
Distillation Codes and DoS Resistant Multicast (Prepared for CS 624)



  1. Distillation Codes and DOS Resistant Multicast Prepared for CS 624 – Fabian Monrose Johns Hopkins University Ryan Gardner

  2. Multicast Overview. Diagram: Server → Router → Client, Client, Client (the server sends a single copy of each packet; the multicast router replicates it to every subscribed client)

  3. Multicast Overview • Multicast-enabled routers • Group addresses 224.0.0.0 - 239.255.255.255 (class D) • IGMP (Internet Group Management Protocol) • Hosts subscribe to (join) and unsubscribe from (leave) groups

  4. Applications • Interactive applications – Teleconferencing – Video conferencing • Information broadcasts – News – Stocks • Updates – Software – Viruses

  5. Challenges • Authenticity • Malicious users • Tolerate packet loss • Minimal delay • (DoS attacks)

  6. Outline • Three naive solutions • Brief summary of related work • Efficient Multicast Stream Authentication using Erasure Codes • Distillation codes • Conclusion

  7. Naive Solution 1 Symmetric Authentication. Review of MACs: Alice and Bob share a key K_a,b; Alice sends a message together with MAC_K_a,b(message), and Bob recomputes the MAC with the same key to check it. Examples • HMAC (SHA-1, MD5) • UMAC • CBC-MAC (AES, 3DES)

  8. Naive Solution 1 Symmetric Authentication. Diagram: the server and every client hold the same group key K_s,g; the server attaches MAC_K_s,g to each packet, the router forwards the packets unchanged, and each client verifies the MAC with K_s,g

  9. Naive Solution 1 Symmetric Authentication • Pros – Fast – Low space overhead – Virtually no delay – Simple • Cons – Every member of the group holds K_s,g, so any member can forge packets that “authenticate” as coming from the server

  10. Naive Solution 2 Sign Every Packet. Review of signatures: Alice signs with her private key K_priv_A, producing Sig_A; Bob verifies with her public key K_pub_A, which is all he needs to hold. Examples • RSA-1024 (2048, etc.) • DSA • IBE short signatures

  11. Naive Solution 2 Sign Every Packet. Diagram: the server holds K_priv_S and attaches Sig_S to every packet; the router forwards the packets and each client verifies them with K_pub_S

  12. Naive Solution 2 Sign Every Packet • Pros – Guarantees authenticity – Perfect loss tolerance – Almost no delay • Cons – Computationally expensive for sender and receiver – High bandwidth overhead

  13. Naive Solution 3 Basic Signature Amortization. Diagram: the server holds K_priv_S, collects a block of packets P_1, P_2, …, P_n and sends a single signature Sig_S(P_1, …, P_n) over the whole block; the router forwards the packets and each client verifies the block with K_pub_S

  14. Naive Solution 3 Basic Signature Amortization • Pros – Unforgeable – Low computational cost – Low bandwidth overhead • Cons – No packet loss tolerance – Delay at receiver

  15. Outline • Three naive solutions • Brief summary of related work • Efficient Multicast Stream Authentication using Erasure Codes • Distillation codes • Conclusion

  16. Related Work • “Asymmetric MACs” – TESLA [12,13] – Biba “signature” [11] • Signature amortization…

  17. Signature Amortization • Signature generation is expensive • Boneh, Durfee, and Franklin showed that multicast authentication cannot be achieved with MACs alone… [2] • So break a single signature across multiple packets • Fundamental issues – Packet loss – Maliciously inserted packets (DoS) • Some work done – Accumulators [16] – Erasure Codes [9,10]

  18. How to Sign Digital Streams [4] CRYPTO ‘97 • Objectives – Stream signing (not necessarily multicast) – Authenticity – Non-repudiation (even for partial streams) – Inexpensive – Low delay • General approach – Authentication chain bootstrapped with signature

  19. How to Sign Digital Streams. Diagram: the signature covers h(p_1); Packet 1 carries h(p_2); Packet 2 carries h(p_3); Packet 3 carries h(p_4); … Each packet authenticates the next one, and the single signature bootstraps the chain

  20. How to Sign Digital Streams • Pros – Simple – Low computation (single signature) – Low overhead – Authenticity – Non-repudiation (even for partial streams) – Low delay (if packets are sent at high frequency) • Cons – No loss tolerance

  21. Digital Signatures for Flows and Multicasts [16] IEEE/ACM Transactions on Networking 1999 • Objectives – Authenticity – “High” signing and verification rates – Loss tolerant – Non-repudiation – Inexpensive – Low delay • General approach – Create a common signature for blocks of packets – Self authenticating packets

  22. Digital Signatures for Flows and Multicasts. Star Chaining, packet formation (per block): compute h(p_i) for every packet p_1, p_2, p_3, …; sign the block digest once; append the signature (together with the other packets’ digests) to every packet. Sent on the wire: Packet 1 + Signature, Packet 2 + Signature, Packet 3 + Signature, …

  23. Digital Signatures for Flows and Multicasts. Star Chaining, packet authentication: the receiver keeps a cache of verified digests h(p_i) per block (block 1, block 2, block 4, …). When Packet i from block j arrives, its digest is combined with the cached digests of block j and checked against the block signature; once a block’s signature has verified, further packets of that block need only a hash comparison

  24. Digital Signatures for Flows and Multicasts • Pros – Authenticity – “High” signing and verification rates – Perfect loss tolerance – Non-repudiation • Cons – Small sender delay – Extremely high bandwidth overhead
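The two related-work schemes above, side by side, as an added example (not code from the slides or from the cited papers): the hash chain of slide 19, where one signature covers h(p_1) and each packet carries the hash of the next, and star chaining of slides 22-23, where every packet carries the block signature plus the digests of its block-mates. `sign`/`verify` are an HMAC stand-in so the script runs offline (the real schemes use RSA or DSA here); `SIGN_KEY` and the packet payloads are constructed. Losing one packet shows the difference: the chain stops at the gap, star chaining authenticates every surviving packet but pays (n − 1) digests plus a signature per packet.

```python
"""Gennaro-Rohatgi hash chain vs Wong-Lam star chaining (added example)."""
import hashlib
import hmac

SIGN_KEY = b"stand-in for the sender's private key"  # assumption: HMAC replaces RSA/DSA
H_LEN = 32                                           # SHA-256 digest length


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sign(digest: bytes) -> bytes:
    # Stand-in for sig_K_priv(digest): symmetric, so it models size and flow, not security.
    return hmac.new(SIGN_KEY, digest, hashlib.sha256).digest()


def verify(digest: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(digest), sig)


# ---- Hash chain (slide 19): signature covers h(p_1); packet i carries h(p_{i+1}) ----
def chain_sign(packets):
    """Returns (signature over h(wire packet 1), wire packets p_i || h(next wire packet))."""
    wire, nxt = [], bytes(H_LEN)          # the last packet points at an all-zero hash
    for p in reversed(packets):
        w = p + nxt
        wire.append(w)
        nxt = h(w)                        # the hash covers the payload AND its pointer
    wire.reverse()
    return sign(nxt), wire


def chain_verify(sig, received):
    """received[i] is wire packet i, or None if it was lost.
    Returns the payloads accepted before the chain breaks."""
    accepted, expected = [], None
    for w in received:
        if w is None:
            break                         # the pointer to the next packet was inside it
        d = h(w)
        ok = verify(d, sig) if expected is None else hmac.compare_digest(d, expected)
        if not ok:
            break
        accepted.append(w[:-H_LEN])
        expected = w[-H_LEN:]
    return accepted


# ---- Star chaining (slides 22-23): each packet carries the other packets' digests ----
def star_sign(packets):
    digests = [h(p) for p in packets]
    sig = sign(h(b"".join(digests)))      # one signature over the block digest
    return [(i, p, digests[:i] + digests[i + 1:], sig) for i, p in enumerate(packets)]


def star_verify(pkt) -> bool:
    i, p, others, sig = pkt
    digests = others[:i] + [h(p)] + others[i:]   # slot this packet's own digest back in
    return verify(h(b"".join(digests)), sig)


def demo(n=6, lost=2):
    """Lose packet `lost` of an n-packet block under both schemes.
    Returns (chain packets accepted, star packets accepted, star overhead bytes per packet)."""
    packets = [f"stream packet {i}".encode() for i in range(n)]   # constructed payloads
    sig, wire = chain_sign(packets)
    chain_ok = len(chain_verify(sig, [w if i != lost else None for i, w in enumerate(wire)]))
    star_ok = sum(star_verify(pkt) for i, pkt in enumerate(star_sign(packets)) if i != lost)
    star_overhead = (n - 1) * H_LEN + H_LEN       # other digests + the 32-byte stand-in signature
    return chain_ok, star_ok, star_overhead


if __name__ == "__main__":
    print(demo())
```

With the default block of six packets and packet 2 lost, the chain verifies only the two packets before the gap, while star chaining verifies all five survivors at a cost of 192 extra bytes on each packet, which is the "extremely high bandwidth overhead" of slide 24.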

  25. Summary of Related Work • Still significant deficiencies – No loss tolerance – Extremely high bandwidth overhead – Vulnerable to DoS attacks • Computational • Memory exhaustion

  26. Outline • Three naive solutions • Brief summary of related work • Efficient Multicast Stream Authentication using Erasure Codes • Distillation codes • Conclusion

  27. Efficient Multicast Stream Authentication using Erasure Codes [10] ACM Transactions on Information and Systems Security 2003 • Objectives – Ensure authenticity (non-repudiation) – Robustness to packet loss – Minimal overhead & delay – Robust against en route packet modification or insertion of small number of bogus packets • General approach – Amortize a signature over several packets using erasure codes

  28. Erasure Codes • Sender – Takes m objects (the original data) and creates n “erasure encoded objects” • Receiver – Needs any m of the n objects sent, and can reconstruct (“erasure decode”) the original data • Space optimal – Each encoded object is the size of one of the m original objects, so any m of them carry exactly the original amount of data

  29. Information Dispersal Algorithm (IDA) [14] • Basics – Create an n × m matrix A such that any m of its n rows are linearly independent – Multiply A by the data (arranged as m chunks) to get n encoded chunks – On receipt of any m chunks, take the corresponding m rows of A, call them A′ – Multiply the received chunks by A′⁻¹ to recover the data • Kevin will cover… • Pretty light computationally – One matrix multiplication at each end (plus a matrix inversion at the receiver) – O(n·m) work per data column to encode, O(m²) per column to decode once A′ has been inverted

  30. Signature Amortization using IDA - Description. Break the stream up into blocks of n packets: block 1 = P_1,1, P_1,2, …, P_1,n; block 2 = P_2,1, P_2,2, …, P_2,n; block 3 = P_3,1, P_3,2, …, P_3,n; block 4 = P_4,1, …

  31. Signature Amortization using IDA. For each block P_1, P_2, …, P_n: hash every packet and concatenate the hashes into the packet digest F = h(P_1) || h(P_2) || … || h(P_n)

  32. Signature Amortization using IDA. Erasure encode F using IDA: split the packet digest F into m chunks (1 … m) and IDA-encode them into n chunks c_1, c_2, c_3, c_4, …, c_n (the encoded packet digest)

  33. Signature Amortization using IDA. Sign F: compute h(F) and sign it with K_priv, giving sig_K_priv(F). Split the signature into m symbols and IDA-encode it into n pieces σ_1, σ_2, σ_3, σ_4, …, σ_n (the encoded signature)

  34. Signature Amortization using IDA. Form each packet: packet i = P_i || c_i || σ_i (its payload, one piece of the encoded packet digest and one piece of the encoded signature)

  35. Signature Amortization using IDA. Reconstruction: any m received packets P_i || c_i || σ_i suffice. IDA-decode c_1 … c_m to recover the packet digest F = h(P_1) || h(P_2) || … || h(P_n); IDA-decode σ_1 … σ_m to recover the signature sig_K_priv(F)

  36. Signature Amortization using IDA. Verification: compute h(F) from the recovered packet digest and verify sig_K_priv(F) against it with K_pub (yes/no). Then, for each received packet P_i, compute h(P_i) and compare it with the i-th hash extracted from F = h(P_1) || h(P_2) || … || h(P_n); the packet is accepted only if they match
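Slides 29 through 36 as one runnable procedure, added here as an example (not the paper's or the slides' code): an Information Dispersal Algorithm over the toy field GF(257) with a Vandermonde matrix (so any m rows are linearly independent, as slide 29 requires), followed by the block construction of slides 30-34 and the reconstruction and verification of slides 35-36. Assumptions: `sign`/`verify` are an HMAC stand-in for the RSA signature so the script runs offline; `P`, `SIGN_KEY` and the packet payloads are constructed. The `demo` also injects one corrupted digest piece to show the weakness that motivates the rest of the talk: a single bogus piece among the m used for decoding makes the whole block fail verification.

```python
"""Signature amortization using IDA (SAIDA), end to end (added example)."""
import hashlib
import hmac

P = 257                             # field prime: every byte value is a field element (assumption)
H_LEN = 32
SIGN_KEY = b"stand-in for K_priv"   # assumption: HMAC replaces the RSA private key


def h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def sign(d: bytes) -> bytes:        # stand-in for sig_K_priv(F); fixed length, like RSA
    return hmac.new(SIGN_KEY, d, hashlib.sha256).digest()


def verify(d: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(d), sig)


def _row(i: int, m: int):           # row i of A: (1, i, i^2, ..., i^(m-1)) mod P
    return [pow(i, j, P) for j in range(m)]


def _mat_inv(A):
    """Gauss-Jordan inverse of an m x m matrix over GF(P)."""
    m = len(A)
    M = [row[:] + [int(i == j) for j in range(m)] for i, row in enumerate(A)]
    for col in range(m):
        piv = next(r for r in range(col, m) if M[r][col])
        M[col], M[piv] = M[piv], M[col]
        f = pow(M[col][col], P - 2, P)
        M[col] = [x * f % P for x in M[col]]
        for r in range(m):
            if r != col and M[r][col]:
                g = M[r][col]
                M[r] = [(x - g * y) % P for x, y in zip(M[r], M[col])]
    return [row[m:] for row in M]


def ida_encode(data: bytes, m: int, n: int):
    """Split data into m chunks; emit n encoded chunks as (row index, symbols)."""
    width = -(-len(data) // m)
    data += bytes(width * m - len(data))          # zero-pad to a multiple of m
    chunks = [data[j * width:(j + 1) * width] for j in range(m)]
    out = []
    for i in range(1, n + 1):
        row = _row(i, m)
        out.append((i, [sum(a * ch[k] for a, ch in zip(row, chunks)) % P
                        for k in range(width)]))
    return out


def ida_decode(pieces, m: int, length: int):
    """Any m pieces: invert the matching m rows of A and multiply back.
    Returns None if the result is not a byte string (the pieces were corrupted)."""
    pieces = pieces[:m]
    inv = _mat_inv([_row(i, m) for i, _ in pieces])
    width = len(pieces[0][1])
    syms = [sum(inv[j][r] * pieces[r][1][k] for r in range(m)) % P
            for j in range(m) for k in range(width)]
    return None if max(syms) > 255 else bytes(syms[:length])


def saida_send(packets, m):
    """Packet i leaves as (i, P_i, c_i, sigma_i); also returns len(F) and len(sig)."""
    n = len(packets)
    F = b"".join(h(p) for p in packets)           # packet digest, slide 31
    sig = sign(h(F))                              # slide 33
    c, s = ida_encode(F, m, n), ida_encode(sig, m, n)
    return [(i, packets[i], c[i], s[i]) for i in range(n)], len(F), len(sig)


def saida_receive(received, m, n, f_len, sig_len):
    """Authenticate one block from whatever arrived, in any order. Returns the
    payloads that verified; [] if fewer than m arrived or the block fails."""
    if len(received) < m:
        return []
    F = ida_decode([c for _, _, c, _ in received], m, f_len)
    sig = ida_decode([s for _, _, _, s in received], m, sig_len)
    if F is None or sig is None or not verify(h(F), sig):
        return []        # one bogus piece among the m used poisons the whole block
    return [p for i, p, _, _ in received
            if hmac.compare_digest(h(p), F[i * H_LEN:(i + 1) * H_LEN])]


def demo(n=8, m=5, lost=(1, 6), forge=None):
    """Drop the packets in `lost`; optionally corrupt the digest piece of the
    `forge`-th surviving packet to model an injected bogus packet."""
    packets = [f"stream payload {i}".encode() for i in range(n)]   # constructed
    wire, f_len, sig_len = saida_send(packets, m)
    received = [pkt for pkt in wire if pkt[0] not in lost]
    if forge is not None:
        i, p, (row, syms), s = received[forge]
        received[forge] = (i, p, (row, [(x + 1) % P for x in syms]), s)
    return len(saida_receive(received, m, n, f_len, sig_len))
```

`demo()` authenticates the six packets that survive two losses out of eight; `demo(lost=(0, 1, 2, 3))` returns nothing because only four of the required five arrived; `demo(forge=0)` returns nothing at all, even though seven genuine packets are present, because the corrupted piece was among the m fed to the decoder. A real deployment uses GF(2^8) arithmetic so encoded symbols stay one byte wide; GF(257) is used here only to keep the field arithmetic readable.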

  37. Delays • Sender – Must append information to n packets before sending • Receiver – Must receive m packets to authenticate and use – (Frequently, all m packets should arrive approximately at the same time) • Consequences – Approximate additional delay of the time span of each block – For minimal delay, we need smaller block size

  38. Practical Costs - Computation (Pentium 2.4 GHz). Operations per block and measured throughput:
      Operation                         Sender   Receiver   Operations per second
      Erasure encode                      1         0              2,755
      Erasure decode                      0         1              3,700
      RSA-1024 signature generation       1         0                 25
      RSA-1024 signature verification     0         1              1,170
      Signature generation is the bottleneck: at 25 signatures per second the sender can send approximately one block every 40 ms.

  39. Acceptable Delay. The ITU Telecommunication Standardization Sector (ITU-T) states the following maximum end-to-end transmission times that it considers “allowable” with echo control (Recommendation G.114) [5]:
      Delay           Acceptability
      0 - 150 ms      acceptable for most user applications
      150 - 400 ms    acceptable provided that administrators are aware of the impact on quality
      above 400 ms    unacceptable

  40. Practical Costs - Bandwidth • Given: n/m = 1.5, RSA-1024 (128-byte signature), 20-byte SHA-1 hashes, blocks of 64 packets of 1024 bytes each (65,536 bytes of data per block, unencoded) • Packet digest: 64 × 20 = 1,280 bytes; signature: 128 bytes; both are erasure encoded at rate n/m = 1.5, so the overhead is (1,280 + 128) × 1.5 = 2,112 bytes per block, i.e. 3.2% • Conclusion: costs are extremely reasonable in the simple case.

  41. Authentication Probability • Burst losses are an important part of their analysis • 2 models – 2 state Markov chain model (2-MC) – “Biased coin toss”

  42. 2 State Markov Chain Model (2-MC). Diagram: two states, “Packet arrives” (0) and “Packet lost” (1), with transition probabilities p_0,0, p_0,1, p_1,0, p_1,1. Parameters used: π_0 = 0.8 (stationary probability that a packet arrives) and β = 8 (mean burst length)

  43. Biased Coin Toss Model. Diagram: a chain of states Packet arrives → Packet lost 1 → Packet lost 2 → … → Packet lost b, with transitions labelled q (the loss burst continues to the next state) and 1 − q (the next packet arrives)
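Slides 41-42 argue that burst losses, not just the average loss rate, decide whether a block still gathers the m packets it needs. The following added example (not the paper's code) simulates the 2-MC model of slide 42 and compares it with independent losses at the same average rate. It assumes that the slide's 0.8 and 8 are the stationary probability that a packet arrives (π_0) and the mean loss-burst length (β); the block size n = 64 with m = 43 is taken from the n/m = 1.5, 64-packet block of slide 40, and the PRNG seed is constructed.

```python
"""Authentication probability under bursty (2-MC) vs independent loss (added example)."""
import random


def two_mc_transitions(pi0: float, beta: float):
    """Transition probabilities p[(from, to)] for state 0 = arrives, 1 = lost.
    Assumption: pi0 is the stationary receive probability, beta the mean burst length."""
    p11 = 1.0 - 1.0 / beta           # mean burst length = 1 / (1 - p11) = beta
    p10 = 1.0 - p11
    p01 = (1.0 - pi0) * p10 / pi0    # stationary balance: pi0 * p01 = pi1 * p10
    return {(0, 0): 1.0 - p01, (0, 1): p01, (1, 0): p10, (1, 1): p11}


def simulate(n: int, m: int, pi0: float, beta: float, blocks: int = 2000, seed: int = 1):
    """Run `blocks` consecutive n-packet blocks through the chain.
    Returns (fraction of blocks with >= m packets received, fraction of packets received)."""
    rng = random.Random(seed)
    p = two_mc_transitions(pi0, beta)
    state = 0 if rng.random() < pi0 else 1       # start in the stationary distribution
    ok = got_total = 0
    for _ in range(blocks):
        got = 0
        for _ in range(n):
            state = 1 if rng.random() < p[(state, 1)] else 0
            got += state == 0
        ok += got >= m                           # block authenticates iff m of n arrived
        got_total += got
    return ok / blocks, got_total / (blocks * n)


def independent_loss(n: int, m: int, pi0: float, blocks: int = 2000, seed: int = 1):
    """Same average loss rate, but every packet is lost independently (no bursts)."""
    rng = random.Random(seed)
    return sum(sum(rng.random() < pi0 for _ in range(n)) >= m for _ in range(blocks)) / blocks


if __name__ == "__main__":
    # 64-packet block with n/m = 1.5 (slide 40), so m = 43 packets must arrive
    print(simulate(64, 43, 0.8, 8), independent_loss(64, 43, 0.8))
```

Both models deliver about 80% of the packets, yet the bursty chain fails noticeably more blocks than the independent model, and requiring all 64 packets (m = n, which is basic signature amortization) fails most blocks: the same loss rate that erasure coding absorbs comfortably is fatal without it.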
