A New Multicast Authentication Protocol using Erasure ... - IEEE Xplore

World Congress on Internet Security (WorldCIS-2013)

A New Multicast Authentication Protocol using Erasure Code Functions and Signcryption Techniques

Heba Aslan
Informatics Department, Electronics Research Institute, Cairo, Egypt
[email protected]

Mohamed Rasslan
Faculty of Engineering and Computer Science, Concordia University, Montreal, Canada
[email protected]

Abstract- Multicast authentication is a challenging problem, since it requires the verification of the sender by a large number of recipients. In literature, there are many solutions to solve this problem. Some of these solutions suffer from high communication and computation overheads, others suffer from packet loss and pollution attacks. The proposed solutions are divided into two approaches: the first is to design more efficient signature schemes and the second is to amortize the cost of signature over several packets. Other solutions are based on signcryption techniques which aim to simultaneously achieve the basic goals of encryption and signature schemes, namely confidentiality, authentication and non-repudiation. Although the use of signcryption techniques enhances communication and computation overheads, this solution suffers from the inability to resist packet loss. This is due to the fact that the whole block of packets must be received by the designated recipients before performing authentication. In the present paper, we propose a protocol that is based on the idea of amortizing the signcrypted text over several packets. The new protocol uses a signcryption technique to provide both authenticity and confidentiality, and to resist pollution attacks. In order to resist packet loss, the proposed protocol uses erasure code functions. The proposed protocol is compared to other authentication protocols. The comparison shows that the proposed protocol can resist packet loss and pollution attacks with low communication and computation overheads, which makes it suitable for real-time applications.

Keywords: Multicast Communication; authentication; Signcryption; Erasure Code Functions

I. INTRODUCTION

The increased number of applications that are of multicast nature (video conferencing, pay-per-view TV, financial stock quote distribution, etc.) raises the need to secure data transmitted between group members. Authenticity is one of the major security problems concerning multicast communication. Multicast authentication is a difficult problem, since it requires the verification of the sender by a large number of recipients. A multicast authentication protocol must have the following characteristics: it must have low communication and computation overheads, and it must resist both packet loss and pollution attacks. In literature, many solutions were presented to solve this problem. These solutions are divided into two approaches: design more efficient signature schemes and amortize the cost of signature over several packets. While designing more efficient signature schemes overcomes the computational problem, it still suffers from the high communication overhead problem. On the other hand, amortizing the signature over several packets overcomes the communication overhead problem, but with the inability to resist packet loss and pollution attacks. Recently, other solutions are based on signcryption techniques which aim to simultaneously achieve the basic goals of encryption and signature schemes, namely confidentiality, authentication and non-repudiation. Although the use of signcryption techniques enhances communication and computation overheads with the ability to resist pollution attacks, this solution suffers from the inability to resist packet loss. This is due to the fact that the whole block of packets must be received by the designated recipients before performing the authentication process. In the present paper, we propose a protocol that is based on the idea of amortizing the signcrypted text over several packets. The new protocol uses a signcryption technique to provide authenticity and confidentiality, and to resist pollution attacks. In order to resist packet loss, the proposed protocol uses erasure code functions.

This paper is organized as follows: in the next section, background and related work are detailed. Then, a description of the proposed protocol is given. Next, a comparison of the proposed protocol with other protocols is discussed. Finally, the paper concludes in the last section.

978-1-908320-22/3/$25.00©2013 IEEE

II. BACKGROUND AND RELATED WORK

A. Multicast Authentication

Multicast authentication is a challenging problem, since it requires that a large number of recipients must verify the data originator. To solve the multicast authentication problem, two approaches have been proposed: design more efficient signature schemes and amortize the cost of signature over several packets. For the first approach, efficient digital signature schemes have been proposed in [1-2]. Although these schemes overcome the computational problem, they suffer from the communication overhead problem, which makes them impractical for real-time applications. Another solution is to amortize the signature over several packets as proposed in [2, 3, 5, 6 and 7]. Early work was done by Gennaro and Rohatgi [3]. The stream is divided into blocks of m packets and a chain of hashes is used to link each packet to the one preceding it. Finally, the last hash is signed. Although this approach solves the computation and communication overheads problem, it has a major drawback: in case of any packet loss, the authentication chain is broken and subsequent packets cannot be authenticated. Many multicast applications are running over IP networks, where several packet losses could occur. Therefore, multicast authentication protocols must resist packet loss.

In [4], Golle and Modadugu solve this problem by appending the hash of a packet in two places: the first is in the next packet and the second is in the packet succeeding it by a places, and only the final packet is signed. Their solution is based on the property that loss over the Internet occurs in bursts as stated in [5] and can resist several bursts of a certain number of packets. Although they solve the problem of loss over networks, it is not clearly stated how the packet containing the signature is sent. The loss of the signature packet requires its retransmission several times. In multicast communication, different receivers lose different sets of packets, thus retransmission can overload the resources of both the sender and the network.

In [2], Wong and Lam proposed another solution to solve the problem of packet loss. In their proposal, the stream is divided into blocks of m packets and a tree of hashes of degree 2 is constructed. The hashes of the m packets correspond to the leaves of the tree and only the root of the tree needs to be signed. In order to authenticate any packet, the siblings of each node along its path to the root and the packet signature must be appended. Then, the receiver checks the signature. Since each packet carries the information required for its authentication, any packet loss will not affect the ability of the receiver to authenticate packets that arrived after the loss. This solution requires the appending of log2(m) + 1 hashes and the signature to each packet. Hence, it suffers from a high communication overhead.

In [6-7], Perrig et al. proposed efficient solutions for the authentication problem. These solutions are based on authenticating packets using MACs and revealing the MAC keys after a certain time interval.
Although these solutions have low communication and computation overheads, they have a major drawback: they require that the sender and the receivers maintain the synchronization of their clocks. Furthermore, these solutions suffer from sending the signature packet multiple times in case of packet loss.

In [8], Pannetrat and Molva proposed a solution to the problem of sending the signature packet multiple times and of packet loss using erasure codes. Erasure codes [9-10] allow the receiver to restore the original data under the condition that the loss rate does not exceed a certain value. The stream is divided into blocks of m packets and hashes of these packets are calculated. The output hash values are input to an erasure code function to produce X, which consists of the hash values and extra information (E) in order to resist transmission loss. Then, a signature (S) of packet hashes is computed. Next, both E and S are exposed to another erasure code function. Finally, the output of the second erasure code is divided into m pieces and appended to each packet. The use of erasure codes allows the ability to restore both the hash values and the signature in case of loss. A similar solution was proposed in [11], which is named Signature Amortization using Information Dispersal Algorithm (SAIDA). In their work, Park et al. use the erasure code once, where the input to the erasure code consists of the packet hashes and the signature. However, erasure codes can resist only one threat model: packet loss. Erasure codes assume that packets are only lost but not corrupted in transit. Unfortunately, in real environments, packets could be lost, modified, delayed and dropped. These threats are defined in [12] as pollution attacks.

In [12], Karlof et al. propose a solution to pollution attacks. Their solution is known as Pollution Resistant Authenticated Block Streams (PRABS). In their solution, which is based on SAIDA, each symbol output of the erasure code is augmented by additional information - witness information - to differentiate between legitimate symbols and invalid symbols. To obtain witness information, a Merkle hash tree is constructed where symbols output of the erasure code are considered as leaves of the tree. Then, each symbol is augmented by the siblings along its path to the root. This information is used to partition symbols as valid or invalid. Then, only valid symbols are used to restore the original packet hashes and the corresponding signature. While this proposal overcomes the pollution attack problem, it has a large communication overhead compared to the abovementioned multicast authentication protocols. In the next subsection, signcryption techniques and their uses in multicast security are presented.

B. Signcryption Techniques

In public key cryptography, encryption and signature schemes are basic primitives that provide privacy and authenticity. Cryptographers used to consider these two primitives as distinct building blocks that have to be designed and analyzed independently. On the other hand, there are many settings where both primitives are required (e.g., secure e-mailing, where each message should be authenticated and encrypted). A straightforward solution to achieve both privacy and authenticity is to compose the known solutions of each of the two components. The sign-then-encrypt and encrypt-then-sign paradigms are early methods to implement authenticated encryption schemes [13-15]. These schemes achieve the non-repudiation property but they are costly in terms of communication and computation. The term signcryption was originally introduced and studied by Zheng in [16] with the primary goal of reaching greater efficiency than can be accomplished when performing the signature and encryption operations separately. Signcryption schemes [17-19] aim to simultaneously achieve the basic goals of encryption and signature schemes, namely confidentiality and authenticity. Moreover, signcryption schemes must achieve non-repudiation, which guarantees that the sender of a message cannot later repudiate that she has sent the message. Namely, the recipient of a message can convince a third party that the sender indeed sent the message. In addition to satisfying the confidentiality, authenticity and non-repudiation properties, some signcryption schemes are designed to achieve forward secrecy and past recovery [16].

The use of signcryption in multicast authentication is divided into two approaches [20]. The first solution requires the signcryption of a message for n receivers. While this solution lowers the computation overhead, it suffers from the large communication overhead and the lack of resistance to packet loss. An example of this solution could be found in [1821].
The second solution is to use the technique of randomness [22]. Again, this solution could not resist packet loss because of the need to receive all packets to ensure authentication. Duan et al. [20] proposed a scheme that is based on a signcryption scheme which only needs one pairing computation to signcrypt a message for n receivers. This scheme lowers the communication and computation overheads without solving the problem of packet loss. In [18], Pang et al. proposed an anonymous multi-recipient signcryption scheme, which is based on bilinear operation. Although this scheme uses one bilinear operation to signcrypt a message for n receivers, it suffers from the fact that it needs high computation and communication overheads. All the abovementioned signcryption schemes could not resist packet loss, since they require the receiving of the whole block of packets in order to be able to ensure the authenticity of the received message. In the next section, the description of the proposed protocol is illustrated.

III. THE PROPOSED PROTOCOL

In this section, a description of the proposed protocol is detailed. The proposed protocol is based on the idea of amortizing the signature over the signcrypted text. The new protocol uses a signcryption technique to provide both confidentiality and authenticity, and to resist pollution attacks. Signcryption techniques aim to simultaneously achieve confidentiality, authentication and non-repudiation. Although the use of signcryption techniques enhances communication and computation overheads, this solution suffers from the inability to resist packet loss. This is due to the fact that the whole block of packets must be received by the designated recipients before performing authentication. In order to resist packet loss, the proposed protocol uses erasure code functions which allow the receiver to restore the original data under the condition that the loss rate does not exceed a certain value (R).

The signcryption protocol used in our solution is described in [23]. The scheme in [23] is more efficient than all the previously presented schemes. It allows the recipient (verifier) to recover the message blocks upon receiving their corresponding signature blocks. The scheme is perfect for some application requirements and it is designed for packet switched networks.

In order to perform the proposed protocol, the following parameters must be set. First, the System Authority (SA) selects a large prime number $p$ such that $p-1$ has a large prime factor $q$. SA also picks an integer $g$ with order $q$ in $GF(p)$. Let $f$ be a secure one-way hash function. SA publishes $p$, $q$, $g$ and $f$. Each user $U_i$ chooses a secret key $x_i \in Z_q$ and computes the corresponding public key $y_i = g^{x_i} \bmod p$. In addition, all the group users share a secret key $x_{s-group}$ and its corresponding public key $y_{p-group} = g^{x_{s-group}}$, which is used to encrypt group messages.
The use of a public group key will reduce both the communication and computation overheads, since it requires the message to be signcrypted once instead of being signcrypted n times (where n is the number of receivers). This pair of keys must be changed in case of any membership change, i.e. when a member joins or leaves the group. Examples of solutions to solve the key distribution problem in case of a member join/leave were proposed in [24-25]. The problem of key distribution in case of joining/leaving the group is outside the scope of this paper.

When a sender A wants to send a message to the whole group, it divides the stream into blocks of m packets $(P_1, P_2, P_3, \ldots, P_{m-2}, P_{m-1}, P_m)$. The value of these packets must be less than the value of $p$. The sender A, with secret key $x_a$ and public key $y_a = g^{x_a}$, uses the following steps before sending the multicast message:

(1) Pick random numbers $k, l \in Z_q$ and set $r_0 = 0$, then compute $y_{p-group}^{k} \bmod p$ and $t = g^{k} \bmod p$.

(2) Compute: $r_i = P_i \cdot f(r_{i-1} \oplus y_{p-group}^{k}) \bmod p$, for $i = 1, 2, \ldots, m$.

(3) Compute: $s = k - r \cdot x_a \bmod q$, where $r = f(r_1, r_2, r_3, \ldots, r_m)$.

(4) Then, the sender computes $C_1 = g^{l} \bmod p$ and $C_2 = r_m \cdot y_{p-group}^{l} \bmod p$.

(5) Next, the sender applies the erasure code function on $r$, $C_1$, $C_2$, $s$ and $t$. The output of the erasure code function is divided into $m-1$ parts $(T_1, T_2, \ldots, T_{m-1})$, where each part is appended to each packet output of the signcryption algorithm. Then, the sender broadcasts the following message: $(r_1 \| T_1, r_2 \| T_2, \ldots, r_{m-1} \| T_{m-1})$.

Fig. 1 illustrates the steps required to perform the proposed protocol. In order to be able to restore and authenticate the received block, it is sufficient to receive $m(1-R)$ packets. Loss in one packet will only affect the retrieval of this packet and the following one; the remainder of the block could be retrieved.

After receiving the sent message, each recipient checks the signature by comparing $t^{x_{s-group}}$ to $(y_{p-group}^{s} \cdot y_{ap-group}^{r} \bmod p)$, where $y_{ap-group} = y_a^{x_{s-group}} \bmod p$. If the check doesn't hold, this indicates that the received packets are modified and must be discarded. On the other hand, if the check holds, then each recipient calculates $r_m = C_2 \cdot C_1^{-x_b} \bmod p$. Finally, each recipient recovers message blocks using the following equation: $P_i = r_i \cdot f(r_{i-1} \oplus t^{x_b})^{-1} \bmod p$, for $i = 1, 2, \ldots, m$ and $r_0 = 0$.

One advantage of the proposed protocol, since it is based on signcryption techniques, is that it provides both confidentiality and authenticity in one step. Consequently, the computation overhead decreases, which makes the proposed protocol suitable for real-time applications. To decrease the communication overhead, which is considered one of the major drawbacks of using signcryption techniques, we use a pair of group public key.
This eliminates the need to encrypt the message using each recipient's public key and, as a result, lowers the communication overhead. Another advantage of the proposed protocol is that it could resist both packet loss and pollution attacks with low computation and communication overheads. In the next section, a comparison of the proposed protocol with other multicast authentication protocols is carried out.
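The sender steps (1)-(4) and the receiver's check and recovery from this section, written out as an added example that is not the authors' code; it also shows that losing one packet costs exactly that packet and the next one. Assumptions: SHA-256 stands in for the hash $f$, the recipient key $x_b$ is taken to be the shared group secret $x_{s-group}$, the erasure-coded values $(r, C_1, C_2, s, t)$ are treated as already decoded, and the group parameters, keys, packet values and function names are constructed toy values.

```python
import hashlib
import secrets

# Constructed toy Schnorr group: q divides p - 1 and g has order q (far too small for real use).
P, Q, G = 2039, 1019, 4


def f(*vals, mod):
    """One-way hash f mapped into [1, mod-1] (assumption: SHA-256 stands in for f)."""
    digest = hashlib.sha256(b"|".join(str(v).encode() for v in vals)).digest()
    return int.from_bytes(digest, "big") % (mod - 1) + 1


def signcrypt(pkts, x_a, y_grp):
    """Sender steps (1)-(4). Returns r_1..r_{m-1} and the tuple fed to the erasure code."""
    k, l = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    mask, t = pow(y_grp, k, P), pow(G, k, P)               # step 1
    r = [0]                                                # r_0 = 0
    for pkt in pkts:                                       # step 2: r_i depends on r_{i-1}
        r.append(pkt * f(r[-1] ^ mask, mod=P) % P)
    rr = f(*r[1:], mod=Q)                                  # step 3: r = f(r_1..r_m)
    s = (k - rr * x_a) % Q
    c1, c2 = pow(G, l, P), r[-1] * pow(y_grp, l, P) % P    # step 4: C2 hides r_m
    return r[1:-1], (rr, c1, c2, s, t)


def verify_and_recover(recv, ctrl, x_grp, y_a, m):
    """recv maps index i -> r_i for the packets that arrived; returns {i: P_i} or None."""
    rr, c1, c2, s, t = ctrl
    y_grp, y_ap = pow(G, x_grp, P), pow(y_a, x_grp, P)
    mask = pow(t, x_grp, P)                                # equals y_grp^k at the sender
    if mask != pow(y_grp, s, P) * pow(y_ap, rr, P) % P:
        return None                                        # check failed: discard block
    r = {0: 0, **recv}
    r[m] = c2 * pow(c1, -x_grp, P) % P                     # r_m = C2 * C1^(-x) mod p
    out = {}
    for i in range(1, m + 1):
        if i in r and i - 1 in r:                          # P_i needs r_i and r_{i-1}
            out[i] = r[i] * pow(f(r[i - 1] ^ mask, mod=P), -1, P) % P
    return out


def demo():
    x_a, x_grp = 321, 654                                  # constructed secret keys
    y_a, y_grp = pow(G, x_a, P), pow(G, x_grp, P)
    block = [1200, 7, 2038, 512, 99, 1701]                 # constructed packets, each < p
    sent, ctrl = signcrypt(block, x_a, y_grp)
    arrived = {i: r for i, r in enumerate(sent, start=1) if i != 3}   # packet 3 is lost
    got = verify_and_recover(arrived, ctrl, x_grp, y_a, len(block))
    rr, c1, c2, s, t = ctrl
    polluted = verify_and_recover(arrived, (rr, c1, c2, (s + 1) % Q, t),
                                  x_grp, y_a, len(block))  # modified s
    return block, got, polluted


if __name__ == "__main__":
    print(demo())
```

With packet 3 missing, packets 1, 2, 5 and 6 are recovered while 3 and 4 are not; the block with a modified $s$ fails the check and is discarded.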

IV. COMPARISON OF THE PROPOSED PROTOCOL WITH OTHER MULTICAST AUTHENTICATION PROTOCOLS

In order to conduct a comparison between Wong-Lam, Pannetrat-Molva, SAIDA, PRABS, Pang et al. and the proposed protocol, the following general assumptions are considered: The stream to be authenticated is divided into blocks of m packets (of length smaller than that of the prime number p mentioned in the previous section). The calculations are specified for the authentication of one block.

[Figure 1. The proposed protocol architecture. The output message is $r_1 \| T_1, r_2 \| T_2, \ldots, r_{m-1} \| T_{m-1}$.]

The loss rate must be less than R. The length of p = length of q = Len_P. The length of the hash function's output equals 'Hout', the signature length equals 'Sigout', and the length of the erasure code output 'Eout' is given by: Eout = Ein * (1+R), where Ein represents the length of the erasure code input and R corresponds to the loss rate.

The comparison will be undertaken according to the following criteria:

The computation overhead: the processing needed at the sender or at the receiver for m packets.

The communication overhead: the length of authentication information appended to each packet in order to achieve authentication.

Delay at the sender and the receiver: delay at the sender is the number of packets that need to be processed before stream transmission and delay at the receiver is the number of packets that need to be received before authenticating the received packet.

Resistance to packet loss: the type of loss that the scheme resists.

Resistance to pollution attacks.

Ability to provide both authenticity and confidentiality.

Table I shows the comparison between Wong-Lam, Pannetrat-Molva, SAIDA, PRABS, Pang et al. and the proposed protocol. In the table, H represents one hash function operation, E represents one erasure code function operation, Mul represents one modular multiplication, Bil represents one linear pair operation, Add represents one modulo add operation, Exp represents one modular exponentiation operation, and Sig represents one signature operation. Table II shows the computation overhead per block for the abovementioned schemes. In Table II, the following parameters are assumed: m = 128 packets and the use of the RSA algorithm, which is based on a modulus of 1024 bits. Table III shows the communication overhead per packet in bytes for the abovementioned schemes for different loss rate values. In Table III, the following parameters are assumed: m = 128 packets, Hout = 16 bytes (assuming MD5 algorithm), Sigout = 128 bytes (assuming RSA algorithm), and Len_P = 128 bytes. The following facts could be deduced from the tables: Table I shows that all the compared schemes have a delay at the sender, which is equivalent to the processing

TABLE I. COMPARISON BETWEEN WONG-LAM, PANNETRAT-MOLVA, SAIDA, PRABS AND THE PROPOSED PROTOCOLS

| | Wong-Lam | Pannetrat-Molva | SAIDA | PRABS | Pang et al. | Ours |
|---|---|---|---|---|---|---|
| Computation overhead | (2m-1)H + Sig | mH + 2E + Sig | mH + E + Sig | mH + E + (2m-1)H + Sig | m(Bil + 2Add + 6Mul + Exp + 2H) | mMul + E + mH |

Communication overhead Delay: - At the sender - At the receiver (assume no packet is lost) Resistance to packet loss Resistance to pollution attacks Authenticity and confidentiality are provided

(HouIR+

(Hout+Sigoullm)*

(Hout+Sigoullm)

Hout+

Sigoullm)

(l+R)

(l+R) +

Sigout

*(l+R)

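| | Wong-Lam | Pannetrat-Molva | SAIDA | PRABS | Pang et al. | Ours |
|---|---|---|---|---|---|---|
| Delay at the sender | m | m | m | m | 0 | m |
| Delay at the receiver (assume no packet is lost) | 0 | m(1-R) | m(1-R) | m(1-R) | 0 | m(1-R) |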

Loss rate