Analysis and Optimization of Cryptographically Generated Addresses - - PowerPoint PPT Presentation

Introduction CGA for IPv6 CGA++

Analysis and Optimization of Cryptographically Generated Addresses (CGA)

Revisiting Self-Certifying Address Generation and Verification

Joppe Bos, Onur ¨ Ozen and Jean-Pierre Hubaux

Ecole Polytechnique F´ ed´ erale de Lausanne

1 / 41

Introduction CGA for IPv6 CGA++

Outline

1 Introduction 2 CGA for IPv6

Outline Several Attacks Efficiency

3 CGA++

Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

2 / 41

Introduction CGA for IPv6 CGA++

Problem outline

Problem:

The need for the nodes to be able to generate their own address and verify the ones from others without relying on any global trusted authority.

Solution:

Using self-certifying addresses, which allows hosts and domains to prove they have the address they claim to have regardless of a trusted third party

• r a public-key infrastructure (PKI).

An Example:

Cryptographically Generated Addresses (CGA) for Internet Protocol version 6 (IPv6) addresses.

3 / 41

Introduction CGA for IPv6 CGA++

Motivation

The Impact

CGA is used in Internet Protocol version 6 (IPv6) addresses. IPv6 is the next-generation Internet Protocol version designated as the successor to version 4, IPv4. CGA is used in Secure Neighbour Discovery Protocol for proof of adress ownership and dublicate address detection.

What is missing?

A more in-depth security/efficiency analysis of CGA.

4 / 41

Introduction CGA for IPv6 CGA++

Our Contribution

A detailed security/efficiency analysis of CGA Security: Introduction of a security framework for CGA-like protocols. Efficiency: Estimation of the cost of address generation/verification and possible attacks. Investigation of several attack scenarios A new and more secure protocol is designed: CGA++.

Resistant against certain type of attacks which are possible against CGA. Better authentication. Less efficient (more later).

5 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

CGA Basics: The notion of a self-certifying name

The public-key itself:

6 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

CGA Basics: The notion of a self-certifying name

The public-key itself: Or, for convenience the hash of the public-key

6 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

CGA for IPv6

SHA−1 SHA−1

Modifier Public Key

Hash2

Subnet Prefix (64 bits)

Prefix Subnet Collision Count Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

Proposed by Aura at ISC 2003. Introduces the so-called “hash extensions” which trades efficiency for security. Appeared in an RFC 3972 in 2005.

7 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

CGA for IPv6

SHA−1 SHA−1

Modifier Public Key

Hash2

Subnet Prefix (64 bits)

Prefix Subnet Collision Count Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

8 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

Address Generation

SHA−1 SHA−1

Public Key

Hash2

Subnet Prefix (64 bits)

Prefix Subnet Collision Count Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

Modifier

1 Set modifier to a random 128-bit value. 9 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

Address Generation

SHA−1 Subnet Prefix (64 bits)

Prefix Subnet Collision Count Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

Modifier Public Key

SHA−1

Hash2

1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK. 10 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

Address Generation

SHA−1 Subnet Prefix (64 bits)

Prefix Subnet Collision Count Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

Modifier Public Key

SHA−1

Hash2

1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK. 3 Execute SHA-1 algorithm. The leftmost 112 bits

• f the result are Hash2.

11 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

Address Generation

SHA−1 Subnet Prefix (64 bits)

Prefix Subnet Collision Count Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

Modifier Public Key

SHA−1

Hash2

are ZERO 16*sec bits ? 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK. 3 Execute SHA-1 algorithm. The leftmost 112 bits

• f the result are Hash2.

4 Compare the 16×Sec leftmost bits of Hash2 with 0. If they are all zero, continue with Step (5). Otherwise, increment the modifier and go back to Step (2). 12 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

Address Generation

SHA−1 Subnet Prefix (64 bits)

Prefix Subnet Collision Count Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

Modifier Public Key

SHA−1

Hash2

are ZERO 16*sec bits ? 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK. 3 Execute SHA-1 algorithm. The leftmost 112 bits

• f the result are Hash2.

