An Efficient MAC-Signature Scheme for Authentication ... - IEEE Xplore

An Efficient MAC-Signature Scheme for Authentication in XOR Network Coding

Alireza Esfahani¹, Alberto Nascimento², Jonathan Rodriguez¹, José Carlos Neves¹
¹ Instituto de Telecomunicações, Aveiro, Portugal, {alireza, jonathan, jneves}@av.it.pt
² Universidade de Madeira, Funchal, Portugal, [email protected]

Abstract—An inherent weakness of network coding is that it is vulnerable to pollution attacks from adversaries, which may jeopardize its advantages such as throughput enhancement. The Message Authentication Code (MAC) is a commonly used scheme that provides integrity against data pollution by appending data- and shared-key-dependent tags. However, this scheme results in a new type of pollution called tag pollution, where a packet with polluted tags may travel multiple hops before detection and result in wasted network bandwidth. We propose a hybrid technical scheme, called MSXOR, which can detect tag pollution with low communication and computation overhead. We address pollution attacks by designing an efficient MAC scheme suitable for multicast XOR network coding, and tag pollution attacks by appending a signature of all the MACs. Our experimental results show that it slightly increases the computation complexity, for the sake of resisting tag pollution.

Index Terms—Network coding; message authentication code; pollution attack; tag pollution attack; signature.

I. INTRODUCTION

Network coding is a promising technology which was presented for the first time by Ahlswede et al. [1], and it is being used in various applications these days, such as wireless mesh networks [2], wireless sensor networks [3] and peer-to-peer systems [4]. In contrast to traditional commodity flow, in which information is only routed or replicated, with network coding the information flow can also employ coding operations at intermediate nodes. Network coding is proven capable of achieving the network capacity [1] and lower energy consumption [5]. Instead of using linear combinations of the incoming packets [6], [7], a special network coding based on XOR operations was introduced in [8], [9].

Both normal network coding and XOR network coding are more susceptible to pollution attacks than the traditional store-and-forward technique. If a pollution attack is not detected at the forwarders, the sink nodes cannot recover the source messages. A more severe problem is that even a small number of polluted messages can infect a large number of downstream nodes, because the pollution propagates via recoding.

To detect data pollution, the Message Authentication Code (MAC) is a commonly used integrity scheme, which appends a short piece of information called a tag to the message. This tag is a function of both the message and a secret key. However, this scheme results in a new type of pollution called tag pollution. With tag pollution, an adversary aims to modify the tags (MACs) carried by packets rather than their contents. It is possible that a packet with polluted tags travels multiple hops until it is finally detected and discarded, which can result in a waste of network bandwidth.

So far, several novel homomorphic hashing, signature and MAC schemes [12], [13], [14], [15], [16], [17], [18], [19], [20], [21] have been presented to address integrity against pollution attacks. Besides the above-mentioned cryptographic schemes, information-theoretic schemes [10], [11] are another mechanism; they are more efficient in terms of computation than cryptographic schemes, but can detect polluted packets only at the sink nodes.

In this paper, we propose a hybrid authentication scheme (MACs and a signature) using XOR network coding which can resist both normal and tag pollution attacks. In our scheme, the source generates multiple MACs for each message, where each MAC can authenticate only a part of the message.

The remainder of this paper is organized as follows. Section II presents the problem statement, which includes the system and threat models. Section III introduces our scheme. Section IV analyses the achievable performance. Section V discusses related work. We conclude the paper in Section VI.

II. PROBLEM STATEMENT

In this section, we discuss the system model, trust and threat models.

A. System Model

We consider a traditional multicast scenario in which a source $S$ wants to send packets $M_1, M_2, \cdots, M_m$ to multiple sinks. Each message $M_i$ is divided into $n$ codewords which lie in the finite field $\mathbb{F}_p$, where $p$ is a prime number. Typically, each codeword is 128 bits long ($\lfloor \log_2 p \rfloor$). So each source message $M_i$ can be presented as a row vector:

$$M_i = (m_{i,1}, m_{i,2}, \cdots, m_{i,n}), \tag{1}$$

where $i = 1, \cdots, m$. We denote the encoded messages as $E$. In XOR network coding, an encoded message can be represented as

$$E = \alpha_1 M_1 \oplus \alpha_2 M_2 \oplus \cdots \oplus \alpha_m M_m, \tag{2}$$

where $\alpha_i \in \{0, 1\}$ for $i = 1, \cdots, m$. The forwarders and the sinks can use the encoding vectors to verify the received messages. For XOR network coding, our scheme encodes the codewords over a field of size 2, although it still divides the messages into 128-bit-long codewords.

The basic idea of this work is derived from [16]. We assume that each node picks a fixed number of keys at random from a large global key pool, and a public key. By carefully managing the key pool size and the number of keys each node picks, we can be certain that any two nodes have the same probability of finding some shared keys [24]. The source uses its keys to generate message authentication codes (MACs) for its messages, and its private key to generate a signature for the MACs. Forwarders that have shared keys perform the verification in two phases: first they verify the MACs of received messages using their shared keys, and second they verify the signature using the public key. Forwarders that do not have any shared key verify only the signature. We depict the idea of [16] and our model in Fig. 1.

Fig. 1. The top and middle of the figure represent the idea of [16]: the packet is discarded at the next hop if that hop has shared keys, or needs to travel more hops before the polluted codeword is detected; however, tag pollution is not handled, which results in wasted bandwidth. The bottom depicts our scheme, which can resist tag pollution and thereby saves bandwidth overhead.

B. Threat Model and Goal

In this paper, we assume that the source and all sinks are always trusted and that there is no possibility of forging them. The intermediate nodes, however, may be malicious. The adversaries can control everything, including monitoring the input, the output and all operations. They can inject corrupted packets to pollute the network. They may also modify other parts of each packet. Moreover, we consider that they are limited in computation power and can only operate in polynomial time. Our goal is to design an efficient scheme that can detect both normal and tag pollution attacks. In this approach, polluted messages are detected immediately or after travelling at most 3 hops [16].

III. MSXOR SCHEME

Here, we propose the MSXOR (MAC Signature XOR) scheme, which provides integrity and authentication protection for an XOR-coded network using Message Authentication Codes and a signature. All the notations used in this paper are defined in Table I.

TABLE I
LIST OF NOTATIONS

Symbol            Description
$m$               The number of packets per generation
$n$               The number of codewords of each packet
$p$               A large random prime number
$q$               A large random prime number such that $p \mid (q-1)$
$E$, $e_j$        Encoded message and its $j$-th codeword
$t$               The number of tags of each packet
$u$               The number of codewords used for each tag
$Sign$            The signature of $t$ MACs
$c$               The representation of all key indexes and MACs
$w$               The total number of symbols used for the private and public key
$\vec{\beta}$     The vector of the private key, which has $w$ symbols in a field of size $p$
$\vec{h}$         The vector of the public key, which has $w$ symbols in a field of size $q$
$g$               The generator
$K$, $|K|$        The pool of shared keys and its size
$r$               The seed value

A. The Proposed Model

MSXOR is defined as a triple of probabilistic polynomial time (PPT) algorithms, (Setup, MAC-Sign, Verify):

• Setup: The source sets security parameters, chooses its shared keys and private key, and also defines its hash and signature functions. This phase is done offline.
• MAC-Sign: The source calculates and appends the authentication information such as the hashes, MACs and signatures.
• Verify: Verification is based on encoding vectors, authentication information, shared secret keys and the public key. If verification succeeds, the received messages are accepted and will be used for further encoding or decoding; otherwise, they are discarded.

B. The Construction

Based on the above model, we propose our construction:

• Setup
– Two random prime numbers $p$ and $q$ such that $p \mid (q-1)$, using a generator $g$ of order $p$ in $\mathbb{F}_q$.
– Sample $w$ symbols as the private key $\vec{\beta} = (\beta_1, \beta_2, ..., \beta_w) \xleftarrow{R} \mathbb{F}_p^{w-1} \times \mathbb{F}_p^*$; according to the private key and the generator, the public key is determined as $\vec{h} = (g^{\beta_1}, g^{\beta_2}, ..., g^{\beta_w}) \in \mathbb{F}_q^*$.
– Given $t$ and $u$, which are the number of MACs attached to each source message and the number of codewords used to generate each MAC, respectively.
– $t$ random keys $k_1, k_2, ..., k_t$ from a global key pool $K$.
– A hash function $h : \mathbb{F}_p^u \rightarrow \mathbb{F}_p$, where $\mathbb{F}_p$ is a finite field of size $p$.
– A pseudo-random function $f : [1, m] \rightarrow [1, m]$, where $f$ is public.
– $t$ random integers $r_1, r_2, ..., r_t$, where each $r_j \in [1, m]$ for $j = 1, ..., t$. Each $r_j$ represents the indexes of the codewords which were used for each MAC.

• MAC-Sign
The source calculates $t$ MACs and attaches them to the message. The signature is also appended to the message. Each MAC is calculated by encrypting the hash of $u$ randomly selected codewords using a random key from the key pool. The signature is calculated using the inner product of all MACs and the private key. More precisely, the source generates and transmits

$$(M_i, id_{i,1}, MAC_{i,1}, ..., id_{i,t}, MAC_{i,t}, Sign), \tag{3}$$

where $i = 1, ..., m$. We also define the detail of each MAC as

$$MAC_{i,j} = E(id_{i,j}, r_j, h_{i,j})_{k_{i,j}}, \tag{4}$$

where $E(\cdot)$ denotes encryption using key $k_{i,j}$, $id_{i,j}$ is the index of the key, and $h$ is the XOR of $u$ selected codewords

$$h_{i,j} = m_{i,r_{j,1}} \oplus ... \oplus m_{i,r_{j,u}} \tag{5}$$

where $r$ is chosen as the seed for the $u$ codewords, and $j = 1, ..., t$. For the signature, we reorganize the MACs. To further reduce the length of a message, we can attach only one key index, where the other indexes form a hash chain that can be generated from the attached index [16]. So, according to the depiction in Fig. 2, we have in total $N = t * (\log_2 |K| + \log_2 n + \log_2 p) + \log_2 |K| + \log_2 p$ bits appended to each message, and we estimate the total number of symbols needed as $w = \lceil N / \log_2 p \rceil$.

Fig. 2. MACs representation. The source attaches only one key index, where the other $(t-1)$ indexes form a hash chain that can be generated from the attached index, one symbol for the signature, and $t$ MACs, where each MAC has: (1) the hash, that is, $\log_2 p$ bits; (2) one random seed used to identify the indexes of codewords, which is of $\log_2 n$ bits; and (3) one index of a random key, which is of $\log_2 |K|$ bits.

Finally, the signature is given by the following equation:

$$Sign = \left( \frac{-\sum_{i=1}^{w-1} \beta_i c_i}{\beta_w} \right) \bmod p \tag{6}$$

• Verify
The verification phase is done at each forwarder node and sink node according to the following steps:
1) It checks the availability of a shared key.
2) It decrypts the corresponding MACs if it found at least one shared key; otherwise it goes to step 7).
3) It generates the indexes of $u$ codewords.
4) It calculates the hash of these codewords according to Equation (4).
5) In this step, we need to decode the hash of those MACs which had shared keys.
6) It checks the equality of the hash of the received message, which was calculated in step 4), and the hash of $u$ codewords, which was calculated in step 5). The received message is assumed to be polluted and is discarded if the two values are not the same.
7) It verifies the signature, to detect tag pollution, by calculating $\delta$ as:

$$\delta = \left( \prod_{i=1}^{w-1} (h_i)^{c_i} \cdot (h_w)^{Sign} \right) \bmod q \tag{7}$$

The message is rejected if $\delta \neq 1$; otherwise the verification phase succeeds and the message is accepted.

For example, if a forwarder receives a message $E = M_i \oplus M_j$, then according to the shared key which it has, it can decrypt $MAC_{i,l}$ and $MAC_{j,l}$ of messages $M_i$ and $M_j$, respectively. From the decrypted MACs, it further knows that the MACs are calculated from the codewords of indexes $x$, $y$ and $z$; the forwarder then accepts message $E$ if it satisfies the following equation:

$$e_x \oplus e_y \oplus e_z = h_{i,l} \oplus h_{j,l} \tag{8}$$

where $e_x$, $e_y$ and $e_z$ are the corresponding codewords of message $E$; $h_{i,l}$ and $h_{j,l}$ are the hashes encrypted in $MAC_{i,l}$ and $MAC_{j,l}$.

C. Security Analysis

In our scheme, the adversary first checks how many shared keys he has and identifies the corresponding MACs that he can decrypt. Our purpose is to resist tag pollution by appending to the messages a signature computed from the MACs. The details of the minimum number of hops needed to detect a polluted message can be found in [16].

Theorem 1. The MSXOR scheme is secure against tag pollution.

Proof. If an adversary wants to change a MAC, he needs to find a signature which satisfies Equation (6). In other words, he must solve the following equation:

$$\delta = \left( \prod_{i=1}^{w-1} (h_i)^{c_i} \cdot (h_w)^{Sign} \right) \bmod q = 1 \tag{9}$$

As the public key was made from the private key and a generator, an adversary does not have enough chance of recovering the private key, and he must solve the discrete logarithm problem. This means our signature can resist tag pollution.
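The signing and signature-verification steps of Equations (6) and (7), as an added example that is not the authors' code: the group (p, q, g) = (1019, 2039, 4) is a toy assumption chosen only so that p | (q − 1) and g has order p, and the helper names and the sample tag block are constructed for illustration. It shows a forwarder that holds only the public key rejecting a tag block in which a single bit was flipped.

```python
# Added illustration of Eq. (6) and Eq. (7); not the paper's implementation.
import secrets

# Toy parameters (assumption, far too small for real use):
# p and q are prime, p | (q - 1), and g = 4 has order p in F_q*.
P, Q, G = 1019, 2039, 4
SYMBOL_BITS = P.bit_length() - 1   # floor(log2 p), so every packed symbol is < p


def keygen(w):
    """Setup: private key beta (w symbols mod p), public key h_i = g^beta_i mod q."""
    # Assumption of this example: every beta_i is drawn non-zero, so each
    # symbol of the tag block influences the signature.
    beta = [1 + secrets.randbelow(P - 1) for _ in range(w)]
    h = [pow(G, b, Q) for b in beta]
    return beta, h


def to_symbols(tag_block: bytes):
    """Split the appended key index and MACs into symbols c_1..c_{w-1} of F_p."""
    bits = int.from_bytes(tag_block, "big")
    count = -(-len(tag_block) * 8 // SYMBOL_BITS)      # ceiling division
    mask = (1 << SYMBOL_BITS) - 1
    return [(bits >> (SYMBOL_BITS * i)) & mask for i in range(count)]


def sign(beta, c):
    """Eq. (6): Sign = (-sum_{i=1}^{w-1} beta_i c_i) / beta_w mod p."""
    assert len(beta) == len(c) + 1
    acc = sum(b * ci for b, ci in zip(beta, c)) % P    # zip stops before beta_w
    return (-acc * pow(beta[-1], -1, P)) % P


def verify(h, c, signature):
    """Eq. (7): accept iff prod_{i<w} h_i^{c_i} * h_w^{Sign} mod q equals 1."""
    if len(h) != len(c) + 1:
        return False
    delta = pow(h[-1], signature, Q)
    for hi, ci in zip(h, c):
        delta = delta * pow(hi, ci, Q) % Q
    return delta == 1


def demo():
    # Constructed sample: one key index byte followed by three 3-byte MACs.
    tag_block = bytes.fromhex("07" "2a91c3" "1f04be" "5508d2")
    c = to_symbols(tag_block)
    beta, h = keygen(len(c) + 1)           # source side
    s = sign(beta, c)

    polluted = bytearray(tag_block)        # tag pollution: flip one bit of a MAC
    polluted[4] ^= 0x01

    # Forwarder side: needs only the public key h, no shared MAC key.
    return verify(h, c, s), verify(h, to_symbols(bytes(polluted)), s)


if __name__ == "__main__":
    print(demo())
```

Because g has order exactly p and the changed symbol differs by less than p, the exponent of g in the polluted case is non-zero modulo p, so the check fails for any key drawn by `keygen`.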

IV. PERFORMANCE ANALYSIS

In this section, the security of MSXOR, the types of available threats, and the communication and computation overhead are presented.

A. Threat Analysis

We analyze adversary behaviours with different levels of knowledge, and discuss possible countermeasures as follows:

• Without any shared keys with the source, an adversary may randomly pollute a message (or the MACs attached to the message). This pollution can be easily detected, since the adversary does not know how to generate valid MACs.
• By having one shared key, the adversary knows which codewords are authenticated by the corresponding MAC, and it may pollute those codewords of a message and generate a false MAC matching the polluted codewords. This pollution can be detected from another unpolluted MAC that happens to authenticate only one exchanged (or polluted) codeword.
• An adversary may try to replace all the MACs. However, this pollution can be detected by the signature which has already been attached.

B. Communication Overhead

Each source message has $n$ codewords of $\log_2 p$ bits each. So the bit-length of a source message is $n \log_2 p$. In our scheme, $t$ MACs are attached to the source message. For each MAC we need to consider: (1) the hash, which needs $\log_2 p$ bits; (2) one random seed used to identify the indexes of codewords, which is of $\log_2 n$ bits; and (3) one index of a random key, which is of $\log_2 |K|$ bits. Our scheme also attaches the indexes of $t$ keys to each source message, and each index is of $\log_2 |K|$ bits. As we explained in Section III, we can attach only one key index, instead of $t$ indexes, to the message. Moreover, the signature is one symbol long, equal to $\log_2 p$ bits. Hence, our scheme has the following communication overhead:

$$\frac{t(\log_2 |K| + \log_2 n + \log_2 p) + \log_2 |K| + \log_2 p}{n \log_2 p} \tag{10}$$

By fixing $|K| = 100$, $u = 128$ and $n = 256$, we need $\log_2 100 \simeq 7$ bits for the indexes of the shared key and $\log_2 256 = 8$ bits for the indexes of codewords. As the values of $\log_2 |K|$ and $\log_2 n$ are much smaller than $\log_2 p$, we can summarize the communication overhead as $\frac{t+1}{n}$. The bandwidth overhead comparison of our scheme and [16] is depicted in Fig. 3, where MSXOR's behaviour is almost similar to [16], and this equality is explicit whenever the number of coded packets is increased.

Fig. 3. The bandwidth overhead comparison, where $t$ is the number of tags appended to each message. As the number of coded packets increases, our scheme and [16] have similar behaviour.

C. Computation Overhead

Recall that to append $t$ MACs and a signature, $t * u$ XOR and $w$ multiplication operations are needed in our scheme. Moreover, for verification, we consider that all the relay nodes have shared keys and each node needs to verify the message. So, as shown in Equation (8), MSXOR needs $t * u$ XOR, $w$ exponentiation, and $w - 1$ multiplication operations. Table II summarizes the computation complexity comparison of MSXOR and [16].

TABLE II
COMPUTATION COMPLEXITY

Phase       [16]            MSXOR
MAC-Sign    t ∗ u (XOR)     t ∗ u (XOR) + w (Multiplication)
Verify      t ∗ u (XOR)     t ∗ u (XOR) + w (Exponentiation) + w − 1 (Multiplication)

According to the key distribution, the polluted codewords are not detected immediately and need to travel at least 3 hops (if $t = 10$), or 8 hops (if $t = 5$) [16]. In other words, by increasing the number of tags, the number of hops a polluted message travels decreases, although the overhead also increases. On the other hand, MSXOR's behaviour is similar to [16] in terms of data pollution; however, it can detect tag pollution at the next hop. To conclude this section:

• MSXOR incurs a relatively low communication overhead, which is almost equal to that of [16] whenever the number of coded packets is increased.
• MSXOR slightly increases the computation complexity, for the sake of resisting tag pollution.

V. RELATED WORK

Generally speaking, most of the research in the field of data pollution and tag pollution attacks considers two types of security mechanisms: information-theoretic schemes and cryptographic schemes. Although information-theoretic schemes [10], [11] have better computation performance, they have some drawbacks, such as limitations on the number of eavesdroppers and intruders, and detecting polluted messages only at the sinks; these drawbacks are the main motivation for the interest in cryptographic schemes. Cryptographic schemes are categorized as homomorphic hashing schemes, homomorphic signature schemes and homomorphic MACs.

(1) Homomorphic hashing schemes rely on extra secure channels to transmit. In addition, they need more computation and are more expensive [12], [13].

(2) Homomorphic signature schemes based on the Weil pairing over elliptic curves were introduced for the first time by Charles, Jain and Lauter [22]. In this scheme, the calculation of the signature covers a whole augmented message. Yu et al. [14] proposed a homomorphic signature function which allows the relay nodes to verify a received message by generating the signatures and without contacting the source. In Yu's scheme, the communication does not need any extra secure channel.

(3) The basic definition of a homomorphic MAC was given by Agrawal et al. [18]. The idea relies only on collusion resistance and is susceptible to tag pollution attacks. Kehdi et al. [20] presented a homomorphic MAC scheme which uses null keys for verification. As it introduces a lot of null keys in each generation, it could incur a high bandwidth overhead, and it is vulnerable to tag pollution attacks. RIPPLE [19] was proposed to counteract the tag pollution problem. Global synchronization among all nodes is the problem of this scheme. In [21], the authors presented a hybrid-key cryptography approach which could protect against both data and tag pollution. They append some tags and a signature which could resist both data and tag pollution attacks. Later, the authors in [23] proposed a hybrid-key method to prepare both polluted packets and locations of attackers. They introduced a homomorphic MAC scheme which is a cooperative defense system that could protect messages against data and tag pollution attacks. The comparison of those algorithms is summarized in Table III.

TABLE III
COMPARISON OF RELATED WORKS IN TERMS OF KEY TYPE, DATA AND TAG POLLUTION RESISTANCE

Scheme         Type of Key    Data pollution    Tag pollution
[16]           Symmetric      Y                 N
MacSig [21]    Hybrid         Y                 Y
RIPPLE [19]    Symmetric      Y                 Y
MSXOR          Hybrid         Y                 Y

VI. CONCLUSION AND FUTURE WORK

In this paper, we study how to achieve authentication in an XOR-coded network. We consider adversaries who can mount both normal and tag pollution attacks. The basic idea is to append some MACs and a signature for those MACs; the scheme also exploits probabilistic key pre-distribution. We propose a hybrid-key based authentication scheme, called MSXOR, and our demonstration shows that it can effectively resist both normal and tag pollution attacks, while incurring lower bandwidth and computation overhead than the existing one. The drawback of appending all MACs that belong to multiple sources will be studied in future work. Proposing an efficient MAC-Signature scheme based on normal network coding also remains for future work.

ACKNOWLEDGMENT

The research leading to these results has received funding from FEDER through Programa Operacional Factores de Competitividade COMPETE and national funding from FCT Fundação para a Ciência e a Tecnologia under the project PTDC/EEA-TEL/119228/2010 SMARTVISION, and from the European Community's Seventh Framework Programme [FP7/2007-2013] under grant agreement n° 285969 [CODELANCE]. The authors would also like to acknowledge the project N. 23183 NEWPASS, co-financed by the European Funds for Regional Development (FEDER) by COMPETE (POFC) of QREN, and labelled as CA206-NewP@ss by the European EUREKA-CATRENE programme.

REFERENCES

[1] R. Ahlswede, N. Cai, S. R. Li, and R. W. Yeung, “Network Information Flow,” IEEE Transactions on Information Theory, vol. 46, no. 4, pp. 1204-1216, July 2000.
[2] S. Chachulski, M. Jennings, S. Katti, and D. Katabi, “Trading structure for randomness in wireless opportunistic routing,” in Proc. of ACM SIGCOMM, Aug. 2007.
[3] D. Petrovic, K. Ramchandran, and J. Rabaey, “Overcoming Untuned Radios in Wireless Networks with Network Coding,” IEEE Transactions on Information Theory, vol. 52, no. 6, pp. 2649-2657, 2006.
[4] C. Gkantsidis and P. Rodriguez, “Network Coding for Large Scale File Distribution,” in Proc. IEEE INFOCOM, 2005.
[5] Y. Wu, P. A. Chou, and S.-Y. Kung, “Minimum-energy multicast in mobile ad hoc networks using network coding,” IEEE Trans. on Communications, vol. 54, no. 11, Nov. 2005.
[6] S. Y. R. Li and R. W. Yeung, “Linear Network Coding,” IEEE Transactions on Information Theory, vol. 49, no. 2, pp. 371-381, 2003.
[7] T. Ho, R. Koetter, M. Médard, D. R. Karger, and M. Effros, “The Benefits of Coding over Routing in a Randomized Setting,” in Proc. IEEE Intl Symp. Information Theory, 2003.
[8] S. Katti, H. Rahul, W. Hu, D. Katabi, M. Médard, and J. Crowcroft, “XORs in The Air: Practical Wireless Network Coding,” in ACM SIGCOMM, 2006.
[9] Y. Wu, P. Chou, and S. Kung, “Information Exchange in Wireless Networks with Network Coding and Physical Layer Broadcast,” in CISS, 2005.
[10] T. Ho, B. Leong, R. Koetter, M. Médard, M. Effros, and D. Karger, “Byzantine modification detection in multicast networks using randomized network coding,” in Proc. of IEEE International Symposium on Information Theory, Jun. 2004.
[11] S. Jaggi, M. Langberg, S. Katti, T. Ho, D. Katabi, and M. Médard, “Resilient network coding in the presence of byzantine adversaries,” in Proc. of IEEE INFOCOM, May 2007.
[12] M. Krohn, M. Freedman, and D. Mazieres, “On-the-fly verification of rateless erasure codes for efficient content distribution,” in Proc. of IEEE Symposium on Security and Privacy, May 2004.
[13] C. Gkantsidis and P. Rodriguez, “Cooperative security for network coding file distribution,” in Proc. of IEEE INFOCOM, Apr. 2006.
[14] Z. Yu, Y. Wei, B. Ramkumar, and Y. Guan, “An efficient signature-based scheme for securing network coding against pollution attacks,” in Proc. of IEEE INFOCOM, Apr. 2008.
[15] F. Zhao, T. Kalker, M. Medard, and K. J. Han, “Signatures for content distribution with network coding,” in Proc. of IEEE International Symposium on Information Theory, Jun. 2007.
[16] Z. Yu, Y. Wei, B. Ramkumar, and Y. Guan, “An efficient scheme for securing XOR network coding against pollution attacks,” in Proc. of IEEE INFOCOM, Apr. 2009.
[17] D. Boneh, D. Freeman, J. Katz, and B. Waters, “Signing a linear subspace: Signature schemes for network coding,” in Proc. of International Conference on Practice and Theory in Public Key Cryptography, 2009.
[18] S. Agrawal and D. Boneh, “Homomorphic MACs: MAC-based integrity for network coding,” in Proc. of International Conference on Applied Cryptography and Network Security, Jun. 2009.
[19] Y. Li, H. Yao, M. Chen, S. Jaggi, and A. Rosen, “RIPPLE authentication for network coding,” in Proc. of IEEE INFOCOM, Mar. 2010.
[20] E. Kehdi and B. Li, “Null keys: limiting malicious attacks via null space properties of network coding,” in Proc. of IEEE INFOCOM, Apr. 2009.
[21] P. Zhang, Y. Jiang, C. Lin, H. Yao, A. Wasef, and X. Shen, “Padding for orthogonality: Efficient subspace authentication for network coding,” in Proc. IEEE INFOCOM, pp. 1026-1034, 2011.
[22] D. Charles, K. Jain, and K. Lauter, “Signatures for network coding,” in Proc. 40th Annual Conf. Inf. Sci. Syst., pp. 857-863, 2006.
[23] A. Le and A. Markopoulou, “Cooperative Defense Against Pollution Attacks in Network Coding Using SpaceMac,” IEEE Journal on Selected Areas in Communications, vol. 30, no. 2, pp. 442-449, February 2012.
[24] Z. Yu and Y. Guan, “Key Pre-Distribution Scheme Using Deployment Knowledge for Wireless Sensor Networks,” in IEEE/ACM IPSN, 2005.