Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing

A Hybrid and Efficient Scheme of Multicast Source Authentication

HE Jin-xin XU Gao-chao FU Xiao-dong ZHOU Zhi-guo

1 College of College of College of Computer 1 College of
Computer Science Computer Science Science and Computer Science
and Technology and Technology Technology and Technology
Jilin University Jilin University Jilin University Jilin University
Changchun, P.R. Changchun, P.R. Changchun, P.R. Changchun, P.R.
China China China China
2 College of Earth 2 College of
Sciences Computer
Jilin University Northeast Normal
Changchun, P.R. University
China Changchun, P.R.
China

Abstract successful deployment of group communication

Source authentication is the most important and
difficult problem in multicast security, and no
schemes can satisfy all multicast applications. So a
Hybrid Multicast Source Authentication (HMSA)
scheme was proposed based on two data structures:
hashing tree and hashing chain. Compared with
some other schemes in computation and
communication overheads, HMSA is simple, efficient
and secure.
1. Introduction
Fueled by the explosive growth of the Internet and
growing demand for novel types of group
communications, multicast has received a lot of
attention in recent years. In multicast, a single copy
of packets is sent by the sender and routed to each
receiver within the multicast group via
multicast-enabled router. For a wide range of
applications, multicast is an efficient and natural way
of communicating information [9]. However,
multicast services lack support for traffic
management, accounting and billing, reliability, and
security. So multicast security is identified as one of
the most important problems to solve for the
——————————-
This work is supported by the Jilin Province Natural Science
Foundation of China (Grant No.20050522).
applications. There are three distinct problem areas to
consider in providing multicast security services [4].
First and most important, in secure multicast group
members must be able to verify that the data received
is indeed sent by an authorized sender. This is called
origin authentication, includes group authentication
and source authentication. Group authentication is
the property that guarantees only that a message was
sent (or last modified) by a member of the group.
Since a MAC (Message Authentication Code) can be
used for group authentication, it is rather inexpensive
to authenticate even streaming data in real time. But
in most applications the receivers must be able to
establish the source of the data, at least for
themselves. In other words, source authentication is
more and more needed in multicast applications.
Moreover, a stronger version of the above property,
referred to as non-repudiation, which enables each
receiver to prove the origin of data to any impartial
third party [5]. Unfortunately, multicast source
authentication is a difficult problem. The simplest
solution is to digitally sign each packet, but signing
each packet is computationally expensive, and
introduces excessive per packet communication
overhead. Several solutions have been documented
that amortize the cost of digital signatures over
multiple packets, such as hashing tree and hashing
chain [3]. However, neither of them is efficient for
all kind of multicast applications. So a Hybrid

