-100 members). In this setting, every member is usually a sender and
a receiver.
ELK is
a new key distribution scheme for large broadcast groups. The
main goal is to improve the efficiency such that the key distribution
scales to larger and more dynamic groups. Inhibitors for scalability
include:
- Many membership changes cause many key update messages.
This is a problem because the key update traffic has a high bandwidth
overhead.
- Providing reliability for key update messages is a
challenge. The current recovery policy for receivers if they lost a key
update is to send a unicast message to the key server to request a key
update. Needless to say that this approach hardly scales to large
groups considering the packet loss rates we see today in the Internet.
ELK uses new techniques to improve the scalability of key distribution:
- We observe that the computation power of servers continues
to increase. Hence, we design a protocol such that member join events
do not require any broadcast message at all, for the cost that the key
server needs to compute a one-way function on all keys in each time
interval. This approach increases the scalability since no key update
message is sent and hence no message can get lost.
- We also provide a mechanism for smaller key update
messages, by trading off security and communication overhead. A lower
security margin directly translates into smaller key update. Note that
previous techniques did not have this property: As keys became smaller,
the scheme becomes vulnerable to pre-computation attacks.
- ELK also introduces "hints", another technique to reduce
the size of key updates. As the receiver's workstation gets faster, we
trade off receiver computation for communication overhead.
- We introduce the notion of Maximum Impact Keys (MIK).
Assume a LKH or OFT based key tree. Note that if a member leaves the
group, half of the remaining members only need a single key update -
the updated root key. So if we just send the key update for the group
key only, half the members could recover from a lost key update.
Similarly, if we send the update for two keys, 3/4 of all members can
update their key tree. We propose to piggyback hints to the MIKs with
data packets, such that the majority of members can recover from lost
key updates.
Key agreement for
small groups
Secure group
communication for dynamic peer groups is an important service in the
future. Considering collaborative workplaces, audio and video
conferencing, and the intercommunication between devices in ubiquitous
computing, I expect that the number of small groups (between 3 and 100
members) will greatly outnumber large groups (more than 100
members). Furthermore, the setting in small dynamic peer groups has
different requirements from large groups: Autonomous and contributory
key agreement, and fault tolerance to network partitions (members in
each partition form an independent peer group).
- Group Key
Agreement Efficient in Communication PS,
PDF, with Yongdae Kim and Gene Tsudik, to appear in
IEEE Transactions on Computers.
- Simple and
Fault-Tolerant Key Agreement for Dynamic Collaborative Groups (the Tree
Group Diffie Hellman (TGDH) protocol), PS, PS.GZ, PDF, HTML, BIB, with Yongdae Kim and Gene Tsudik, 7th ACM
Conference on Computer and Communication Security CCS 2000.
- Communication-Efficient
Group Key AgreementPS, PS.GZ, PDF, HTML,
BIB, with Yongdae Kim and Gene Tsudik, International
Federation for Information Processing IFIP SEC 2001.
- Efficient
Collaborative Key Management Protocols for Secure Autonomous Group
Communication, BIB,
International Workshop on Cryptographic Techniques and E-Commerce CrypTEC '99.
More
information is on the Secure
Multicast Group (SMuG) web page.
Practical
techniques for IP-traceback
Denial-of-service
(DoS)
attacks are among the most challenging security problems on today's
Internet. One difficulty to thwart DoS attacks is to trace the source
of the attacks because they often use incorrect, or ``spoofed'' IP
addresses to disguise the true origin. We present two new schemes, the
Advanced Marking Scheme and the Authenticated Marking Scheme, which
allow the victim to traceback the approximate origin of spoofed IP
packets. Our techniques have very low network and router overhead and
support incremental deployment. Comparing with previous work, our
techniques have significantly higher precision (lower false positive
rate) and lower computation overhead for the victim to reconstruct the
attack paths under large scale distributed denial-of-service
attacks. Furthermore the Authenticated Marking Scheme provides
efficient authentication of routers' markings such that even a
compromised router cannot forge or tamper markings from other
uncompromised routers. For more details:
Automatic
Security Protocol Generation and Verification
The current process
of designing a security protocol is usually ad-hoc and involves little
formalism and mechanical assistance. Such a design process is not only
slow but also error-prone. Evidence shows that even when security
protocols are designed with care and examined intensely (even over
time of years), they can still be fundamentally flawed. A classic
example is the Needham-Schroeder public-key mutual authentication
protocol, in which Gavin Lowe discovered a flaw 18 years later. Due to
the lack of formalism and mechanical assistance, manually designed
protocols often contain undocumented assumptions and hence can lead to
implementation errors. Further, simply because a manual design process
cannot search a large number of candidates, it may not find the
optimal protocol for the given system requirements.
Hence, we design and
implement a different approach, Automatic Protocol Generation
(APG). The approach of APG is efficient and provides high confidence
and high quality of protocols. APG is able to through large protocol
space and generate protocols that suit the system the best.
For details about
how APG
works and the new protocols it generated in experiments:
- A First Step
towards the Automatic Generation of Security Protocols PS, PS.GZ, PDF, HTML, BIB, with Dawn Song. In Proc. of
Network and Distributed System Security NDSS 2000, February 2000.
- Looking for
diamonds in the desert: Automatic security protocol generation for
three-party authentication and key distribution PS, PS.GZ, PDF, HTML, BIB, with Dawn Song. In Proc. of
IEEE Computer Security Foundations Workshop CSFW 13,
July 2000.
