Internet DRAFT - draft-huang-ace-hiding-communication
ACE Working Group                                               Q. Huang
Internet Draft                                                    M. Wei
Intended status: Standards Track                                 H. Wang
Expires: August 26, 2017                                           S. Li
                                                                 P. Wang
                                                                   Y. Li
                                                 Chongqing University of
                                            Posts and Telecommunications
                                                       February 22, 2017
Subliminal Channel Hiding Communication for Constrained-Node
Networks
draft-huang-ace-hiding-communication-00
Abstract
Due to the computation and storage limitations of constrained-node
networks, it is costly to apply security mechanisms based on public
key algorithms. This document proposes a subliminal channel hiding
communication method, which can provide a message authentication
service and protect the transmission of sensitive data.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on August 26, 2017.
Huang, et al. Expires August 26, 2017 [Page 1]
Internet-Draft ace hiding communication February 2017
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
   1.1. Requirements Notation
   1.2. Terms Used
2. Subliminal Channel Hiding Communication
   2.1. Overview of the scheme
   2.2. The implementation of the scheme
3. Security Considerations
4. IANA Considerations
5. References
   5.1. Normative References
   5.2. Informative References
1. Introduction
In existing networks, sensitive data is mainly protected with a
variety of encryption technologies and is transmitted through the
public channel. An attacker can easily detect the communication
process; hence, a man-in-the-middle attack, a DoS attack or a Sybil
attack can be applied to interfere with the communication, so that
the legitimate receiver cannot obtain the encrypted sensitive data,
which eventually leads to the failure of the communication process.
Subliminal channel hiding communication hides the sensitive data in
the ordinary data. It is hard for an attacker to determine whether
the ordinary data contains any sensitive data. In this way, the
transmitted ordinary data does not attract the attacker's attention
or suspicion. Subliminal channel hiding communication decreases the
intercept rate of the sensitive data and fundamentally guarantees
the security of the sensitive data.
Traditional subliminal channel hiding communication is not suitable
for constrained-node networks due to its high computational
overhead. Many existing subliminal channel communications are based
on public key mechanisms, such as the Scheme of subliminal channel
based on Schnorr digital signature and analysis, and the Subliminal
Channel Protocol based on Elliptic Curve Digital Signature
Algorithm; both of them hide the sensitive data in the digital
signature by using an embedding algorithm. Although a message
authentication mechanism is introduced in the communication process,
asymmetric encryption technology is adopted in the existing
embedding algorithms, which increases the calculation costs of the
node and makes the distribution of the public key and the private
key very complex.
The purpose of this document is to solve the problems of low
security and high energy consumption in the communication process of
constrained-node networks. A subliminal channel hiding communication
method based on the Message Authentication Code (MAC) is put
forward. By using data hiding technology, the confidentiality and
integrity of the sensitive data can be protected, and the sensitive
data is less vulnerable to attack in the communication process.
1.1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
1.2. Terms Used
MAC: Message Authentication Code.
Ordinary data: Data is divided into different grades according to
its importance; ordinary data is low-grade.
Sensitive data: Data is divided into different grades according to
its importance; sensitive data is high-grade, such as key update
messages, time synchronization messages, etc.
Broadcast packet: A 2-tuple packet that contains the ordinary data
and the MAC.
Cluster head node: Resource-rich node with high computation and
storage capacity.
Cluster node: Constrained node with constrained computation and
storage capacity.
2. Subliminal Channel Hiding Communication
2.1. Overview of the scheme
There are two types of nodes in this document: the cluster head
node, which is a resource-rich node, and the cluster node, which is
a constrained node. The topology of the network is shown in
Figure 1. Node A is the cluster head node; nodes B, C, ..., N are
cluster nodes.
               +---+
        +----->| A |<------+
        |      +---+       |
        |        |         |
        v        v         v
      +---+    +---+     +---+
      | B |    | C | ... | N |
      +---+    +---+     +---+
Figure 1. The network topology
There is a trusted third party with high computation and storage
capacity in the network, which distributes the key materials and
other necessary materials to the cluster head node and the cluster
nodes at the initialization phase. The mode of the third party is
shown in Figure 2.
     Key/Prime number  +---------------------+
        +--------------| Trusted third party |
        |              +---------------------+
        |                         |
        |                         | Key/Prime number
        v                         v
+-------------------+            +--------------+
| Cluster head node |<---------->| Cluster node |
+-------------------+            +--------------+
Figure 2. The third-party mode
The cluster head node hides the sensitive data in the MAC and
constructs a broadcast packet by using the Chinese Remainder Theorem
(CRT). Then the cluster head node sends the broadcast packet to the
cluster nodes. When a cluster node receives the broadcast packet, it
SHOULD authenticate the message first; it can then extract the
sensitive data from the MAC if the message passes authentication.
An attacker cannot know whether the MAC contains sensitive data and
cannot get any data from the MAC. This method increases the
difficulty of decoding the sensitive data.
2.2. The implementation of the scheme
The communication process is divided into several steps: (1)
Initialization phase; (2) Preprocessing phase; (3) Constructing
broadcast packets; (4) Message authentication; (5) Recovering the
sensitive data.
(1) Initialization phase: In order to realize authentication and
information hiding, the trusted third party needs to generate the
key parameters. The trusted third party generates a key k shared by
all the nodes of the network, and a series of keys shared
respectively by the cluster nodes and the cluster head node. The
trusted third party also generates a large prime number m shared by
all the nodes of the network, and a series of large prime numbers
shared respectively by the cluster nodes and the cluster head node.
(2) Preprocessing phase: When the cluster head node broadcasts the
ordinary data v, it uses a hash algorithm and the key k to generate
the preprocessed data b.
If the cluster head node wants to send sensitive data u to the
cluster node A, it uses the individual key KA and the identity of
the receiving node A in a symmetric encryption algorithm to generate
the encrypted sensitive data U.
(3) Constructing broadcast packets phase: The cluster head node uses
the preprocessed data b, the prime number m, the encrypted sensitive
data U and the prime number mA, which is shared by the cluster node
A and the cluster head node, to solve the congruence equations
according to the Chinese Remainder Theorem algorithm.
The cluster head node takes the solution of the congruence equations
as the MAC, in which the sensitive data is embedded. Then the
cluster head node constructs a 2-tuple packet P and broadcasts it to
the cluster nodes.
(4) Message authentication phase: When the cluster node A receives
the 2-tuple packet P, it SHOULD first authenticate the packet. If
the packet P passes authentication, the packet P is considered
credible; otherwise, the node discards the packet.
(5) Recovering the sensitive data phase: If the packet P passes the
verification, the cluster node A calculates the encrypted sensitive
data U from the MAC by using its prime number mA, then uses the key
KA to decrypt the data U, and finally obtains the sensitive data u.
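The five steps above, as an added Python sketch (not code from the
draft or its authors). The draft names no hash, cipher or parameter
sizes, so HMAC-SHA256, the XOR pad standing in for the symmetric
cipher, the two Mersenne primes and the step 4 check "MAC mod m = b"
are assumptions of this example.

```python
import hashlib
import hmac

# Constructed parameters (assumptions, not from the draft): two Mersenne primes.
M = 2**127 - 1    # network-wide prime m
M_A = 2**89 - 1   # prime mA shared by the cluster head and node A
U_LEN = 11        # bytes of sensitive data, so that U < 2**88 < mA

def preprocess(k, v):
    """Step 2: b = keyed hash of v reduced below m (HMAC-SHA256 is assumed)."""
    return int.from_bytes(hmac.new(k, v, hashlib.sha256).digest(), "big") % M

def _xor_pad(k_a, node_id, v, data):
    # Toy stand-in for the draft's unspecified symmetric cipher (assumption):
    # XOR with an HMAC-derived pad; v is mixed in so the pad differs per packet.
    pad = hmac.new(k_a, node_id + b"|" + v, hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(data, pad))

def build_packet(k, k_a, node_id, v, u):
    """Steps 2-3: solve x = b (mod m), x = U (mod mA); packet P = (v, MAC)."""
    if len(u) != U_LEN:
        raise ValueError("this example carries exactly 11 bytes")
    b = preprocess(k, v)
    U = int.from_bytes(_xor_pad(k_a, node_id, v, u), "big")
    # CRT for two coprime moduli: x = b + m * ((U - b) * m^-1 mod mA)
    mac = b + M * (((U - b) * pow(M, -1, M_A)) % M_A)
    return v, mac

def authenticate(k, packet):
    """Step 4: a node holding k and m recomputes b and compares MAC mod m."""
    v, mac = packet
    return 0 <= mac < M * M_A and hmac.compare_digest(
        (mac % M).to_bytes(16, "big"), preprocess(k, v).to_bytes(16, "big"))

def recover(k, k_a, node_id, packet):
    """Step 5: U = MAC mod mA, then decrypt; None if the packet is rejected."""
    if not authenticate(k, packet):
        return None
    U = packet[1] % M_A
    if U >> (8 * U_LEN):   # residue too large to be a ciphertext for this node
        return None
    return _xor_pad(k_a, node_id, packet[0], U.to_bytes(U_LEN, "big"))

if __name__ == "__main__":
    k, k_a = b"network-key-k", b"node-A-key-KA"   # constructed sample keys
    p = build_packet(k, k_a, b"A", b"temp=21.5C", b"rekey#00042")
    print(authenticate(k, p), recover(k, k_a, b"A", p))
    print(authenticate(k, (b"temp=99.9C", p[1])))  # altered ordinary data
```

In this sketch a node other than A that runs step 5 on the packet
gets unrelated bytes rather than an error, because the step 4 check
only covers v under the network-wide key k.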
3. Security Considerations
TBD.
4. IANA Considerations
This memo includes no request to IANA.
5. References
5.1. Normative References
5.2. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119,
          DOI 10.17487/RFC2119, March 1997,
          <http://www.rfc-editor.org/info/rfc2119>.
[RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for
          Constrained-Node Networks", RFC 7228,
          DOI 10.17487/RFC7228, May 2014,
          <http://www.rfc-editor.org/info/rfc7228>.
Authors' Addresses
QingQing Huang
Key Laboratory of Industrial Internet of Things & Networked Control
Ministry of Education
Chongqing University of Posts and Telecommunications
2 Chongwen Road
Chongqing, 400065
China
Email: huangqq@cqupt.edu.cn
Min Wei
Key Laboratory of Industrial Internet of Things & Networked Control
Ministry of Education
Chongqing University of Posts and Telecommunications
2 Chongwen Road
Chongqing, 400065
China
Email: weimin@cqupt.edu.cn
Hao Wang
Key Laboratory of Industrial Internet of Things & Networked Control
Ministry of Education
Chongqing University of Posts and Telecommunications
2 Chongwen Road
Chongqing, 400065
China
Email: wanghao@cqupt.edu.cn
Shuaiyong Li
Key Laboratory of Industrial Internet of Things & Networked Control
Ministry of Education
Chongqing University of Posts and Telecommunications
2 Chongwen Road
Chongqing, 400065
China
Email: lishuaiyong@cqupt.edu.cn
Ping Wang
Key Laboratory of Industrial Internet of Things & Networked Control
Ministry of Education
Chongqing University of Posts and Telecommunications
2 Chongwen Road
Chongqing, 400065
China
Phone: (86)-23-6246-1061
Email: wangping@cqupt.edu.cn
Yong Li
Key Laboratory of Industrial Internet of Things & Networked Control
Ministry of Education
Chongqing University of Posts and Telecommunications
2 Chongwen Road
Chongqing, 400065
China
Email: 13101279737@126.com