Abstract
Multicast is one-to-group communication. Applications of multicast include broadcasting stock quotes, videoconferencing, and software distribution. The deployment of efficient and secure communication mechanisms is hindered by the lack of security. There are various schemes, such as the simple hash scheme, the hash tree scheme, and the hash tree signature scheme, but these existing approaches suffer from communication overhead and computation overhead. The major security concern is addressed with the support of a source authentication mechanism. The purpose of our work is to evaluate the performance of multicast source authentication. The objectives of the proposed work are to reduce the communication overhead and computation cost of the multicast communication system. The proposed work is implemented in QualNet 5.1.2.
Keywords
- Multicast communication
- ECDSA
- Source authentication
- ECCSA
- Elliptic curve cryptography
- Hash tree
- Non-repudiation
1 Introduction
The large-scale development of the Internet and the use of electronics for communication have resulted in a new digital era of communication. Data can be sent over a network in various modes, such as unicast, broadcast, and multicast. Unicast is one-to-one communication, broadcast is one-to-all communication, and multicast is communication between one source and a group of destinations. The demand for multipoint (multicast) communication among various parties is increasing. Unicast communications carry high overhead and are underutilized. The use of multicasting is increasing day by day for applications such as video on demand (VoD), IPTV, broadcasting, and stock quotes. Multicast IP addresses are well known (class D), which is why there are many security obstacles in multicast. Security goals must be maintained to provide security at the source and group ends. In a multicast network, the source is not necessarily a member of the group, so an untrusted source may cause the rescuer deployment of the multicast services. Hashes and digital signatures are used for integrity [1], authentication, and non-repudiation. However, these mechanisms were designed for point-to-point [2] transmission and are embedded in multicasting.
Multicast communication suffers from various challenges such as congestion, security threats, and addressing; the security threat is the biggest challenge in multicast. This challenge is handled by source authentication and group authentication. Source authentication is the main objective of the proposed work. Researchers [3,4,5,6,7,8,9] have provided mechanisms for source authentication. The authors have used RSA [10, 11] digital signatures to achieve source authentication [12], but the existing mechanisms suffer from computation overhead and communication overhead. To solve these problems, we propose a source authentication mechanism for multicasting which is based on the Elliptic Curve Cryptography Digital Signature Algorithm (ECDSA) [13, 14]. The proposed approach is known as Elliptic Curve Cryptography Source Authentication (ECCSA).
2 Related Works
The literature contains several approaches and models for providing source authentication in multicast communication. This section describes the issues and challenges in the area of multicast security. Existing multicast source authentication protocols such as simple off-line chaining, tree chaining, EMSS, and HMSA are described with their advantages and disadvantages.
In the hash chaining [9] scheme, the sender divides the message into blocks [15], computes the hash of the first block, and signs that hash. For example, the sender first divides message M into 4 blocks {B1, B2, B3, B4}, then computes the hash of the first block, signs it, and transmits it to each receiver.
In the tree chaining [16, 17] scheme, each packet carries the required authentication information so that each packet can be verified individually. In other words, even if n − 1 out of n packets are lost, the authenticity of the single received packet can be verified. The stream is signed block by block.
In the Efficient Multi-chained Stream Signature (EMSS) [18, 19] scheme, each packet of the stream is hash-linked [20, 21] to many target packets. Even if some packets are lost, a received packet is verifiable if there remains a hash-link path that relates the packet to a signature packet. For a given packet, EMSS chooses the target packets randomly.
Jin et al. [22] proposed a hybrid approach (HMSA) in which the hash tree and hash chaining schemes are combined. In this approach, the authors target the main disadvantage that occurs with both schemes.
This section explained the existing multicast source authentication protocols with non-repudiation [11] and their advantages and disadvantages. No scheme satisfies all the requirements for multicast source authentication. In the next section, a novel multicast source authentication protocol with non-repudiation, a hash redundancy mitigation scheme for multicast source authentication [23], is proposed, which makes a tradeoff between communication overhead [24] and robustness [25] against packet loss.
3 Proposed Method
Multicast communication suffers from various attacks such as distributed denial of service (DDoS) [26, 27], message modification [25], replay attacks [28], and eavesdropping [29]. An attacker can use the source as a data transmitter, or act as a source of data, because multicast IP addresses [30] are well known to everyone. A mechanism is needed to protect the source of multicast communication; this mechanism is known as multicast source authentication (MSA). This subsection gives the packet generation procedure [31] and the packet verification [32] procedure as follows:
Sender Side
Packet Generation Procedure: M is a message of any size, and the message is divided into blocks. The block size may be 2, 4, 8, 16, 32, 64, or 128 packets (Fig. 1).
Hash Generation: The main arguments of the proposed work are based on the following procedure.
1. The sender generates the packet hashes Hij (i = 1 and j = 1 to 8) and the first block root hash [H118] by using the packet hashes H11, H12, …, H18 and the hashes of the internal nodes. The same is done for the other blocks.
2. The sender signs the root hash of the first block.
3. The sender sends the signed root hash of the first block to each receiver.
4. The sender sends the first packet P11 of block one with the packet ID, the sibling hashes on the current packet's path to the root (H12, H134, and H158), and the second block root hash [H118].
5. The sender sends the second packet with only the first packet hash value H11, because it is used to generate the root hash.
6. Now, the sender sends P13 with H14 and H12 only; the stored values are used to generate the root of the first block.
7. The sender sends P14 with only H13.
8. Now, the sender sends packets P15, P16, P17, and P18 according to steps 4, 5, 6, and 7. So the sender sends P15 with the siblings (H16, H178, H118) and the second block root [H118], P16 with H15, and P17 with H18 + H156.
9. Repeat all steps for n − 1 blocks; for the last block there is no need to send the signature root packet.
Signature Generation & Distribution: To associate the root hash (H) of packet Pi with a signature, the sender does the following:
1. Choose a random integer k between 1 and N − 1.
2. Generate Hash (P).
3. Generate the curve point \( k \cdot G = (a, b) \).
4. Generate \( e = a \bmod N \). If e = 0, then go back to step 1.
5. Generate \( d = k^{-1} \left( h_{l} + e d_{a} \right) \bmod N \). If \( d = 0 \), then go to step 1.
6. The sender's signature for the root hash of packet Pi is the pair of integers (e, d).
Receiver Side
To verify the sender's signature (e, d) on H, the receiver associated with the public key \( C_{a} \) does the following:
1. Verify that e and d are integers between 1 and (N − 1).
2. Generate h = H(m).
3. Generate \( t = d^{-1} \bmod N \).
4. Generate \( v_1 = h_{l} t \bmod N \) and \( v_2 = e t \bmod N \).
5. Generate the curve point \( x = v_1 G + v_2 C_{a} \).
6. If a = 0, then reject the signature; else \( v = a \bmod N \).
7. Accept the signature if v = e.
Digest Regeneration and Verification of Root Hash
1. Receivers first receive the signed hash root of the first block.
2. Receivers verify the signature on the root hash and store it.
3. Receivers receive packet P11 and compute H11.
4. Now regenerate the hash root of the first block with the help of H12, H134, and H158, and compute the first block root hash [H118].
Receivers verify the authenticity of P11, H12, H134, H158, and the second block root hash if the stored root hash of block one is identical to the computed root hash of block one (Fig. 2).
5. Receivers store the values H12, H134, H156, and the second block root hash [H118].
6. Receivers get P12 along with the previous packet hash, i.e., H11; they then compute the hash [33] of packet P11 and generate the first block root hash with the help of the stored hashes. If the computed first block root hash H118 is identical to the stored first block root H118, the source is authentic along with packet P2.
7. In the same way, receivers receive packets P3 and P4 and, with the help of the stored hash values, generate the first block root hash H118. The flow chart of the proposed work is given in Fig. 3.
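The sender and receiver procedures above for one block of eight packets, as an added example that is not the authors' code: each sibling hash is transmitted once and the receiver rebuilds the root from stored hashes. It assumes SHA-256, in-order delivery, and a root hash whose signature has already been verified; all function and class names are hypothetical, and the next-block root carried by the first packet is left out.

```python
import hashlib

def H(data):
    return hashlib.sha256(data).digest()

def leaf(payload):                 # 0x00/0x01 prefixes separate leaves from inner nodes
    return H(b"\x00" + payload)    # (added hardening, not specified in the paper)

def node(left, right):
    return H(b"\x01" + left + right)

def build_tree(packets):
    """levels[0] holds the packet hashes, levels[-1] the single root hash."""
    levels = [[leaf(p) for p in packets]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([node(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def sender_stream(packets):
    """Return (root, [(index, payload, siblings)]); each sibling hash is sent once."""
    levels, sent, stream = build_tree(packets), set(), []
    for idx, payload in enumerate(packets):
        siblings, pos = {}, idx
        for lvl in range(len(levels) - 1):
            key = (lvl, pos ^ 1)                   # sibling on the path to the root
            if key not in sent:
                sent.add(key)
                siblings[key] = levels[lvl][pos ^ 1]
            pos >>= 1
        stream.append((idx, payload, siblings))
    return levels[-1][0], stream

class Receiver:
    def __init__(self, signed_root, depth):
        # signed_root is assumed to have passed signature verification already
        self.root, self.depth, self.store = signed_root, depth, {}

    def accept(self, idx, payload, siblings):
        known = {**siblings, **self.store}         # stored (verified) hashes win
        cur, pos = leaf(payload), idx
        for lvl in range(self.depth):
            sib = known.get((lvl, pos ^ 1))
            if sib is None:                        # needed hash was never received
                return False
            cur = node(cur, sib) if pos % 2 == 0 else node(sib, cur)
            pos >>= 1
        if cur != self.root:
            return False
        self.store.update(siblings)                # cache only after the packet verified
        return True

def demo():
    packets = [b"payload-%d" % i for i in range(1, 9)]   # constructed block P11..P18
    root, stream = sender_stream(packets)
    rx = Receiver(root, depth=3)
    return [len(s) for _, _, s in stream], [rx.accept(*pkt) for pkt in stream]

if __name__ == "__main__":
    print(demo())
```

The per-packet hash counts match the steps above (3, 1, 2, 1 for P11 to P14, then the same for P15 to P18), 14 hashes instead of the 24 a full path per packet would need. The cost is loss sensitivity: a receiver that misses P11 lacks the stored hashes needed to verify P12.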
4 Result Analysis and Discussion
We use QualNet simulator version 5.0 to simulate our work. The QualNet simulator provides a wide variety of simulations; it is a platform that can predict wireless, wired, and mixed-platform network and networking device performance.
4.1 Parameters Used
The parameters used for the implementation of the work are shown in Table 1.
4.2 Experimental Topology
The general multicast scenario is shown in Fig. 4. In this topology, there is one source and there are eight receivers. The source needs to send a packet only once; in the network cloud, there are a number of routers, each of which makes a copy of the packet and sends it to its neighbor routers. Finally, the packet reaches the end router, which makes as many copies of the packet as there are receivers in the particular multicast group and then transmits the packet to all of those receivers.
4.3 Result Analysis
Many of the schemes [34, 35] discussed in the literature survey use RSA for source authentication in multicasting. According to the NIST recommendation, achieving 128-bit security means that the RSA key should be at least 3072 bits, although the same security can be provided using the Elliptic Curve Cryptography Digital Signature Algorithm (ECDSA) [36] with a key of 256 bits. Hence the key size has been reduced.
Effect of Packet Size on Computation Time
It can be observed from Fig. 5 that the computation time of HTS is the highest, and the computation times of SHS and HTSS are approximately equal and greater than that of the ECCSA scheme.
Effect of Packet Size on Computation Time
It can be observed from Fig. 6 that the computation time of HTS is the highest, and the computation times of SHS and HTSS are approximately equal and greater than that of the ECCSA scheme.
Effect of Packet Size on Communication Overhead
It can be observed from Fig. 7 that the communication overhead of ECCSA is less than that of SHS, HTS, and HTSS.
Effect of Packet Size on Verification Rate
It can be observed from Fig. 8 that the verification rate of ECCSA is greater than that of HTS [37] but less than that of HTSS and SHS. The verification rate is a little lower, but the other advantage of the ECCSA scheme is lower communication overhead, because the ECCSA scheme does not send redundant data through the channel.
Effect of Packet Size on Communication Overhead
Figure 8 shows the comparative results of the existing schemes and the proposed scheme. The basis of comparison is the communication overhead at a block size of 16 packets. It can be observed from the graph that the communication overhead of ECCSA is less than that of SHS, HTS, and HTSS.
5 Conclusions
A multicast source authentication technique known as Elliptic Curve Cryptography Source Authentication is proposed. This approach is a combination of two different algorithms which perform their operations according to network conditions. The scheme is used to reduce the computation overhead and communication overhead, and it has less communication overhead than SHS, HTS, and HTSS.
The proposed work is for a wired multicast communication model, but the rapid growth of wireless communication and wireless-based applications such as military applications, software updates, audio and video conferencing, and intelligent houses forces us to deploy techniques for multicast source authentication with non-repudiation which can work efficiently in wired as well as wireless (heterogeneous) environments.
References
Challal Y, Bettahar H, Bouabdallah (2004) A taxonomy of multicast data origin authentication: issues and solutions. IEEE Comm Surveys Tutorials 6(3):34–57
Wang Q, Nahrstedt K (2009) Time valid one-time signature for time-critical multicast data authentication. In: IEEE INFOCOM, Rio de Janeiro
Balasubramanian K, Roopa R (2012) HTSS: hash tree signature scheme for multicast authentication. IJCA proceedings on international conference in recent trends in computational methods, communication and controls (ICON3C), no 6, pp 28–32, Apr 2012
Berbecaru D, Albertalli L, Lioy A (2010) The forward diffusion scheme for multicast authentication. IEEE/ACM Trans Netw 18(6):1855–1868
Perrig A, Canetti R, Song D, Tygar J (2001) Efficient and secure source authentication for multicast. In: Proceedings of network and distributed system security symposium (NDSS-2001), vol 1, pp 35–46
Park JM, Chong E, Siegel H (2002) Efficient multicast packet authentication using signature amortization. In: Proceedings of the IEEE symposium on research in security and privacy, pp 227–240
Lin IC, Sung CC (2010) An efficient source authentication for multicast based on Merkle hash tree. In: Proceedings of international conference on intelligent information hiding and multimedia signal processing (IIH-MSP-2010), pp 5–8, Oct 2010
Perrig A, Tygar JD, Song D, Canetti R (2000) Efficient authentication and signing of multicast streams over lossy channels. In: IEEE Symposium on Security and Privacy, pp 56–73
Perrig A, Tygar JD et al (2001) Efficient and secure source authentication for multicast. In: Internet society network and distributed system security, pp 35–46
ElKabbany GF, Aslan HK (2012) Efficient design for the implementation of Wong-Lam multicast authentication protocol using two-levels of parallelism. IJCSI Int Comput Sci Issues 9(3, 1), May 2012
Hou A, Yang S et al (2009) Secure elliptic curve generating algorithm over GF. Comput Eng 23:138–140
Park JM, Siegel JM et al (2002) Efficient multicast packet authentication using signature amortization. In: IEEE Symposium on Security and Privacy
Chan A (2003) A graph-theoretical analysis of multicast authentication. In: 23rd international conference on distributed computing systems
Shiv kumar S, Umamaheswari G (2014) Certificate authority schemes using elliptic curve cryptography, rsa and their variants simulation using Ns2. Am J Appl Sci 11(2):171–179
Sridevi J, Mangaiyarkarasi R (2011) Efficient multicast packet authentication using digital signature. Int J Comput Appl® (IJCA). In: International Conference on Emerging Technology Trends (ICETT)
Jin-xin, Zhou ZG et al (2007) A hybrid and efficient scheme of multicast source authentication. In: Eighth ACIS international conference on software engineering, artificial intelligence networking and parallel/distributed computing, vol 2, pp 123–125
Suri SS, Varghese G (2001) A lower bound for multicast key distribution. In: Proceedings of IEEE INFOCOM, pp 422–431, Apr 2001
Eltaief H, Youssef H (2010) RMLCC: recovery-based multi-layer connected chain mechanism for multicast source authentication. In: 35th annual IEEE conference on local computer networks, Colorado
Wong CK, Gouda M, Lam SS (1998) Secure group communications using key graph. In: Proceedings of the ACM SIGCOMM’98, Canada, pp 68–79, Sept 1998
Boneh D, Franklin M et al (2001) Lower bounds for multicast message authentication. Eurocrypt, LNCS (2045):437–452
Borella M, Swider D, Uludag S, Brewster G (1998) Internet packet loss: measurement and implications for end-to-end Qos. In: International conference on parallel processing, Aug 1998
Gennaro R, Rohatgi P (2001) How to sign digital streams. Inf Comput
Pannetrat A, Molva R (2003) Efficient multicast packet authentication. In: Proceedings of the ISOC network and distributed system security symposium, pp 251–262, Feb 2003
Qing-Hai A, Lu X et al (2012) Research on design principles of elliptic curve public key cryptography and its implementation. In: International conference on computer science and service system 2012
Perrig A, Canetti R, Tygar JD, Song D (2004) Efficient authentication and signing of multicast streams over lossy channels. In: Proceeding IEEE symposium on security and privacy (SP ’00), pp 56–75, Feb 2004
Solum E, Chakravarthy R (2009) Modular over-the-wire configurable security for long-lived critical infrastructure monitoring systems. In: Proceedings of 3rd ACM international conference on distributed event-based systems (DEBS 2009), Nashville, TN, July 2009
Choi S (2005) Denial-of-service resistant multicast authentication protocol with prediction hashing and one-way key chain. In: Seventh IEEE international symposium on multimedia (ISM ’05), Dec 2005
Bergadano F, Crispo B et al (2002) Individual authentication in multiparty communications. Comput Secur 21(8):719–735
Canetti R, Pinkas B et al (1999) Multicast security: a taxonomy and efficient constructions. INFOCOM
Hauser CH, Thanigaina than Manivannan et al (2012) Evaluating multicast message authentication protocols for use in wide area power grid data delivery services. In: 45th Hawaii international conference on system sciences
Zhou Y, Fang Y (2007) Multimedia broadcast authentication based on batch signature. IEEE Comm Magazine 45(8):72–77
FeiJia and Mario Gerla (2010) Group-based secure source authentication protocol for VANETs. Workshop on Heterogeneous, Multi-hop Wireless and Mobile Networks, IEEE
Challal Y, Bouabdallah A (2004) A taxonomy of multicast data origin authentication: issues and solutions. IEEE Commun Surv Tutorials—COMSUR 6(1–4):34–57
Bergadano F, Crispo B (2000) Individual single source authentication on the MBone. In: IEEE international conference on multimedia and expo
Fuloria F, Alvarez F (2010) The protection of substation communications. In Proceedings of SCADA security scientific symposium, Jan 2010
Bai Z, Yang H, Zhang W (2011) Study on fast implementation of prime-field ECC. Commun Technol 12(87–89):92
Pang S, Liu S, Cong F, Yao Z (2011) An efficient scalar multiplication algorithm on montgomery-form elliptic curve. Acta Electronica Sinica 04:865–868
© 2018 Springer Nature Singapore Pte Ltd.
Mohan, Y., Krishna, C.R., Singh, K. (2018). Performance Evaluation of Multicast Source Authentication Scheme. In: Bokhari, M., Agrawal, N., Saini, D. (eds) Cyber Security. Advances in Intelligent Systems and Computing, vol 729. Springer, Singapore. https://doi.org/10.1007/978-981-10-8536-9_38
DOI: https://doi.org/10.1007/978-981-10-8536-9_38
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-8535-2
Online ISBN: 978-981-10-8536-9
eBook Packages: Engineering, Engineering (R0)