Packet loss model

In our simulation, we use two different packet loss models to simulate the performance of scheme-0 and our two schemes. One is the uniform packet loss model. The other is introduced by Gillbert[6] and Elliott [7], which is called the two-state Markov Chain (2-MC) loss model[9][11]. According to [8, 9], Paxson

14

and Yajnik et al showed that the pattern of loss in the Internet is bursty. To accurately simulate the loss pattern in the Internet, we use this model as part of our simulation result. The 2-MC model has two possible states, one is the “good state”

and the other is the “bad state”. If the packet is lost, the transmission channel is in

“bad state”, otherwise the channel is in “good state”. Figure 3-1 shows the 2-MC model.

Figure 3-1: 2-MC model.

There are four transition probabilities (P₄₄ , P₄₅ , P₅₄ and P₅₅). The stationary probabilities of good state and bad state are denoted as 8₉ and 8_:  1  8₉ respectively. The probability transition matrix M is:

M  ;1  q q p 1  p>

The stationary probability vector is V  @8₉, 8_:A such that V=VM. We have

8₉ 1  q B 8_:p  8₉ 8₉ B 8_:  1

Thus we get:

15

8₉ _CD^C , 8_:  _CD^D

The average probability of packet loss can be defined as P_EFG 8₉P₄₅B 8_:P₅₅. In [9], the parameter p is measured as 0.0496. The parameter 1-q is measured as 0.0513. If (1-q)>p, the packet loss is burstier than predicted by the uniform packet loss model and the 2-MC model is more accurate.

16

Chapter 4

Proposed schemes

We propose two schemes that are robust to packet loss and achieve lower computational overhead at receiver side. In section 4.1, we propose the first scheme called scheme-1 which is the simplest one. However, when the packet loss probability is not low, the computational cost of receiver also increases. In section 4.2, we propose a scheme called scheme-2 that is more efficient than scheme-1 when the packet loss of network is not low.

4.1 Scheme-1

We review some notations. The hash value of message M is H(M). The stream S can be divided into blocks, each block consists of n messages.

S B_'||B_|| … 

Each block is denoted as B_H  M_HI ||M_{HI }||. . . ||M_{HI  )}. The stream can also be finite or infinite. Because the same construction is performed on every block, we focus on the construction and verification of the first block (B_'  M_'||M_|| … ||M _)). The construction of scheme-1 consists of three steps. In the first step, the sender constructs a hash chain as follow:

M-  JM||H M_-, 0  i  n  2 M, i  n  1 

17

In the second step, the sender uses M- to build a Merkle hash tree. For example, if n=8, the tree structure of scheme-1 is shown in Figure 4-1. Note that !  H M-. AP(i) is the log_ hash values needed to reconstruct the path from ! to the root of the tree.

Figure 4-1: Tree structure of scheme-1.

In the third step, the sender signs the root of the tree. The signature of the root is denoted as Sign. We illustrate the content of the packets of the first block in Figure 4-2. Each packet is composed of M-, authentication path and the signature of root.

M- is composed of original message M and H M_-. When M- is verified, M is verified.

18

Figure 4-2: Packet format of scheme-1.

The verification is easy. Assume each packet has sequence number and block number. Each packet in block B_H has block number b. The i-th packet of a block has sequence number i-1. The sequence number and block number are part of the original message M and can be used to point out the position at the stream. For example, in Figure 4-2, the block number of P_ is 0 and the sequence number is 2.

In the first block, when getting the first packet P_', the receiver uses AP(0) and Sign to verify M_'-. The receiver has valid H M_-. Whenever P is verified, the receiver records the sequence number i of P as the latest valid sequence number and updates the hash chain information as H M_L-. If the next received packet is P_L, the receiver uses H M_L- to verify M_L-. The receiver doesn’t have to verify M_L- by using AP(i+1). It takes just one hash operation to verify a message. In the other case, if the receiver doesn’t receive P_L, he doesn’t have H M_L- and the hash chain is broken. When receiving P_L, the receiver has to use AP(i+1) of P_L to verify M_L- . If the receiver doesn’t cache the authentication path information, it takes log_n hash operations to verify a

19

message. Every packet can be verified individually. When the packet loss probability is very low, the computational cost of receiver is low.

In scheme-1, the communicational overhead of every packet is 1+log_n hash values. When the packet loss probability increases, the verification time of scheme-1 goes up. In some situation like stock quotes, even when the packet loss probability is not low, the receiver still wants to receive the packet because of the importance of packets. We design a scheme that is also efficient and robust against injection attack. So we propose scheme-2 that is more efficient and robuster to injection attack than scheme-1.

4.2 Scheme-2

The construction of scheme-2 is based on scheme-1. Before the description of scheme-2, we define a term: sub-tree. The tree structure of scheme-1 can be roughly illustrated in Figure 4-3. There are many smaller Merkle hash trees T_N. Every T_N is called sub-tree. Every sub-tree has λ leaves. Note that λ  2^P and x is a non-zero integer. The root of T_N is #QIN,QINQ). λ can be greater than the average consecutive loss length of the network.

Figure 4-3: Tree structure of scheme-1.

