1 / 43

Multicast Authentication in Fully Adversarial Networks

Multicast Authentication in Fully Adversarial Networks. A. Lysyanskaya, R. Tamassia, N. Triandopoulos IEEE Symposium on Security and Privacy Oakland, May 2004. Presented by Michael Sirivianos. Outline. Problem Statement Prior Work Preliminaries Crypto Primitives and ECC’s

florence-chan
Télécharger la présentation

Multicast Authentication in Fully Adversarial Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Multicast Authentication in Fully Adversarial Networks A. Lysyanskaya, R. Tamassia, N. Triandopoulos IEEE Symposium on Security and Privacy Oakland, May 2004. Presented by Michael Sirivianos

  2. Outline • Problem Statement • Prior Work • Preliminaries • Crypto Primitives and ECC’s • Network Model and Auth. Framework • Scheme Description • Comparison with other schemes • Conclusions

  3. Multicast Authentication Problem • The underlying network, is controlled byan adversary, which may • (a) drop or delay chosen packets, • (b) rearrange the orderof the packets in an arbitrary way, and • (c) inject new packetsinto the transmitted stream. • Prior work focused on less general models, where random and not selected, packets may be dropped andaltered, or no additional packets may be injected into thestream.

  4. Introduction • Any authentication scheme for multicast streams should verify as many as possible of the received packets without assuming the availability of the entire original stream. • Should resist against any types of attacks by an adversary, even when the adversary controls the underlying network. • Their solution is based on a combination of errorcorrectingcodes with standardcryptographic primitives.

  5. Prior Work • Sender signs all packets and receiver verifies all • Computationally expensive, B/W consuming. • Receiver/Verifier vulnerable to DoS attacks. • Signature amortization • Hash chain, • each packet pi includes ai. ai = h(pi+1). p1 is digitally signed. No packet loss is tolerated • Merkle-tree-based authentication • Each packet contains signed root hash and co-path node hashes. Tolerates losses. • Communication overhead grows logarithmically with the number of packets sent.

  6. Prior Work • Graph-Based Authentication. • Amortizing a signature over multiple hash chains. Tolerates losses. • A single-sink directed acyclic graph where each vertex corresponds to a packet. • A directed edge from packet pi to packet pj indicates that the authentication information aj in packet pj includes the h(pi ). p1 is the sink of the DAG and is digitally signed. • Validation proceeds backward along the edges of the graph. If pj has been validated and edge (pi, pj) exists, the validation of packet pi can be obtained comparing aj with h(pi) . • Offers probabilistic security guarantees.

  7. Hash Chain Authentication • Hash chain authentication • Any packet loss prevents authentication

  8. Graph-based Authentication • Graph based authentication • If we lose Pi and Pi+2, Pi+3 cannot be authenticated. You should not lose P1.

  9. Prior Work • Erasure codes are used to tolerate losses by dispersing packet information over multiple packets. • However a single packet injection by adv. can compromise correctness of the encoding. • Their solution involves one signature operation per stream and a constant sizeauthenticationoverhead per packet and tolerates a bounded non-random adversary.

  10. Contributions • Formally define multicast authentication in an (a, b) fully adversarial network. They define correctness and security of this scheme. • Propose scalable multicast authentication based on digital signatures, crypto hash functions and Reed-Solomon error correcting codes. • Prove correctness/security. All valid packets are recognized and invalid are rejected. • Analyze performance, discuss implementation choices. Transmission overhead is / b/a2

  11. Crypto Primitives • Public key signature scheme • Correct. Probability of the Verification algorithm accepting a correctly obtained signature is 1. • Secure against adaptive chosen-message attacks • Collision Resistant Hash Function H. • Efficient. Takes PT to compute H(x) • Collision Resistant. A probabilistic PT A can obtain x1 ¹ x2 s.t H(x1) = H(x2) with negligible probability

  12. Error Correcting Codes • Let S be an alphabet S = {1, 2, ..., q}, with |S| = q. An error correcting code [n, k]q is a function C : Sk! Sn, n > k • The redundancy helps in correcting up to e errors in a received message. If C(x) is received as y 2 Sn at most e characters of the alphabet in y can be unambiguously corrected to retrieve the original C(x). e depends on the code. • If all symbols of x appear among the symbols of C(x), then the code is systematic. • List-decoding allows to ambiguously correct even more errors. If C(x) is received as y 2 Sn, list-decoding provides a list of candidate messages, s.t. x belongs in this list.