4 Compare the 16×Sec leftmost bits of Hash2 with 0. If they are all zero, continue with Step (5). Otherwise, increment the modifier and go back to Step (2). 5 Set the collision count to zero. 13 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

Address Generation

SHA−1 Subnet Prefix (64 bits)

Prefix Subnet Collision Count Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

Modifier Public Key

SHA−1

Hash2

are ZERO 16*sec bits ? 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK. 3 Execute SHA-1 algorithm. The leftmost 112 bits

• f the result are Hash2.

4 Compare the 16×Sec leftmost bits of Hash2 with 0. If they are all zero, continue with Step (5). Otherwise, increment the modifier and go back to Step (2). 5 Set the collision count to zero. 6 Concatenate the modifier, subnet prefix, collision count and encoded PK values. 14 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

Address Generation

Subnet Prefix (64 bits)

Prefix Subnet Collision Count Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

Modifier Public Key

SHA−1

Hash2

are ZERO 16*sec bits ? SHA−1 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK. 3 Execute SHA-1 algorithm. The leftmost 112 bits

• f the result are Hash2.

4 Compare the 16×Sec leftmost bits of Hash2 with 0. If they are all zero, continue with Step (5). Otherwise, increment the modifier and go back to Step (2). 5 Set the collision count to zero. 6 Concatenate the modifier, subnet prefix, collision count and encoded PK values. 7 Execute SHA-1. The leftmost 64 bits of the result are Hash1. 15 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

Address Generation

Subnet Prefix (64 bits)

Prefix Subnet Collision Count Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

Modifier Public Key

SHA−1

Hash2

are ZERO 16*sec bits ? SHA−1 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK. 3 Execute SHA-1 algorithm. The leftmost 112 bits

• f the result are Hash2.

4 Compare the 16×Sec leftmost bits of Hash2 with 0. If they are all zero, continue with Step (5). Otherwise, increment the modifier and go back to Step (2). 5 Set the collision count to zero. 6 Concatenate the modifier, subnet prefix, collision count and encoded PK values. 7 Execute SHA-1. The leftmost 64 bits of the result are Hash1. 8 Form an interface identifier by setting u, g in Hash1 both to 1 and the three leftmost bits to Sec. 16 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

Address Generation

Subnet Prefix (64 bits)

Prefix Subnet Collision Count Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

Modifier Public Key

SHA−1

Hash2

are ZERO 16*sec bits ? SHA−1 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK. 3 Execute SHA-1 algorithm. The leftmost 112 bits

• f the result are Hash2.

4 Compare the 16×Sec leftmost bits of Hash2 with 0. If they are all zero, continue with Step (5). Otherwise, increment the modifier and go back to Step (2). 5 Set the collision count to zero. 6 Concatenate the modifier, subnet prefix, collision count and encoded PK values. 7 Execute SHA-1. The leftmost 64 bits of the result are Hash1. 8 Form an interface identifier by setting u, g in Hash1 both to 1 and the three leftmost bits to Sec. 9 Concatenate the subnet prefix and interface identifier to form a 128-bit IPv6 address. 17 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

Address Generation

Subnet Prefix (64 bits) are ZERO 16*sec bits ? Collision ? Any

Prefix Subnet Collision Count Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

Modifier Public Key

SHA−1

Hash2

SHA−1 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK. 3 Execute SHA-1 algorithm. The leftmost 112 bits

• f the result are Hash2.

4 Compare the 16×Sec leftmost bits of Hash2 with 0. If they are all zero, continue with Step (5). Otherwise, increment the modifier and go back to Step (2). 5 Set the collision count to zero. 6 Concatenate the modifier, subnet prefix, collision count and encoded PK values. 7 Execute SHA-1. The leftmost 64 bits of the result are Hash1. 8 Form an interface identifier by setting u, g in Hash1 both to 1 and the three leftmost bits to Sec. 9 Concatenate the subnet prefix and interface identifier to form a 128-bit IPv6 address. 10 If an address collision is detected, increment the collision count and go back to step (6). After three collisions, stop. 18 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

Security of CGA for IPv6

SHA−1 SHA−1

Modifier Public Key

Hash2

Subnet Prefix (64 bits)

Prefix Subnet

Collision Count

Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

Impersonation (without hash extensions)

The number of operations required for impersonation of a specific node is 259 hash function evaluations.

Impersonation (ideal case, with hash extensions)

The number of operations required for impersonation of a specific node is 259+16×sec hash function evaluations.

