Professional Documents
Culture Documents
MABS
1. Introduction
1.1 Introduction
Multicat is an efficient method to deliver multimedia content from a sender to a group of receivers and is gaining popular applications such as realtime stock quotes, interactive games, video conference, live video broadcast, or video on demand. Authentication is one of the critical topics in securing multicast in an environment attractive to malicious attacks. Basically, multicast authentication may provide the following security services: 1. Data integrity: Each receiver should be able to assure that received packets have not been modified during transmissions. 2. Data origin authentication: Each receiver should be able to assure that each received packet comes from the real sender as it claims. 3. No repudiation: The sender of a packet should not be able to deny sending the packet to receiver in case there is a dispute between the sender and receiver. All the three services can be supported by an asymmetric key technique called signature. In an ideal case, the sender generates a signature for each packet with its private key, which is called signing, and each receiver checks the validity of the signature with the senders public key, which is called verifying. If the verification succeeds, the receiver knows the packet is authentic. Designing a multicast authentication protocol is not an easy task. Generally, there are following issues in real world challenging the design. First, efficiency needs to be considered, especially for receivers. Compared with the multicast sender, which could be a powerful server, receivers can have different capabilities and resources. The receiver heterogeneity requires that the multicast authentication protocol be able to execute on not only powerful desktop computers but also resource-constrained mobile handsets. In particular, latency, computation, and communication overhead are major issues to be considered. Second, packet loss is inevitable. In the Internet, congestion at routers is a major reason causing packet loss. An overloaded router drops buffered packets according to its preset control policy. Though TCP provides a certain retransmission capability, multicast content is mainly transmitted over UDP, which does not provide any loss recovery support. In mobile
1
College of Engineering, Chengannur
MABS
Designing a multicast authentication protocol is not an easy as, there are following issues in real world challenging the design. First, efficiency needs to be considered, especially for receivers. Second is the packet loss that happens during the implementation phase. Therefore, for applications where the quality of service is critical to end users, a multicast authentication protocol should provide a certain level of resilience to packet loss. Specifically, the impact of packet loss on the authenticity of the alreadyreceived packets should be as small as possible.
2
College of Engineering, Chengannur
MABS
2.1.3 Definitions,Acronyms and Abbrevations MABS-Multicast Authentication based on Batch Signature DoS-Denial-of-Service DSA-Digital Signal Algorithm BLS- BonehLynnShacham signature RSA- Rivest- Shamir-Adleman signature 2.1.4 Overview The SRS document provides description about the system requirements, interfaces, features and functionalities.
3
College of Engineering, Chengannur
MABS
scheme with a packet filtering mechanism to alleviate the DoS impact while preserving the perfect resilience to packet loss. 2.2.3 User characteristics The software has a user who will be registering in the Desktop application that we would be developing. At this point he would be provided with a password. This password is being stored in the database which is used for further login by the user . Users include: y y Clients who wish to access the facilities in application MABS Admin
The user interface has to be developed in Netbeans IDE 6.9.1. The user has several options such as: 1. Registration 2. Signing 3. Updating profile 4. Data transfer mode 5. View report
2.2.4 General Constraints 1. There exists a client server communication. A high bandwidth communication is necessary. 2. This system can be supported in only those systems which provide Java support. 2.2.5 Database Requirements The list of clients along with login details of each user is maintained at the server in a database which is accessed by the application running at the server side. 2.2.6 Assumptions and Dependencies y Proper network connection is necessary between the computers for the proper working of the system. y Software must be installed at all the systems.
4
College of Engineering, Chengannur
MABS
2.2.7 User Interface The user interface is provided such that firstly the user has to login for using the facilities provided by the application. A help menu will also be provided in the main window. A login option is provided where the user has to enter password. The password is validated and the user gets access to the application. Options for transferring, receiving and reports are provided in the application. User is also provided with an option to change password. After carrying out intended operations user is logged out using logout option. A help menu will be provided in the interface. This menu driven support facilitates user to
use the facilities provided by the software and describes the initial user how to move through the application.
Hardware Requirements y y y Processor Primary Memory Storage : Pentium IV OR Above : : 256 MB RAM 40 GB Hard Disk
2.3.2 Functional Requirements MABS can achieve perfect resilience to packet loss in lossy channels in the sense that no matter how many packets are lost the already-received packets can still be authenticated by receivers.MABS-B is efficient in terms of less latency, computation, and communication overhead. Though MABS-E is less efficient than MABS-B since it includes the DoS defense, its overhead is still at the same level as previous schemes.Two new batch signature schemes based on BLS and DSA are introduced
5
College of Engineering, Chengannur
MABS
2.4.2 Maintainability The application will be designed in a manner that it is easy to modify the software system later when required and to incorporate new requirements in the individual modules.
2.4.3 Security Requirements The system is expected to give a secure multicast using batch signature along with a user authenticated password protection to access the application.