  13. Reed Solomon Code • Based on properties of univariete polynomials over finite fields. • A systematic [n, k+1]q Reed-Solomon code, where k < n · q, consists off: • Alphabet: A finite field Fq with q being a prime power. • Encoder: A functionC: Fqk+1! Fqn, where n > k.

  14. Reed Solomon Encoder • Takes input the parameters n and k, and k+1 points (i, yi), i 2 Fq, yi2 Fq, for 1 · i · k + 1. • Use polynomial interpolation to find a unique polynomial p 2 Fq[x] over Fq and of degree at most k, s.t. p(i) = yi. • Outputs points (i, p(i)), for 1 · i · n. • The ratio n / k < 1 is called the rate of the code. • This is a systematic code.

  15. Reed Solomon Decoder • The decoder takes as input n and k, the max number of errors e, and n points (xi, yi), 1 · i · n and list-decodes. • It outputs a list of polynomials p 2 Fq[x] of degree at most k, s.t. in no more than e values of i, we have yi¹ p(xi) • The used decoder for [n, k+1]q Reed-Solomon code is PT and is due to Guruswami and Sudan.

  16. Reed Solomon Decoder • The GS-Decoder is based on an algorithm that performs polynomial reconstruction • given k and t, and given n points {(xi, yi), 1 · i · n}, where xi, yi2 Fq, find a list of all the polynomials p 2 Fq[x] of degree at most k s.t. yi = p(xi) for at least t values of i.

  17. Network Model • A fully adversarial network is controlled by an adversary. The adversary can: • cause packets of her choice to be lost; • inject packets (either random ones or with a specific malicious structure) • arbitrarily alter, delay or rearrange packets • Reasonable to expect some reliability from the network and that the adversary will not drop or inject too much packets because the receiver will not use and authenticate the received stream.

  18. Network Model • Parameters: • Packets in send stream, n • Packets in received stream, r • Survival rate, a • Flood rate, b • An (a, b)-network • The receiver stream contains at least a¢ nvalidpackets. • The received stream contains at most b¢n packets. • If r < a¢n, the problem is packet loss. • If r > b¢n, the problem is DoS

  19. Authentication Model • The authentication algorithm has input: • (SK, PK): secret and public key. • GID: the group ID • n: the number of packets to be authenticated • a, b: the survival and flood rate. • DP: the data packets to be authenticated. • It outputs the authenticated (signed) packets. • AP = {a1, …an}

  20. Authentication Model • The decoder algorithm has input • PK, GID, n, (a, b) and RP = {r1, … rm}, the received packets. In the absence of adversarial behavior RP = AP. • The decoder • Rejects the input when the # of valid received packets is less than an, or more than (b-a)n packets are injected by the adversary. • Or produces the output packets OP = {p1’,..pn’} pi = Æ corresponds to not received authenticated packet.

  21. Authentication Correctness and Security • The scheme is secure and correct if the adversary A wins negligibly often in this game: • A has access to the auth, thus it can give it input the values (PK, GIDi, ni, ai, bi, DPI) and obtain APi. But, A cannot issue more than one query for the same GID. • A outputs a GID, the values, n, a, b and a set of packets RP.