19 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

A Time-Memory Trade-Off Attack on CGA

SHA−1 SHA−1

Modifier Public Key

Hash2

Subnet Prefix (64 bits)

Prefix Subnet

Collision Count

Zero Zero

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

Generation of Hash2 is independent of the subnet prefix

Why?

Help mobile nodes

They change subnet prefix

• ften, avoid computing

Hash2 over and over again Mobile nodes do not have much computation power.

This helps an attacker as well! Precompute and Store valid modifier values. Reduce the effect of hash extensions!

20 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

Replay Attack

Replaying messages

Select a random node in the network, sniff and store signed messages. Ask this node to verify its address → receive the modifier value and public-key. Then, by switching network, generate a “verifiable” address. The cost for an attacker to generate an address becomes negligible instead of 216×sec + 1 hash function evaluations. The attacker can not send new messages, he has no access to the private-key, but can replay the stored signed messages. Verification of these messages by other nodes will be OK!

21 / 41

Introduction CGA for IPv6 CGA++ Outline Several Attacks Efficiency

Efficiency of CGA

In CGA, the address generation time is equal to 216×sec + 1 hash function evaluations which is dominated by the security parameter; assuming sec > 0. Our implementation of CGA using OpenSSL running on an AMD64: sec value 1 2 3 4 ... Required Time 0.2 secs 3.2 hrs 24 yrs 1.6 ⋅ 106 yrs ...

Conclusion

Setting the security parameter to zero or one (may be two) are currently practical values.

22 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

CGA++, Design Goals

Make CGA++ at least as secure as basic-CGA without hash extensions resistant against the TMTO attack resistant against replay attack capable of authentication inside the verification part as similar to CGA as possible

23 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

The Time-Memory Trade-off Attack

Obvious Fix

Add the subnet prefix to the computation of the Hash2 value.

24 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

The Time-Memory Trade-off Attack

Obvious Fix

Add the subnet prefix to the computation of the Hash2 value.

Efficiency

No change when sec = 0. When sec > 0 the address renewal time == the address generation time. Current practical security parameters are: sec ∈ {0, 1}. These do not lead to practical problems (even for mobile nodes), only

• rder of a second.

24 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Authentication

Idea

Introduce authentication inside the verification process. “Bind” the modifier value, subnet prefix and collision count to this public/private key pair.

25 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Authentication

Idea

Introduce authentication inside the verification process. “Bind” the modifier value, subnet prefix and collision count to this public/private key pair.

How?

Sign these values in the computation of the Hash1 value. This prevents almost all instances of the replay attack.

25 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Hash2

Subnet Prefix (64 bits)

Public Key Public Key Modifier(m)

Prefix Subnet

(SP) Sign(SP,m,Collision Count)

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

H H

26 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Address Generation

Hash2

Subnet Prefix (64 bits)

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

H H

Modifier(m) Prefix Subnet

(SP) Sign(SP,m,Collision Count)

Public Key Public Key

1 Select security parameter sec ∈ {0, ..., 7}, pick a random modifier value and set CC to zero. 27 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Address Generation

Subnet Prefix (64 bits)

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

H H

Modifier(m) Prefix Subnet

(SP) Sign(SP,m,Collision Count)

Public Key Public Key

Hash2

1 Select security parameter sec ∈ {0, ..., 7}, pick a random modifier value and set CC to zero. 2 Concatenate the modifier, subnet prefix and the encoded public-key. Execute the hash algorithm on the concatenation. Continue until 16 × sec bits are zero by increasing the value

• f modifier.

28 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Address Generation

Subnet Prefix (64 bits)

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

H H

Modifier(m) Prefix Subnet

(SP)

Public Key Public Key

Hash2

Sign(SP,m,Collision Count)

1 Select security parameter sec ∈ {0, ..., 7}, pick a random modifier value and set CC to zero. 2 Concatenate the modifier, subnet prefix and the encoded public-key. Execute the hash algorithm on the concatenation. Continue until 16 × sec bits are zero by increasing the value

• f modifier.