- AGVI ---
Automatic Generation, Verification, and Implementation of Security
ProtocolsPS, PS.GZ, PDF, HTML, BIB, with Dawn Song and Doantam
Phan. In Proceedings of 13th Conference on Computer Aided Verification CAV 2001, July 2001.
Applied
Cryptography
Search
on Encrypted Data
It is desirable to
store
data on data storage servers such as mail servers and file servers in
encrypted form to reduce security and privacy risks. But this usually
implies that one has to sacrifice functionality for security. For
example, if a client wishes to retrieve only documents containing
certain words, it was not previously known how to let the data storage
server perform the search and answer the query without loss of data
confidentiality.
We design a
cryptographic
schemes for the problem of searching on encrypted data and provide
proofs of security for the resulting crypto systems. Our technique is
efficient and provably secure.
Human
Factors in Computer Security
Hash
Visualization and User Authentication through Image Recognition
Long random strings,
such
as digital fingerprints or hash values, are difficult to remember. It
is much easier for people to deal with images instead of meaningless
strings. We therefore generate a visual represantation of the hash
value, which we call hash visualization. Hash visualization is
particularly useful in settings where people need to repeatedly verify
the integrity of data, because people can easily remember the images
generated.
We also developped
Déjà
Vu, a method to authenticate people through image recognition. The
key insight we had is to base the person authentication on a human
strength instead of on a human weakness. Most currently used
authentication schemes authenticate the user through precise recall, a
task that people are not particularly good at. Instead, studies have
shown that people are extremely good at recognizing previously seen
images, which is the main ingredient of Déjà Vu.
Furthermore, our
system prevents people from picking poor passwords, writing down or
sharing passwords with others, and prevents an attacker from guessing
passwords.
- Our Deja Vu
project page
- Hash
Visualization: a New Technique to Improve Real-World Security PS, PS.GZ, PDF, HTML, BIB, with Dawn Song. International
Workshop on Cryptographic Techniques and E-Commerce CrypTEC '99.
- Déjà
Vu: A User Study Using Images for Authentication PS, PS.GZ, PDF, HTML, BIB, with Rachna Dhamija, 9th Usenix Security
Symposium, August 2000.
- LA Times article In a
User-Friendly World, One Picture's Worth 1,000 Passwords.
- Article on
Microsoft's user authentication system mentions our research to
counteract shoulder surfing NY
Times. A summary is at ACM
Technews
- Deja Vu on Slashdot.
- Article on Deja
Vu in the NY
Times. Here's another article in the NY
Times that mentions Deja Vu.
- Newspaper
articles by Suelette Dreyfus appeared in the Independent
in the UK, and in the Age,
a newspaper in Melbourne, Australia.
- ZDNet
Article
- Article in Swedish
at Yahoo
- Article in
German at Akademie
- Article in NYT on
the cost
of forgotten passwords
In this research, we
use Andrej Bauer's Random Art
Security
and E-Commerce
Secure
Auction Architecture
Increasing numbers
of economic transactions are conducted through on-line auctions.
Nevertheless, most current auction implementations fail to address
important security concerns. In particular, most auction systems force
buyers and sellers to trust the auctioneer; alternative secure systems
are inflexible and have a high computational and/or communication
overhead.
To overcome these
limitations, we propose a secure auction marketplace (SAM)
architecture, based on the recently available tool of high-performance,
programmable secure coprocessors.
Unlike previous
schemes, this approach provides a general framework that can
incorporate arbitrary auction schemes by using different evaluation
programs, as well as provide complex security properties by using the
secure coprocessor and our auction protocols.
Our approach
features strong security guarantees for the buyers and sellers without
trusting the auctioneer, precise definition of the information
disclosed during and after the auction, and high flexibility to adapt
to new types of auctions.
- SAM: A Flexible
and Secure Auction Architecture Using Trusted HardwarePS, PS.GZ, with Sean Smith, Dawn Song, and Doug Tygar. Submitted
to the Electronic Journal on
E-commerce Tools and Applications.
- SAM: A Flexible
and Secure Auction Architecture Using Trusted HardwarePS, PS.GZ,
PDF, HTML, BIB, with Sean Smith, Dawn Song, and Doug Tygar. First
International Workshop on Internet Computing and E-Commerce ICEC 2001 or mirror.
Previous
Projects
Digital
Image Watermarking
Digital Image
Watermarking was initially perceived by some people as the white knight
of intellectual property protection. My position is that watermarking
is an interesting research problem, and it may be one building block in
the solution of IP protection.
In collaboration
with Alexander Herrigel and Joseph O'Ruanaidh I worked on a digital
image copyright environment which does not solely rely on the watermark
in the image to enforce the copyright. My more recent research focused
on the robustness of watermarking techniques.
Protection
of medical databases
When releasing
medical databases to the public, sensitive information needs to be
removed from the database. Unfortunately, sensitive infomation could
potentially be inferred from less sensitive information. In a class
project with Dawn Song
and Qifa Ke, we developed an
algorithm that automatically finds inference rules in medical
databases. This is an important step in removing sensitive information
from the medical database.
- The report is
available in PS and HTML.
Other
reports:
- SMIF: A Framework
for Secure Multicast Intercommunication. HTML, PS, PDF, and PS.GZ.
Class project in collaboration with Dawn Song and Yang-hua Chu, CMU in fall
'97.
- User
authentication and recognition through keystroke latency analysis. This
was joint work with Dawn
Song and Peter Venable.
Our report is available in PS,
PDF, and HTML.
- Emacs and Unix
Tricks in PS, PDF, and HTML may improve
your productivity.
- Digital money report in PS, PDF, and HTML: Analysis of existing
systems and social impacts. With Joerg Kienzle
|