2.4.4 Portability This application will be developed using platform independent java technology. Hence it provides portability.
6
College of Engineering, Chengannur
MABS
Level 0
Level 1
7
College of Engineering, Chengannur
MABS
Level 2
Module Description User Management: A user is allowed to enter the application after authentication of that particular user. Users have to provide user name and password .If a particular user is not in the login table, then he cant access the system .For unregistered users there is an option for signing. After login the user will be provided with options for broadcasting, unicasting and multicasting data. The user will be provided with an inbox containing with files sent to the user by others. User will also be provided with options to join and unjoin multicast
8
College of Engineering, Chengannur
MABS
groups. User can also add or remove others from multicast groups owned by him. Users will be provided with reports to review details of previous transmission.
Network Management : Network management is concerned with division of data into packets, grouping of packets into batches, encryption of data, signature generation at the sender side and detection of batches, decryption of data, signature verification at the receiver side. It also consists of generation of acknowledgement system for UDP packets, resending of unacknowledged packets and detection of duplicate packets. Detection and prevention of DoS attack is also the function of this module. Various schemes:
Batch RSA RSA is a very popular cryptographic algorithm in many security protocols. In order to use RSA, a sender chooses two large random primes P and Q to get N=PQ, and then calculates two exponents e, d such that ed=1mod (N), where (N)=(P-1)(Q-1). The sender publishes (e, N) as its public key and keeps d in secret as its private key. A signature of a message m can be generated as = (h(m))d mod N, where h( ) is a collision resistant hash function. The
sender sends {m, } to a receiver that can verify the authenticity of message m by checking e = h(m) mod N.
Batch DSA A DSA digital signature is computed using a set of domain parameters, a private key x, a per message secret number k, data to be signed, and a hash function. A digital signature is verified using the same domain parameters, a public key y that is mathematically associated with the private key x used to generate the digital signature, data to be verified, and the same hash function that was used during signature generation. p= a prime modulus, where 2L1 < p < 2L, and L is the bit length of p. q =a prime divisor of (p 1), where 2N1 < q < 2 N, and N is the bit length of q. g =a generator of the subgroup of order q mod p, such that 1 < g < p. x =the private key that must remain secret; x is a randomly or pseudo randomly generated integer, such that 0 < x < q, i.e., x is in the range [1, q1].
9
College of Engineering, Chengannur
MABS
y =the public key, where y = gx mod p. k =a secret number that is unique to each message; k is a randomly or pseudo randomly generated integer, such that 0 < k < q, i.e., k is in the range [1, q1]. h() =a hash function.
Given message m, the signer generates a signature by randomly selecting an integer k with 0 < k < q. Computing h = h(m). Computing r = (gk mod p) mod q, and computing s = rk hx mod q. The signature for m is (r,s). The receiver can verify message m by first computing h=h(m) and then checking whether ((gsr-1 yhr-1) mod p) mod q = r This is because if the packet is authentic, then ((gsr-1 yhr-1) mod p) mod q =((g(s+hx)r-1) mod p) mod q =( gk mod p) mod q =r
Batch BLS The BLS signature scheme uses a cryptographic primitive called pairing.Let
be a non-degenerate, efficiently computable, bilinear pairing function where G, GT are groups of prime order, r. Let g be a generator of G. The key generation algorithm selects a random integer x in the interval [0, r 1]. The private key is x. The holder of the private key publishes the public key, gx. Signing: Given the private key x, and some message m, we compute the signature by hashing the string m, as h = H(m). We output the signature Verification: Given a signature = hx.
Admin Management: Admin is allowed to enter the application after authentication. Admin has to provide user name and password .After login admin can change the network, firewall settings, set the key for signing of packets.
10
College of Engineering, Chengannur
MABS
4. Conclusion
To reduce the signature verification overheads in the secure multimedia multicasting, blockbased authentication schemes have been proposed. Unfortunately, most previous schemes have many problems such as vulnerability to packet loss and lack of resilience to denial of service (DoS) attack. To overcome these problems, we develop a novel authentication scheme MABS. MABS is perfectly resilient to packet loss due to the elimination of the correlation among packets and can effectively deal with DoS attack. Moreover, the use of batch signature can achieve the efficiency less than or comparable with the conventional schemes. Finally, we further develop two new batch signature schemes based on BLS and DSA, which are more efficient than the batch RSA signature scheme.
5. References
y Yun Zhou, Xiaoyan Zhu, Yuguang Fang ,MABS: Multicast Authentication Based on Batch Signature IEEE Transactions on mobile computing, July 2010 y P. Judge and M. Ammar, Security Issues and Solutions in Multicast Content Distribution: A Survey, IEEE Network Magazine, vol. 17, no. 1, pp. 30-36, Jan./Feb. 2003. y http://en.wikipedia.org/wiki
11
College of Engineering, Chengannur