Authenticating streamed data in the presence of random packet loss March 17th, 2000. Philippe Golle, Stanford University.

Slides:



Advertisements
Similar presentations
Advanced Security Constructions and Key Management Class 16.
Advertisements

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.
Mohamed Hefeeda 1 School of Computing Science Simon Fraser University, Canada Analysis of Multimedia Authentication Schemes Mohamed Hefeeda (Joint work.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
KIANOOSH MOKHTARIAN SCHOOL OF COMPUTING SCIENCE SIMON FRASER UNIVERSITY 3/24/2008 Secure Multimedia Streaming.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.
Lecture 13 Message Signing
Scalable Authentication of MPEG-4 Streams Yongdong Wu & Robert H. Deng present: Yu-Song Syu.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.
1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)
Computer Science CSC 774 Adv. Net. SecurityDr. Peng Ning1 CSC 774 Advanced Network Security Topic 4. Broadcast Authentication.
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.
Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication.
CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
Lecture 8 Digital Signatures. This lecture considers techniques designed to provide the digital counterpart to a handwritten signature. A digital signature.
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
© Neeraj Suri EU-NSF ICT March 2006 DEWSNet Dependable Embedded Wired/Wireless Networks MUET Jamshoro Computer Security: Principles and Practice Slides.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Acknowledgements: William Stallings.William Stallings All rights Reserved Session 4 Public Key Cryptography (Part 2) Network Security Essentials Application.
HASH Functions.
Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
Topic 22: Digital Schemes (2)
Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.
EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
Chapter 21 Public-Key Cryptography and Message Authentication.
Cryptography and Network Security Chapter 9 - Public-Key Cryptography
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 2 – Cryptographic.
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings.
Efficient Downloading and Updating Application on Smart Cards Yongsu Park, Junyoung Heo, Yookun Cho School of Computer Science and Engineering Seoul National.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
1 Number Theory and Advanced Cryptography 6. Digital Signature Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced Cryptography.
Understanding Cryptography – A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl Chapter 11 – Hash Functions.
Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.
Authentication. Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” Failure scenario?? “I am Alice”
Prepared by Dr. Lamiaa Elshenawy
Efficient and Secure Source Authentication for Multicast 報告者 : 李宗穎 Proceedings of the Internet Society Network and Distributed System Security Symposium.
DIGITAL SIGNATURE(DS) IN VIDEO. Contents  What is Digital Signature(DS)?  General Signature Vs. Digital Signatures  How DS is Different from Encryption?
Digital Signature Standard (DSS) US Govt approved signature scheme designed by NIST & NSA in early 90's published as FIPS-186 in 1991 revised in 1993,
CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
COM 5336 Lecture 8 Digital Signatures
Authenticating streamed data in the presence of random packet loss February 8 th, 2001 Philippe Golle Nagendra Modadugu Stanford University.
Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Cryptographic Hash Function
CS/ECE 478 Introduction to Network Security
Data Integrity: Applications of Cryptographic Hash Functions
Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig
Presentation transcript:

Authenticating streamed data in the presence of random packet loss March 17th, Philippe Golle, Stanford University.

Signing streams Stream: sequence of packets Signature: authenticity, non-repudiation E.g: Internet radio station Efficiency Cost of computation (real-time) Communication overhead Robustness Packet loss (UDP)

Outline 1. Existing solutions and their limitations Efficient signatures Amortized signatures 2. Our proposal Construction Optimality applications

Sign each Sign each packet (RSA, DSA,…) “Optimal” solution: Immediate authentication Packets individually verifiable Unpractical: Computational load too high. Maximum: 100 signatures / second 1 digital signature = 100 hashes 1234 AliceBob

Optimization Numerous tricks Small exponent (faster verification) Chinese Remainder Theorem (divide and conquer multiplications) Precomputations (time/memory trade-off) Gain: factor of 2. Incremental verification Variable level of security Signature very large

Hash 12 Hash(2) Digital signature Collision-resistant hash function h: Given h(x), hard to find y such that h(x)=h(y) Example: MD5, SHA-1 Verify the signature on Packet 1. This also authenticates Packet 2.

