Comparison analysis in Multicast Authentication based on Batch Signature (MABS) in Network Security
Srikanth Bethu a, K Kanthi Kumar b, MD Asrar Ahmed c, S. Soujanya d
a Assistant Professor, Department of Computer Science and Engineering, Holymary Institute of Technology and Science, JNTU Hyderabad - 501 301 India, Contact: [email protected]
b Associate Professor, Department of Electronics and Communications Engineering, Holymary Institute of Technology and Science, Hyderabad
c M.Tech, Department of Computer Science and Engineering, Osmania University, Hyderabad
d Assistant Professor, Department of Computer Science and Engineering, Holymary Institute of Technology and Science, JNTU Hyderabad
Conventional block-based multicast authentication schemes overlook the heterogeneity of receivers by letting the sender choose the block size, divide a multicast stream into blocks, associate each block with a signature, and spread the effect of the signature across all the packets in the block through hash graphs or coding algorithms. The correlation among packets makes them vulnerable to packet loss, which is inherent in the Internet and wireless networks. Moreover, the lack of Denial of Service (DoS) resilience renders most of them vulnerable to packet injection in hostile environments. In this paper, we propose a novel multicast authentication protocol, namely MABS, including two schemes. The basic scheme (MABS-B) eliminates the correlation among packets and thus provides perfect resilience to packet loss; it is also efficient in terms of latency, computation, and communication overhead due to an efficient cryptographic primitive called batch signature, which supports the authentication of any number of packets simultaneously. We then discuss the comparisons and performance evaluation in terms of packet loss, comparisons over lossy channels, comparisons of signature schemes, computational overheads, etc.
Keywords: Denial of Service (DoS), MABS, MABS-B, Signature Schemes.
1. INTRODUCTION
Generally, the following real-world issues challenge the design. Efficiency: while the sender of multimedia content is usually a powerful server, receivers can have different capabilities and resources. Resilience to packet loss: packets may be lost during wireless transmission; in the Internet, congestion at routers is a major cause of packet loss. Resilience to denial of service (DoS) attacks: forged packets injected into a multicast stream increase the workload of receivers and cause the drop of authentic packets, leading to DoS. A certain level of resilience to DoS attacks should be provided. Recently, batch signature schemes have been used to improve the performance of broadcast authentication [2], [3].

In this paper, we present a comprehensive study on this approach and propose a novel multicast authentication protocol called MABS. MABS uses an efficient asymmetric cryptographic primitive called batch signature [3], [4], [5], which supports the authentication of any number of packets simultaneously with one signature verification, to address the efficiency and packet loss problems. MABS provides data integrity, data origin authentication, and non-repudiation. In addition, we make the following contributions:
(i) Our MABS can achieve perfect resilience to packet loss in lossy channels, in the sense that no matter how many packets are lost, the already received packets can still be authenticated by receivers.
(ii) MABS-B is efficient in terms of less authentication latency, computation, and communication overhead, though MABS-E is less efficient than MABS-B since it includes the DoS defense.
(iii) We propose two new batch signature schemes based on BLS and DSA and show they are more efficient than the batch RSA [5] signature scheme.
The definition of the host group model provides a summary of the key properties of multicast: a host group is a set of network entities sharing a common identifying multicast address, all receiving any data packets addressed to this multicast address by senders (sources) that may or may not be members of the same group and have no knowledge of the group's membership. This definition highlights the three main properties of multicast:
(i) All members receive all packets sent to the address: multicast routing delivers all packets sent to the multicast address to all members of the multicast group.
(ii) Open group membership: multicast provides an open group model and allows group membership to be transparent to the source.
Multicast routers execute a multicast routing protocol to define delivery paths that enable the forwarding of multicast datagrams across an internetwork. The Distance Vector Multicast Routing Protocol (DVMRP) is a distance-vector routing protocol, and Multicast OSPF (MOSPF) is an extension to the OSPF link-state unicast routing protocol.

A multicast protocol enables a sender to efficiently disseminate digital media data to many receivers. Due to the time-sensitive requirement of some applications, a reliable transmission protocol like TCP (Transmission Control Protocol) is impractical for multicast. Therefore, an unreliable transmission protocol such as UDP (User Datagram Protocol) is generally adopted for multicast applications. Multicast protocol is suitable for many applications, e.g. video transmissions, live broadcasts, stock quotes, or news feeds. These applications may have many receivers or distribute time-sensitive data. To ensure secure communications between a sender and its receivers, it is important to implement security measures in a multicast environment.

Table 1
Difference between TCP, UDP

TCP                                                        | UDP
Reliable                                                   | Unreliable
Connection-oriented                                        | Connectionless
Segment retransmission and flow control through windowing  | No windowing or retransmission
Acknowledge segments                                       | No acknowledgement
These properties of multicast lead to security issues and vulnerabilities for two reasons: either the issues are multicast-specific, or the issues also exist in unicast but the unicast solutions do not apply. The three multicast properties lead to vulnerabilities, and there are areas of research that provide solutions to these issues. The multicast model delivers any traffic sent to the multicast address to the entire group. This means that any host can send data to the multicast group. This leads to two problems. First, group members need to be able to verify that messages received are from the intended source. Multicast source authentication solutions have been proposed to provide this functionality. Second, there should be mechanisms to restrict unauthorized sources from sending data to multicast groups, due to the potential for denial-of-service attacks. Multicast sender access control solutions are necessary to defend against this threat.
2. COMPARISON AND PERFORMANCE EVALUATION
In this section, we evaluate MABS performance in terms of resilience to packet loss, efficiency, authentication latency and DoS resilience. As we discussed before, MABS does not assume any particular underlying signature algorithm. This is also true for all the literature multicast authentication schemes referenced in this paper. Therefore, all the discussions and evaluations of MABS and the literature works are under the assumption that they are using the same underlying signature algorithm.

We consider the authentication of digital streams over a lossy network. The overall approach taken is graph-based, as this yields simple methods for controlling overhead, delay, and the ability to authenticate, while serving to unify many previously known hash- and MAC-based techniques. The loss pattern of the network is defined probabilistically, allowing both bursty and random packet loss to be modeled. The main challenges are fourfold. First, authenticity must be guaranteed even when only the sender of the data is trusted. Second, the scheme needs to scale to potentially millions of receivers. Third, streamed media distribution can have high packet loss. Finally, the system needs to be efficient to support fast packet rates.

We use simulations to evaluate the resilience to packet loss. The metric here is the verification rate, i.e., the ratio of the number of authenticated packets to the number of received packets. We compare MABS with some well-known loss tolerant schemes: EMSS, augmented chain, PiggyBack and tree chain. These schemes are representatives of graph chaining, tree chaining, and erasure coding schemes and are widely used in performance evaluation in the literature. For EMSS we choose the chain configuration, which has the best performance among all the configurations of length. For AugChain, we choose the chain configuration. For PiggyBack, we choose two class priorities. For Tree chain [1], we choose the binary tree.
For all these schemes, we choose the block size of 256 packets and simulate over 100 blocks. We consider the random loss and the burst loss with a maximum loss length of 10 packets.

Figure 1. Verification rate under the random loss model

The verification rates under different loss rates are given in the figures below. Our MABS and Tree schemes have perfect resilience to packet loss, in the sense that all the received packets can be authenticated. This is because all the packets in MABS and Tree schemes are independent from each other.
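The verification-rate simulation described above, as an added example that is not part of the paper: it reproduces the metric (authenticated packets over received packets), the block size of 256, the 100 blocks, and the random and burst loss models with a maximum burst of 10, and contrasts a scheme whose packets depend on each other with one whose packets are independent. The chained scheme is a one-hash simplification of EMSS-style graph chaining (an assumption of this example, not the exact EMSS configuration the paper simulates), and the burst model's event probability is a constructed choice.

```python
import random

BLOCK = 256       # packets per block, as in the paper's simulation
BLOCKS = 100      # number of blocks simulated
MAX_BURST = 10    # maximum burst length in the burst-loss model

def random_loss(n, rate, rng):
    """Each packet is lost independently with probability `rate`."""
    return [rng.random() >= rate for _ in range(n)]

def burst_loss(n, rate, rng):
    """Loss events erase 1..MAX_BURST consecutive packets; the event
    probability is scaled so the long-run loss fraction is close to `rate`."""
    received = [True] * n
    avg_burst = (1 + MAX_BURST) / 2
    i = 0
    while i < n:
        if rng.random() < rate / avg_burst:
            burst = rng.randint(1, MAX_BURST)
            for j in range(i, min(n, i + burst)):
                received[j] = False
            i += burst
        else:
            i += 1
    return received

def chain_verified(received):
    """One-hash chain (simplified graph chaining): packet i carries H(packet i-1)
    and the block signature rides on the last packet, so packet i is verifiable
    only if every later packet arrived. The signature is assumed received."""
    verified = 0
    for arrived in reversed(received):
        if not arrived:
            break
        verified += 1
    return verified

def independent_verified(received):
    """MABS-B / Tree style: no inter-packet dependency, so every received
    packet can be authenticated on its own."""
    return sum(received)

def verification_rate(loss_model, rate, scheme, seed=1):
    """Authenticated packets divided by received packets over BLOCKS blocks."""
    rng = random.Random(seed)
    authenticated = received_total = 0
    for _ in range(BLOCKS):
        received = loss_model(BLOCK, rate, rng)
        received_total += sum(received)
        authenticated += scheme(received)
    return authenticated / received_total if received_total else 0.0
```

With no loss both schemes reach a verification rate of 1.0; with 20% loss the chained scheme authenticates only the packets at the tail of each block, while the independent scheme stays at 1.0 under both loss models.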
We consider latency, computation, and communication overhead for efficiency evaluation under lossy channels and DoS channels. The notations used here are defined in Table: (i) all the evaluations are carried out over n packets.
We use simulations to evaluate the resilience to packet loss. The metric here is the verification rate, i.e., the ratio of the number of authenticated packets to the number of received packets. We compare MABS with some well-known loss tolerant schemes: EMSS, augmented chain (AugChain), PiggyBack, tree chain (Tree) and SAIDA [2]. These schemes are representatives of graph chaining, tree chaining and erasure coding schemes and are widely used in performance evaluation in the literature.

Figure 2. Verification rate under the burst loss model with the maximum burst length 10

Figure 3. All the evaluations are carried out over n packets
We consider authentication latency, computation, and communication overhead for efficiency evaluation under lossy channels and DoS channels.
The block-based approach requires each receiver to collect an entire block before authenticating every packet in the block. A larger block size achieves higher computation efficiency, but also incurs longer authentication latency. Our design does not have this authentication latency, because there is no relationship among packets and no limit on the number of packets in batch verification: each receiver can perform the batch verification over its buffered packets whenever the higher-layer application requires.
DoS is a method for an attacker to deplete the resources of a receiver. Processing forged packets from the attacker always consumes a certain amount of resources. The block-based approach has poor resilience to DoS: because there is no filtering, each receiver has to recover the relationship among authentic packets mixed with forged packets. By using a Merkle tree in our design, authentic packets and forged packets are separated into disjoint sets. Batch verification is carried out over each set. Therefore, each batch verification can authenticate a set of packets.
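The Merkle-tree separation just described, as an added example that is not the paper's own code: the sender builds one tree per batch and gives every packet its authentication path, and the receiver recomputes the root each packet claims and groups packets by root, so forged packets fall into sets whose root the batch signature does not cover. SHA-256, the duplicate-last-node padding, the packet layout and the sample packets are assumptions of this example; the batch signature over the root is omitted.

```python
import hashlib

def h(data):  # SHA-256 assumed; the paper does not fix a hash function
    return hashlib.sha256(data).digest()

def merkle_levels(leaves):
    """Build the tree bottom-up; an unpaired last node is duplicated."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def auth_path(levels, index):
    """Sibling hashes from the leaf at `index` up to the root."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        path.append((level[index ^ 1], index & 1))  # (sibling, leaf is right child)
        index //= 2
    return path

def root_from_path(leaf, path):
    node = leaf
    for sibling, is_right in path:
        node = h(sibling + node) if is_right else h(node + sibling)
    return node

def make_packets(payloads):
    """Sender: one tree per batch; the batch signature (omitted) covers the root."""
    levels = merkle_levels([h(p) for p in payloads])
    return levels[-1][0], [(p, auth_path(levels, i)) for i, p in enumerate(payloads)]

def partition_by_root(packets):
    """Receiver: group packets by the root they reconstruct. Forged packets land
    in sets with a different root, so they never pollute the authentic set."""
    groups = {}
    for payload, path in packets:
        groups.setdefault(root_from_path(h(payload), path), []).append(payload)
    return groups

def demo():
    authentic = [b"pkt-%d" % i for i in range(5)]              # constructed packets
    root, packets = make_packets(authentic)
    forged = [(b"forged-1", packets[2][1]),                     # bogus payload, genuine path
              (b"forged-2", [(h(b"junk"), 0)])]                 # bogus path
    return root, partition_by_root(packets + forged)
```

One batch verification over the set keyed by the signed root authenticates all five genuine packets; the two forged packets each end up in their own set and are rejected by the signature check on that set.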
We compare the computation overhead of three batch signature schemes in the table below. RSA and BLS require one modular exponentiation at the sender, and DSA requires two modular multiplications when the r value is computed offline. Usually one c-bit modular exponentiation is equivalent to 1.5c modular multiplications over the same field. Moreover, a c-bit modular exponentiation in DLP is equivalent to a c/6-bit modular exponentiation in BLS for the same security level. Therefore, we can estimate that the computation overhead of one 1,024-bit RSA signing operation is
3. CONCLUSIONS
To reduce the signature verification overheads in the secure multimedia multicasting, block-based authentication schemes have been proposed. Unfortunately, most previous schemes have many problems such as vulnerability to packet loss and lack of resilience to denial of service (DoS) attack. To overcome these problems, we develop a novel authentication scheme MABS. We have demonstrated that MABS is perfectly resilient to packet loss due to the elimination of the correlation among packets and can effectively deal with DoS attack. Moreover, we also show that the use of batch signature can achieve efficiency less than or comparable with the conventional schemes. Finally, we further develop two new batch signature schemes based on BLS and DSA, which are more efficient than the batch RSA signature scheme.

Figure 5. Comparisons over Lossy Channels

Table 2
Given the same security level as 1,024-bit RSA, BLS generates a 171-bit signature and DSA

Schemes | Length (bits)
MD-5    | 125
SHA-1   | 160
RSA     | 1024
BLS     | 171
DSA     | 320
4. REFERENCES
1. S.E. Deering, "Multicast Routing in Internetworks and Extended LANs," Proc. ACM SIGCOMM Symp. Comm. Architectures and Protocols, pp. 55-64, Aug. 1988.
2. T. Ballardie and J. Crowcroft, "Multicast-Specific Security Threats and Counter-Measures," Proc. Second Ann. Network and Distributed System Security Symp. (NDSS 95), pp. 2-16, Feb. 1995.
3. P. Judge and M. Ammar, "Security Issues and Solutions in Multicast Content Distribution: A Survey," IEEE Network Magazine, vol. 17, no. 1, pp. 30-36, Jan./Feb. 2003.
4. Y. Zhou and Y. Fang, "BABRA: Batch-Based Broadcast Authentication in Wireless Sensor Networks," Proc. IEEE GLOBECOM, Nov. 2006.
5. Y. Zhou, Xiaoyan Zhu and Y. Fang, "Multimedia Broadcast Authentication Based on Batch Signature," IEEE Transactions on Mobile Computing, vol. 9, no. 7, pp. 72-77, July 2010.
Srikanth Bethu is currently the Assistant Professor, Holy Mary Institute of Technology and Science, JNTU Hyderabad, Hyderabad. He obtained his Bachelor of Engineering from JNTU Hyderabad. He received his Masters degree in Computer Science and Engineering from Osmania University, Hyderabad.

K Kanthi Kumar is an Associate Professor, Holy Mary Institute of Technology and Science, JNTU Hyderabad, Hyderabad. He has been a Professor since 2010 with the Electronics and Communications Engineering, HITS college, JNTU Hyderabad. During the past 10 years of his service at various institutions he has over 5 research publications in refereed International Journals and Conference Proceedings.

MD Asrar Ahmed is a Software Engineer, Infosys, Hyderabad, since 2011.