
There are many additional requirements when designing the algorithm for the multicast stream authentication problem.

• Low computational overhead: Packets must be sent and verified as fast as possible.

• Low communication overhead: For receivers to authenticate a message, a packet is composed of the message and authentication information. The size of the authentication information should be as small as possible to avoid network congestion.

• Low storage overhead: The buffer or unused memory of the receiver is limited. When the buffer is full of packets, the receiver drops the incoming packets, causing unnecessary packet loss.

• Robust to packet loss: When packet loss occurs, the receiver can still verify the incoming packets.

• Individual packet authentication: If the authentication of one packet $P_i$ depends on another packet $P_j$ received later, the receiver must keep $P_i$. If $P_j$ is lost, $P_i$ is useless. Thus, if a scheme achieves individual packet authentication, the receiver can verify a packet immediately.

Our contribution. In this paper, we focus on the computational cost of receiver. We propose two schemes that reduce the computational cost of receiver.


These schemes also achieve data integrity, non-repudiation, individual packet authentication, robustness to packet loss and reasonable storage overhead. From the point of view of the receiver, the receiver may execute many programs simultaneously.

Thus, the computational resource of the receiver is not totally used for packet authentication. As a result, there may be some packets that can’t be checked immediately. These packets are temporarily stored in the buffer of receiver. If the computational resource is not sufficient, the buffer may overflow and the receiver drops the incoming packets. Moreover, a type of denial of service attack is called the injection attack or the pollution attack [1]. The attacker forges many invalid packets and sends them to receiver to exhaust the computational resource of receiver. With this attack, the problem of buffer overflow becomes more serious.

From the point of view of the sender, the sender just broadcasts packets. The sender doesn’t receive any packet. There is no denial of service attack at the sender side. And it is reasonable to assume that the computational power of the sender is stronger than that of the receiver.

The rest of paper is organized as follows: In Chapter 2, we introduce some related works. In Chapter 3, we give some background information for this paper.

In Chapter 4, we propose our two schemes. In Chapter 5, we give the simulation results. In Chapter 6, we give the conclusion and future work of this paper.


Chapter 2

Related work

Previous works on multicast stream authentication problem are roughly divided into two classes. The first class of schemes is called the signature amortization schemes, and the second class of schemes is called the MAC-based schemes. We introduce some signature amortization schemes in section 3.1 and then describe some MAC-based schemes in section 3.2.

2.1 Signature amortization schemes

The signature amortization schemes compute single signature over several packets and reduce the computational overhead greatly. Hash chain [2], hash tree [3], and SAIDA [4] are examples of signature amortization schemes.

2.1.1 Hash chain

Early work on signature amortization was done by Gennaro and Rohatgi [2].

Let || denote string concatenation, and let H(.) denote a collision resistant hash function. Assume the sender knows the whole stream. The stream is finite and can be divided into n messages. We denote the stream as $S = M_1 || M_2 || \dots || M_n$. Each packet $P_i$ transmitted over the network is composed of the message $M_i$ representing the original data of the stream and the hash of the next packet. The construction of the packets works backwards as follows:

$$P_i = \begin{cases} H(P_1) \,||\, \mathrm{Sign}(H(P_1)), & i = 0 \\ M_i \,||\, H(P_{i+1}), & 1 \le i \le n-1 \\ M_n, & i = n \end{cases}$$

If $P_i$ is a valid packet, then the receiver has the valid hash value of $P_{i+1}$. When the receiver gets $P_{i+1}$, it takes just one hash operation to verify $P_{i+1}$. The computational cost of the receiver is very low.

This approach has constant communication and computational overhead. We use the hash chain approach as part of our scheme. However, it doesn’t achieve individual packet authentication. When a packet loss occurs, the receiver doesn’t get the hash of the next packet. The receiver can’t authenticate the remaining packets.

2.1.2 Merkle hash tree

Wong and Lam [3] used the Merkle hash tree to deal with the problem of multicast stream authentication. A Merkle hash tree is a binary hash tree that takes n leaves as input. A leaf is the hash value of a message. The internal node of a

Merkle hash tree is defined as the hash value of the concatenation of its two children. The Merkle hash tree is used to compute a single hash digest over several messages. Figure 2-1 shows a Merkle hash tree when n=8.


Figure 2-1: Merkle hash tree.

We define the authentication path AP(i) as the concatenation of the $\log n$ hash values needed to reconstruct the path from $h_i$ to the root of the tree. For example, in Figure 2-1 we have $AP(0) = h_1 || h_{2,3} || h_{4,7}$. Using AP(0), we can reconstruct the root as $h_{0,7} = H(H(H(h_0 || h_1) || h_{2,3}) || h_{4,7})$. By the second-preimage resistance of the hash function, the attacker cannot change the value of any node of the tree. Thus, each message with its authentication path is individually verifiable. In Wong and Lam’s scheme, the stream can be finite or infinite and can be divided into blocks of n messages. The stream can be denoted as $S = B_0 || B_1 || \dots$. Each block consists of n messages. The i-th block is $B_i = M_{i \times n} || M_{i \times n+1} || \dots || M_{i \times n+n-1}$.

We focus on the first block $B_0$. A packet $P_i$ is composed of the message $M_i$, the authentication path AP(i) and the signature of the root of the Merkle hash tree. Each authentication path of a packet is unique and an attacker can’t change it. Thus, this scheme achieves individual authentication. However, assuming the receiver doesn’t store the authentication path, it takes $\log n$ hash operations to verify a packet.

Even if the receiver stores the authentication path, the computational cost of receiver can be reduced. In our paper, we combine the hash chain scheme and the Merkle hash tree scheme to obtain schemes that achieve low computational cost at


receiver side and individual packet authentication. In our paper, we call this classical Merkle hash tree scheme the scheme-0.

2.1.3 SAIDA

SAIDA (Signature Amortization using the Information Dispersal Algorithm) [4] [11] is a scheme based on erasure codes [12][13][14][15]. An erasure code is composed of an encoder and a decoder. The (n, t)-encoder takes a block of n messages as input and outputs n symbols. When the receiver gets at least t of these symbols, the receiver can decode these symbols back to the original block of messages. Thus, an erasure code is robust to any pattern of loss among the symbols as long as the receiver gets a sufficient number of symbols. We describe the construction of SAIDA as follows. Assume the stream is also divided into blocks of n messages and can be finite or infinite. We also focus on the construction of the first block. The sender computes $H_0 = H(M_0) || H(M_1) || \dots || H(M_{n-1})$, the concatenation of the hash values of all messages of this block. In the second step, the sender computes the signature of the hash of $H_0$, i.e. $S_0 = \mathrm{Sign}(SK, H(H_0))$.

Then the erasure encoder encodes $H_0 || S_0$ into n symbols $s_0, s_1, \dots, s_{n-1}$.

Finally, the sender appends the symbols to each packet and outputs n packets such that $P_i = M_i || s_i$ for i=0, 1, … , n-1. This scheme is robust to packet loss.

Unfortunately, if the attacker injects forged packets into the communication channel, the receiver will decode an invalid $H_0$ that can’t pass the verification algorithm of the digital signature. If the receiver tries to reconstruct a valid $H_0$ by decoding all possible combinations of received symbols, it is computationally expensive for him to do this.


2.2 MAC based schemes

The MAC-based schemes use the symmetric primitives to design an efficient scheme that achieves asymmetry.

2.2.1 Timed Efficient Stream Loss-Tolerant Authentication (TESLA)

In [5], Perrig et al. proposed the simplest TESLA protocol. Let $F$ and $F'$ be two pseudo random functions. Assume $S = M_1 || M_2 || M_3 \dots$ is the stream. The sender generates every packet as follows:

$$P_i = M_i \,||\, F(K_{i+1}) \,||\, K_{i-1} \,||\, \mathrm{MAC}\big(K'_i,\; M_i || F(K_{i+1}) || K_{i-1}\big), \qquad K'_i = F'(K_i), \quad K_i \text{ is a random number}$$

The receiver uses $F'$ to compute the keys of the MAC. To authenticate a packet $P_i$, assume that the packet $P_{i-1}$ has been authenticated. When receiving $P_{i+1}$, the receiver first checks $K_i$ contained in $P_{i+1}$ using the value $F(K_i)$ contained in $P_{i-1}$. Then the receiver computes $K'_i = F'(K_i)$ as the MAC key of $P_i$. Finally, the receiver checks the validity of $P_i$ using the MAC. If all verifications are successful, $P_i$ is a valid packet. The verification process is illustrated in Figure 2-2.


Figure 2-2: TESLA.

The simplest TESLA scheme has two shortcomings. First, if $P_{i+1}$ is sent before the receiver gets $P_i$, an attacker can intercept $P_i$ and $P_{i+1}$, and then he can use $K_i$ disclosed in $P_{i+1}$ to forge an invalid $P_i$ without the detection of the receiver.

To avoid this type of attack, when sending a packet $P_i$, the sender must wait until all receivers get $P_i$, then he sends the next packet $P_{i+1}$. This slows down the transmission rate. Second, this scheme can’t tolerate a single packet loss. If the receiver doesn’t get $P_{i-1}$, he can’t authenticate $P_i$ even if he gets $P_{i+1}$ because he doesn’t know whether $K_i$ is valid or not.

2.2.2 Modified TESLA

In order to avoid the second shortcoming described above, Perrig et al. proposed the modified TESLA protocol. Let $F^2(x) = F(F(x))$ denote two consecutive operations of F on input x. In modified TESLA, the sender first chooses a number n and a MAC key $K_n$ randomly. Then he computes a sequence of n MAC keys $K_{n-1}, K_{n-2}, \dots, K_0$ where $K_i = F^{n-i}(K_n)$ for i=0, 1, … , n-1. We get a key chain. Figure 2-3 shows the generation of the key chain and the construction of modified TESLA.

Figure 2-3: Modified TESLA.

The key chain can tolerate any pattern of packet loss because when a receiver gets the latest MAC key $K_i$, he can compute all keys from $K_{i-1}$ to $K_0$. Since F is a one way function, it is hard for an attacker to compute $K_{i+1}$ given $K_i$.

To deal with the first problem mentioned above, the sender discloses $K_i$ in $P_{i+d}$ rather than $P_{i+1}$. However, before the receiver gets $P_{i+d}$, he can’t authenticate $P_i$. He has to store d packets in the process of verification. When the attacker injects many invalid packets, the problem of buffer overflow is serious.
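The key chain and delayed disclosure described above, as an added Python example that is not code from the paper. Assumptions: SHA-256 stands in for F and F', HMAC-SHA256 for the MAC, the MAC key is derived as $K'_i = F'(K_i)$ as in the basic scheme, the packet index is included under the MAC, and the receiver obtains $K_0$ authentically (for instance from a signed bootstrap packet).

```python
import hashlib
import hmac

def F(k):        # one-way function of the key chain (SHA-256 stand-in, assumption)
    return hashlib.sha256(b"F" + k).digest()

def F_prime(k):  # derives the MAC key K'_i from K_i (assumption, see lead-in)
    return hashlib.sha256(b"F'" + k).digest()

def mac(k, i, m):
    return hmac.new(F_prime(k), i.to_bytes(4, "big") + m, hashlib.sha256).digest()

def make_chain(n, k_n):
    """keys[i] = F^(n-i)(K_n) for i = 0..n."""
    keys = [k_n]
    for _ in range(n):
        keys.append(F(keys[-1]))
    return keys[::-1]

def make_packets(messages, keys, d):
    """P_i = (i, M_i, MAC(K'_i, i || M_i), K_{i-d} or None) for i = 1..n."""
    return [(i, m, mac(keys[i], i, m), keys[i - d] if i > d else None)
            for i, m in enumerate(messages, start=1)]

class Receiver:
    def __init__(self, k0, n, d):
        self.i, self.k = 0, k0      # newest authenticated key; K_0 assumed authentic
        self.n, self.d = n, d
        self.buffer = {}            # i -> [(M_i, tag)] waiting for K_i
        self.accepted = {}

    def receive(self, pkt):
        i, m, tag, disclosed = pkt
        if not self.i < i <= self.n:
            return                  # K_i is already public, or index out of range
        self.buffer.setdefault(i, []).append((m, tag))
        j = i - self.d
        if disclosed is None or j <= self.i:
            return
        k = disclosed               # walk K_j back to the last authenticated key
        for _ in range(j - self.i):
            k = F(k)
        if not hmac.compare_digest(k, self.k):
            return                  # forged key: nothing leaves the buffer
        k = disclosed
        for t in range(j, self.i, -1):   # K_j also yields K_{j-1}, K_{j-2}, ...
            for m_t, tag_t in self.buffer.pop(t, []):
                if hmac.compare_digest(mac(k, t, m_t), tag_t):
                    self.accepted[t] = m_t
            k = F(k)
        self.i, self.k = j, disclosed

def demo():
    msgs = [b"quote-%d" % i for i in range(1, 9)]   # constructed stream, n = 8
    keys = make_chain(8, b"\x01" * 32)              # constructed K_n
    rx = Receiver(keys[0], n=8, d=2)
    pkts = make_packets(msgs, keys, d=2)
    for i in (1, 2, 5, 6, 7, 8):                    # P_3 and P_4 are lost
        rx.receive(pkts[i - 1])
    # A packet MACed with the already disclosed K_3 arrives late and is dropped.
    rx.receive((3, b"forged", mac(keys[3], 3, b"forged"), None))
    return sorted(rx.accepted), sorted(rx.buffer)
```

Packets 7 and 8 stay in the buffer because their keys are never disclosed within this block, which is the storage cost the paragraph above describes.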

From the schemes mentioned above, designing a scheme that achieves all requirements is hard. Although the communication overhead of Wong and Lam’s scheme is high, it has many outstanding properties:

• Each packet is individually verifiable.

• It is robust to any pattern of packet loss.

• It is robust to injection attack.

• It is robust to delay and capture attack.

It is clear that only the Merkle hash tree scheme meets these properties. We think that the Merkle hash tree scheme is one of the best schemes for multicast stream authentication. However, we can improve the computational cost of the receiver. Thus, we design our schemes based on Wong and Lam’s scheme and the hash chain scheme.


Chapter 3

Preliminaries

3.1 Collision resistant hash function

A collision resistant hash function H is a function which maps a message M of arbitrary size to a message digest of fixed size. H has the following properties:

• Given an input x, it is efficient to compute H(x).

• Given a hash value y, it is computationally infeasible to find x such that H(x)=y.

• Given an input x, it is computationally infeasible to find another $x'$ such that $x' \neq x$ and $H(x') = H(x)$.

• H is deterministic.

Because of the collision resistant property, the modification of the message will result in a different hash value.

3.2 Packet loss model

In our simulation, we use two different packet loss models to simulate the performance of scheme-0 and our two schemes. One is the uniform packet loss model. The other, introduced by Gilbert [6] and Elliott [7], is called the two-state Markov Chain (2-MC) loss model [9][11]. According to [8, 9], Paxson and Yajnik et al. showed that the pattern of loss in the Internet is bursty. To accurately simulate the loss pattern in the Internet, we use this model as part of our simulation. The 2-MC model has two possible states: one is the “good state” and the other is the “bad state”. If the packet is lost, the transmission channel is in the “bad state”; otherwise the channel is in the “good state”. Figure 3-1 shows the 2-MC model.

Figure 3-1: 2-MC model.

There are four transition probabilities ($P_{GG}$, $P_{GB}$, $P_{BG}$ and $P_{BB}$). The stationary probabilities of the good state and the bad state are denoted as $\pi_G$ and $\pi_B = 1 - \pi_G$ respectively. The probability transition matrix M is:

$$M = \begin{bmatrix} 1-q & q \\ p & 1-p \end{bmatrix}$$

The stationary probability vector is $V = [\pi_G, \pi_B]$ such that V=VM. We have

$$\pi_G (1-q) + \pi_B\, p = \pi_G, \qquad \pi_G + \pi_B = 1$$

Thus we get:

$$\pi_G = \frac{p}{p+q}, \qquad \pi_B = \frac{q}{p+q}$$

The average probability of packet loss can be defined as $P_{avg} = \pi_G P_{GB} + \pi_B P_{BB}$. In [9], the parameter p is measured as 0.0496. The parameter 1-q is measured as 0.0513. If (1-q)>p, the packet loss is burstier than predicted by the uniform packet loss model and the 2-MC model is more accurate.
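A simulation of the 2-MC model above, added here as an example and not taken from the paper. It assumes the first row of M is the good state (so $P_{GB} = q$ and $P_{BB} = 1-p$) and uses constructed values of p and q rather than the measurements from [9]; it compares the simulated loss rate with $P_{avg}$ and the mean loss burst with what a uniform model of the same loss rate would give.

```python
import random

def stationary(p, q):
    """Stationary probabilities (pi_G, pi_B) of M = [[1-q, q], [p, 1-p]]."""
    return p / (p + q), q / (p + q)

def average_loss(p, q):
    """P_avg = pi_G * P_GB + pi_B * P_BB, assuming P_GB = q and P_BB = 1 - p."""
    pi_g, pi_b = stationary(p, q)
    return pi_g * q + pi_b * (1 - p)

def simulate(p, q, n_packets, seed=1):
    """Return one boolean per packet; True means lost (channel in the bad state)."""
    rng = random.Random(seed)
    bad = False                          # start in the good state
    lost = []
    for _ in range(n_packets):
        if bad:
            bad = rng.random() >= p      # leave the bad state with probability p
        else:
            bad = rng.random() < q       # enter the bad state with probability q
        lost.append(bad)
    return lost

def burst_lengths(lost):
    """Lengths of the runs of consecutive lost packets."""
    runs, current = [], 0
    for is_lost in lost:
        if is_lost:
            current += 1
        elif current:
            runs.append(current)
            current = 0
    if current:
        runs.append(current)
    return runs

def summarize(p=0.25, q=0.05, n_packets=200_000):   # p, q: constructed values
    lost = simulate(p, q, n_packets)
    runs = burst_lengths(lost)
    predicted = average_loss(p, q)
    return {
        "loss_rate": sum(lost) / n_packets,          # simulated
        "predicted_loss": predicted,                 # P_avg from the formula
        "mean_burst": sum(runs) / len(runs),         # close to 1/p under 2-MC
        "uniform_mean_burst": 1 / (1 - predicted),   # i.i.d. loss at the same rate
    }
```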


Chapter 4

Proposed schemes

We propose two schemes that are robust to packet loss and achieve lower computational overhead at receiver side. In section 4.1, we propose the first scheme called scheme-1 which is the simplest one. However, when the packet loss probability is not low, the computational cost of receiver also increases. In section 4.2, we propose a scheme called scheme-2 that is more efficient than scheme-1 when the packet loss of network is not low.

4.1 Scheme-1

We review some notations. The hash value of message M is H(M). The stream S can be divided into blocks; each block consists of n messages.

$$S = B_0 || B_1 || \dots$$

Each block is denoted as $B_b = M_{b \times n} || M_{b \times n+1} || \dots || M_{b \times n+n-1}$. The stream can also be finite or infinite. Because the same construction is performed on every block, we focus on the construction and verification of the first block ($B_0 = M_0 || M_1 || \dots || M_{n-1}$). The construction of scheme-1 consists of three steps. In the first step, the sender constructs a hash chain as follows:

$$M'_i = \begin{cases} M_i \,||\, H(M'_{i+1}), & 0 \le i \le n-2 \\ M_i, & i = n-1 \end{cases}$$


In the second step, the sender uses $M'_i$ to build a Merkle hash tree. For example, if n=8, the tree structure of scheme-1 is shown in Figure 4-1. Note that $h_i = H(M'_i)$. AP(i) is the $\log n$ hash values needed to reconstruct the path from $h_i$ to the root of the tree.

Figure 4-1: Tree structure of scheme-1.

In the third step, the sender signs the root of the tree. The signature of the root is denoted as Sign. We illustrate the content of the packets of the first block in Figure 4-2. Each packet is composed of $M'_i$, the authentication path and the signature of the root.

$M'_i$ is composed of the original message $M_i$ and $H(M'_{i+1})$. When $M'_i$ is verified, $M_i$ is verified.


Figure 4-2: Packet format of scheme-1.

The verification is easy. Assume each packet has a sequence number and a block number. Each packet in block $B_b$ has block number b. The i-th packet of a block has sequence number i-1. The sequence number and block number are part of the original message M and can be used to point out the position in the stream. For example, in Figure 4-2, the block number of $P_2$ is 0 and the sequence number is 2.

In the first block, when getting the first packet P', the receiver uses AP(0) and Sign to verify M'-. The receiver has valid H M-. Whenever P is verified, the receiver records the sequence number i of P as the latest valid sequence number and updates the hash chain information as H ML-. If the next received packet is PL, the receiver uses H ML- to verify ML-. The receiver doesn’t have to verify ML- by using AP(i+1). It takes just one hash operation to verify a message. In the other case, if the receiver doesn’t receive PL, he doesn’t have H ML- and the hash chain is broken. When receiving PL, the receiver has to use AP(i+1) of PL to verify ML- . If the receiver doesn’t cache the authentication path information, it takes logn hash operations to verify a


message. Every packet can be verified individually. When the packet loss probability is very low, the computational cost of receiver is low.
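The scheme-1 construction and verification described above, as an added Python example that is not the authors' implementation; it also exercises the authentication path of section 2.1.2. Assumptions: SHA-256 is the hash, n is a power of two, the sequence number travels next to the packet, and the receiver has already checked the signature Sign over the root, so the root is passed in as trusted.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_block(messages):
    """Sender: return (root, packets) with packets[i] = (M'_i, AP(i))."""
    chained = list(messages)                  # M'_{n-1} = M_{n-1}; n a power of two
    for i in range(len(messages) - 2, -1, -1):
        chained[i] = messages[i] + H(chained[i + 1])   # M'_i = M_i || H(M'_{i+1})
    levels = [[H(m) for m in chained]]        # leaves h_i = H(M'_i)
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[k] + prev[k + 1]) for k in range(0, len(prev), 2)])
    packets = []
    for i in range(len(messages)):
        path, idx = [], i
        for level in levels[:-1]:             # sibling at every level below the root
            path.append(level[idx ^ 1])
            idx //= 2
        packets.append((chained[i], path))
    return levels[-1][0], packets

class Receiver:
    def __init__(self, root, n):
        self.root, self.n, self.depth = root, n, n.bit_length() - 1
        self.last_seq = self.next_hash = None  # latest valid seq, H(M'_{seq+1})
        self.hash_ops = 0

    def _h(self, data):
        self.hash_ops += 1
        return H(data)

    def verify(self, seq, chained_msg, path):
        """Return M_seq if the packet is valid, otherwise None."""
        leaf = self._h(chained_msg)
        if self.next_hash is not None and seq == self.last_seq + 1:
            ok = leaf == self.next_hash       # chain intact: one hash operation
        else:                                 # chain broken: walk AP(seq) to the root
            if not 0 <= seq < self.n or len(path) != self.depth:
                return None
            node, idx = leaf, seq
            for sibling in path:
                node = self._h(sibling + node) if idx & 1 else self._h(node + sibling)
                idx >>= 1
            ok = node == self.root
        if not ok:
            return None
        self.last_seq = seq
        if seq == self.n - 1:                 # last packet carries no chain hash
            self.next_hash = None
            return chained_msg
        self.next_hash = chained_msg[-32:]
        return chained_msg[:-32]

def demo(received=(0, 1, 2, 4, 5)):           # packet 3 is lost in transit
    msgs = [b"msg-%d" % i for i in range(8)]  # constructed sample block, n = 8
    root, packets = build_block(msgs)
    rx, costs = Receiver(root, len(msgs)), []
    for seq in received:
        before = rx.hash_ops
        assert rx.verify(seq, *packets[seq]) == msgs[seq]
        costs.append(rx.hash_ops - before)
    return costs                              # hash operations spent per packet
```

The counts returned by `demo()` include the hash of the packet itself, so a packet verified through its authentication path costs 1 + log n operations here.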

In scheme-1, the communication overhead of every packet is $1+\log n$ hash values. When the packet loss probability increases, the verification time of scheme-1 goes up. In some situations, like stock quotes, even when the packet loss probability is not low, the receiver still wants to receive the packets because of their importance. We therefore design a scheme that is also efficient and robust against injection attack: scheme-2, which is more efficient and more robust to injection attack than scheme-1.

4.2 Scheme-2

The construction of scheme-2 is based on scheme-1. Before the description of scheme-2, we define a term: sub-tree. The tree structure of scheme-1 can be roughly illustrated as in Figure 4-3. There are many smaller Merkle hash trees $T_j$. Every $T_j$ is called a sub-tree. Every sub-tree has λ leaves. Note that $\lambda = 2^x$ and x is a non-zero integer. The root of $T_j$ is $h_{\lambda \times j,\; \lambda \times j+\lambda-1}$. λ can be greater than the average consecutive loss length of the network.

Figure 4-3: Tree structure of scheme-1.

The construction of scheme-2 is described as follow. Assume a block is

constructs an upper hash chain backwards:

MN--  R#QIN,QINQ)||H MN--,0  j  Tn

We illustrate an example. Assume every sub-tree has eight leaves and a block has 32 messages. Every root of a sub-tree can be treated as an original message in scheme-1. We replace $M_j$ with $h_{8 \times j,\; 8 \times j+7}$ for j=0, 1, 2, 3 in scheme-1 and get Figure 4-4. The complete tree structure of scheme-2 is illustrated in Figure 4-5.

$M''_j$ can be verified by using the authentication path for the upper Merkle hash tree.

Every original message $M_i$ in $M'_i$ can be verified by using the authentication path for the sub-tree. Scheme-2 achieves individual packet authentication. We can use the upper and lower hash chains to reduce the computational overhead of the receiver.

The packet format of scheme-2 is illustrated in Figure 4-6.


Figure 4-4: Upper part of tree structure of scheme-2.

Figure 4-5: Complete tree structure of scheme-2.


Figure 4-6: Packet format of scheme-2.

In Figure 4-6, the upper part of a packet is composed of the signature of root, the authentication path for upper tree and MN--. Note that packets in the same authenticating the i-th packet, the receiver can use the lower hash chain to verify the message of the (i+1)-th packet just one hash operation. So, when the

The receiver doesn’t have to authenticate M-- by using AP 1-. In general case, the number of packets of a block ranges from 128 to 1024, in these cases, scheme-2 require lesser hash operation than scheme-1 at receiver side.

There is one additional advantage of scheme-2. In scheme-0 and scheme-1, for the first packet of the block, the attacker may send many invalid first packets and claim that these packets originated from the sender; we call this the first packet denial of service attack. When the receiver wants to verify the validity of the first packet of a block, he has to conduct about $\log n$ hash operations for each. If the attacker forges k first packets, the receiver has to do $k \times \log n$ hash operations in scheme-0 and scheme-1. In scheme-2, the receiver executes the packet authentication from the middle of the tree. That is, when the receiver gets $P_0$ in Figure 4-5, he uses $M''_0$ and the authentication path ($H(M''_1)$ and $h'_{2,3}$) for the upper tree to compute $h''_{0,3}$. If $h''_{0,3}$ is invalid, scheme-2 finds this error with fewer hash operations than scheme-0 and scheme-1.


Chapter 5

Comparison and experiment results

In this section, we compare Wong and Lam’s scheme [3] to our two schemes.

In section 5.1, we compare the verification times of different schemes under the uniform packet loss model. In section 5.2, we compare the verification times of different schemes under the 2-MC packet loss model in order to simulate the packet loss in real world. In section 5.3, we compare the verification times of different schemes under the injection attack. From section 5.1 to section 5.3, we assume the receiver caches the authentication path. We also assume the receiver