0-7695-2909-7/07 $25.00 © 2007 IEEE 123

DOI 10.1109/SNPD.2007.176
Multicast Source Authentication (HMSA) scheme is
proposed based on hashing tree and hashing chain in
this paper, and performance evaluations showed
HMSA is cheaper, efficient and secure.
2. Related work
2.1. Hashing tree
In the hashing tree scheme, the sender first divides
the whole data into M blocks and then divides each
block into m packets and computes the individual
packet hashes. For block hash computation, it
associates each individual packet hash with a leaf
node of the hash tree. Each internal node’s hash is
the hash of the concatenation of the children’s hashes.
As Figure 1 depicted:
h12=hash(h1,h2),
h34=hash(h3,h4),
……,
h18=hash(h14, h58).
Figure 1. Hashing Tree
Using this function, the sender recursively computes
the root node’s hash. Within each packet, the sender
includes the signed block hash, the packet ID, and
the hashes of siblings of all the nodes in the current
packet’s path to the root [2]. Each receiver first
computes the hash of the received packet. It uses the
computed hash and the received hashes to compute
the root hash. If the computed root hash is identical
to the signed block hash, the received packet is
authentic.
Authenticity verification of the first received
packet of a block consists of a signature verification,
and computation of all hashes in the path from the
packet’s position in the tree to the root. In all, the
receiver needs to compute O (log2 m) hashes. Future
packet verifications require fewer hash computations
and no signature verification operations. Each packet
carries only O (log2 m) hashes along with the signed
124
block hash. Authenticity verification may require as
many as O (log2 m) hash computations. Caching
verified nodes decreases the number of hash
computations for subsequent packet verifications of
the same block.
Because the computation speed of hash
functions(MD5, SHA-1……)is about 1,000 times
faster than digital signature(RSA, ECC……)[1], the
computation overhead of hashing tree is much less
than signing each packet. And tree hashing also
supports non-repudiation, since the root hash of each
block is signed by the sender. However, per packet
communication overhead is even higher than signing
each packet.
2.2. Hashing chain
Hashing chain works as follows: first, the sender
divides the data into n blocks; second, it computes
the hash of the first block (for example, using MD5
or SHA-1), signs the hash payload, and sends the
signature to all receivers. It then sends each block
except the last block, appended with the hash of the
next block [8]. Figure 2 illustrates it: data is divided
into n blocks named B1, B2,……, Bn; the first
block’s hash B1 is signed; the first block consists of
B2’s hash along with the data; this continues until the
block Bn- 1, which contains the hash of Bn; the final
block does not contain a hash.
Figure 2. Hashing Chain
Each receiver verifies the sender’s signature,
extracts the hash of the first block and stores it.
When the first block arrives, the receiver computes
the hash and compares it to the stored hash. If two
hashes are identical, the first block’s integrity and
authenticity is established. The receiver then extracts
the second block’s hash and stores it, and repeats this
verification procedure until the last block. If the
packets are received in sequence, the receivers only
need a buffer to hold a block and a hash. Note that
due to the authentication chain that ends up in a
signature packet, hashing chain also provides
non-repudiation [7].
In hashing chain, there is only one public key
operation at the sender (a signature) and each
receiver (a verification). In addition, all parties
compute n hashes. Overall, this scheme only adds 1
signature (RSA is 128 bytes) and n hashes (n * 20
bytes, with SHA-1 for hashing) worth of overhead in
authenticating the entire stream. So both computation
and communication overheads of hashing chain are
less than hashing tree. But this scheme can not
tolerate packet loss, and the receivers can not
authenticate any future packets once any portion of
data is lost in transit. Furthermore, out-of-order
packet reception is also troublesome, and an
out-of-order packet must be buffered until all the
packets leading up to it are received and verified [6].
3. HMSA scheme
3.1. Main idea
As mentioned above, the main disadvantage of
hashing tree is high communication overhead, and
hashing chain is inefficient to packet loss. So we
considered how to combine hashing tree with
hashing chain efficiently, and make up of a Hybrid
Multicast Source Authentication (HMSA) scheme. In
hashing tree each packet carries 1 signature and (log2
m) hashes of siblings of all the nodes in the current
packet’s path to the root. However, each receiver
only needs to verify the first packet of each block, so
there are (m-1) packets carrying useless signatures in
each packet. Since hashing chain only needs 1
signature totally, HMSA uses hashing chain to
reduce the communication overhead of hashing tree
as below: first, the sender calculates the root hash of
each block using hashing tree; second, sends a packet
carrying the signature of the first block’s root hash to
each receiver; last, sends each packet carrying (log2
m) hashes of siblings of all the nodes in the current
packet’s path to the root and the root hash of the next
block, after each receiver received the signature
packet normally. To each receiver, firstly the root
signature of the first block is verified, if verification
is passed then each packet of the first block and the
root hash of the second block is verified; secondly
each packet of the second block is verified using the
root hash of the second block; …… ; finally the
origins of all packets is verified.
3.2. Performance evaluations
In summary, HMSA only needs 1 signature and n*
（ log2 m+1 ） hashes, so both computation and
communication overheads of it are much less than
hashing tree, but a little higher than hashing chain.
However, HMSA is loss-tolerant if the maximum
length of loss packet is less than the length of each
block, so which is superior to hashing chain in it.
125
4. Conclusion
In this paper, a novel scheme of multicast source
authentication that was named “HMSA” is proposed,
and it includes some merits as follow:
(1) Both computation and communication overheads
are reasonable and acceptable;
(2) Each packet is authenticated immediately, which
is loss-tolerant;
(3) Non-repudiation is supported.
So HMSA is efficient and practical to the most
source authentication of multicast applications. The
next work is to compare it with some other schemes
in detail using NS-2(Network Simulator version 2).
References
[1] M.Baugher, R.Canetti, L.Dondeti and F.Lindholm.
“Multicast Security(MESC) Group Key Management
Architecture”. IETF RFC 4046, April 2005.
[2] Yacine Challal, Abdelmadjid Bouabdallah and Yoann
Hinard. “Efficient multicast source authentication using
layered hash-chaining scheme”. Proceedings of the 29th
Annual IEEE International Conference on Local Computer
Networks(LCN’04).
[3] Thomas Hardjono, Laksminiath R. Dondeti. “Multicast
and Group Security”. Artech House Inc, 2003.
[4] T. Hardjono, B. Weis. “The Multicast Group Security
Architecture”. IETF RFC 3740, March 2004.
[5] Xianxian Li, Jinpeng Huai. “Efficient Non-Repudiation
Multicast Source Authentication Schemes”. J. Comput. Sci.
& Technol. pp.820-829, 17(6), 2002.
[6] Sanjoy Paul. “Multicasting on the internet and its
applications”. Kluwer Academic Publishers, 1998.
[7] A. Perrig, R. Canetti, D. Song, and J. D. Tygar.
“Efficient and secure source authentication for multicast”.
Network and Distributed System Security Symposium,
pp.35-46, February 2001.
[8] A.Perrig, D.Song, R.Canetti, J.D.Tygar and B.Briscoe.
“Timed Efficient Stream Loss-Tolerant
Authentication(TESLA): Multicast Source Authentication
Transform Introduction”. IETF RFC 4082, June 2005.
[9] Jung Min Park, Edwin K.P. Chong and Howard Jay
Siegel. “Efficient Multicast Packet Authentication Using
Signature Amortization”. Proceedings of the 2002 IEEE
Symposium on Security and Privacy, 2002.