  22. Authentication Correctness and Security • The adversary wins if: • Violates the (a, b)-correctness property. • Managed to construct RP set s.t. even if it contains at least aini packets of some authenticated packet set APi for GIDi = GID, the decoder failed to identify all the correct packets. • The following must hold: 

  23. Authentication Correctness and Security • (a, b)-correctness property violation. • For some i, the adversary’s query i contained GIDi = GID, ni = n, ai = a, DPi = {p1, … pn} = DP and got APi = {a1, …an} = AP • At least a n of the authenticated packets are in RP. • |RP| ·b n • For some 1 · j · n, pj is the j’th packet in DP, s.t. a corresponding authenticated aj was received. However, it was not decoded correctly, i.e: pj’ <- Decode(PK, GID, a, b, RP), but pj’ ¹ pj

  24. Authentication Correctness and Security • The adversary also wins if: • Violates the security property. • Managed to construct RP set s.t. the decoder outputs packets {p1’, … pk’} that were not authenticated by the authenticator for GID. • The following must hold: 

  25. Authentication Correctness and Security • security property violation. • The authenticator was not queried with GID and n. However, the decoder did not reject, instead output unauthenticated packets. • The authenticator was queried with GID, n, a, b and the original data packets. The decoder does not reject, however an output packet pj’ ¹Æ is different from the original pj.

  26. Scheme Description-Authenticator • On input PK, SK, DP = {p1, pn}, a and b. e 1. For 1 · i · n, compute the hash hi = H(pi). Digitally sign: sà (h1 || h2 || … hn || GID) 2. S = (h1 || h2 || … hn || s) is authentication information. 3. Need to guarantee that if only an packets survive and a large number (b-a)n are injected, the receiver still gets all the authentication information. S is encoded using a [n, pn+1]q Reed-Solomon Code with and 0 < e < 1 (decoder error tolerance)

  27. Reed Solomon Encoder • Takes input the parameters n and k, and k+1 points (i, yi), i 2 Fq, yi2 Fq, for 1 · i · k + 1. • Use polynomial interpolation to find a unique polynomial p 2 Fq[x] over Fq and of degree at most k, s.t. p(i) = yi. • Outputs points (i, p(i)), for 1 · i · n. • The ratio n / k < 1 is called the rate of the code. • This is a systematic code.

  28. Scheme Description-Authenticator 4. Split S into pn+1 substrings of equal size s = If S is not an exact multiple of pn + 1, pad S with 0’s. Each substring is viewed as a value in Fq, with q = 2s. 5. Treat the resulting set of pn+1 field elements as an input to the Reed-Solomon encoder. Compute codeword C(S) using the [n, pn + 1]q Reed-Solomon code. C(S) consists of n elements in Fq, denoted as (s1, . . . , sn). • OutputAP = {a1, . . . , an}, where for 1 · i · n, we have ai = GID || i || pi || si.

  29. Reed Solomon Decoder • The GS-Decoder is based on an algorithm that performs polynomial reconstruction • given k and t, and given n points {(xi, yi), 1 · i · n}, where xi, yi2 Fq, find a list of all the polynomials p 2 Fq[x] of degree at most k s.t. yi = p(xi) for at least t values of i.

  30. Scheme Description-GS-Decoder • On Input: n, a, b, and m points (xi, yi), 1· i · m. 1. Run the GS-Decoder, on input and get L. If L is empty, reject. 2. Process L = {Q1(x), . . . ,Qf(x)} for each Qj(i) 2 L, evaluate Qj(i) for 1 · i ·pn + 1 and let the string Qj(1) || Qj(2) ||· · ·|| Qf(pn + 1) be a candidate codeword ci. • Output: List of all computed candidates {c1, . . . , cf} or reject.

  31. Scheme Description-Their Decoder • On Input: PK, GID, n, a, b, and received packets RP = {r1,… rm} 1. View ri2 RP as ri = GIDi || ji || pi || si 2. Discard non conforming packets, e.g GIDi¹ GID or jiÏ [1..n] .Let (r1’, … rm’) be the remaining in RP. 3. If m’ < an or m’ > bn reject 4. For 1 · i · m’, set (xi, yi) = (ji, si) 5. Run Modified GS-decoder on n, a, b, and the m’ points (xi, yi). If it rejects reject, o.w. obtain candidate codewords for S, (ci … cf)

