INTERNATIONAL JOURNAL OF COMMUNICATION SYSTEMS Int. J. Commun. Syst. 2009; 22:1069–1087 Published online 8 December 2008 in Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/dac.988
MLCC: A new hash-chained mechanism for multicast source authentication
H. Eltaief∗,† and H. Youssef
Research Unit PRINCE ISITCom of Hammam Sousse, University of Sousse, Tunisia
SUMMARY
Asymmetric cryptography has been widely used to generate a digital signature for message authentication. However, such a strategy cannot be used for packet authentication: neither the source nor the receiver will be capable of handling the computational cost of asymmetric cryptography. For unicast communication, the solution adopted is based on symmetric cryptography. Solutions based on symmetric cryptography do not scale for multicast communication. Several solutions have been reported to authenticate multicast streams in the presence of packet losses. Proposed solutions are based on the concept of signature amortization, where a single signature is amortized over several packets. In this paper we present a new mechanism for multicast data source authentication based on signature amortization. Multi-layers connected chains (MLCC) divides the packet stream into a multi-layer structure, where each layer is a two-dimensional matrix. The hash of a packet is included in a forward chain of packets within the same layer as well as in a downward chain of packets across multiple layers. The values of the key parameters that influence the mechanism's efficiency and performance are selected following a mathematical analysis. Comparisons of performance results with the well-known efficient multi-chained stream signature scheme, as well as with the recently reported multiple connected chains model, show that the proposed mechanism achieves a stronger resistance to packet losses with low overhead and high authentication probability. Copyright © 2008 John Wiley & Sons, Ltd.
Received 11 June 2008; Revised 15 September 2008; Accepted 28 October 2008
KEY WORDS: multicast source authentication; signature amortisation; overhead; loss resistance; authentication probability
1. INTRODUCTION
Nowadays, numerous applications require group communication, such as the distribution of stock quotes, Pay Per View services, videoconferencing, TV and radio broadcasts, etc. Among the security requirements of several of these multicast applications is the authentication of the data source.
∗ Correspondence to: H. Eltaief, Research Unit PRINCE ISITCom of Hammam Sousse, University of Sousse, Tunisia. † E-mail: [email protected]
Asymmetric cryptography has been widely used to generate a digital signature for message authentication. However, such a strategy cannot be used for packet authentication, especially in the case of high data rates: neither the source nor the receiver will be capable of handling the high computational cost of asymmetric cryptography. In the case of unicast communication, the solution adopted is based on symmetric cryptography, where the sender and receiver share the same secret key. Solutions based on symmetric cryptography do not scale for multicast and broadcast communication. Signing each packet in the stream for the purpose of authentication results in a great computation and communication overhead at both the sender and the receivers, even if fast signing algorithms are used [1, 2]. To avoid this problem, the most efficient alternative is to amortize a single signature over a group of packets. The mechanisms that use such an alternative are known as amortization mechanisms or hash-chained mechanisms. They are usually efficient in terms of overhead [3, 4]. The most used such mechanisms are efficient multi-chained stream signature (EMSS) [5] and augmented chain [6]. They append the hash of a packet to several other packets in order to increase robustness against packet losses and achieve a higher authentication probability, at the expense of an overhead increase. Most reported schemes randomly select the number of hashes appended to each packet. They also lack a rigorous mathematical analysis of the chain structure to evaluate their efficiency in terms of loss resistance and overhead. How to construct the hash chains remains an open problem [7]. In this paper we introduce a new hash chain construction mechanism called multi-layers connected chains (MLCC). It is an amortization mechanism that seeks to achieve a strong resistance against packet losses while reducing the overhead.
The MLCC mechanism constructs multiple connected (MC) chains; each chain connects some packets together, and the chains are arranged in layers. Increasing the number of chains, the number of packets per chain, or both improves the packet loss resistance of MLCC and reduces the overhead. The parameters that have the most impact on MLCC performance are determined in advance through a rigorous mathematical analysis. The proposed analytical model also allows the evaluation of various performance metrics of MLCC, such as the authentication probability. Another contribution of this paper is an analytical evaluation of EMSS in terms of overhead and authentication probability. This paper is organized as follows. Section 2 presents previous work on stream authentication schemes. In Section 3 we introduce the MLCC model. In Section 4 we analyze the efficiency of the proposed scheme in terms of overhead and loss resistance. Section 4 also presents the analysis of the authentication probability as well as the buffer and delay requirements for both the MLCC sender and receiver. A performance comparison with other approaches of the same category is presented in Section 5. We conclude in Section 6.
2. RELATED WORK
One solution to the multicast authentication problem is to use the private key of the sender to sign a hash of each packet of the message. This solution suffers from high computation and communication overheads, since signature algorithms require large computation and produce relatively large signatures (about 1024 bits) [8]. To solve the multicast authentication problem, two categories of approaches have been proposed: designing more efficient signature schemes, and amortizing the cost of a signature over several packets. For the first category, efficient digital signature schemes have been proposed by Rohatgi [1] and Wong and Lam [2]. Although these schemes overcome the computational problem, they suffer from a communication overhead problem, which makes them impractical for real-time applications (e.g. live broadcast). Perrig [9] proposed BIBA, a one-time signature and broadcast authentication protocol. BIBA has a low verification overhead and a relatively small signature size. BIBA improves on the computation overhead. Further, its communication overhead is slightly smaller than that of a traditional public key signature. However, the process of generating the authentication information is relatively slow, since it requires about 2∗t hash computations, where t is in the order of 1024 bits. Another problem with BIBA is the bandwidth required to distribute the public key (which is in the order of 10 kbytes) of each BIBA instance to all receivers. The second category of approaches consists of amortizing the signature over several packets, as proposed by Wong and Lam [2], Gennaro and Rohatgi [10], and Golle and Modadugu [6]. Early work was done by Gennaro and Rohatgi [10]. The stream is divided into blocks of m packets ($P_1, P_2, P_3, \ldots, P_{m-2}, P_{m-1}, P_m$) and a chain of hashes is used to link each packet to the one preceding it. The hash of $P_m$ ($H(P_m)$) is appended to $P_{m-1}$ to form a new packet ($P'_{m-1}$) containing both $P_{m-1}$ and $H(P_m)$. Then, the hash of $P'_{m-1}$ ($H(P'_{m-1})$) is appended to $P_{m-2}$ to form a new packet ($P'_{m-2}$), which contains both $P_{m-2}$ and $H(P'_{m-1})$. This procedure is repeated until forming $P'_1$, which contains $P_1$ and $H(P'_2)$. Finally, the hash of $P'_1$ ($H(P'_1)$) is signed. Then, the stream sent to the receivers contains the signature of $H(P'_1)$, followed by $P'_1, P'_2, \ldots, P'_{m-1}, P_m$. Upon receiving the stream, each receiver checks the signature of the sender and uses the chain of hashes to authenticate subsequent packets. Although this approach solves the problem of the computation and communication overheads, it has a major drawback: in case of any packet loss, the authentication chain is broken and subsequent packets cannot be authenticated.
However, many multicast applications run over IP networks where packet losses can occur. Therefore, multicast authentication protocols must resist packet losses. Golle and Modadugu [6] solve this problem by appending the hash of a packet to two other packets: the 1st and the $a$th successor packets. Only the final packet $P_m$ is signed using the private key of the sender. Their solution is based on the property that losses over the Internet occur in bursts, and it can resist packet burst losses of length $a-1$. Other enhancements to the basic scheme were proposed in order to resist larger burst losses. However, several burst losses may occur during a block transmission, and the proposed solution is not optimized for this situation. This solution also suffers from the fact that the communication overhead for some packets equals five hashes. For the SHA algorithm, the hash output is 20 bytes; therefore, the communication overhead will be equal to 100 bytes, which is comparable to a signature length. Wong and Lam [2] proposed another solution to the problem of packet losses. In their proposal, the stream is divided into blocks of m packets ($P_1, P_2, \ldots, P_{m-1}, P_m$), where m is a power of 2, and a binary tree of hashes is constructed. The hashes of the m packets correspond to the leaves of the tree and only the root of the tree needs to be signed. Each parent corresponds to the hash of its children. For example, consider the tree of a block of eight packets. The tree will have 8 leaves $H_i$, $i = 1, \ldots, 8$, where $H_i = \mathrm{hash}(P_i)$. Then, the four parent nodes of the leaves are $H_{[i;i+1]} = \mathrm{hash}(H_i \,\|\, H_{i+1})$, $i = 1, \ldots, 7$, where ‘$\|$’ is the concatenation operator. The root is $H_{[1;8]} = \mathrm{hash}(H_{[1;4]} \,\|\, H_{[5;8]})$. In order to authenticate any packet, the sibling of each node along its path to the root and the corresponding signature must be appended.
For example, to authenticate $P_5$, the following sequence must be received: $P_5$, $H_6$, $H_{[7;8]}$, $H_{[1;4]}$, $H_{[1;8]}$, and the signature of $H_{[1;8]}$. The receiver calculates $H_5$, then $H_{[5;6]}$ using $H_5$ and $H_6$. Then, it calculates $H_{[5;8]}$ using $H_{[5;6]}$ and $H_{[7;8]}$. Finally, it calculates $H_{[1;8]}$ using $H_{[5;8]}$ and $H_{[1;4]}$ and checks that the computed $H_{[1;8]}$ equals the received $H_{[1;8]}$ using the received signature. If the check is correct, the received packet is declared authentic. Each packet carries the information required for its authentication. For example, packet $P_5$ carries with it $H_6$, $H_{[7;8]}$, $H_{[1;4]}$, $H_{[1;8]}$, and the signature of $H_{[1;8]}$. Therefore, any packet loss will not affect the ability of the receiver to authenticate packets arriving after the loss. This solution has the drawback of including large authentication information within each packet. If a block contains m packets, then each packet includes $\log_2(m)+1$ hashes in addition to the signature. This amount of authentication information presents an important communication overhead and requires buffering at the receivers, which may be limited in storage resources. Furthermore, the sender must generate the entire tree of hashes prior to the transmission of any packet of the block. The value of m has a large impact on the mechanism performance, since increasing values of m result in lower computational overhead at the expense of larger delay and communication overhead.
Perrig et al. [5, 11, 12] proposed efficient solutions for the authentication problem named timed efficient stream loss-tolerant authentication (TESLA) and EMSS. TESLA is based on authenticating packets using MACs and revealing the MAC keys after a certain time interval. First, the stream is divided into blocks of m packets each. Then, the sender picks a random key $K_m$ and calculates m keys by applying a pseudorandom function ($F$) m times. For example, $K_{m-1} = F(K_m)$, $K_{m-2} = F(K_{m-1})$, and so on. These keys are used to calculate MACs to authenticate the received stream. Considering the transmitted packet $P'_{i-1}$, it consists of packet $P_{i-1}$ itself, the calculated key $K_{i-2}$, and a MAC calculated over $P_{i-1}$ and $K_{i-2}$ using $K_{i-1}$. Packet $P_{i-1}$ is authenticated after receiving $P_i$, where $K_{i-1}$ is revealed. Although these solutions have low communication and computational overhead, they have the major drawback of requiring that the sender and the receivers maintain synchronized clocks. Also, TESLA does not resist packet losses. EMSS, the second solution proposed by Perrig et al.
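The Wong and Lam hash-tree authentication of $P_5$ described above, worked through as an added Python example (not code from the paper): it builds the tree over eight constructed packets, extracts the sibling hashes $H_6$, $H_{[7;8]}$, $H_{[1;4]}$ that travel with $P_5$, and recomputes $H_{[1;8]}$ on the receiver side. SHA-256 is assumed as the hash function, and the signed root stands in for the signature (already verified).

```python
import hashlib


def h(data: bytes) -> bytes:
    # Hash function assumed for this example; the tree itself is hash-agnostic.
    return hashlib.sha256(data).digest()


def build_tree(packets):
    """Wong-Lam hash tree: levels[0] holds the leaves H_i = hash(P_i), each
    parent is hash(left || right), and levels[-1] is [H_[1;m]], the root."""
    level = [h(p) for p in packets]
    levels = [level]
    while len(level) > 1:
        level = [h(level[k] + level[k + 1]) for k in range(0, len(level), 2)]
        levels.append(level)
    return levels


def auth_path(levels, idx):
    """Authentication information for leaf idx (0-based): the sibling of every
    node on the path to the root, bottom-up, with a flag telling whether the
    sibling is the left child. For P_5 of 8 packets: H_6, H_[7;8], H_[1;4]."""
    path = []
    for level in levels[:-1]:
        sib = idx ^ 1
        path.append((level[sib], sib < idx))
        idx //= 2
    return path


def verify(packet, path, signed_root):
    """Receiver side: recompute the root from the packet and its path and
    compare it with the root whose signature has already been checked."""
    node = h(packet)
    for sib, sib_is_left in path:
        node = h(sib + node) if sib_is_left else h(node + sib)
    return node == signed_root


# Constructed block of m = 8 packets.
PACKETS = [b"packet %d" % i for i in range(1, 9)]

if __name__ == "__main__":
    levels = build_tree(PACKETS)
    root = levels[-1][0]          # H_[1;8]; this is the value the sender signs
    path = auth_path(levels, 4)   # P_5 is index 4
    print(len(path), "sibling hashes + root; P_5 verifies:",
          verify(PACKETS[4], path, root))
```

A packet's path holds $\log_2(m)$ sibling hashes; with the root that is the $\log_2(m)+1$ hashes per packet the text counts, and verification of $P_5$ never depends on any other packet having arrived.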
[5], introduces the notion of redundant hash-chaining, which means that each packet of the stream is hash-linked to several target packets. Thus, even if some packets are lost, a received packet is verifiable if there remains a hash-link path that relates the packet to a signature packet. For a given packet, EMSS chooses target packets randomly. Hence, EMSS provides probabilistic guarantees that a hash-link path remains between the packet and a signature packet, given a certain network packet loss ratio. EMSS operates as follows. When a packet is presented to be sent, the source embeds some hashes of other packets in this packet and computes the overall hash code. This hash code is buffered to be included later in d target packets chosen randomly by the sender (where d is the redundancy degree). In order for the sender to continuously assure the authentication of the stream, the source sends periodic signature packets. To verify the authenticity of received packets, a receiver buffers received packets and waits for their corresponding signature packet. The signature packet carries the hashes that allow the verification of a few packets. These packets carry, in turn, the hashes that allow the verification of other packets, and so on until the authenticity of all received packets is verified. The main drawback of this scheme is that receivers experience latencies before verifying received packets, since they must wait for the signature packet corresponding to the received packets. Finally, Abuein and Shibusawa [13] proposed a graph-based amortization scheme for multicast stream authentication named the MC chains model. Their model achieves stronger resistance against packet loss while reducing the overhead. The proposed scheme divides a stream of N packets into blocks, where each block consists of some packets. A sender appends the hash $H_i$ of a packet $P_i$ to specific other packets to achieve robustness against packet losses. For each block the sender then concatenates hashes of specific packets together and signs them using his private key. The sender sends a signature packet at the end of each block. Appending hashes to other packets and to the signature packets enables the receivers to authenticate the received packets. The main drawback of this scheme is that the sender and receivers have to buffer a relatively large number of packets.
In this paper, we propose MLCC, a new mechanism for multicast source authentication based on signature amortization. Like MC, MLCC is a graph-based amortization scheme. Whereas MC adopts a two-dimensional chaining, MLCC constructs multiple chains arranged in layers, where each layer is a two-dimensional structure. As will be shown in the performance comparison section, the layered structure results in a noticeable improvement with respect to the overhead, loss resistance, and authentication probability, as well as the buffer and delay requirements for both the sender and receiver.
3. MULTI-LAYER CONNECTED CHAINS (MLCC)
The notation used in this paper is presented in Table I.

Table I. Notation.
Symbol           Representation
nmes             the number of messages in the stream
nline            the number of chains in a layer (line number)
ncol             the number of packets in the chains of the same layer (column number)
nhsig            the number of hashes appended in the signature packet
nhcol            the number of packets ($P_{j'}^{i}$) that contain the hash of $P_j^i$ where ($i' = i$, $j' \neq j$)
nhline           the number of packets ($P_{j}^{i'}$) that contain the hash of $P_j^i$ where ($i' \neq i$)
nhline+nhcol     the total number of packets that contain the hash of $P_j^i$
s                the signature size (RSA is 128 bytes)
h                the hash size (for SHA-512, it is equal to 64 bytes)
(not recovered)  the communication overhead per packet in bytes
nsig             the number of signature packets
(not recovered)  the loss resistance
nlay             the number of layers
lb               the length of the expected burst loss
nsigl            the number of consecutive signature losses
(not recovered)  the necessary buffer size
(not recovered)  the total number of hashes added for a stream

A packet $P_j^i$ is defined as a message $M_j^i$ a source sends to the receivers, with the required authentication information appended. $P_j^i$ corresponds to packet number $i + (j \ast \mathit{nline} \ast \mathit{ncol})$ in the original stream, where j indicates the layer and i the order of the packet in that layer ($P_j^i = P_{i + (j \ast \mathit{nline} \ast \mathit{ncol})}$, $1 \le i \le \mathit{nline} \ast \mathit{ncol}$ and $0 \le j \le \mathit{nlay}-1$), and $M_j^i$ corresponds to message number $i + (j \ast \mathit{nline} \ast \mathit{ncol})$ in the original stream ($M_j^i = M_{i + (j \ast \mathit{nline} \ast \mathit{ncol})}$, $1 \le i \le \mathit{nline} \ast \mathit{ncol}$ and $0 \le j \le \mathit{nlay}-1$). MLCC divides a stream of nmes messages into nlay layers, each containing nline∗ncol messages. The source appends the hash $H(P_j^i)$ of a packet $P_j^i$ to other specific packets to achieve robustness against packet losses. Each nhcol+1 consecutive layers form a block. For each block a signature packet $P_{sig}$ is generated. $P_{sig}$ consists of the hashes of specific packets signed using the source private key. This packet is sent by the source at the end of each block. In our proposed MLCC approach, the hash $H(P_j^i)$ of each packet $P_j^i$ is appended to the following packets:
(i) nhline packets $P_j^{i+1}, P_j^{i+\mathit{nline}}, P_j^{i+2 \ast \mathit{nline}}, \ldots, P_j^{i+(\mathit{nhline}-1) \ast \mathit{nline}}$;
(ii) nhcol packets $P_{j+1}^{i}, P_{j+2}^{i}, \ldots, P_{j+\mathit{nhcol}}^{i}$.
Let $A(\mathit{nline}, \mathit{nhline}, \mathit{nhcol})$ denote the set of the packets that contain $H(P_j^i)$, where
$$A(\mathit{nline}, \mathit{nhline}, \mathit{nhcol}) = \{P_j^{i+1}, P_j^{i+\mathit{nline}}, P_j^{i+2 \ast \mathit{nline}}, \ldots, P_j^{i+(\mathit{nhline}-1) \ast \mathit{nline}}, P_{j+1}^{i}, P_{j+2}^{i}, \ldots, P_{j+\mathit{nhcol}}^{i}\} \quad (1)$$
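The chaining rule (i), (ii) of Equation (1) on the sender side, and the receiver-side walk along hash-link paths from the signature packet that EMSS and MC also rely on, as an added Python example (not the paper's code). Assumptions, also marked in comments: SHA-256 as the hash, nline = 2, ncol = 3, nhline = nhcol = 2, one block of nhcol+1 = 3 layers, hashes targeting packets outside the layer or block are dropped, and, since the page does not say which packets form E(nhsig), a signature packet that carries the hashes of the block's last layer.

```python
import hashlib
from collections import defaultdict

# Constructed parameters (names follow Table I); one block = nhcol+1 layers.
P = {"nline": 2, "ncol": 3, "nhline": 2, "nhcol": 2}
P["nlay"] = P["nhcol"] + 1


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # hash function assumed here


def targets(j, i, p=P):
    """A(nline, nhline, nhcol) of Equation (1): the packets that carry H(P_j^i).
    Targets beyond the end of the layer or of the block are dropped (assumption)."""
    size = p["nline"] * p["ncol"]
    forward = [i + 1] + [i + k * p["nline"] for k in range(1, p["nhline"])]
    down = [j + k for k in range(1, p["nhcol"] + 1)]
    return ([(j, t) for t in forward if t <= size] +
            [(t, i) for t in down if t < p["nlay"]])


def digest(pkt):
    """H(P_j^i): hash over the message and every hash appended to the packet."""
    body = b"%d,%d|" % pkt["id"] + pkt["msg"]
    for src in sorted(pkt["hashes"]):
        body += pkt["hashes"][src]
    return h(body)


def build_block(messages, p=P):
    """Sender side. messages: {(j, i): bytes}. Returns the packets in send order
    (layer 0 first) and P_sig, assumed here to hold the hashes of the block's
    last layer (the content it carries once signed)."""
    size = p["nline"] * p["ncol"]
    pending = defaultdict(dict)            # target id -> {source id: H(source)}
    stream = []
    for pid in [(j, i) for j in range(p["nlay"]) for i in range(1, size + 1)]:
        pkt = {"id": pid, "msg": messages[pid], "hashes": dict(pending[pid])}
        hp = digest(pkt)
        for t in targets(*pid, p):
            pending[t][pid] = hp
        stream.append(pkt)
    psig = {q["id"]: digest(q) for q in stream if q["id"][0] == p["nlay"] - 1}
    return stream, psig


def authenticate(received, psig):
    """Receiver side; psig is trusted (its signature is taken as verified).
    A packet is authentic if a trusted copy of its hash matches its digest; its
    appended hashes then become trusted. Hashes always point at later packets,
    so one pass in reverse send order walks every hash-link path."""
    trusted, authentic = dict(psig), set()
    for pkt in sorted(received, key=lambda q: q["id"], reverse=True):
        if trusted.get(pkt["id"]) == digest(pkt):
            authentic.add(pkt["id"])
            trusted.update(pkt["hashes"])
    return authentic
```

With these parameters a packet survives the loss of any single target (for example losing $P_2^3$ and $P_1^2$ leaves every received packet verifiable), while $P_0^3$ becomes unverifiable only when all four of its targets $P_0^4$, $P_0^5$, $P_1^3$, $P_2^3$ are lost.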
Figure 1 shows the hashes appended to each packet according to the MLCC approach. For each block, nhsig hashes are concatenated together and signed using the sender's private key. Let $E(\mathit{nhsig})$ be the set of the nhsig packets that have their hashes appended to $P_{sig}$:
$$E(\mathit{nhsig}) = \{P_{S_1}, P_{S_2}, \ldots, P_{S_{\mathit{nhsig}}}\} \quad (2)$$
where $S_1$