Analysis of a key-establishment security protocol

Anca Jurcut*, Tom Coffey*, Reiner Dojen* and Robert Gyorodi**

* Department of Electronic & Computer Engineering, University of Limerick, Ireland. E-Mail: anca jurcut @ul.ie, [email protected], [email protected]

** Department of Computer Science, University of Oradea, Romania. E-Mail: [email protected]

Abstract – Nowadays security protocols are a key component in providing security services for fixed and mobile networks. These services include data confidentiality, radio link encryption, message integrity, mobile subscriber authentication, electronic payment, certified e-mail, contract signing and non-repudiation.

This paper presents security protocols and their application. The most common attacks that exploit weaknesses in the design of security protocols are discussed. The Wide-Mouthed Frog key-establishment protocol of Burrows, Abadi and Needham [1] is presented. Attacks which exploit known weaknesses in the protocol are discussed and a corrected version of the protocol by Lowe [10] is presented. Additionally, a new parallel session attack on the Lowe modified Wide-Mouthed Frog protocol is detailed and discussed.

Keywords: Security protocols, protocol flaws, protocol attacks, parallel session attacks.

I. INTRODUCTION

This paper is concerned with attacks against security protocols. Security protocols are introduced and the most common attacks against security protocols are discussed. The Wide-Mouthed Frog key-establishment protocol of Burrows, Abadi and Needham is presented. Attacks which exploit known weaknesses in the protocol are discussed and a corrected version of the protocol by Lowe is presented. Analysis of the Lowe modified Wide-Mouthed Frog protocol in this paper reveals a new parallel session attack. The reasons for this attack and how it can be mounted are discussed.

The design of effective security protocols is complex and highly prone to error. The main difficulty in the development of effective security protocols is to address the vast possibilities of an adversary to gain information. In contrast to communications protocols, where the main issues are reachability of all legal states and avoidance of infinite loops, security protocol verification deals with the gain of information by an adversary.

II. SECURITY PROTOCOLS

A security protocol is a communication protocol that is based on a cryptographic system. A protocol is a prescribed sequence of interactions between communicating parties designed to achieve certain goals. These parties may be users, hosts, mobile devices or processes and they are referred to as principals. An honest principal follows a particular communication protocol, while a dishonest principal (or attacker, intruder, spy, enemy, adversary, etc.) tries to manipulate the protocol to achieve an unfair advantage.

The adversary can be either passive (just listening to the communication) or active (modifying message content or message order, dropping messages, etc.). An active adversary is more dangerous than a passive eavesdropper. Further, an adversary might use simultaneous protocol runs to gain information. One has to keep in mind that an adversary will not play fair by any rules. Hence, a security protocol should attempt to achieve its goals under all possible circumstances.

A security protocol should enforce the data exchange between honest participants, while the dishonest ones should be denied any benefit of the exchange. However, any flaw in a security protocol can be exploited by an attacker. Many published security protocols have subsequently been found to contain security weaknesses [1, 2, 3, 4, 5, 6, 7, 8], which can be exploited in an attack on the protocol.

Basic cryptographic protocols allow principals to authenticate each other, to establish fresh session keys for confidential communication and to ensure the authenticity of data and services. Building on such basic cryptographic protocols, more advanced services like non-repudiation, fairness, electronic payment and electronic contract signing are achieved. Security protocols can be categorised by application area, such as:

1. Wireless Communications, including
• mobile subscriber authentication [11], [12], [13], [14], [15]
• radio link encryption [16], [17], [18], [19]
• secure mobile ad hoc networking [20], [21], [22], [23]
• secure mobile IP [24], [25]

2. E-Commerce, including
• electronic payment [26], [27], [28]
• fair exchange [29], [30], [31], [32]
• non-repudiation [33], [34], [35], [36]
• certified e-mail [37], [38], [39], [40]
• contract signing [41], [42], [43]

3. E-Voting, including schemes using
• mix-nets
• blind signatures
• homomorphic encryption
Sample protocols include [44], [45], [46], [47], [48].

4. Sensor Networks, including
• authentication [49], [50]
• confidentiality/privacy [51], [52], [53]
• key management [54], [55], [56]
• security architectures [57], [58]
• denial of service [59], [60]

III. ATTACKS AGAINST SECURITY PROTOCOLS

A security protocol should enforce the data exchange between honest participants, while the dishonest ones should be denied any benefit of it. However, security protocols can contain weaknesses that make them vulnerable to a range of attacks such as replay, parallel session and type-flaw attacks. A message replay attack is one of the most common attacks on authentication and key-establishment protocols. If the messages exchanged in an authentication protocol do not carry appropriate freshness identifiers, then an adversary can get himself authenticated by replaying messages copied from a legitimate authentication session. Examples of replay attacks on security protocols include [1, 4, 5]. Replay attacks can be foiled by the use of nonces, run identifiers and timestamps.

A parallel session attack requires the parallel execution of multiple protocol runs, where the intruder uses messages from one session (the reference session) to synthesise messages in the other session (the attack session). Examples of parallel session attacks on security protocols include [2, 3, 6]. There are several forms of parallel session attack, such as oracle attacks, man-in-the-middle attacks and multiplicity attacks. In an oracle attack the intruder starts a new run of the protocol and uses one of the principals as an oracle; the intruder thereby obtains the appropriate answers to the challenges in the main run of the protocol. A man-in-the-middle attack occurs when two principals believe they are mutually authenticated, when in fact the intruder masquerades as one principal in one session and as the other principal in another. There are two runs of the protocol, but the honest principals think that there is only one. A multiplicity attack is a parallel session attack that can occur when the principals disagree on the number of runs they think they have successfully completed with each other.

A type flaw attack involves the replacement by the intruder of a message component with another message component of a different type. Examples of type flaw attacks on security protocols include [3, 7, 8]. A binding attack occurs when the intruder exploits the protocol's failure to establish a proper binding between a public key and its owner. Other attacks on security protocols include attacks due to name omission and attacks due to misuse of cryptographic services.

IV. THE WIDE-MOUTHED FROG PROTOCOL

The Wide-Mouthed Frog security protocol was first published by Burrows, Abadi and Needham [1] in 1989. It was proposed as a cryptographic protocol for the distribution of a fresh shared key between peer entities (cf. Figure 1). It assumes the use of symmetric key cryptography, a trusted server and synchronised clocks. In spite of the fact that most server-based key establishment protocols assume that principals trust only the server to choose the key for a session, this protocol is intended for environments where one principal chooses the shared key. The server simply makes the key chosen by one principal available to the other.

Figure 1 The Wide-Mouthed Frog Protocol
1: {Ta, B, Kab}Kas
2: {Ts, A, Kab}Kbs

In this paper a message m encrypted with a key k is denoted by {m}k. It is assumed that each principal shares a key with the server (Kas and Kbs respectively). The principals involved in the protocol are denoted by A, B and S, with the latter referring to the server. The Wide-Mouthed Frog protocol aims to establish a shared key Kab for use in a session between the principals A and B. This key is generated by A and sent to B via the trusted server S. The protocol steps are as follows:

1. A -> S : A, {Ta, B, Kab}Kas
2. S -> B : {Ts, A, Kab}Kbs

In the first message A sends the timestamp Ta, the identity of B and the new session key Kab, encrypted with the shared key Kas. The server forwards the session key, along with A's identity and its own timestamp Ts, to B, encrypted with the key Kbs.

Each message contains a timestamp, which is intended to guarantee the recentness of the message. A timestamp, denoted by Tn, represents the time at which the message was generated, where the subscript n identifies the principal generating the message. It is assumed that when a principal receives a message containing a timestamp, it compares the timestamp with its local time, allowing for network delays and differences in local clocks.

V. KNOWN ATTACKS ON THE WIDE-MOUTHED FROG PROTOCOL

In 1995 Anderson and Needham [9] claimed a replay attack on the Wide-Mouthed Frog protocol. Another attack on the protocol was discovered by Lowe [10] in 1997, who modified the protocol to prevent the attacks.

In this paper the intruder is denoted by I. The intruder can masquerade as a principal A or B to send or receive messages, which is denoted by I(A) or I(B). Multiple runs of the protocol are labelled i, ii, etc., and the messages inside a protocol run are denoted by i.1, i.2, ii.1, etc.

A. The replay attack

Anderson and Needham [9] claim a replay attack on the Wide-Mouthed Frog protocol, where an attacker can keep the session key Kab alive for later reuse. This attack assumes that the server does not keep a list of all recent working keys and timestamps.

This replay attack works as follows: after intercepting the message exchange of protocol run i, an intruder I can masquerade as B in a subsequent protocol run. The intruder I starts a new run of the protocol (ii) as B and sends to the server the same encrypted message (ii.1) as the one intercepted in i.2. By intercepting the message sent by the server to the principal A (ii.2), the intruder I obtains {T's, B, Kab}Kas, where T's is a new timestamp. The intruder can then start a new protocol run (iii) pretending to be A, and so on. As a result the session key Kab is kept alive by the intruder:

i.1. A -> S : A, {Ta, B, Kab}Kas
i.2. S -> B : {Ts, A, Kab}Kbs
ii.1. I(B) -> S : B, {Ts, A, Kab}Kbs
ii.2. S -> A : {T's, B, Kab}Kas
iii.1. I(A) -> S : A, {T's, B, Kab}Kas
iii.2. S -> B : {T''s, A, Kab}Kbs
....

For this attack to succeed it is assumed that the principals are willing to accept messages that contain the same session key. Therefore this attack works only if the principals do not keep a list of recent keys. Note that each pass through the server replaces the timestamp with a fresh Ts, so the replayed message always appears recent however old the original Ta is; a timestamp check alone therefore does not bound the lifetime of Kab.

B. The multiplicity attack

Although Burrows, Abadi and Needham [1] claimed that both timestamps and nonces ensure freshness of message exchanges in the Wide-Mouthed Frog protocol, Lowe [10] demonstrated that timestamps only ensure recentness of a message. The protocol is thus susceptible to a multiplicity attack. In this attack an intruder records the second message and replays it, making B believe that A is engaging in a new protocol run. Alternatively the intruder could replay the first message to the server, leading B to believe that A is engaging in a new protocol run. The attack involves two interleaved runs of the protocol, as follows:

i.1. A -> S : A, {Ta, B, Kab}Kas
i.2. S -> B : {Ts, A, Kab}Kbs
ii.2. I(S) -> B : {Ts, A, Kab}Kbs

In the first session, denoted by i, the protocol proceeds in the normal way, where A establishes a session with B using the key Kab. The intruder intercepts the last message of this run (i.2) and impersonates S by replaying this message in a second run, ii (message ii.2). The result is that the intruder falsely convinces B that A is trying to establish a second session with him, whereas A has established only one session.

VI. LOWE'S MODIFIED WIDE-MOUTHED FROG PROTOCOL

In Lowe's modified version of the Wide-Mouthed Frog protocol [10] a nonce handshake between the principals A and B has been added in steps 3 and 4 (cf. Figure 2) to prevent the multiplicity attack described in the previous section. In this protocol Nb denotes a nonce, a once-off random number generated by principal B.

Figure 2 Lowe modified Wide-Mouthed Frog Protocol
1: {Ta, B, Kab}Kas
2: {Ts, A, Kab}Kbs
3: {Nb}Kab
4: {succ Nb}Kab

The message exchange of the modified protocol is as follows:

1. A -> S : A, {Ta, B, Kab}Kas
2. S -> B : {Ts, A, Kab}Kbs
3. B -> A : {Nb}Kab
4. A -> B : {succ(Nb)}Kab

The nonce handshake is intended to ensure mutual authentication between the principals. It provides the additional goal of authentication in the modified protocol, in addition to the original goal of key establishment.

VII. A NEW ATTACK ON LOWE'S MODIFIED WIDE-MOUTHED FROG PROTOCOL

In this section we present a new parallel session attack on the Lowe modified Wide-Mouthed Frog protocol [10]. This attack uses two parallel runs of the protocol. In run i, the principal A initiates the protocol with B by sending message i.1 to the server S. The encrypted component of the message consists of a timestamp Ta, the identity of B and the session key Kab. The server S extracts the session key Kab from message i.1 and forwards it to B as part of message i.2. An intruder I intercepts the message intended for B and starts a parallel run ii in which the intruder impersonates B so as to initiate a session with A. The intruder uses A as an oracle in order to encrypt messages.

i.1. A -> S : A, {Ta, B, Kab}Kas
i.2. S -> I(B) : {Ts, A, Kab}Kbs
ii.1. I(B) -> S : B, {Ts, A, Kab}Kbs
ii.2. S -> A : {T's, B, Kab}Kas
ii.3. A -> I(B) : {Na}Kab
i.3. I(B) -> A : {Na}Kab
i.4. A -> I(B) : {succ Na}Kab
ii.4. I(B) -> A : {succ Na}Kab

In ii.2 the server sends to A a new message containing B's identity, a new timestamp and the key Kab, all encrypted with A's shared key Kas. Principal A, who is an honest principal, decrypts the message, extracts the key Kab and responds by sending message ii.3, which contains a freshly generated nonce Na encrypted with this session key. The intruder then replays ii.3 as its next message in the first run i (as message i.3). In response, A returns the encrypted successor succ Na (message i.4), which the intruder again replays as its next message in run ii (message ii.4).

Hence, A believes that he has established a session with B in run i, and he believes that B has established a session with him in run ii, even though B is in fact absent.

The impact of this attack is that an intruder can masquerade as somebody else. Therefore authentication is not achieved in Lowe's modified Wide-Mouthed Frog protocol. One of the reasons this attack can be mounted is the symmetry of the first two encrypted messages of the protocol. This symmetry is a weakness that the intruder is able to take advantage of by replaying the second message of the first protocol run (i.2) as the initial message of the second run (ii.1).

The second and major weakness of the protocol occurs in the last two steps, where the nonce handshake does not ensure authentication, as it is not possible to establish the source of the messages involved. The messages {Na}Kab and {succ Na}Kab carry neither the identity of their sender nor an identifier of the run they belong to, so a response that A itself produced in one run is accepted by A in the other.

VIII. CONCLUSION

This paper introduced security protocols and the most common attacks that exploit weaknesses in the design of security protocols. The Wide-Mouthed Frog key-establishment protocol was presented and attacks which exploit known weaknesses in the protocol were discussed. A corrected version of the Wide-Mouthed Frog protocol by Lowe was also presented. A new parallel session attack on the Lowe modified Wide-Mouthed Frog protocol was detailed. The impact of this new attack is that an intruder can easily take advantage of the protocol's inherent weaknesses and impersonate an honest principal.

Acknowledgements

This work was funded by the Irish Research Council for Science, Engineering and Technology (IRCSET Embark Initiative) and Science Foundation Ireland - Research Frontiers Programme (SFI RFP07 CMSF 631).
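The message flows of sections IV to VII as one executable symbolic model: the Wide-Mouthed Frog exchange, the Anderson and Needham replay chain and Lowe's multiplicity attack from section V, and the parallel session attack on Lowe's modified protocol from section VII. This is an added example, not code from the paper or from Lowe. Its assumptions are: encryption {m}k is a symbolic tuple that can be opened only with k (no real cipher); all parties share one clock with an acceptance window of five ticks, a value the paper does not fix; a nonce is the symbolic tuple ("N", principal, run) and succ is modelled by tagging; and the server's optional recent-key list stands for the countermeasure that the replay attack assumes to be absent.

```python
# Symbolic model of Wide-Mouthed Frog (WMF), Lowe's nonce handshake and the
# attacks of sections V and VII. Added example, not the paper's code. {m}k is
# the tuple ("enc", k, m): it opens only with k, so replay works but forgery not.
WINDOW = 5  # assumed timestamp acceptance window; the paper fixes none
KEYS = {"A": "Kas", "B": "Kbs"}  # long-term keys shared with S

def enc(k, m):
    return ("enc", k, m)

def dec(k, ct):
    if ct[:2] != ("enc", k):
        raise ValueError("wrong key")
    return ct[2]

class Server:  # S: holds the synchronised clock, relays the sender's chosen key
    def __init__(self, remember_keys=False):
        self.t, self.seen = 0, (set() if remember_keys else None)  # recent-key list

    def forward(self, sender, ct):  # message 1 in, message 2 out
        ta, peer, kab = dec(KEYS[sender], ct)
        if abs(self.t - ta) > WINDOW:
            raise ValueError("stale timestamp")
        if self.seen is not None:
            if kab in self.seen:
                raise ValueError("key already seen")
            self.seen.add(kab)
        self.t += 1  # time passes; S stamps a fresh Ts
        return enc(KEYS[peer], (self.t, sender, kab))

class Principal:
    """A or B; one principal may take part in several runs at once."""
    def __init__(self, name, server):
        self.name, self.s, self.runs = name, server, {}

    def msg1(self, run, peer, kab):  # initiator: A -> S : A, {Ta, B, Kab}Kas
        self.runs[run] = {"peer": peer, "kab": kab, "nonce": None, "auth": False}
        return self.name, enc(KEYS[self.name], (self.s.t, peer, kab))

    def msg2(self, run, ct):  # responder accepts {Ts, A, Kab}Kbs, sends {Nb}Kab
        ts, peer, kab = dec(KEYS[self.name], ct)
        if abs(self.s.t - ts) > WINDOW:
            raise ValueError("stale timestamp")
        nonce = ("N", self.name, run)  # symbolic fresh nonce
        self.runs[run] = {"peer": peer, "kab": kab, "nonce": nonce, "auth": False}
        return enc(kab, nonce)

    def msg3(self, run, ct):  # initiator answers {Nb}Kab with {succ Nb}Kab
        r = self.runs[run]
        r["auth"] = True  # A concludes that a holder of Kab is live
        return enc(r["kab"], ("succ", dec(r["kab"], ct)))

    def msg4(self, run, ct):  # responder checks succ(Nb)
        r = self.runs[run]
        if dec(r["kab"], ct) != ("succ", r["nonce"]):
            raise ValueError("bad response")
        r["auth"] = True

    def sessions(self, peer, authenticated=False):
        return [x for x, r in self.runs.items()
                if r["peer"] == peer and (r["auth"] or not authenticated)]

def setup(remember_keys=False):
    s = Server(remember_keys)
    return s, Principal("A", s), Principal("B", s)

def replay_attack(rounds=10, remember_keys=False):
    """Section V.A: I feeds each server reply back to S as message 1 of a run
    from the other party; S re-stamps it, so Kab stays 'recent' indefinitely.
    Returns (clock time, whether the final victim accepts Kab)."""
    s, a, b = setup(remember_keys)
    m, target = s.forward(*a.msg1("i", "B", "Kab")), "B"  # i.1; I records i.2
    try:
        for _ in range(rounds):
            s.t += 1  # time passes between runs
            m = s.forward(target, m)  # ii.1 I(B) -> S : B, {Ts, A, Kab}Kbs, ...
            target = "A" if target == "B" else "B"
        (a if target == "A" else b).msg2("replayed", m)  # accepted: Ts is fresh
        return s.t, True
    except ValueError:
        return s.t, False

def multiplicity_attack():
    """Section V.B: I replays i.2 as ii.2. Returns (A's runs with B, B's with A)."""
    s, a, b = setup()
    i2 = s.forward(*a.msg1("i", "B", "Kab"))
    b.msg2("i", i2)   # run i completes normally
    b.msg2("ii", i2)  # ii.2 I(S) -> B : {Ts, A, Kab}Kbs, still within WINDOW
    return len(a.sessions("B")), len(b.sessions("A"))

def parallel_session_attack():
    """Section VII: I(B) reflects i.2 to S as ii.1 and uses A as an oracle for
    the handshake. Returns (runs A believes authenticated with B, B's runs)."""
    s, a, b = setup()
    i2 = s.forward(*a.msg1("i", "B", "Kab"))  # i.1; i.2 is intercepted, B never sees it
    ii2 = s.forward("B", i2)                  # ii.1 I(B) -> S; ii.2 S -> A : {T's, B, Kab}Kas
    ii3 = a.msg2("ii", ii2)                   # ii.3 A -> I(B) : {Na}Kab
    i4 = a.msg3("i", ii3)                     # i.3 I(B) -> A : {Na}Kab; i.4 A -> I(B) : {succ Na}Kab
    a.msg4("ii", i4)                          # ii.4 I(B) -> A : {succ Na}Kab is accepted
    return len(a.sessions("B", authenticated=True)), len(b.sessions("A"))
```

`replay_attack()` returns `(21, True)`: after ten bounces the clock stands at 21 while the original Ta was 0, far outside the window, yet the victim accepts Kab because every message carries the server's latest Ts. With `remember_keys=True` the first bounce is refused and the result is `(2, False)`, which is the countermeasure the attack assumes absent. `multiplicity_attack()` returns `(1, 2)`: B counts two runs with A, A one with B. `parallel_session_attack()` returns `(2, 0)`: A holds two runs it believes authenticated with B while B never took part. The model also shows that the reflection at ii.1 presents Kab to S a second time, so a server recent-key list would stop this attack as well; the paper does not discuss that, it is an observation from the model.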

REFERENCES

[1] Michael Burrows, Martin Abadi and Roger Needham, "A logic of authentication", Technical Report 39, Digital Systems Research Center, February 1989.
[2] Gavin Lowe, "An attack on the Needham-Schroeder public key authentication protocol", Information Processing Letters, 56(3), pp. 131–136, November 1995.
[3] Gavin Lowe, "Some new attacks upon security protocols", Proceedings of the Computer Security Foundations Workshop VIII, IEEE Computer Society Press, 1996.
[4] D. Denning and G. Sacco, "Timestamps in key distribution protocols", Communications of the ACM, 24(8), pp. 533–535, 1981.
[5] T. Aura, "Strategies against replay attacks", Proceedings of the 10th IEEE Computer Security Foundations Workshop, Rockport, MA, pp. 59–68, IEEE Computer Society Press, June 1997.
[6] Junghyun Nam, Seungjoo Kim, Sangjoon Park and Dongho Won, "Security Analysis of a Nonce-Based User Authentication Scheme Using Smart Cards", IEICE Transactions on Fundamentals, vol. E90-A, no. 1, pp. 299–302, January 2007.
[7] Tzonelih Hwang, Narn-Yoh Lee, Chuang-Ming Li, Ming-Yung Ko and Yung-Hsiang Chen, "Two attacks on Neumann-Stubblebine authentication protocols", Information Processing Letters, no. 53, pp. 103–107, 1995.
[8] J. Heather, G. Lowe and S. Schneider, "How to prevent type flaw attacks on security protocols", pp. 255–268, IEEE Computer Society, 2000.
[9] Ross Anderson and Roger Needham, "Programming Satan's Computer", Computer Science Today - Recent Trends and Developments, J. van Leeuwen (ed.), Springer LNCS vol. 1000, pp. 426–440, 1995.
[10] Gavin Lowe, "A family of attacks upon authentication protocols", Technical Report 1997/5, Department of Mathematics and Computer Science, University of Leicester, 1997.
[11] Martin, K.M. and Mitchell, C.J., "Comments on an optimized protocol for mobile network authentication and security", ACM SIGMOBILE Mobile Computing and Communications Review, Vol. 3, No. 2, p. 37, 1999.
[12] Harbitter, A. and Menascé, D.A., "The performance of public key-enabled Kerberos authentication in mobile computing applications", ACM Conference on Computer and Communications Security, Session: Mobile Code and Distributed Systems, Philadelphia, PA, USA, pp. 78–85, November 2001.
[13] Yang, J.P., Shin, W. and Rhee, K.H., "An End-to-End Authentication Protocol in Wireless Application Protocol", Australasian Conference, ACISP 2001, Sydney, Australia, pp. 247–259, July 2001.
[14] Harbitter, A. and Menascé, D.A., "A methodology for analyzing the performance of authentication protocols", ACM Transactions on Information and System Security (TISSEC), Vol. 5, No. 4, pp. 458–491, 2002.
[15] Coffey, T. and Dojen, R., "Analysis of a mobile communication security protocol", International Symposium on Information and Communication Technologies (ISICT03), Dublin, Ireland, pp. 329–335, September 2003.
[16] Flanagan, T., Coffey, T. and Dojen, R., "Radio Access Link Security for Universal Mobile Telecommunication Systems (UMTS)", Engineering of Modern Electric Systems (EMES 01), Oradea-Felix Spa, Romania, pp. 18–23, May 2001.
[17] Lee, B.R., Chang, K.A. and Kim, T.Y., "A Secure and Efficient Key Escrow Protocol for Mobile Communications", International Conference on Computational Sciences, San Francisco, CA, USA, pp. 433–446, May 2001.
[18] Bruschi, D. and Rosti, E., "Secure multicast in wireless networks of mobile hosts: protocols and issues", Mobile Networks and Applications, Vol. 7, No. 6, pp. 503–511, 2002.
[19] Crescenzo, G.D., Arce, G. and Ge, R., "Threshold Cryptography in Mobile Ad Hoc Networks", International Conference, SCN 2004, Amalfi, Italy, pp. 91–104, September 2004.
[20] Buttyán, L. and Hubaux, J.P., "Report on a working session on security in wireless ad hoc networks", ACM SIGMOBILE Mobile Computing and Communications Review, Vol. 7, No. 1, pp. 74–94, 2003.
[21] Hu, Y.C., Perrig, A. and Johnson, D.B., "Rushing attacks and defense in wireless ad hoc network routing protocols", ACM Workshop on Wireless Security, Session: Secure routing, San Diego, CA, USA, pp. 30–40, September 2003.
[22] Sun, B., Wu, K. and Pooch, U.W., "Alert aggregation in mobile ad hoc networks", ACM Workshop on Wireless Security, Session: Secure wireless protocols, San Diego, CA, USA, pp. 69–78, September 2003.
[23] Song, J.H., Wong, V.W.S. and Leung, V.C.M., "A framework of secure location service for position-based ad hoc routing", ACM International Workshop on Performance Evaluation of Wireless Ad Hoc, Sensor, and Ubiquitous Networks, Session: Network Protocols, Venezia, Italy, pp. 99–106, October 2004.
[24] Park, S.H., Ganz, A. and Ganz, Z., "Security protocol for IEEE 802.11 wireless local area network", Mobile Networks and Applications, Vol. 3, No. 3, pp. 237–246, 1998.
[25] Kempf, J., Arkko, J. and Nikander, P., "Mobile IPv6 Security", Wireless Personal Communications, Vol. 29, No. 3-4, pp. 389–414, 2004.
[26] Burdett, D., "Internet Open Trading Protocol version 1.0", IETF Network Working Group, IETF RFC 2801, April 2000.
[27] Ray, I. and Ray, I., "Failure Analysis of an E-commerce Protocol Using Model Checking", International Workshop on Advanced Issues of E-Commerce and Web-based Information Systems, Milpitas, CA, USA, pp. 176–183, June 2000.
[28] Song, R. and Korba, L., "How to make e-cash with non-repudiation and anonymity", International Conference on Information Technology: Coding and Computing (ITCC2004), Las Vegas, Nevada, USA, pp. 167–172, April 2004.
[29] Asokan, N., Schunter, M. and Waidner, M., "Optimistic protocols for fair exchange", 4th ACM Conference on Computer and Communications Security, Zurich, Switzerland, pp. 7–17, April 1997.
[30] Zhou, J., "Achieving Fair Non-repudiation in Electronic Transactions", Journal of Organizational Computing and Electronic Commerce, Vol. 11, No. 4, pp. 253–267, 2001.
[31] Saeednia, S., Markowitch, O. and Roggeman, Y., "Identity-based optimistic fair exchange with transparent signature recovery", International Conference on Distributed Multimedia Systems (DMS 2003), Miami, USA, pp. 718–721, September 2003.
[32] Avoine, G. and Vaudenay, S., "Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing", 9th Australasian Conference on Information Security and Privacy (ACISP 2004), Sydney, Australia, pp. 74–85, July 2004.
[33] Coffey, T. and Saidha, P., "A Logic for Verifying Public Key Cryptographic Protocols", IEE Proceedings - Computers and Digital Techniques, Vol. 144, No. 1, pp. 28–32, 1997.
[34] Coffey, T., Saidha, P. and Burrows, P., "Analysing the security of a non-repudiation communication protocol with mandatory proof of receipt", Proceedings of the International Symposium on Information and Communication Technologies (ISICT03), Dublin, Ireland, pp. 351–356, September 2003.
[35] Kremer, S. and Raskin, J.F., "A game-based verification of non-repudiation and fair exchange protocols", Journal of Computer Security, Vol. 11, No. 3, pp. 399–429, 2003.
[36] Coffey, T., Ventuneac, M., Newe, T. and Salomie, S., "On investigating the security and fairness of a fair exchange protocol using logic-based verification", IEEE International Conference on Intelligent Engineering Systems (INES2004), Cluj-Napoca, Romania, pp. 325–330, September 2004.
[37] Zhou, J. and Gollmann, D., "Certified Electronic Mail", European Symposium on Research in Computer Security (ESORICS'96), Rome, Italy, pp. 160–171, September 1996.
[38] Abadi, M. and Blanchet, B., "Computer-assisted verification of a protocol for certified email", 10th International Symposium on Static Analysis (SAS'03), San Diego, California, USA, pp. 316–335, June 2003.
[39] Blundo, C., Cimato, S. and De Prisco, R., "Certified email: design and implementation of a new optimistic protocol", IEEE International Symposium on Computers and Communication (ISCC 2003), Kemer, Antalya, Turkey, pp. 828–833, June 2003.
[40] Zhou, J., "On the Security of a Multi-Party Certified Email Protocol", International Conference on Information and Communications Security, Malaga, Spain, pp. 40–52, October 2004.
[41] Baum-Waidner, B. and Waidner, M., "Optimistic Asynchronous Multi-party Contract Signing", International Colloquium on Automata, Languages and Programming, Málaga, Spain, pp. 898–911, July 2001.
[42] Baum-Waidner, B. and Waidner, M., "Round-optimal and abuse free optimistic multi-party contract signing", Automata, Languages and Programming - ICALP 2000, Geneva, Switzerland, pp. 524–535, July 2000.
[43] Bao, F., Wang, G., Zhou, J. and Zhu, H., "Analysis and Improvement of Micali's Fair Contract Signing Protocol", Australasian Conference on Information Security and Privacy (ACISP 2004), Sydney, Australia, pp. 176–187, July 2004.
[44] Chaum, D., "Untraceable electronic mail, return addresses, and digital pseudonyms", Communications of the ACM, Vol. 24, No. 2, pp. 84–88, 1981.
[45] Okamoto, T., "Receipt-free electronic voting schemes for large scale elections", Security Protocols Workshop, Paris, France, pp. 25–35, April 1997.
[46] Lee, B. and Kim, K., "Receipt-free electronic voting scheme with a tamper-resistant randomiser", International Conference on Information and Communications Security (ICISC2002), Singapore, pp. 405–422, December 2002.
[47] Damgård, I., Jurik, M. and Nielsen, J.B., "A generalization of Paillier's public-key system with applications to electronic voting", accepted for publication in the special issue on Financial Cryptography, International Journal on Information Security (IJIS), 2003.
[48] Kiayias, A. and Yung, M., "The vector-ballot e-voting approach", International Conference on Financial Cryptography 2004, Key West, Florida, USA, pp. 72–89, February 2004.
[49] Perrig, A., Canetti, R., Tygar, J. and Song, D., "Efficient Authentication and Signing for Multicast", Network and Distributed System Security Symposium (NDSS 2001), San Diego, California, USA, February 2001.
[50] Deng, J., Han, R. and Mishra, S., "Security support for in-network processing in Wireless Sensor Networks", ACM Workshop on Security of Ad Hoc and Sensor Networks, Fairfax, Virginia, USA, pp. 83–93, October 2003.
[51] Perrig, A., Szewczyk, R., Wen, V., Culler, D. and Tygar, J.D., "SPINS: Security Protocols for Sensor Networks", International Conference on Mobile Computing and Networking (ACM SIGMOBILE), Rome, Italy, pp. 190–199, July 2001.
[52] Chan, H. and Perrig, A., "Security and Privacy in Sensor Networks", IEEE Computer, Vol. 36, No. 10, pp. 103–105, 2003.
[53] Wagner, D., "Resilient aggregation in sensor networks", ACM Workshop on Security of Ad Hoc and Sensor Networks, Washington DC, USA, pp. 78–87, October 2004.
[54] Eschenauer, L. and Gligor, V.D., "A key-management scheme for distributed sensor networks", ACM Conference on Computer and Communications Security, Washington DC, USA, pp. 41–47, November 2002.
[55] Jolly, G., Kuçu, M.C., Kokate, P. and Younis, M., "A Low-Energy Key Management Protocol for Wireless Sensor Networks", IEEE International Symposium on Computers and Communications, Kemer-Antalya, Turkey, pp. 335–340, June 2003.
[56] Hwang, J. and Kim, Y., "Revisiting random key predistribution schemes for wireless sensor networks", ACM Workshop on Security of Ad Hoc and Sensor Networks, Washington DC, USA, pp. 43–52, October 2004.
[57] Karlof, C. and Wagner, D., "Secure Routing in Sensor Networks: Attacks and Countermeasures", Ad Hoc Networks, Special Issue on Sensor Network Applications and Protocols, Vol. 1, No. 2-3, pp. 293–315, 2003.
[58] Sastry, N. and Wagner, D., "Security Considerations for IEEE 802.15.4 Networks", ACM Workshop on Wireless Security (WiSe 2004), Philadelphia, PA, USA, pp. 32–42, October 2004.
[59] Wood, A.D. and Stankovic, J.A., "Denial of Service in Sensor Networks", IEEE Computer, Vol. 35, No. 10, pp. 54–62, 2002.
[60] Stankovic, J.A., "Security in wireless sensor networks", ACM Workshop on Security of Ad Hoc and Sensor Networks, Washington DC, USA, p. 65, October 2004.