Reducing delay and enhancing DoS resistance in multicast authentication through multigrade security

Many techniques for multicast authentication employ the principle of delayed key disclosure. These methods introduce delay in authentication, require receiver-side buffers, and are susceptible to denial-of-service (DoS) attacks. Delayed key disclosure schemes have a binary concept of authentication and do not incorporate any notion of partial trust. This paper introduces staggered TESLA (timed efficient stream loss-tolerant authentication), a method for achieving multigrade authentication in multicast scenarios that reduces the delay needed to filter forged multicast packets and, consequently, mitigates the effects of DoS attacks. Staggered TESLA modifies the popular multicast authentication scheme TESLA by incorporating the notion of multilevel trust through the use of multiple, staggered authentication keys in creating the message authentication codes (MACs) for a multicast packet. We provide guidelines for determining the appropriate buffer size, and show that the use of multiple MACs and, hence, multiple grades of authentication, allows the receiver to flush forged packets more quickly than in conventional TESLA. As a result, staggered TESLA provides an advantage against DoS attacks compared to conventional TESLA. We then examine two new strategies for reducing the time needed for complete authentication. In the first strategy, the multicast source uses assurance of the trustworthiness of entities in a neighborhood of the source, in conjunction with the multigrade authentication provided by staggered TESLA. The second strategy achieves reduced delay by introducing additional key distributors in the network.
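The staggered-key mechanism described in the abstract, as an added simulation that is not the paper's own code or the TESLA reference implementation. It assumes a SHA-256 one-way key chain, HMAC-SHA256 MACs, a disclosure delay of `d` intervals, `m` MACs per packet keyed with the `m` most recent chain keys `K[i], K[i-1], ..., K[i-m+1]`, and the simplifying receiver security condition that none of those `m` keys may already be disclosed when the packet arrives (the paper's exact condition and buffer-sizing rule are not reproduced). Intervals are abstract ticks with no clock skew, and the forged packet carries random tags, constructed for the demo. The run compares conventional TESLA (`m = 1`) with `m = 3` and reports when the forgery is flushed, when the genuine packet from the same interval reaches full authentication, and the peak buffer occupancy.

```python
"""Staggered TESLA simulation (added example, hypothetical parameters)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    """One-way chain: K[n] = seed, K[i] = H(K[i+1]); K[0] is the public commitment."""
    chain = [b""] * (n + 1)
    chain[n] = seed
    for i in range(n - 1, -1, -1):
        chain[i] = h(chain[i + 1])
    return chain


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Packet:
    interval: int               # interval i in which the packet was sent
    payload: bytes
    macs: list                  # macs[j] = MAC(K[i-j], payload), j = 0..m-1
    disclosed: Optional[bytes]  # K[i-d], or None before the first disclosure


class Sender:
    def __init__(self, seed: bytes, n: int, d: int, m: int):
        self.chain, self.d, self.m = make_chain(seed, n), d, m

    def send(self, i: int, payload: bytes) -> Packet:
        macs = [mac(self.chain[i - j], payload) for j in range(self.m)]
        disclosed = self.chain[i - self.d] if i >= self.d else None
        return Packet(i, payload, macs, disclosed)


class Receiver:
    def __init__(self, commitment: bytes, d: int, m: int):
        self.keys = {0: commitment}  # authenticated chain keys, by interval
        self.d, self.m = d, m
        self.buffer = []             # [packet, number of MACs verified so far]
        self.accepted = {}           # payload -> interval of full authentication
        self.flushed = {}            # payload -> interval at which forgery was detected
        self.peak = 0                # largest buffer occupancy seen

    def _learn_key(self, idx: int, key: bytes) -> bool:
        """Authenticate a disclosed key by hashing back to a known key,
        keeping every intermediate key on the way."""
        base = max(k for k in self.keys if k <= idx)
        cur, derived = key, {}
        for k in range(idx, base, -1):
            derived[k] = cur
            cur = h(cur)
        if cur != self.keys[base]:
            return False
        self.keys.update(derived)
        return True

    def receive(self, pkt: Packet, now: int) -> bool:
        # Assumed security condition: the oldest key used in the packet,
        # K[i-(m-1)], is disclosed at interval i-(m-1)+d; arrival must precede that.
        if now >= pkt.interval - (self.m - 1) + self.d:
            return False
        if pkt.disclosed is not None:
            self._learn_key(pkt.interval - self.d, pkt.disclosed)
        self.buffer.append([pkt, 0])
        self._verify(now)
        return True

    def tick(self, now: int) -> None:
        self._verify(now)

    def _verify(self, now: int) -> None:
        still = []
        for entry in self.buffer:
            pkt, done = entry
            forged = False
            # Check MACs from the oldest key (disclosed first) toward the newest.
            for j in range(self.m - 1 - done, -1, -1):
                kidx = pkt.interval - j
                if kidx not in self.keys:
                    break
                if not hmac.compare_digest(mac(self.keys[kidx], pkt.payload), pkt.macs[j]):
                    forged = True
                    break
                done += 1
            entry[1] = done
            if forged:
                self.flushed[pkt.payload] = now   # one bad grade is enough to drop it
            elif done == self.m:
                self.accepted[pkt.payload] = now
            else:
                still.append(entry)
        self.buffer = still
        self.peak = max(self.peak, len(self.buffer))


def run(d: int, m: int, forge_at: int, n_intervals: int = 12) -> dict:
    """One genuine packet per interval from interval d on; a forgery with random
    tags (constructed) is injected at interval forge_at."""
    sender = Sender(b"constructed-seed", n_intervals + d, d, m)
    receiver = Receiver(sender.chain[0], d, m)
    for now in range(d, n_intervals):
        receiver.receive(sender.send(now, f"frame-{now}".encode()), now)
        if now == forge_at:
            forged = Packet(now, b"forged-frame", [os.urandom(32) for _ in range(m)], None)
            receiver.receive(forged, now)
        receiver.tick(now)
    return {"forgery_flushed": receiver.flushed.get(b"forged-frame"),
            "genuine_authenticated": receiver.accepted.get(f"frame-{forge_at}".encode()),
            "peak_buffer": receiver.peak}


if __name__ == "__main__":
    print("conventional TESLA (m=1):", run(d=4, m=1, forge_at=5))
    print("staggered TESLA   (m=3):", run(d=4, m=3, forge_at=5))
```

With `d = 4` the conventional receiver cannot discard the forgery until `K[5]` is disclosed at interval 9, while the three-MAC receiver drops it at interval 7, as soon as the oldest of its keys, `K[3]`, is disclosed; full authentication of the genuine packet still completes at interval 9 in both cases, so the gain is in how long forged traffic occupies the buffer, not in the final delay. The price is `m` tags per packet and a tighter arrival deadline, since a packet is only safe if none of its `m` keys could have been disclosed before it arrived.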
