A Secure Active Packet Transfer Using Digital Signature Schemes with ...

Download PDF
12 downloads 242438 Views 136KB Size Report
Comment
formed digital signature schemes with message recovery, at active network en- .... ing key P_A from its database, SA, and sends it to node C using its IP ad-.
A Secure Active Packet Transfer Using Digital Signature Schemes with Message Recovery Youngsoo Kim, Minho Han, Jungchan Na, Seungwon Sohn, and Cheehang Park1 1

Electronics and Telecommunications Research Institute, 161, Gajeong-Dong, Yuseong-Gu, Daejeon, 305-350, Korea {blitzkrieg, mhhan, njc, swsohn, chpark}@etri.re.kr http://www.etri.re.kr

Abstract. Active networks represent a new approach to network architecture. Active networks provide a much more flexible network infrastructure than traditional networks do. Flexibility is a powerful merit of active networks, but it can raise considerable security problems. Current active network researches have applied diverse techniques to solve them. Cryptographic technique is one way of protecting active networks. However it should not be applied conventionally, since active network paradigm is different from traditional one. It means that, at active network environments, active packets contain programmable codes should perform computations on intermediate-nodes as well as end-nodes. That is, since the packet sending-node does not know intermediate receiving-node, it cannot apply traditional cryptographic techniques can process each other only between end-nodes. This paper proposes a secure method for transferring active packets and performing computations using a transformed digital signature schemes with message recovery, at active network environment that intermediate packet receiving-nodes are not fixed. The proposed scheme uses transformed public key digital signature scheme that signing/verifying key pairs have almost same bit length and the verification-key storing server plays the role of key management server.

1 Introduction Active networks represent a new approach to network architecture. Nodes (routers, switches, etc.) can perform computations on user data flowing through them, and users can program the network, by supplying their own programs to perform these computations[1]. Active networks provide a much more flexible network infrastructure, with increased capabilities. On the other hand, they are obviously more complex than traditional networks and raise considerable security problems. Current active network researches have applied diverse techniques to solve them[2]: packet authentication, monitoring/control, and cryptographic techniques, and so on. Specially, cryptographic techniques should not be applied traditionally, since active network paradigm is different from traditional one. It means that, at active network environments, active packets contain programmable codes should perform computations on intermediate-nodes as well as end-nodes[3][4]. That is, since the packet sending-node

1

does not know intermediate receiving-node except end receiving-node, it cannot apply traditional cryptographic techniques perform handshaking only between endnodes to authenticate and exchange data each other. This paper proposes a secure method for transferring active packets and performing computations using a transformed digital signature schemes with message recovery, at active network environment that intermediate packet receiving-nodes are not fixed. The proposed scheme has the following differences from traditional public key digital signature schemes: Bit length of Verifying key(public key) is long enough similar to that of signing key(private key)1. In case of traditional public key digital signature schemes, verifying key is very small (i.e. bit length of it is short), and then anyone can verify signatures easily. On the other hand, signing key should be very big (i.e. bit length of it is long), to make it infeasible to forge signatures. That is, this mechanism can provide integrity by making it difficult, for attackers, to compute signing key. However, the proposed scheme has similar big verifying key making it hard to verify signatures without verifying key. And then verifying key and signing key have similar computing complexities. Namely, big signing key provides integrity and big verifying key provides confidentiality. Only authorized nodes can access verification-key storing server. In traditional public key mechanisms, all public keys, signed by a certification authority with each identity, are stored in public key directory and opened to the public. However, verification-key storing server does not open verifying keys to the public and let only authorized nodes know their own. The rest of the paper is organized as follows: We describe some active network components and set up network environment in Section 2. In Section 3, we list some requirements and we propose our scheme in Section 4. Finally, we consider security and performance, and conclude our idea in section 5.

2 Some components and network setups An active network is made up of many components. The followings are some components that our scheme needs: General node: It can be general routers or switches. It stores and forwards packets. Active node: It can be active routers or switches that perform computations on active packets. It stores, computes, and forwards active packets.

1

In proposed mechanism, a word “public” does not have meaning any more, since verificationkey storing server does not open verifying keys to the public and let only authorized nodes know it. Namely, we borrow only mechanism of public key digital signature scheme, but have no keys to open to the public.

2

Verification-Key storing Server (VKS): It stores verification-keys of authorized nodes. When an authorized node requests to get a key for verifying a signature, it sends the key after checking whether he is an authorized node or not. At active network environments, active nodes and general nodes exist together. Fig.1 depicts this situation.

Fig. 1. Active network environments and an active packet

Active node A only knows the final receiving-node (end-node) F’s IP address. It does not know that of intermediate receiving node such as node B, node C, node D, or node E. Also, if general nodes (e.g. node B, node D, or node E) receive an active packet from node A, they just forward it to the neighboring nodes.