  32. Scheme Description-Decoder 6. For 1 · i · n, set hi = Æ, j = 1. While j · f • Parse cj as string h1j || … hnj || s • If VerifyPK(GID|| h1j || … hnj, s) = 1 set hi = hij and break; o.w. increase j 7. If hi = Æ for 1 · i · n, reject. Else compute the output packets. As follows: • Initialize pi’ = Æ, 1 · i · n. • For 1 · i · m’: View ri as ri = GID || j || pj || sj, s.t. j 2 [1..n] If H(pj) = hj, set pj’ = pj . 8. Output {pi’,… pn’}

  33. Proof of correctness & security • Proof by contradiction: Suppose there is adversary A who manages to break the (a, b)-correctness or security of the scheme with non-negligibleprobabilityp(k). Then one of these events must be true: • With probability (at least) p(k)/2, A violates the (a, b)-correctness property. • With probability (at least) p(k)/2, A violates the security property. • They show that a non-negligible probability of either events contradicts the security properties of the used signature scheme and hash function

  34. Correctness-Proof sketch • Prove the claim by exhibiting a reduction. This reduction transforms an attack that violatesthe correctnessof their scheme, into an attack on the underlying signaturescheme. • Input to reduction is the PK. Reduction gets oracle access to the signer. It sets up PK = (PKs, H). • Invokes the adversary on input PK • Now needs to answer adversaries queries to authenticator.

  35. Correctness Proof sketch • The reduced authenticator in order to respond to a query (GIDi, ai, bi, ni, DPi) runs with the following modification: • Don’t compute signature sI obtain it my querying the sign oracle. • Everything else proceeds as before. • The view of the adversary in this reduction is identical to the real-life view. • Thus, with same prob. A violates the correctness property. • The following hold for its output.

  36. Correctness Proof Sketch • (a, b)-correctness property violation. • For some i, the adversary’s query i contained GIDi = GID, ni = n, ai = a, DPi = {p1, … pn} = DP and got APi = {a1, …an} = AP • At least a n of the authenticated packets are in RP. • |RP| ·b n • For some 1 · j · n, pj is the j’th packet in DP, s.t. a corresponding authenticated aj was received. However, it was not decoded correctly, i.e: pj’ <- Decode(PK, GID, a, b, RP), but pj’ ¹ pj

  37. Security Proof sketch • Set up the reduction in exactly the sameway as before. The adversary’sview in the reduction is the same as in real life. • So, as often as in real life, the adversary will violate the securityproperty of their scheme, namely, one of the followingwill hold: • The authenticator was not queried with GID and n. However, the decoder did not reject, instead output unauthenticated packets. • The authenticator was queried with GID, n, a, b and the original data packets. The decoder does not reject, however an output packet pj’ ¹Æ is different from the original pj.

  38. Analysis • Authenticator computational cost: • n constant cost hashes and one signature • Reed-Solomon is a poly-interpolation of pn+1 positions and poly-evaluation in n – pn-1 positions. Requires O(nlogn) field ops • Decoder computational cost: • O(n2) processing time and O(1) signature verifications and O(n) hash values are computed.

  39. Analysis • Communication cost: • The total size of authentication information is • So, constant per-packet overhead • The larger the p, the smaller the overhead. Largerp means larger a and/or smaller b.

  40. Comparisons

  41. Conclusion • General framework for the multicast authentication problem in network controlled by bounded adversary. Which is the most realistic! • Unlike previous works does not address just randomly erroneous networks but fully adversarial ones. • Shown to be secure as the sign-all solution but incurs constant overhead • Decouples verification and attack detection using the an and bn thresholds

  42. Discussion • How to determine the a, b parameters in a pragmatic way? (The adv. could inject enough packets to prevent authentication without triggering a DDoS alarm. Could drop enough packets to prevent authentication without excessive packet loss) • In Merkle trees the computational cost is O(n) while in this scheme it is O(n^2). However, its communication cost scales much better. • Implementation? • Other ECC’s? • Uses the signature crypto primitive to unambiguously list-decode an ECC.

  43. Thank you

More Related