3 Sign the modifier, collision count and subnet prefix with the private-key corresponding to used public-key. 29 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Address Generation

Subnet Prefix (64 bits)

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

H H

Modifier(m) Prefix Subnet

(SP)

Public Key Public Key

Hash2

Sign(SP,m,Collision Count)

1 Select security parameter sec ∈ {0, ..., 7}, pick a random modifier value and set CC to zero. 2 Concatenate the modifier, subnet prefix and the encoded public-key. Execute the hash algorithm on the concatenation. Continue until 16 × sec bits are zero by increasing the value

• f modifier.

3 Sign the modifier, collision count and subnet prefix with the private-key corresponding to used public-key. 4 Concatenate the encoded public-key and the signature values. Execute the hash algorithm on the concatenation. The most significant 64 bits of the result are Hash1. 30 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Address Generation

Hash1

ID (64 bits) Interface

59 bits

Sec u,g (2 bits)

H H

Modifier(m) Prefix Subnet

(SP)

Public Key Public Key

Hash2

Sign(SP,m,Collision Count)

Subnet Prefix (64 bits)

(3 bits)

1 Select security parameter sec ∈ {0, ..., 7}, pick a random modifier value and set CC to zero. 2 Concatenate the modifier, subnet prefix and the encoded public-key. Execute the hash algorithm on the concatenation. Continue until 16 × sec bits are zero by increasing the value

• f modifier.

3 Sign the modifier, collision count and subnet prefix with the private-key corresponding to used public-key. 4 Concatenate the encoded public-key and the signature values. Execute the hash algorithm on the concatenation. The most significant 64 bits of the result are Hash1. 5 Form an interface identifier by setting the two reserved bits in Hash1 both to 1 and three bits to sec. 31 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Address Generation

Hash2

Subnet Prefix (64 bits)

Public Key Public Key Modifier(m) Prefix Subnet

(SP) Sign(SP,m,Collision Count)

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

H H

Collision? 1 Select security parameter sec ∈ {0, ..., 7}, pick a random modifier value and set CC to zero. 2 Concatenate the modifier, subnet prefix and the encoded public-key. Execute the hash algorithm on the concatenation. Continue until 16 × sec bits are zero by increasing the value

• f modifier.

3 Sign the modifier, collision count and subnet prefix with the private-key corresponding to used public-key. 4 Concatenate the encoded public-key and the signature values. Execute the hash algorithm on the concatenation. The most significant 64 bits of the result are Hash1. 5 Form an interface identifier by setting the two reserved bits in Hash1 both to 1 and three bits to sec. 6 Concatenate the subnet prefix and interface identifier to form an 128-bit IPv6 address. 7 If an address collision is detected, increment the collision count and go back to step (3) (up to 3 collisions). 32 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Address Verification

Given the IPv6 address, the signature and the public-key of the node

Hash2 Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

H H

Modifier(m) Prefix Subnet

(SP) Sign(SP,m,Collision Count)

Public Key Public Key

Subnet Prefix (64 bits)

Verification

1 Verify the signature and obtain the modifier, collision count and subnet prefix values. 33 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Address Verification

Given the IPv6 address, the signature and the public-key of the node

Hash2 Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

H H

Modifier(m) Prefix Subnet

(SP) Sign(SP,m,Collision Count)

Public Key Public Key

Subnet Prefix (64 bits)

Verification

1 Verify the signature and obtain the modifier, collision count and subnet prefix values. 2 Check that the collision count value is 0, 1, or 2 and that the subnet prefix value is equal to the subnet prefix. 34 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Address Verification

Given the IPv6 address, the signature and the public-key of the node

Hash1

ID (64 bits) Interface

59 bits

Sec (3 bits) u,g (2 bits)

H H

Modifier(m) Prefix Subnet

(SP) Sign(SP,m,Collision Count)

Public Key Public Key

Subnet Prefix (64 bits)

Hash2

Verification

1 Verify the signature and obtain the modifier, collision count and subnet prefix values. 2 Check that the collision count value is 0, 1, or 2 and that the subnet prefix value is equal to the subnet prefix. 3 Read the security parameter sec. Concatenate the modifier, subnet prefix and the encoded public-key. Execute the hash algorithm on the

• concatenation. Check if the most significant

16 × sec bits of the result are zero. 35 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Address Verification