3 Requirements To develop our idea, we need some requirements: We use the digital signature scheme with message recovery[5]. It has the feature that the message, the executable codes in this paper, signed can be recovered from the signature itself. A digital signature scheme with message recovery is defined as a digital signature scheme for which a priori knowledge of the message is not required for the verification algorithm[6]. Examples of mechanisms providing signatures with message recovery are RSA[7], Rabin[8], and NybergRueppel[9] public-key signature schemes.

3

The key pair generation algorithm for digital signature schemes with message recovery as follows: ① Active node n should select a set S_n = {S_n,k : k ∈ R} of transformations. S_n,k is a 1-1 mapping from MS to S and is called a signing transformation. (MS is the signing space, S is the signature space, and R denotes the set of real number) ② S_n defines a corresponding mapping P_n with property that P_n◎S_n,k is the identity map on MS for all k ∈ R. P_n is called a verification transformation and is constructed such that it may be computed without knowledge of the signer’s signature key. ③ Node n’s signature key is the set S_n; Node n’s verification key is P_n. The redundancy function R and its inverse function R-1 are publicly known. The length of signing key is almost same as that of verifying key. (i.e. two keys have the same degree of computation complexity) The first active sending-node generating active packets would like to transfer those active packets that contain executable codes in the payload part to the target active node securely. Also, it wants to have all intermediate active nodes, as well as end node, execute those packets and let the final receiving-node know about intermediate results. We assume that authorized nodes do not cheating, such as forging signatures or giving keys to attackers. Verification-Key storing Server should not compromised. The followings are some notations used our proposed scheme: ID_n: Active node n’s identity. Each node’s unique IP address can be used as personal identity. PGM: Target executable codes the destination node receives and intermediate nodes perform computations. It is contained in the payload part of an active packet. R(M): Redundancy function for M R-1(M): Inverse function of redundancy function R for M VKS: Storing server for verification-keys. It is an acronym for Verification-Key storing Server. S_n: Signing key for active node n P_n: Verifying key for active node n S_VKS: Signing key for VKS P_VKS: Verifying key for VKS In: An active packet generated by active node n INFO: Some information needs for signing or verifying, such as the digital signature scheme used. SigS_n(M): Signature for M using active node n’s signing key S_n VerP_n(S): Verification for a signature S using active node n’s verifying key P_n RESULT_n: Some execution result for PGM by active node n REQ(P_n): A request message for verifying key P_n. VKS receives this message and sends the key to the request node, after finishing the authentication process.

4

4 The proposed scheme In this chapter, we propose a scheme for transferring active packets securely. At first, we describe the initialization process (i.e. preliminary registration process and key pair generation process) and explain main process in detail.

Fig. 2. Operation processes of the proposed scheme

4.1 Initialization process If active node n would like to perform a preliminary registration and get the signing key S_n, active node n and VKS perform the following 4 steps: 1.

2. 3.

4.

An active node n creates a signing key S_n to be used for signing the target program, and a corresponding verifying key P_n to be used by other active nodes for verifying signatures. Active node n shows its IP address and verifying key P_n to VKS, and he requests for registration. VKS generates Sn using its signing key S_VKS. Sn is a signing value for active node n’s IP address and verifying key P_n. VKS stores this value at database. Sn = {SigS_VKS(R(ID_n, P_n))}……………………(1) VKS issues active node n’s signing key S_n and its own verifying key P_VKS to it, and node n saves these values.

5

4.2 Main process 1.

2.

3.

4.

5.

6.

7. 8.

Active node A generating active packets would like to transfer those active packets contain PGM to the target active node F securely. Also, it wants to have all intermediate active nodes, as well as end node, execute those packets and let the final receiving node know about intermediate results. At first, active node A calculates redundancy function value R(PGM) for target executable code PGM. It generates a signature for R(PGM) with its signing key S_A. Attaching its own IP address, destination node F’s IP address, and INFO (e.g. digital signature algorithm used, etc) to that signature, it yields IA and sends it to the neighboring node. IA = {SigS_A(R(PGM)), ID_A, ID_F, INFO}…….……….(2) General node B, one of the neighboring nodes of node A, receives active packet IA and checks destination IP address. Since this value is different from B’s IP address, it forwards IA to the neighboring node again. Receiving IA, active node C becomes to know the fact that active node A sent it and destination node is active node F. It needs A’s verifying key P_A to verify the signature included in IA and execute code PGM. Therefore, it generates JA and sends it to VKS. JA comprises the signing value of node A’s IP address ID_A and redundancy value of REQ(P_A) with S_C and its IP address ID_C. JA = {(SigS_C(R(REQ(P_A), ID_A))), ID_C}…………….(3) VKS receives JA and checks that node C is an authorized active node, using node C’s IP address. Verifying the signature included in JA with P_C stored in database, VKS becomes to know that active node C wants to get node A’s verifying key. So, it copies the signing value for node A’s verifying key P_A from its database, SA, and sends it to node C using its IP address. KA = R-1{VerP_C(SigS_C(R(REQ(P_A),ID_A)))} ……… …(4) SA = {SigS_VKS(R(ID_A, P_A))}……………………(5) Receiving SA from VKS, active node C verifies SA using P_VKS and get active node A’s verifying key P_A using inverse redundancy function R-1. It verifies received active packet IA, executes PGM included in payload part of IA, and gets RESULT_C. TA = R-1{VerP_VKS(SA)} = (ID_A, P_A) ….…..……….(6) QA = R-1{VerP_A(SigS_A(R(PGM)))} = PGM.…………….(7) Since active packet IA’s destination node is not node C, it generates another active packet IC, contains PGM and RESULT_C, and sends it to the neighboring node. IC = {SigS_C(R(PGM, RESULT_C)), ID_C, ID_F, INFO}………(8) Receiving IC, general node D and E forwards it to the neighboring node again. Receiving IC, active node F becomes to know the fact that active node C sent it and destination node is node F itself. It needs C’s verifying key P_C to verify the signature included in IC and execute code PGM. Therefore, it generates JC and sends it to VKS. JC comprises the signing value of node

