Multicast protocol enables a sender to efficiently disseminate digital media data to many receivers. Due to the time-sensitive requirement of some applications, reliable transmission protocol like TCP (Transmission Control Protocol) is impractical for multicast. Therefore, unreliable transmission protocol such as UDP (User Datagram Protocol) is generally adopted for multicast applications. Multicast protocol is suitable for many applications, for example, video transmission, live broadcast, stock quotation or news feed. These applications have the common characteristics that the receiver might be plenty and the communication data is time-sensitive. However security is an important issue for multicast to ensure secure communication between sender and receivers. An attacker is able to impersonate sender to send malicious packets to receivers and the malicious information might injure the receivers or intercept the communication. To defend against forged packets injected by attackers, multicast authentication is proposed for this purpose. Multicast authentication enables receiver to authenticate the packet source and malicious packets will be denied. There have been many multicast authentication approaches and these approaches could be roughly divided into two categories: symmetric cryptographic primitives and asymmetric cryptographic primitives. Symmetric cryptographic primitive generally uses symmetric key to authenticate data source and MAC (Message Authentication Code) is the well-known approach in this category. In MAC, an identical secret key is maintained at sender and receiver. Sender uses the secret key to generate a MAC for a packet and receiver is able to authenticate the packet source by verifying the MAC of the packet with secret key. Asymmetric cryptographic primitive uses asymmetric key pair to authenticate data source. Asymmetric key pair generally means that there are
two keys, one key is used to generate signature and another key is for verifying the signature. Digital signature is a well-known approach in this category and is believed secure enough. Using RSA to generate digital signature is popular, nevertheless, digital signature generation and verification incur high computation overhead and signing every packet significantly downgrades the system performance. According to this practical concern, a compromised approach which is signature amortization [10][11][15][16][17][18][19][20], was proposed to amortize the overhead of generating one signature over a block of packets. For a block of packets, only one digital signature will be generated. These packets will be considered authentic if the signature of this block can be correctly verified by receiver. Signature amortization makes tradeoff between security and computation overhead. Due to the unreliable transmission and packet loss in multicast protocol, an elaborate signature amortization scheme should be able to work well even thought some packets get lost. For this reason, signature amortization schemes with fault-tolerant coding algorithms are proposed. In this kind of scheme, the digital signature for a block of packets is always encoded at sender by fault-tolerant coding algorithms and decoded at receiver.
Fault-tolerant coding algorithms like erasure codes [7][8][9][12], or diversity codes [21] partition an information into many segments and the information is able to be correctly reconstructed even though a threshold number of segments get lost. For example, an (n,t) erasure encoder generates a set S of n symbols (s1,s2,…, sn) from an information. The erasure decoder can tolerate a loss of up to t packets. Although signature amortization with fault-tolerant coding algorithms reduces computation overhead and tolerates packet loss, it suffers pollution attacks [1]. Pollution attack was first defined in [1] and this attack occurs if attackers inject a great quantity of forged packets into the block of packets. At receiver, these forged packets will disturb the signature decoding procedure of fault-tolerant coding algorithm and then the decoder
will consequently reconstruct an incorrect signature. The incorrect signature will fail to be verified by receiver with sender’s public key and all the packets in the block will be considered invalid. Receiver will drop received packets in the block which includes valid packet transmitted by legal sender. The information inside valid packets will not be understood by receiver; hence the multicast application is unable to serve users fluently.
Distillation codes [1] is so far the only one solution to defend against pollution attack for signature amortization. In distillation codes, sender augments each packet with a witness and receiver is able to partition received packets into many groups according to the augmented witness. Distillation codes guarantees that all valid packets will be partitioned into the same group and correct signature could be decoded from the packets in this group. Therefore, forged packets injected by attackers will be partitioned into other groups and pollution attack is unable to affect the decoding procedure. However, in distillation codes, we can not realize which group contains valid packets in advanced, and every group should execute the decoding procedure to reconstruct the correct signature. Besides, while packets reach receiver side, receiver is unable to determine the received packets valid of invalid instantly and receiver consequently should store all received packets no matter valid or invalid. Distillation codes incurs high computation overhead and the storage space at receiver, and the delay of distillation codes is considerable.
Multicast authentication ensures the security for multicast applications. However, sign every multicast packet with digital signature incurs high overhead and the cumbersome overhead is impractical for many resource limited devices. Signature amortization reduces the computation and communication overhead and a fault-tolerance coding algorithm is always involved in to tolerate packet loss. But a signature amortization scheme with erasure codes suffers pollution attacks which an
attacker can inject forged packets to disturb the decoding procedure of erasure codes.
Therefore, to solve this problem, we design a lightweight and pollution attack resistant multicast authentication protocol (PARM). The main advantages of our proposed scheme are fast and lightweight, since many multicast applications are time-sensitive and some end devices may have only limited computation power.
Therefore, a high overhead and high delay solution is unsuitable to be wildly deployed on multicast applications. In contrast to distillation codes, our proposed scheme requires less computation overhead and less storage space.
In the next section, we briefly discuss related work of signature amortization, and give some overview of a signature amortization scheme, SAIDA, and distillation codes. Our proposed scheme and is given in section 3 and we analyze the overhead of our proposed scheme and compare it with distillation codes in section 4. In section 5, we derive the security strength of PARM and an evaluation is given in section 6.
Finally, a conclusion of this thesis is in section 7.