The construction of scheme-2 is described as follow. Assume a block is

20 constructs a upper hash chain backwards:

M_N--  R#QIN,QINQ)||H M_N--,0  j  Tn

We illustrate an example. Assume every sub-tree has eight leaves and a block has 32 messages. Every root of sub-tree can be treated as an original message in scheme-1. We replace M_N with #VIN,VIN& for j=0, 1, 2, 3 in scheme-1 and get Figure 4-4. The complete tree structure of scheme-2 is illustrated in Figure 4-5.

M_N-- can be verified by using the authentication path for upper Merkle hash tree.

Every original message M in M- can be verified by using the authentication path for sub-tree. Scheme-2 achieves individual packet authentication. We can use the upper and lower hash chains to reduce the computational overhead of receiver.

The packet format of scheme-2 is illustrated in Figure 4-6.

21

Figure 4-4: Upper part of tree structure of scheme-2.

Figure 4-5: Complete tree structure of scheme-2.

22

Figure 4-6: Packet format of scheme-2.

In Figure 4-6, the upper part of a packet is composed of the signature of root, the authentication path for upper tree and M_N--. Note that packets in the same authenticating the i-th packet, the receiver can use the lower hash chain to verify the message of the (i+1)-th packet just one hash operation. So, when the

The receiver doesn’t have to authenticate M_-- by using AP 1-. In general case, the number of packets of a block ranges from 128 to 1024, in these cases, scheme-2 require lesser hash operation than scheme-1 at receiver side.

There is one additional advantage of the scheme-2. In scheme-0 and scheme-1 for the first packet of the block, the attacker may send many invalid first packet and claims that these packets are originated from the sender, we call this the first packet denial of service attack. When the receiver wants to verify the

23

validity of the first packet of a block, he has to conducts about log_n hash operations for each. If the attacker forges k first packets, the receiver has to do k I log_n hash operations in scheme-0 and scheme-1. In scheme-2, the receiver executes the packet authentication from the middle of the tree. That is, when the receiver gets P_' in Figure 4-5, he uses M_'-- and the authentication path (H M_-- and #_,$- ) for upper tree to compute #_',$-- . If #_',$-- is invalid, scheme-2 finds this error with lesser hash operations than scheme-0 and scheme-1.

24

Chapter 5

Comparison and experiment results

In this section, we compare Wong and Lam’s scheme [3] to our two schemes.

In section 5.1, we compare the verification times of different schemes under the uniform packet loss model. In section 5.2, we compare the verification times of different schemes under the 2-MC packet loss model in order to simulate the packet loss in real world. In section 5.3, we compare the verification times of different schemes under the injection attack. From section 5.1 to section 5.3, we assume the receiver caches the authentication path. We also assume the receiver just caches log_n hash values in scheme-0 where n is the number of packets per block. That is, the receiver doesn’t cache all internal nodes of a tree. For example, in Figure 2-1, after authenticating P_W, the receiver stores #_',&, #_%,& and #_%,W. In scheme-1 and acheme-2, the way of caching is similar. The experiments were performed on a Pentium IV 1.66 GHz. We implement these schemes using JAVA.

We use SHA-1 as the hash function and 512-bit DSA as the digital signature scheme. The number of packets in a block is 1024 and the original message of each packet is 512 bytes. In scheme-2,λ  8.

5.1 Results under the uniform packet loss

Assume all types of attacks don’t exist in the network. Figure 5-1 shows the average verification times under the uniform packet loss model. The verification

25

time of the Merkle hash tree scheme (or scheme-0) decreases when the loss probability increases because the number of packets needed to be checked decreases. When the loss probability increases, the verification time of scheme-1 approaches that of scheme-0 but doesn’t exceed it. The verification time of scheme-2 is the lowest one because of the upper hash chain.

Figure 5-1: Results under the uniform packet loss.

5.2 Results under the 2-MC loss model

Assume all types of attacks don’t exist in the network. Figure 5-2 shows the average verification times when the average length of burst loss is 8. We can see that the verification times of scheme-1 and scheme-2 are almost the same since the loss is bursty. However, scheme-2 is still the lowest one.

0

26

Figure 5-2: Results under the 2-MC loss model.

5.3 Results under the injection attack

We simulate the injection attack in this section. The uniform packet loss probability is 10%. In Figure 5-3, when the injection factor is 2, for every packet the receiver gets one packet produced by the trust sender and two invalid packets produced by the attacker. For every packet the attacker just generates two packets randomly and sends them to receiver in order to lunch denial of service attack. In Figure 5-3, the verification time of each scheme is proportional to the injection factor. The slope of scheme-1 is lower than the scheme-0, and the slope of scheme-2 is the lowest one. It means that scheme-2 is the robustest scheme among these schemes against the injection attack.

0

27

Figure 5-3: Results under the injection attack.

5.4 Comparison

Table 5.1 shows the comparison between Hash chain, Wong-Lam, SAIDA, TESLA and the proposed schemes. We make the following assumptions:

A block is composed of n messages and one signature is done for each block. For Hash chain and TESLA, n messages consist of a block.