6

C’s IP address ID_C and redundancy value of REQ(P_C) with S_F and its IP address ID_F. JC = {(SigS_F(R(REQ(P_C), ID_C))), ID_F}……………….(9) 9. VKS receives JC and checks that node F is an authorized active node, using node F’s IP address. Verifying the signature included in JC with P_F stored in database, VKS becomes to know that active node F wants to get node C’s verifying key. So, it copies the signing value for node C’s verifying key P_C from its database, SC, and sends it to node F using its IP address. KC = R-1{VerP_F(SigS_F(R(REQ(P_C),ID_C)))} ….…….…(10) SC = {SigS_VKS(R(ID_C, P_C))}……………………(11) 10. Receiving SC from VKS, active node F verifies SC using P_VKS and get active node C’s verifying key P_C using inverse redundancy function R-1. It verifies received active packet IC and gets PGM and RESULT_C included in payload part of IC. After checking RESULT_C, active node C’s execution result, active node F executes PGM. Finally, it gets RESULT_F and finishes this protocol. TC = R-1{VerP_VKS(SC)} = (ID_C, P_C) ….…..……….(12) -1 QC = R {VerP_C(SigS_C(R(PGM, RESULT_C)))} = PGM, RESULT_C..(13)

5 Concluding remarks (Integrity and authentication) Since the digital signature scheme used is a heuristically existentially unforgeable signature scheme, it is infeasible for a malicious node to forge signatures. Furthermore, VKS plays the role of certification authority, so it provides mutual authentication between active nodes. (Confidentiality) VKS restricts authority of verification for signatures by access control. Therefore, an unauthorized node, has no authority of accessing to VKS, cannot verify signatures. Also, since bit length of verifying key is long enough, it is difficult for a malicious node to compute to get the key. (Performance) Owing to handicap of active networks that intermediate active nodes are not fixed, number of interactions between nodes are little bit large comparing to that of traditional network[10]. For transition from traditional network environment to active network environment, performance is one of the most important factors, so the research of reducing number of interactions should be continued.

References 1. K.Psounis, “Active networks: Applications, Security, Safety, and Architectures”, IEEE Communications Surveys, 1999. 2. M.S.Greenberg, J.C.Byington, and D.G.Harper, “Mobile Agents and Security”, IEEE Communications Magazine, Vol.36, No.7, 1998. 3. T.Sander and C.F.Tschudin, “Towards Mobile Cryptography”, TR 97-049, ICSI, 1997

7

4. Y.S.Kim, J.C.Na, S.W.Sohn, “A Secure Method for Transferring Active Packets”, Proc. of WSEAS'01, Cairns, Australia, Dec.17-21, pp.259-262, 2001. 5. A.J.Menezes, P.C.Oorschot, and S.A.Vanstone, “Handbook of Applied Cryptography”, CRC Press, 1997, pp.547-550. 6. B.Schneier, “Applied Cryptography: Second Edition”, Wiley, 1996, pp.185-187. 7. R.L.Rivest, A.Shamir, and L.Adleman, “A method for obtaining digital signatures and public key cryptosystems”, Communications of the Association for Computing Machinery, Vol.22, No.2, 1978, pp.120-126. 8. M.O.Rabin, “Digital Signatures and Public-Key Functions as Intractable as Factorization”, MIT Laboratory for Computer Science, Technical Report, MIT/LCS/TR-212, Jan 1979. 9. K.Nyberg and R.A.Rueppel, “Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem”, Proc. of Eurocrypt’94, Springer-Verlag, 1995 10. Y.S.Kim, J.C.Na, S.W.Sohn, “A Secure Active Packet Transfer using Cryptographic Techniques”, Journal of The Korean Institute of Information Security and Cryptology, Vol.12, No.2, 2002, pp.135-145.

8