Given the IPv6 address, the signature and the public-key of the node

Hash1

ID (64 bits) Interface

59 bits

Sec u,g (2 bits)

H H

Modifier(m) Prefix Subnet

(SP)

Public Key Public Key

Hash2

Sign(SP,m,Collision Count)

Subnet Prefix (64 bits)

(3 bits)

Verification

1 Verify the signature and obtain the modifier, collision count and subnet prefix values. 2 Check that the collision count value is 0, 1, or 2 and that the subnet prefix value is equal to the subnet prefix. 3 Read the security parameter sec. Concatenate the modifier, subnet prefix and the encoded public-key. Execute the hash algorithm on the

• concatenation. Check if the most significant

16 × sec bits of the result are zero. 4 Concatenate the encoded public-key and the

• signature. Execute the hash algorithm on the

concatenation and compare the output with the interface identifier. Differences in the two reserved bits and three bits for sec are ignored. 36 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Efficiency of CGA++

RSA x-bit Signature Log2 of the Verification Log2 of the key time signature time time verification time 512 707 9.5 35 5.1 768 1338 10.4 40 5.3 1024 1910 10.9 47 5.5 1536 4432 12.1 69 6.1 2048 7812 12.9 89 6.4 Table: The Signature and Verification Time Expressed in Hash Function (SHA-1) Evaluations for Different RSA Key Sizes.

Benchmark based on information taken from:

• D. J. Bernstein and T. Lange. (editors) eBACS: ECRYPT Benchmarking of Cryptographic

Systems, accessed 7 January 2009.

37 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Efficiency of CGA++

RSA x-bit Signature Log2 of the Verification Log2 of the key time signature time time verification time 512 707 9.5 35 5.1 768 1338 10.4 40 5.3 1024 1910 10.9 47 5.5 1536 4432 12.1 69 6.1 2048 7812 12.9 89 6.4 Table: The Signature and Verification Time Expressed in Hash Function (SHA-1) Evaluations for Different RSA Key Sizes.

Benchmark based on information taken from:

• D. J. Bernstein and T. Lange. (editors) eBACS: ECRYPT Benchmarking of Cryptographic

Systems, accessed 7 January 2009.

38 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

CGA-CGA++ Comparison

CGA CGA++ Time to generate a new address when s = 0 1 1 + 210.9 Time to generate a new address when s > 0 216×s + 1 216×s + 1 + 210.9 Time to verify an address when s = 0 1 1 + 25.5 Time to verify an address when s > 0 2 2 + 25.5 Impersonation time when s = 0 259 269.9 Impersonation time when s > 0 259 259+16×s + 269.9 Time to renew the address when moving to a different network when s = 0 1 1 + 210.9 Time to renew the address when moving to a different network when s > 0 1 216×s + 1 + 210.9 Resistance against the global time-memory trade-off attack No Yes Authentication mechanism inside the verification protocol No Yes

Table: Comparison between CGA and CGA++ for IPv6 using a 1024-bit RSA

• key. All timings are expressed in hash function evaluations (from eBACS). The

parameter sec = s is the security parameter used for hash extensions.

39 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Conclusions

In this work, we

analyzed the security of CGA developed a security model for CGA-like protocols (in the paper) introduced an improved version of CGA: CGA++ Advantages

Higher security when no hash extensions are used Introduced authentication in the verification process Resistant against replay attacks Resistant against global time-memory trade-off attack

Disadvantage

Efficiency: Renewal of addresses is as expensive as address generation

40 / 41

Introduction CGA for IPv6 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison

Main references

• T. Aura. Cryptographically Generated Addresses (CGA). RFC 3972, IETF, March 2005.
• T. Aura and M. Roe. Strengthening Short Hash Values. See

http://research.microsoft.com/en-us/um/people/tuomaura/misc/aura-roe- submission.pdf.

• T. Aura. Cryptographically Generated Addresses (CGA). In C. Boyd and W. Mao, editors,

ISC, volume 2851 of Lecture Notes in Computer Science, pages 2943. Springer, 2003.

• L. Buttyan and J.-P. Hubaux. Security and Cooperation in Wireless Networks. Cambridge

University Press, Cambridge, 2007.

• A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied
• Cryptography. CRC Press, 2001.

41 / 41