The computation overhead: We only consider the computational cost at sender side.

Injection attack resistance: When a scheme is injection attack resistance, this scheme reduces the computational cost of receiver.

The communication overhead: We consider the average communication overhead for a single packet. For scheme-0, every packet has log_n

28

The storage overhead: We only consider the number of hash values stored at receiver.

In SAIDA, the encoder is a (t,n)-encoder.

Hash chain Scheme-0 Scheme-1 Scheme-2 SAIDA TESLA Computation n-1 2n-1 3n-2 3n-3+T^ _QU n+O( n^)

field OP n

Communication 1 logn,1 1+logn,1 3+logn,1 1 3

Individual authentication No Yes Yes Yes No No

Non-repudiation Yes Yes Yes Yes Yes No

Loss resistance No Yes Yes Yes Yes No

Injection attack resistance Yes Middle Yes Yes No No

Storage 1 logn 1 B logn 3 B logn t 2

Table 5.1: Comparison of selected schemes.

29

Chapter 6

Conclusions and future work

We propose two schemes for multicast stream authentication problem. Wong and Lam’s scheme has many outstanding features: each packet is individually verifiable and reasonable storage overhead at receiver side. If a multicast stream authentication protocol adopts a digital signature scheme, it is hard for attacker to forge a packet. Besides, the sender only broadcasts packet and doesn’t receive any packet. Thus it is highly possible that the attacker may inject many invalid packets to receivers in order to waste the resources of receivers such as computational power and storage. We combine the ideas of Merkle hash tree and hash chain to obtain scheme-1. We extend scheme-1 to scheme-2. Scheme-1 achieves individual packet authentication, lower computational overhead at receiver side and reasonable storage overhead at receiver side with the costs of additional computational cost at sender side for the hash chain. In most cases, the computational power of sender is strong, thus our schemes are reasonable in real world. From the experiment result, scheme-2 is the robustest scheme among three schemes against the injection attack. Scheme-2 is suitable when the packet loss is not low and the data is important for receivers.

We propose an open problem as below. Our schemes achieves individual packet authentication, robust to packet loss, low computational overhead at receiver side and reasonable storage overhead at receiver side. Is it possible to design a scheme that also achieves low communication overhead?

30

References

[1] Chris Karlof, Naveen Sastry, Yaping Li, Adrian Perrig, and J. D. Tygar.

Distillation codes and applications to DoS resistant multicast authentication. In 11th Network and Distributed Systems Security Symposium (NDSS), San Diego, USA, February 2004.

[2] Rosario Gennaro and Pankaj Rohatgi. How to sign digital streams. In Advances in Cryptology -Crypto’97, volume 1294 of Lecture Notes in Computer Science, pages 180–197, Santa Barbara, USA, August 1997. Springer-Verlag.

[3] Chung Kei Wong and Simon S. Lam. Digital signatures for flows and multicasts. IEEE/ACM Transactions on Networking, 7(4):502 – 513, August 1999.

[4] Jung Min Park, Edwin K. P. Chong, and Howard Jay Siegel. Efficient multicast packet authentication using signature amortization. In IEEE Symposium on Security and Privacy, pages 227–240, Oakland, USA, May 2002. IEEE Press.

[5] Adrian Perrig, Ran Canetti, J.D. Tygar, and Dawn Song. Efficient authentication and signing of multicast streams over lossy channels. In IEEE Symposium on Security and Privacy, pages 56 – 73, Oakland, USA, May 2000.

IEEE Press.

[6] E. N. Gilbert. Capacity of Burst-Noise Channel. In The Bell System Technical Journal, pages 1253-1265, September 1960.

[7] E. O. Elliott. Estimates of Error Rates for Codes on Burst-Noise Channels. In The Bell System Technical Journal, pages 1977-1997, September 1963.

[8] Vern Paxson. End-to-end Internet packet dynamics. IEEE/ACM Transactions on Networking,7(3):277 – 292, June 1999.

31

[9] Maya Yajnik, Sue Moon, Jim Kurose, and Don Towsley. Measurement and modeling of the temporal dependence in packet loss. In IEEE INFOCOM 1999, volume 1, pages 345 – 352, New York, USA, March 1999. IEEE Press.

[10] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.

[11] J. M. Park, E. K. P. Chong, and H. J. Siegel. Efficient multicast packet authentication using erasure codes. In ACM Transactions on Information and System Security, pages 6(2):258–285, May 2003.

[12] M. Luby. LT codes. In 43rd Annual IEEE Symposium on Foundations of Computer Science (FOCS ’02), 2002.

[13] M. G. Luby, M. Mitzenmacher, M. A. Shokrollahi, and D. A. Spielman.

Efficient erasure correcting codes. IEEE Transactions on Information Theory, pages 47(2):569–584, February 2001.

[14] M. O. Rabin. Efficient dispersal of information for security, load balancing, and fault tolerance. In Journal of ACM, pages 36(2):335–348, 1989.

[15] I. Reed and G. Solomon. Polynomial codes over certain finite fields. In Journal of the Society for Industrial and Applied Mathematics, pages 8(2):300–304, 1960.