31-10-2016, 12:27 PM
1462431761-MABS20Multicast20Authentication20Based20on20Batch20Signature.pdf (Size: 2.03 MB / Downloads: 3)
Abstract—Conventional block-based multicast authentication schemes overlook the heterogeneity of receivers by letting the sender
choose the block size, divide a multicast stream into blocks, associate each block with a signature, and spread the effect of the
signature across all the packets in the block through hash graphs or coding algorithms. The correlation among packets makes them
vulnerable to packet loss, which is inherent in the Internet and wireless networks. Moreover, the lack of Denial of Service (DoS)
resilience renders most of them vulnerable to packet injection in hostile environments. In this paper, we propose a novel multicast
authentication protocol, namely MABS, including two schemes. The basic scheme (MABS-B) eliminates the correlation among packets
and thus provides the perfect resilience to packet loss, and it is also efficient in terms of latency, computation, and communication
overhead due to an efficient cryptographic primitive called batch signature, which supports the authentication of any number of packets
simultaneously. We also present an enhanced scheme MABS-E, which combines the basic scheme with a packet filtering mechanism
to alleviate the DoS impact while preserving the perfect resilience to packet loss.
INTRODUCTION
MULTICAST [1] is an efficient method to deliver multimedia
content from a sender to a group of receivers
and is gaining popular applications such as realtime stock
quotes, interactive games, video conference, live video
broadcast, or video on demand. Authentication is one of
the critical topics in securing multicast [2], [3], [4], [5], [6],
[7] in an environment attractive to malicious attacks.
Basically, multicast authentication may provide the following
security services:
1. Data integrity: Each receiver should be able to
assure that received packets have not been modified
during transmissions.
2. Data origin authentication: Each receiver should be
able to assure that each received packet comes from
the real sender as it claims.
3. Nonrepudiation: The sender of a packet should not be
able to deny sending the packet to receivers in case
there is a dispute between the sender and receivers.
All the three services can be supported by an asymmetric
key technique called signature. In an ideal case, the sender
generates a signature for each packet with its private key,
which is called signing, and each receiver checks the validity
of the signature with the sender’s public key, which is
called verifying. If the verification succeeds, the receiver
knows the packet is authentic.
Designing a multicast authentication protocol is not an
easy task. Generally, there are following issues in real world
challenging the design. First, efficiency needs to be
considered, especially for receivers. Compared with the
multicast sender, which could be a powerful server,
receivers can have different capabilities and resources. The
receiver heterogeneity requires that the multicast authentication
protocol be able to execute on not only powerful
desktop computers but also resource-constrained mobile
handsets. In particular, latency, computation, and communication
overhead are major issues to be considered. Second,
packet loss is inevitable. In the Internet, congestion at
routers is a major reason causing packet loss. An overloaded
router drops buffered packets according to its preset control
policy. Though TCP provides a certain retransmission
capability, multicast content is mainly transmitted over
UDP, which does not provide any loss recovery support. In
mobile environments, the situation is even worse. The
instability of wireless channel can cause packet loss very
frequently. Moreover, the smaller data rate of wireless
channel increases the congestion possibility. This is not
desirable for applications like realtime online streaming or
stock quotes delivering. End users of online streaming will
start to complain if they experience constant service
interruptions due to packet loss, and missing critical stock
quotes can cause severe capital loss of service subscribers.
Therefore, for applications where the quality of service is
critical to end users, a multicast authentication protocol
should provide a certain level of resilience to packet loss.
Specifically, the impact of packet loss on the authenticity of
the already-received packets should be as small as possible.
Efficiency and packet loss resilience can hardly be
supported simultaneously by conventional multicast schemes. As is well known that existing digital signature
algorithms are computationally expensive, the ideal approach
of signing and verifying each packet independently
raises a serious challenge to resource-constrained devices.
In order to reduce computation overhead, conventional
schemes use efficient signature algorithms [8], [9] or
amortize one signature over a block of packets [10], [11],
[12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23],
[24], [25], [26] at the expense of increased communication
overhead [8], [9], [10], [11] or vulnerability to packet loss
[12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23],
[24], [25], [26].
Another problem with schemes in [8], [9], [10], [11], [12],
[13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24],
[25], [26] is that they are vulnerable to packet injection by
malicious attackers. An attacker may compromise a multicast
system by intentionally injecting forged packets to
consume receivers’ resource, leading to Denial of Service
(DoS). Compared with the efficiency requirement and packet
loss problems, the DoS attack is not common, but it is still
important in hostile environments. In the literature, some
schemes [27], [28], [29], [30], [31], [32] attempt to provide the
DoS resilience. However, they still have the packet loss
problem because they are based on the same approach as
previous schemes [10], [11], [22], [23], [24], [25], [26].
Recently, we demonstrated that batch signature schemes
can be used to improve the performance of broadcast
authentication [5], [6]. In this paper, we present our
comprehensive study on this approach and propose a novel
multicast authentication protocol called MABS (in short for
Multicast Authentication based on Batch Signature). MABS
includes two schemes. The basic scheme (called MABS-B
hereafter) utilizes an efficient asymmetric cryptographic
primitive called batch signature [33], [34], [35], [36], [37], [38],
[39], [40], [41], [42], [43], [44], which supports the
authentication of any number of packets simultaneously
with one signature verification, to address the efficiency
and packet loss problems in general environments. The
enhanced scheme (called MABS-E hereafter) combines
MABS-B with packet filtering to alleviate the DoS impact
in hostile environments. MABS provides data integrity,
origin authentication, and nonrepudiation as previous
asymmetric key based protocols. In addition, we make the
following contributions:
1. Our MABS can achieve perfect resilience to packet
loss in lossy channels in the sense that no matter
how many packets are lost the already-received
packets can still be authenticated by receivers.
2. MABS-B is efficient in terms of less latency,
computation, and communication overhead. Though
MABS-E is less efficient than MABS-B since it
includes the DoS defense, its overhead is still at the
same level as previous schemes.
3. We propose two new batch signature schemes based
on BLS [36] and DSA [38] and show they are more
efficient than the batch RSA [33] signature scheme.
The rest of the paper is organized as follows: We briefly
review related work in Section 2. Then, we present a basic
scheme for lossy channels in Section 3, which also includes
three batch signature schemes based on RSA [33], BLS [36