Hash chain (Gennaro, Rohatgi) Sender processes the stream backwards Append the hash of P i+1 to P i Sign only the first packet Extremely efficient: 1 hash computation / packet Overhead: 20 bytes / packet Problems: Offline case only Packet loss 1234 AliceBob h(2) h(3)h(4) …

One-time Signatures: generation One-time signature scheme: Choose a one-way function f: D->D and 168 elements {a i } of D. Private signing key: family {a i } Public verification key: family {f(a i )} To sign a message M: Hash: h(M) = b 1 b 2 b 3 …………b 160 (in binary) Append to h(M) the number of 0 in h(M): b 1 b 2 b 3 …………b 160 b 161 b 162 …………b 168 Signature: s 0 s 1 s 2 …………s 168 where: S i = a i if b i = 0, otherwise S i = f(a i )

OTS: verification To verify a signature s 0 s 1 s 2 …………s 168 on M: Hash M Append to h(M) the number of 0 in h(M): b 1 b 2 b 3 …………b 160 b 161 b 162 …………b 168 Verify that f(S i )= f(a i ) if b i = 0, otherwise S i = f(a i ) OTS are secure: Can’t flip a 1 to a 0 Can’t flip a 0 to a 1

OTS: efficiency Fast compared to digital signatures : Verify: as fast as RSA with small exponent Sign: twice as fast as DSA Can be used only once Very large: 1000 bytes

OTS chain (Gennaro, Rohatgi) Packet P i contains the public-key to sign P i+1 Faster than “sign each” for online streams Limitations: Overhead: 1000 bytes / packet Issue of packet loss 1234 AliceBob K(2) K(3)K(4)

OTS: optimization Size of OTS proportional to the number of bits of the quantity being signed. MD5: 128 bits, SHA-1: 160 bits Use shorter output? Family of hash functions: 2^40 80-bit hash functions Cost of birthday attack: 2^80 Total output length: 120 bits

Packet groups (Wong & Lam) Sender: Packet 3 is sent as: Receiver: same in reverse h(1) Sign hash

Packet groups: efficiency Trade-off: Efficiency: many packets / group Communication overhead: few packets / group

Packet groups: Tree Sender: Packet 3 is sent as: Receiver: same in reverse Sign 3 78

Motivations Communication overhead: USER_DATA section (MPEG video and audio) Watermarking Open parallel connection Existing solutions Resistant to worst-case packet loss Space / time trade-off We propose: Resistant to average loss New trade-off: efficiency and authentication speed

Model Random loss Bursts (UDP) Maximize length of single worst-case burst Sender Packet buffer (size p) Hash buffer (size h) Receiver Packet buffer Hash buffer Overhead: m: maximum number of hashes / packet

Simple case: no packet buffering Chain of strength a: the hash of packet P i is appended to two other packets: P i+1 and P i+a Only the last packet is signed. Algorithm for generation and verification of the sequence Example: chain of strength 3

Characteristics of a chain Sender: Buffers 1 packet Stores a hashes Receiver Buffer OK: 1 hash Buffer loss: 2 hashes Resistance to loss B = a-1 (optimal) Avg(B) = a-1

Generic Construction (p>1) p=2: one new packet: Example: augmented chain of strength 3

Generalization Sender buffers: p packets h hashes Start with a chain of strength (h-p) Insert (p-1) new packets in-between with the extremity property

Insertion 1 Very simple to implement Optimally resistant to loss But: m grows linearly with p

Insertion 2 Constant m Recursive embedding AB21 AB21

Characteristics Sender Buffers p packets Hash buffer of size h = a+p Receiver Buffer OK: (p+3)/2 Buffer loss: 2 + (p+3)/2 Resistance to loss: B=p(a-1) (optimal) fast recovery B = p (h-p)

Comparison with other schemes SchemeSignaturehashOverhead (bytes) lossverification WL star anyimmediate WL tree anyimmediate LW tree full anyimmediate Chains 11643burstsdelayed

Alternate models Hash buffer of average capacity Average burst Recall B = p (h-p) Average hash: B = p(h-p/2) Average burst: B = p.h

Offline stream authentication Offline stream entirely known to sender signed only once Solution: hash chain Resistance to loss use augmented chains efficiency concern: receiver

Insertion 3 Focus: reduce Buffer OK Buffer Loss = Buffer OK + constant Consider forward edges are never taken.

Conclusion Efficient and flexible authentication scheme. Strength: resistance to random loss (bursts) Implemented as plug-in to Real Audio Player

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.